On Thu, 18 Dec 2025 10:44:33 GMT, Sebastian Lövdahl <[email protected]> wrote:
>> We can see several thread dump on the console of Distroless nonroot JDK when
>> we attach debug (root) Distroless container image to the nonroot container
>> as following. It is not expected.
>>
>>
>> $ podman run -it --rm --name debuggee -v `pwd`/LongSleep:/opt/LongSleep:Z
>> --entrypoint java gcr.io/distroless/java25-debian13:nonroot -cp
>> /opt/LongSleep -Xlog:attach=debug LongSleep
>> [38.252s][debug][attach] Failed to find attach file: /tmp/.attach_pid1
>> 2025-12-17 06:34:37
>> Full thread dump OpenJDK 64-Bit Server VM (25.0.1+8-LTS mixed mode, sharing):
>>
>> Threads class SMR info:
>> _java_thread_list=0x000078a8bc13f200, length=10, elements={
>> 0x000078a8bc02bb60, 0x000078a8bc128200, 0x000078a8bc1293f0,
>> 0x000078a8bc12ae40,
>> 0x000078a8bc12c760, 0x000078a8bc12dfe0, 0x000078a8bc12fde0,
>> 0x000078a8bc1317d0,
>> :
>>
>>
>> Attach API put `.attach_pid<pid>` file at first to clarify subsequent
>> SIGQUIT means create AttachListener thread. That file attempt to create on
>> current work directory of the target process, but it would fallback to /tmp
>> if failed (e.g. attacher cannot write onto work directory).
>>
>> In case of attaching nonroot container from root container, and also it
>> would fail due to lack of write permission on current work directory, and
>> cannot access /proc/<PID>/root/tmp. It causes following error on jcmd:
>>
>>
>> $ podman run -it --rm --pid container:debuggee --entrypoint sh
>> gcr.io/distroless/java25-debian13:debug
>> / # /usr/lib/jvm/jcmd 1 VM.version
>> 1:
>> com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file
>> /tmp/.java_pid1: target process 1 doesn't respond within 10500ms or HotSpot
>> VM not loaded
>> at
>> jdk.attach/sun.tools.attach.VirtualMachineImpl.<init>(VirtualMachineImpl.java:115)
>> at
>> jdk.attach/sun.tools.attach.AttachProviderImpl.attachVirtualMachine(AttachProviderImpl.java:56)
>> at
>> jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:201)
>> at jdk.jcmd/sun.tools.jcmd.JCmd.executeCommandForPid(JCmd.java:113)
>> at jdk.jcmd/sun.tools.jcmd.JCmd.main(JCmd.java:97)
>>
>> / # ls -l /proc/1/cwd
>> ls: /proc/1/cwd: cannot read link: Permission denied
>> lrwxrwxrwx 1 nonroot nonroot 0 Dec 17 06:34 /proc/1/cwd
>>
>>
>>
>> After this change, we can see following exception on the console of jcmd
>> when we encounter this situation:
>>
>> # jcmd 1 VM.version
>> 1:
>> com.sun.tools.attach.AttachNotSupportedException: Unable to access the
>> filesystem of the target process
>> at jdk.attac...
>
> There is a [problemlisted test](https://github.com/openjdk/jdk/pull/21417)
> related to this that could make sense to run manually
> (https://bugs.openjdk.org/browse/JDK-8341518). It's failing in some of
> Oracle's CI but I have not been able to reproduce the failure myself. It was
> discussed a bit in https://github.com/openjdk/jdk/pull/21331 too.
>
> I'll see if I can find time to check out this change locally and run some
> tests, otherwise, feel free to run it yourself.
@slovdahl I found out the cause of error in TestJcmdWithSideCar.java. It is not
a bug, environment issue.
I sent email to serviceability-dev because it is different from this PR.
https://mail.openjdk.org/pipermail/serviceability-dev/2025-December/068668.html
Anyway, I'm waiting for Reviewers for this PR!
-------------
PR Comment: https://git.openjdk.org/jdk/pull/28867#issuecomment-3670212706
