> We can see several thread dump on the console of Distroless nonroot JDK when
> we attach debug (root) Distroless container image to the nonroot container as
> following. It is not expected.
>
>
> $ podman run -it --rm --name debuggee -v `pwd`/LongSleep:/opt/LongSleep:Z
> --entrypoint java gcr.io/distroless/java25-debian13:nonroot -cp
> /opt/LongSleep -Xlog:attach=debug LongSleep
> [38.252s][debug][attach] Failed to find attach file: /tmp/.attach_pid1
> 2025-12-17 06:34:37
> Full thread dump OpenJDK 64-Bit Server VM (25.0.1+8-LTS mixed mode, sharing):
>
> Threads class SMR info:
> _java_thread_list=0x000078a8bc13f200, length=10, elements={
> 0x000078a8bc02bb60, 0x000078a8bc128200, 0x000078a8bc1293f0,
> 0x000078a8bc12ae40,
> 0x000078a8bc12c760, 0x000078a8bc12dfe0, 0x000078a8bc12fde0,
> 0x000078a8bc1317d0,
> :
>
>
> Attach API put `.attach_pid<pid>` file at first to clarify subsequent SIGQUIT
> means create AttachListener thread. That file attempt to create on current
> work directory of the target process, but it would fallback to /tmp if failed
> (e.g. attacher cannot write onto work directory).
>
> In case of attaching nonroot container from root container, and also it would
> fail due to lack of write permission on current work directory, and cannot
> access /proc/<PID>/root/tmp. It causes following error on jcmd:
>
>
> $ podman run -it --rm --pid container:debuggee --entrypoint sh
> gcr.io/distroless/java25-debian13:debug
> / # /usr/lib/jvm/jcmd 1 VM.version
> 1:
> com.sun.tools.attach.AttachNotSupportedException: Unable to open socket file
> /tmp/.java_pid1: target process 1 doesn't respond within 10500ms or HotSpot
> VM not loaded
> at
> jdk.attach/sun.tools.attach.VirtualMachineImpl.<init>(VirtualMachineImpl.java:115)
> at
> jdk.attach/sun.tools.attach.AttachProviderImpl.attachVirtualMachine(AttachProviderImpl.java:56)
> at
> jdk.attach/com.sun.tools.attach.VirtualMachine.attach(VirtualMachine.java:201)
> at jdk.jcmd/sun.tools.jcmd.JCmd.executeCommandForPid(JCmd.java:113)
> at jdk.jcmd/sun.tools.jcmd.JCmd.main(JCmd.java:97)
>
> / # ls -l /proc/1/cwd
> ls: /proc/1/cwd: cannot read link: Permission denied
> lrwxrwxrwx 1 nonroot nonroot 0 Dec 17 06:34 /proc/1/cwd
>
>
>
> After this change, we can see following exception on the console of jcmd when
> we encounter this situation:
>
> # jcmd 1 VM.version
> 1:
> com.sun.tools.attach.AttachNotSupportedException: Unable to access the
> filesystem of the target process
> at
> jdk.attach/sun.tools.attach.VirtualMachineImpl.findTargetProcessTmpDirectory(VirtualMachineIm...
Yasumasa Suenaga has updated the pull request incrementally with one additional
commit since the last revision:
Check whether target process is on same host
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/28867/files
- new: https://git.openjdk.org/jdk/pull/28867/files/4b253b8b..fb1a16a3
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=28867&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=28867&range=00-01
Stats: 13 lines in 1 file changed: 11 ins; 0 del; 2 mod
Patch: https://git.openjdk.org/jdk/pull/28867.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/28867/head:pull/28867
PR: https://git.openjdk.org/jdk/pull/28867
