On Wed, 2 Oct 2024 18:46:07 GMT, Severin Gehwolf <sgehw...@openjdk.org> wrote:

>> The change of [JDK-8327114](https://bugs.openjdk.org/browse/JDK-8327114)
>> also increased test coverage. In particular, the `TestJcmdWithSideCar.java`
>> test got enhanced to cover these cases (prior to
>> [JDK-8327114](https://bugs.openjdk.org/browse/JDK-8327114) only case 1 was
>> tested):
>>
>> 1. Shared volumes between attachee and attacher and shared pid namespace
>> 2. Shared volumes between attachee and attacher and shared pid namespace,
>>    both running with elevated privileges
>> 3. Shared pid namespace between attachee and attacher only
>> 4. Shared pid namespace between attachee and attacher, both running with
>>    elevated privileges
>>
>> The OpenJDK attach code is able to handle cases 1 through 3 which pass, but
>> the last case, `4`, hasn't been implemented yet when running as regular user
>> and directing the container runtime to map the container user to that user
>> as well. Thus, the test fails. For now I propose to disable the 4th test
>> case. It can get re-enabled once the product code got updated to account for
>> this case (tracked in https://bugs.openjdk.org/browse/JDK-8341349).
>>
>> Thoughts? Could somebody please run this through Oracle's test system in
>> order to see if this fixes the issue? Thank you!
>
> Severin Gehwolf has updated the pull request incrementally with two
> additional commits since the last revision:
>
>  - Revert "Improve runtime of test"
>
>    This reverts commit 5b2f646c73b747f6fff364347031074d24e49822.
>  - Revert "Remove the attachee container if it exists"
>
>    This reverts commit ef7abf249268c30f726bee19dde3337d92c6493d.

> It can get re-enabled once the product code got updated to account for this
> case (tracked in https://bugs.openjdk.org/browse/JDK-8341349).

I spent some time thinking about this, and I'm not sure if it can be solved?

The test case that fails with Podman is `ACCESS_TMP_VIA_PROC_ROOT`. That is, we try to attach to another JVM by accessing the target JVM's root filesystem through `/proc/[pid]/root`. But for processes with elevated privileges `/proc/[pid]/root` can only be read by `root`. That is why it works with the default setup of Docker but not Podman.

Or am I missing something?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/21289#issuecomment-2389535881
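
An added example, not part of the original message or of the OpenJDK code: a small Python probe that reports at which step access to `/proc/[pid]/root/tmp` stops for the current user, which helps when comparing container runtime setups. The function names and the constructed fixture tree (a stand-in for `/proc` so the block runs offline) are assumptions made for illustration.

```python
import errno
import os
import tempfile


def probe_attach_path(pid, proc="/proc"):
    """Report how far the caller gets towards <proc>/<pid>/root/tmp.

    Returns (stage, outcome): stage is "process", "root" or "tmp";
    outcome is "ok", "denied", "missing" or "error".
    """
    base = os.path.join(proc, str(pid))
    steps = [
        ("process", base, os.stat),
        # Dereferencing root is subject to a kernel ptrace access check (proc(5)).
        ("root", os.path.join(base, "root"), os.stat),
        # Listing tmp additionally needs ordinary file permissions in the target.
        ("tmp", os.path.join(base, "root", "tmp"), os.listdir),
    ]
    for stage, path, op in steps:
        try:
            op(path)
        except OSError as exc:
            if exc.errno in (errno.EACCES, errno.EPERM):
                return stage, "denied"
            if exc.errno in (errno.ENOENT, errno.ESRCH):
                return stage, "missing"
            return stage, "error"
    return "tmp", "ok"


def build_fixture(parent, pid, with_tmp=True):
    """Constructed stand-in for a /proc tree (real /proc uses a magic symlink)."""
    root = os.path.join(parent, str(pid), "root")
    os.makedirs(os.path.join(root, "tmp") if with_tmp else root)
    return parent


if __name__ == "__main__":
    # Probing our own process should normally succeed on Linux.
    print("self:", probe_attach_path(os.getpid()))
    with tempfile.TemporaryDirectory() as d:
        build_fixture(d, 4242)  # constructed pid, not a real process
        print("fixture:", probe_attach_path(4242, proc=d))
```

Run it inside the attacher container with the attachee's pid: a `("root", "denied")` result means the `/proc/[pid]/root` link itself could not be dereferenced, while `("tmp", "denied")` points at file permissions inside the target's filesystem.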