Java Jail not working with safeexec on CentOS

[susobhang70]

Hi, I am having an issue with safeexec and java_jail. I'm on CentOS release 5.8 (Final)

When I try this command from java_jail (i.e. without chroot): /home/ssad1/safeexec/safeexec --share_newnet --nproc 50 --mem 30000000 --nfile 30 --env_vars CLASSPATH=./cp/:./cp/javax.json-1.0.jar:./java/lib/tools.jar --exec ./java/bin/java traceprinter.InMemory < cp/traceprinter/test-input.txt

Output is: Exception in thread "event-handler" java.lang.OutOfMemoryError: unable to create new native thread at java.lang.Thread.start0(Native Method) at java.lang.Thread.start(Thread.java:714) at traceprinter.JSONTracingThread.handleEvent(JSONTracingThread.java:221) at traceprinter.JSONTracingThread.run(JSONTracingThread.java:136) OK elapsed time: 2 seconds memory usage: 5092524 kbytes cpu usage: 1.585 seconds

When I run this: /home/ssad1/safeexec/safeexec --chroot_dir . --exec_dir / --share_newnet --nproc 50 --mem 3000000 --nfile 30 --env_vars CLASSPATH=/cp/:/cp/javax.json-1.0.jar:/java/lib/tools.jar --exec /java/bin/java traceprinter.InMemory < cp/traceprinter/test-input.txt

Output is: Error occurred during initialization of VM Could not allocate metaspace: 1073741824 bytes Command exited with non-zero status (1) elapsed time: 0 seconds memory usage: 0 kbytes cpu usage: 0.000 seconds

When I subsequently increase --mem, here is what i get: 1. 4000000 /home/ssad1/safeexec/safeexec --chroot_dir . --exec_dir / --share_newnet --nproc 50 --mem 4000000 --nfile 30 --env_vars CLASSPATH=/cp/:./cp/javax.json-1.0.jar:/java/lib/tools.jar --exec /java/bin/java traceprinter.InMemory < cp/traceprinter/test-input.txt

Error occurred during initialization of VM Could not allocate metaspace: 1073741824 bytes Command exited with non-zero status (1) elapsed time: 0 seconds memory usage: 0 kbytes cpu usage: 0.004 seconds

2. 5000000

/home/ssad1/safeexec/safeexec --chroot_dir . --exec_dir / --share_newnet --nproc 50 --mem 5000000 --nfile 30 --env_vars CLASSPATH=/cp/:./cp/javax.json-1.0.jar:/java/lib/tools.jar --exec /java/bin/java traceprinter.InMemory < cp/traceprinter/test-input.txt #

There is insufficient memory for the Java Runtime Environment to continue.

pthread_getattr_np

[thread 139926425515776 also had an error]

An error report file with more information is saved as:

//hs_err_pid10797.log

Command exited with non-zero status (1) elapsed time: 1 seconds memory usage: 4824000 kbytes cpu usage: 1.353 seconds

3. 6000000 /home/ssad1/safeexec/safeexec --chroot_dir . --exec_dir / --share_newnet --nproc 50 --mem 6000000 --nfile 30 --env_vars CLASSPATH=/cp/:./cp/javax.json-1.0.jar:/java/lib/tools.jar --exec /java/bin/java traceprinter.InMemory < cp/traceprinter/test-input.txt Exception in thread "event-handler" java.lang.OutOfMemoryError: unable to create new native thread at java.lang.Thread.start0(Native Method) at java.lang.Thread.start(Thread.java:714) at traceprinter.JSONTracingThread.handleEvent(JSONTracingThread.java:221) at traceprinter.JSONTracingThread.run(JSONTracingThread.java:136) OK elapsed time: 2 seconds memory usage: 5092532 kbytes cpu usage: 1.482 seconds

Going above 6000000 produces the same result over and over again

[daveagp]

Can you try adding -Xmx1000m after /java/bin/java?

Do putting in the same numbers always cause the same errors even if you repeat them?

[susobhang70]

Tried with -Xmx1000m

/home/ssad1/safeexec/safeexec --chroot_dir . --exec_dir / --share_newnet --nproc 50 --mem 5000000 --nfile 30 --env_vars CLASSPATH=/cp/:./cp/javax.json-1.0.jar:/java/lib/tools.jar --exec /java/bin/java -Xmx1000m traceprinter.InMemory < cp/traceprinter/test-input.txt

Exception in thread "event-handler" java.lang.OutOfMemoryError: unable to create new native thread at java.lang.Thread.start0(Native Method) at java.lang.Thread.start(Thread.java:714) at traceprinter.JSONTracingThread.handleEvent(JSONTracingThread.java:221) at traceprinter.JSONTracingThread.run(JSONTracingThread.java:136) OK elapsed time: 2 seconds memory usage: 4071456 kbytes cpu usage: 1.577 seconds

As for trying again with the same numbers, I tried all of them again. Everyone produced the same error, except 5000000 printed the log file on the screen itself (said it can't write to log file so dumping to screen). The output is too big and I cannot attach it here it seems (write permission to repo error).

Another observation: every log file present in java_jail is empty.

[daveagp]

You can also try increasing the "Xmx512M" inside of InMemory.java. I know it's annoying to have three parameters to tweak, but the --mem one being gigantic (30 million k = 30 g) should make that one a non-issue.

[susobhang70]

I tweaked Xmx512M to Xmx1024M, Xmx2048M, and Xmx4096M. Same result. I had set --mem as 30000000. Here is what I got:

Exception in thread "event-handler" java.lang.OutOfMemoryError: unable to create new native thread at java.lang.Thread.start0(Native Method) at java.lang.Thread.start(Thread.java:714) at traceprinter.JSONTracingThread.handleEvent(JSONTracingThread.java:221) at traceprinter.JSONTracingThread.run(JSONTracingThread.java:136) OK elapsed time: 1 seconds memory usage: 5092532 kbytes cpu usage: 1.523 seconds

[susobhang70]

Update: I increased nproc to 100 and mem as 30000000. Got proper output. Even with Xmx512M. But error while running on front end.

[daveagp]

Put all of the values you discovered worked into jv-config.json (safeexec_mem_k, Xmx) Add "safeexec_args" : {"nproc" : "100"} to set the nproc.

[susobhang70]

Thank you for everything. :+1:

My team is also trying to integrate this with a offline visual debugger called Jeliot, and planning to launch it via JNLP from this site itself.

I'm making changes to the front end, adding save code functionality, and changing the look. I'm attaching a screenshot of the same. Hope you like it :)

[daveagp]

Looks great! If you get it working with Jeliot, let me know, that would be very interesting.

[susobhang70]

This is how it looks now. I've added a Save Code button and a Start with Jeliot button, which actually launches jeliot with this code. The written code is saved in the server and a corresponding JNLP file is generated to launch Jeliot on the client side (user still has to launch the JNLP file). I've been working on it's Moodle plugin for a month now, and managed to fix the bugs for the newer Moodle versions, and applied the same technique to achieve this mechanism.

My initial plans were to also integrate your debugger to Moodle, but unfortunately neither me nor my team have much time to achieve that functionality.

[daveagp]

Looks nice, keep up the good work!