eclipse-openj9 / openj9

Eclipse OpenJ9: A Java Virtual Machine for OpenJDK that's optimized for small footprint, fast start-up, and high throughput. Builds on Eclipse OMR (https://github.com/eclipse/omr) and combines with the Extensions for OpenJDK for OpenJ9 repo.

How to disable Java Attach API #14938

Closed krismarc closed 2 years ago

krismarc commented 2 years ago

Dear openj9 community,

Within our organization, Qualys complained about files generated by Java in our temp directory. It creates files with world-wide permissions.

Basically, I found a solution -> https://www.eclipse.org/openj9/docs/attachapi/

However, without doing an ugly hack, I've got no idea how to enable the following two args by default for java itself. I tried some java.properties etc. without any success ☹ ..as a hack, I mean running the Java binary with extra arguments added on top of all other args. Like open-liberty does with its java9.options file during startup.

```
user@server:/opt/wlp/java/current/bin # cat java
#!/bin/bash
$JAVA_HOME/bin/java1 -Dcom.ibm.tools.attach.enable=no -Dcom.ibm.tools.attach.logging=no "$@"
```

..where java1 is the actual, renamed java executable binary. This way files are not getting created at all.

HOW TO REPRODUCE:

```
user@server:/ # /opt/wlp/java/current/bin/java 2> /dev/null ; ls -ld /tmp/.com_ibm_tools_attach ; rm -fr /tmp/.com_ibm_tools_attach
drwxrwxrwt 2 wlpme wlp 4096 Apr  7 13:12 /tmp/.com_ibm_tools_attach
```

..this would run java, check if directory exists and remove it.

..by doing the same with those arguments it's not reproducible anymore (files are not getting created - so there's nothing to be deleted).

```
/opt/wlp/java/current/bin/java -Dcom.ibm.tools.attach.enable=no -Dcom.ibm.tools.attach.logging=no  2> /dev/null ; ls -ld /tmp/.com_ibm_tools_attach ; rm -fr /tmp/.com_ibm_tools_attach
ls: cannot access '/tmp/.com_ibm_tools_attach': No such file or directory
```

So my question is if there's an option to disable attach api permanently on the java level without using bash hacks.

Best regards, K.M.

JasonFengJ9 commented 2 years ago

> So my question is if there's an option to disable attach api permanently on the java level without using bash hacks.

Can't -Dcom.ibm.tools.attach.enable=no be specified as a command line option when running a java application? Please elaborate on the usage scenario.

~On the other hand, adding the option into options.default seems to have no effect~, will have a look.

JasonFengJ9 commented 2 years ago

Adding -Dcom.ibm.tools.attach.enable=no into options.default does prevent the JVM from creating the .com_ibm_tools_attach folder. Be aware that any other OpenJ9 VM running in the background without this option is going to create the same folder silently.

@krismarc fyi

krismarc commented 2 years ago

Hi @JasonFengJ9,

It worked. Thank you very much! I've seen this file (options.default). Not sure if I forgot to give it a try...

Just to answer your question. I want to prevent creation of those files whenever java is used on specific servers, so there might be many sources/applications which share the same java. Those are just defaults, so if it's really needed then the same can be explicitly enabled. It means your approach meets my goal :)

Best regards, K.M.

pshipton commented 2 years ago

It's also possible to set options in an environment variable, which affects all JVMs that run in the environment. See https://www.eclipse.org/openj9/docs/cmdline_specifying/

krismarc commented 2 years ago

Hi @pshipton, that's so cool! Even better than using the file. It will survive even if somebody reinstalls Java.

TLDR for everyone else: export OPENJ9_JAVA_OPTIONS="-Dcom.ibm.tools.attach.enable=no"

pshipton commented 2 years ago

It works well for the top level, but if you have a process which creates a java process and doesn't carry forward the environment, there could be JVMs started that don't get the option.
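
A check for the caveat in the last comment, as an added example that is not part of the thread and not OpenJ9 code: it lists java processes that did not receive `-Dcom.ibm.tools.attach.enable=no` on their command line or through `OPENJ9_JAVA_OPTIONS`. The function names and the sample process tree are constructed for illustration, and it assumes a command-line setting overrides the environment variable.

```shell
#!/bin/bash
# Added example (not OpenJ9 code): report JVMs that did not receive
# -Dcom.ibm.tools.attach.enable=no. Reads a /proc-style tree in which
# <root>/<pid>/cmdline and <root>/<pid>/environ are NUL-separated.
KEY='-Dcom.ibm.tools.attach.enable='

# Print the last value given for $KEY in the option list on stdin (one per line).
last_value() { sed -n "s/^${KEY}//p" | tail -n 1; }

# Succeed if the process in directory $1 has the Attach API disabled.
# Assumption: a command-line setting overrides OPENJ9_JAVA_OPTIONS;
# the options.default file from the thread is not inspected.
attach_disabled() {
    local dir="$1" v
    v=$(tr '\0' '\n' < "$dir/cmdline" | last_value)
    if [ -z "$v" ] && [ -r "$dir/environ" ]; then
        v=$(tr '\0' '\n' < "$dir/environ" |
            sed -n 's/^OPENJ9_JAVA_OPTIONS=//p' | tr ' ' '\n' | last_value)
    fi
    [ "$v" = no ]
}

# Print the PID of each java process under root $1 (default /proc)
# that still has the Attach API enabled.
jvms_with_attach() {
    local root="${1:-/proc}" dir exe
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        exe=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
        [ "${exe##*/}" = java ] || continue
        attach_disabled "$dir" || basename "$dir"
    done
}

# Constructed sample tree with three fake processes (not real captures).
make_sample() {
    local root; root=$(mktemp -d)
    mkdir "$root/101" "$root/102" "$root/103"
    printf 'java\0-jar\0app.jar\0' > "$root/101/cmdline"
    printf 'OPENJ9_JAVA_OPTIONS=-Xmx1g %sno\0' "$KEY" > "$root/101/environ"
    printf '/opt/wlp/java/current/bin/java\0-jar\0child.jar\0' > "$root/102/cmdline"
    printf 'PATH=/usr/bin\0' > "$root/102/environ"
    printf 'java\0%syes\0Main\0' "$KEY" > "$root/103/cmdline"
    cp "$root/101/environ" "$root/103/environ"
    echo "$root"
}
```

On a live host, call `jvms_with_attach` with no argument as root so that every process's `environ` is readable; the sample tree reports PIDs 102 (child started without the inherited environment) and 103 (explicitly re-enabled on the command line).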