jmap and similar commands cannot be used inside a Docker container (cap-add)

Running the jmap command inside a Docker container fails with "Operation not permitted".

  • The full error output is below; at first glance it looks like a permissions problem:
root@XXX:/opt/contentCloud/admin# docker exec -it content-cloud bash
root@da515f1d9f7a:/opt/contentCloud/admin# jps
2512 Jps
8 jar
root@da515f1d9f7a:/opt/contentCloud/admin# jmap -clstats 8
Attaching to process ID 8, please wait...
Error attaching to process: sun.jvm.hotspot.debugger.DebuggerException: Can't attach to the process: ptrace(PTRACE_ATTACH, ..) failed for 8: Operation not permitted
sun.jvm.hotspot.debugger.DebuggerException: sun.jvm.hotspot.debugger.DebuggerException: Can't attach to the process: ptrace(PTRACE_ATTACH, ..) failed for 8: Operation not permitted
    at sun.jvm.hotspot.debugger.linux.LinuxDebuggerLocal$LinuxDebuggerLocalWorkerThread.execute(LinuxDebuggerLocal.java:163)
    at sun.jvm.hotspot.debugger.linux.LinuxDebuggerLocal.attach(LinuxDebuggerLocal.java:278)
    at sun.jvm.hotspot.HotSpotAgent.attachDebugger(HotSpotAgent.java:671)
    at sun.jvm.hotspot.HotSpotAgent.setupDebuggerLinux(HotSpotAgent.java:611)
    at sun.jvm.hotspot.HotSpotAgent.setupDebugger(HotSpotAgent.java:337)
    at sun.jvm.hotspot.HotSpotAgent.go(HotSpotAgent.java:304)
    at sun.jvm.hotspot.HotSpotAgent.attach(HotSpotAgent.java:140)
    at sun.jvm.hotspot.tools.Tool.start(Tool.java:185)
    at sun.jvm.hotspot.tools.Tool.execute(Tool.java:118)
    at sun.jvm.hotspot.tools.ClassLoaderStats.main(ClassLoaderStats.java:54)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at sun.tools.jmap.JMap.runTool(JMap.java:201)
    at sun.tools.jmap.JMap.main(JMap.java:130)
Caused by: sun.jvm.hotspot.debugger.DebuggerException: Can't attach to the process: ptrace(PTRACE_ATTACH, ..) failed for 8: Operation not permitted
    at sun.jvm.hotspot.debugger.linux.LinuxDebuggerLocal.attach0(Native Method)
    at sun.jvm.hotspot.debugger.linux.LinuxDebuggerLocal.access$100(LinuxDebuggerLocal.java:62)
    at sun.jvm.hotspot.debugger.linux.LinuxDebuggerLocal$1AttachTask.doit(LinuxDebuggerLocal.java:269)
    at sun.jvm.hotspot.debugger.linux.LinuxDebuggerLocal$LinuxDebuggerLocalWorkerThread.run(LinuxDebuggerLocal.java:138)

  • Cause
    This is a security feature that Docker introduced in version 1.10. JDK tools such as jmap rely on the Linux PTRACE_ATTACH operation, and starting with 1.10 Docker blocks the ptrace syscall in its default seccomp profile.
    Reference:
    https://jarekprzygodzki.wordpress.com/2016/12/19/jvm-in-docker-and-ptrace_attach/

  • Solution
    If the container is started with docker-compose, add a cap_add entry as shown below:

version: '2'
services:
  content1:
    image: xxx/content
    container_name: content
    restart: always
    cap_add:
     - SYS_PTRACE
    expose:
     - 80
    ports:
      - "8080:80"
    volumes:
     ......

When starting the container with a plain docker run command, add --cap-add=SYS_PTRACE:

docker run --cap-add=SYS_PTRACE ........
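Before re-running jmap it is worth confirming that the capability actually reached the container. The following added example (not part of the original post) decodes the CapEff bitmask and the Seccomp mode from /proc/<pid>/status; the sample status excerpts are constructed, and the CapEff values are assumed to be Docker's default capability set without and with SYS_PTRACE added.

```python
"""Check whether a process in a container holds CAP_SYS_PTRACE.

jmap/jstack attach via ptrace(PTRACE_ATTACH). The seccomp profile
described on this page blocks that unless the container was started
with --cap-add=SYS_PTRACE, so we decode the CapEff bitmask and the
Seccomp mode straight from /proc/<pid>/status.
"""
import sys

CAP_SYS_PTRACE = 19  # capability bit number from <linux/capability.h>
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}


def parse_proc_status(text: str) -> dict:
    """Return {'CapEff': int, 'Seccomp': int} from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "CapEff": int(fields.get("CapEff", "0"), 16),  # hex bitmask
        "Seccomp": int(fields.get("Seccomp", "0")),    # 0, 1 or 2
    }


def has_sys_ptrace(cap_eff: int) -> bool:
    """True if bit 19 (CAP_SYS_PTRACE) is set in the effective set."""
    return bool((cap_eff >> CAP_SYS_PTRACE) & 1)


def diagnose(text: str) -> str:
    """Human-readable verdict for one /proc/<pid>/status document."""
    st = parse_proc_status(text)
    mode = SECCOMP_MODES.get(st["Seccomp"], "unknown")
    if has_sys_ptrace(st["CapEff"]):
        return f"CAP_SYS_PTRACE present, seccomp={mode}: ptrace attach should work"
    return f"CAP_SYS_PTRACE missing, seccomp={mode}: expect 'Operation not permitted'"


# Constructed excerpts (not captured from the page's host). CapEff is assumed
# to be Docker's default capability set, then the same set plus SYS_PTRACE.
DEFAULT_CONTAINER = "Name:\tjava\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
WITH_PTRACE = "Name:\tjava\nCapEff:\t00000000a80c25fb\nSeccomp:\t2\n"

if __name__ == "__main__":
    # Run inside the container: python3 check_ptrace.py [pid]  (defaults to self)
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as f:
        print(diagnose(f.read()))
```

Running it against the JVM's pid (8 in the session above) tells you whether the remaining failure is a capability problem or something else, before you reach for jmap again.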

Reference: https://www.xiaocaicai.com/2018/07/docker-%E5%AE%B9%E5%99%A8%E9%87%8C%E6%97%A0%E6%B3%95%E4%BD%BF%E7%94%A8-jdk-%E7%9A%84-jmap-%E7%AD%89%E5%91%BD%E4%BB%A4%E7%9A%84%E9%97%AE%E9%A2%98/
