jstack - 众所周知的文件不安全
我正在使用 32 位 Oracle Java 1.6.0 在 x86_64 CentOS 5.7 上运行 tomcat 5.5。
tomcat使用的JVM进程有6421 pid。汤姆猫工作正常。
当运行jstack时,它失败并显示:
[root@mybox ~]# jstack 6421
6421: well-known file is not secure
为了获得任何合理的输出,我需要使用force选项:
[root@mybox ~]# jstack -F 6421
Attaching to process ID 6421, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 17.0-b16
Deadlock Detection:
No deadlocks found.
(...)
问题是:
- 错误消息“众所周知”是什么意思文件不安全”是什么意思?
- 什么是“众所周知”的文件?
- 为什么/什么时候如果没有强制选项,
jstack命令不起作用?
提前致谢。
I am running tomcat 5.5 on x86_64 CentOS 5.7 using 32-bit Oracle Java 1.6.0.
JVM process used by tomcat has 6421 pid. Tomcat is working fine.
When run jstack it fails with:
[root@mybox ~]# jstack 6421
6421: well-known file is not secure
To get any reasonable output, I need to use force option:
[root@mybox ~]# jstack -F 6421
Attaching to process ID 6421, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 17.0-b16
Deadlock Detection:
No deadlocks found.
(...)
The questions are:
- what does the error message "well-known file is not secure" mean?
- what is the "well-known" file?
- why/when does the
jstackcommand not work without a force option?
Thanks in advance.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(11)
可能最简单的方法是:
通过以下方式查看进程的所有者
ps-ef | grep“进程名称”
然后切换到该用户并运行命令。
jcmd PID GC.run 或任何其他 java 实用程序
我注意到这里没有人讨论的一件事是;您还需要设置 JAVA_HOME 变量。检查这个
回显$JAVA_HOME
Probably the easiest way is:
see the owner of the process by
ps -ef | grep "process name"
then switch to that user and run the command.
jcmd PID GC.run or any other java utility
One thing i noticed that nobody discussed here is; you also need to have JAVA_HOME variable set. check this by
echo $JAVA_HOME
要成功使用 jstack,您应该使用与进程相同的用户来运行它。
To successfully use the jstack, you should be running it with the same user as the process.
这可能是由于 /tmp 中用于与进程通信的文件具有与 jstack 获取的权限不同的权限。有问题的文件是/tmp/hsperfdata_$USER/$PID。
不知道为什么它与 -F 一起使用,因为手册页只是说“当‘jstack [-l] pid’没有响应时强制进行堆栈转储。”
This is probably due to the file in /tmp used to communicate with the process having different permissions than the one the jstack gets. The file in question is /tmp/hsperfdata_$USER/$PID.
Don't know why it works with -F as the man page just says "Force a stack dump when 'jstack [-l] pid' does not respond."
当使用
-F时,jvm将冻结。如果您可以找到
文件:/tmp/hsperfdata_$USER/$PID。只需尝试切换到$USER,然后exec jstack。您正在使用“root”运行,但该进程可能不属于root。如果 $USER 没有登录 shell(即守护程序用户),因此无法切换到该用户,您可以使用 sudo -u $USER jstack $PID< 来解决此问题/代码>
when
-Fis used, the jvm will be frozen.If you can find the
file: /tmp/hsperfdata_$USER/$PID. Just try to switch to the$USER, and thenexec jstack. You are running with "root", but that process may not belong to root.if
$USERdoes not have a login shell (i.e. daemon users), and thus can not switch to that user, you can work around this by usingsudo -u $USER jstack $PID您需要以拥有 java 进程的用户身份运行 jstack 命令:
例如,如果您的 java 应用程序由名为
java-user的用户拥有:You need to run the jstack command as the user that owns the java process :
For example if your java application is owned by a user called
java-user:当我尝试以
root身份运行jstack时,我遇到了这个问题。一旦我切换到另一个用户,它立即起作用。
I had this problem when i tried to run
jstackasroot.Once i switched to another user it worked immediately.
我只是想补充一点,您可能需要通过 -J 选项指定您的 /tmp 目录,因为并非所有应用程序都使用默认目录
I just would like to add that you might need to specify your /tmp directory by -J option, since not all apps use the the default one
我运行时遇到同样的错误:
作为 sudo 执行它可以工作:
I was getting the same error running:
Doing as sudo it works:
如果您不想担心用户并且可以以 root 身份工作并且可以终止进程,则可以使用最后的手段:
这会将线程转储写入控制台日志,例如,对于 Tomcat,需要 grep 查找“完整线程”,即 logs/catalina.out 中线程转储的开头,然后获取 tdump 文件,如下所示:
If you don't want to worry about user and can work as root and are okay to kill the process, you could use this last resort:
This will write the thread dump to your console log, for example, in case of Tomcat, that would require grepping for "Full Thread" that is the beginning of the thread dump in logs/catalina.out and then getting the tdump file as:
这是我用来确保我始终使用正确的用户权限的一行:
This is the one liner I use to make sure I'm always using the correct user permissions:
除了使用相同的用户运行之外,请确保运行 jstack/jmap 的用户的组 ID 也与进程中的相同。
看一下 检查文件权限的源代码(第347行)。我们可以看到获取组 id 的函数不是一个数组,因此用户可能有其他组启动了该进程。
您可能必须更改用户的主要组:
#usermod -g group -G user userBesides running with the same user, make sure that the group id of the user running jstack/jmap is also the same from the process.
Take a look at the source code that checks for file permission (line 347). We can see that the function getting the group id is not an array, so it could be possible that the user has other groups, which started the process.
You might have to change the primary group from the user:
#usermod -g group -G user user