JDK-8261242

[Linux] OSContainer::is_containerized() returns true when run outside a container

    Details

    • Type: Enhancement
    • Status: Open
    • Priority: P4
    • Resolution: Unresolved
    • Affects Version/s: 17
    • Fix Version/s: 18
    • Component/s: hotspot
    • Labels:
    • Subcomponent:
    • CPU: generic
    • OS: linux

      Description

      Currently, the code in HotSpot that determines whether or not the JVM thinks it runs in a container may return false positives on a plain Linux host.

      Bob mentions that there wasn't a reliable way to detect whether or not a JVM runs in a container:

      https://bugs.openjdk.java.net/browse/JDK-8227006?focusedCommentId=14275609&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14275609

      I believe this changed. We should be able to determine whether we run in a container by looking for the existence of the /.dockerenv file (Docker) or the /run/.containerenv file (Podman and others). It's still less than perfect, but the status quo is less than ideal too.

      Research questions:
      What should happen if there are cgroup limits enforced via other means? For example, systemd. It wouldn't have either file and the code would regress on some of those systems if implemented that way.

      See:
      https://github.com/containers/buildah/issues/1843
      http://docs.podman.io/en/latest/markdown/podman-run.1.html
      https://github.com/moby/libnetwork/pull/815/commits/66ab744d19e534ed723fdb7b8df11a5e95f05630
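
The marker-file check proposed in the description, together with the systemd case from the research question, as an added example (not HotSpot code and not part of the original issue). It assumes a cgroup v2 unified hierarchy and looks only at memory.max of the process's own cgroup; the `root` prefix parameter and all names are hypothetical, so the logic can be run against a constructed directory tree.

```cpp
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>
#include <sys/stat.h>

enum class Env { ContainerMarker, HostWithCgroupLimit, PlainHost };

static bool exists(const std::string& p) {
  struct stat st;
  return stat(p.c_str(), &st) == 0;
}

// cgroup v2 path of this process, read from <root>/proc/self/cgroup
// (line format "0::/some/path"); "" if there is no v2 entry.
static std::string cgroup_v2_path(const std::string& root) {
  std::ifstream in(root + "/proc/self/cgroup");
  std::string line;
  while (std::getline(in, line))
    if (line.compare(0, 3, "0::") == 0) return line.substr(3);
  return "";
}

// True if memory.max of that cgroup holds a number rather than "max".
// Simplification: limits set on ancestor cgroups are not walked.
static bool has_memory_limit(const std::string& root) {
  std::string cg = cgroup_v2_path(root);
  if (cg.empty()) return false;
  std::ifstream in(root + "/sys/fs/cgroup" + cg + "/memory.max");
  std::string v;
  return (in >> v) && v != "max";
}

// Marker files first; a limit without a marker is reported separately,
// because that is the case that would regress if only files were checked.
Env classify(const std::string& root) {
  if (exists(root + "/.dockerenv") || exists(root + "/run/.containerenv"))
    return Env::ContainerMarker;
  if (has_memory_limit(root)) return Env::HostWithCgroupLimit;
  return Env::PlainHost;
}

int main() {
  Env e = classify("");  // "" means the real filesystem root
  std::puts(e == Env::ContainerMarker ? "container marker file found"
            : e == Env::HostWithCgroupLimit ? "no marker, cgroup memory limit set"
                                            : "plain host");
  return EXIT_SUCCESS;
}
```
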

            People

            Assignee:
            hseigel Harold Seigel
            Reporter:
            sgehwolf Severin Gehwolf
