11

I can't seem to run Java at all in a Docker container on my server. Even when issuing java -version, I get the following error.

root@86088d679103:/# java -version
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x0000035ce1000000, 2555904, 1) failed; error='Operation not permitted' (errno=1)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# //hs_err_pid17.log

According to this, java can't map 2.5Mb of space for reserved memory? This does not seem right...

I have the full log included at the end, but for the sake of some extra information, my system is reporting the following:

root@86088d679103:/# uname -m
x86_64
root@86088d679103:/# free -mh
             total       used       free     shared    buffers     cached
Mem:           15G       9.7G       5.8G       912K       148M       8.9G
-/+ buffers/cache:       639M        14G
Swap:          15G         0B        15G

Can anyone point me in the right direction?

Full Log: https://gist.github.com/KayoticSully/e206c44681ce261674ba

Update

@Yobert nailed the problem and I highly suggest you read through the comments and chat log. Good info in there.

For those who want the final command that made Java work: setfattr -n user.pax.flags -v "mr" /usr/bin/java

If your distro does not have setfattr installed by default, it should be included in the installable package attr through pacman, apt-get, etc.

venergiac
KayoticSully

3 Answers

12

I had this same problem when using a Grsec-enabled kernel. For Java to play nice, I had to disable MPROTECT on the java binary. You can use the paxctl utility for this:

paxctl -m /usr/lib/jvm/java-7-openjdk/jre/bin/java

You'll need to do paxctl -c on the binary first if you've never used it on that binary before:

paxctl -c /usr/lib/jvm/java-7-openjdk/jre/bin/java

More information about paxctl can be found at: http://en.wikibooks.org/wiki/Grsecurity/Additional_Utilities

Yobert
  • That is awesome to know about, but it's not working for me... I made sure the flag was disabled on the actual java binary that is executed but the same problem is still happening. – KayoticSully Dec 04 '14 at 19:49
  • Check out dmesg-- you should see some stuff there when you try to run it if it's a PAX problem. Also there's a newer way of setting the security attributes via xattrs instead of the binary header, if your kernel supports it. Maybe you have the legacy mode disabled? – Yobert Dec 04 '14 at 22:30
  • Hmm I'd try removing more flags than just m as well. We remove pemrs for java (though I don't think that's idiomatic) – Yobert Dec 04 '14 at 22:38
  • Okay so... I am getting this in dmesg it looks like. `[24753.007799] grsec: From 10.0.0.106: denied RWX mmap of by /usr/lib/jvm/java-8-jre/jre/bin/java[java:19815] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:14286] uid/euid:1000/1000 gid/egid:1000/1000` do I need to do this on Bash too? And this is after I disabled all of the flags on java – KayoticSully Dec 05 '14 at 01:31
  • The Java bin should be all you need. Perhaps there is a different binary in the docker container it's using? – Yobert Dec 05 '14 at 01:33
  • Well that was just running on my main system. Trying to see if this is docker specific. Looks like it has something to do with my setup of Arch. I remember doing some security hardening to it. That's probably what's messing things up. – KayoticSully Dec 05 '14 at 01:38
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/66234/discussion-between-yobert-and-kayoticsully). – Yobert Dec 05 '14 at 01:40
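
An added triage example, not part of the original thread: it reads the errno out of the JVM's `os::commit_memory` warning to tell a policy denial (errno=1, EPERM) from a real memory shortage (errno=12, ENOMEM), and lists which executables grsec denied an RWX mmap so that any PaX exemption is scoped to those files only. The function names are this example's own, and the sample inputs are constructed apart from the JVM warning from the question and the first kernel line, which is the one quoted in the comments above.

```shell
#!/bin/sh
# Added triage sketch; function names are this example's own.

# Print the errno from the first "os::commit_memory(...) failed" JVM warning.
jvm_commit_errno() {
    sed -n 's#.*os::commit_memory(.*) failed; error=.*(errno=\([0-9][0-9]*\)).*#\1#p' | head -n 1
}

# Map that errno to a cause: 1 = EPERM (policy denial), 12 = ENOMEM.
classify_commit_failure() {
    case "$1" in
        1)  echo policy ;;
        12) echo memory ;;
        "") echo none ;;
        *)  echo other ;;
    esac
}

# From kernel log text on stdin, print "count path" for each executable that
# grsec denied an RWX mmap, so any exemption is scoped to those files only.
pax_denied_binaries() {
    sed -n 's#.*grsec: .*denied RWX mmap of .*by \(/[^[]*\)\[[^]]*\].*#\1#p' |
        sort | uniq -c | sed 's/^ *//'
}

# Samples: JVM_EPERM is the warning from the question; JVM_ENOMEM is constructed.
# The first kernel line is the one quoted in the comments; the rest are constructed.
JVM_EPERM="OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x0000035ce1000000, 2555904, 1) failed; error='Operation not permitted' (errno=1)"
JVM_ENOMEM="OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000000e0000000, 536870912, 0) failed; error='Cannot allocate memory' (errno=12)"
KLOG='[24753.007799] grsec: From 10.0.0.106: denied RWX mmap of by /usr/lib/jvm/java-8-jre/jre/bin/java[java:19815] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:14286] uid/euid:1000/1000 gid/egid:1000/1000
[24760.112233] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/jvm/java-8-jre/jre/bin/java[java:19901] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/bash[bash:14286] uid/euid:1000/1000 gid/egid:1000/1000
[24761.000001] audit: unrelated line'

# Demo run over the samples above.
for msg in "$JVM_EPERM" "$JVM_ENOMEM"; do
    cause=$(classify_commit_failure "$(printf '%s\n' "$msg" | jvm_commit_errno)")
    echo "commit_memory failure classified as: $cause"
done
printf '%s\n' "$KLOG" | pax_denied_binaries
```

On a real host, pipe `dmesg` into `pax_denied_binaries` and the failing `java -version` output into `jvm_commit_errno`.
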
11

I had the same problem when running Docker on Alpine Linux, after enabling PaX soft mode it worked:

sysctl -w kernel.pax.softmode=1

Soft mode will disable most PaX features by default, therefore it is not recommended to enable it. The proper way is to use paxctl, as already mentioned above.

Also have a look here: https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Support_soft_mode

Sven Mohr
1

This happened to me as well. We reduced the RAM size on our VM, and after a couple of days we started getting this error and the service never came up.

Solution: We reduced the heap size of the application or service having this issue, and the service came up fine again.

Ankit