I deployed a microservice with a Docker container and want to check the JVM information. So I enter the container and find the pid. Then I run the jmap -heap pid command, but I get the following error log:
How to fix it?
In Linux, jmap -heap works on top of the Serviceability Agent, which in turn relies on the ptrace syscall.
By default, ptrace requires root privileges (or more precisely, the CAP_SYS_PTRACE capability). Furthermore, the Docker default security profile denies the ptrace syscall either by seccomp or apparmor.
So, in order to allow ptrace and jmap -heap in a container, it might be necessary to add the following docker options:
--cap-add=SYS_PTRACE --security-opt=seccomp:unconfined --security-opt=apparmor:unconfined
Note: this is not the best solution from a security perspective. Consult the Docker manual to find out how to enable a particular syscall without switching off seccomp and apparmor.
An even better option would be to avoid jmap -heap altogether. There are other efficient ways to monitor the JVM without Serviceability Agent support, e.g. jcmd, jstat and JMX.
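Added example, not part of the original answer: one way to enable only ptrace instead of using seccomp:unconfined is to check how a seccomp profile in Docker's JSON format treats the syscall and append a single allow rule. The sample profile is constructed for illustration, and the function names syscall_status and allow_syscalls are hypothetical.

```python
import copy
import json

# Constructed sample in Docker's seccomp profile JSON layout (not Docker's real default).
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "futex"], "action": "SCMP_ACT_ALLOW"},
        # ptrace is only allowed when the container holds CAP_SYS_PTRACE.
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    ],
}


def syscall_status(profile, name):
    """Classify a syscall as 'allowed', 'conditional' or 'denied' in an allowlist profile."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        raise ValueError("not an allowlist profile: defaultAction allows everything")
    status = "denied"
    for rule in profile.get("syscalls", []):
        if name not in rule.get("names", []) or rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        if not (rule.get("includes") or rule.get("excludes") or rule.get("args")):
            return "allowed"      # unconditional allow rule
        status = "conditional"    # allowed only under caps/arch/argument conditions
    return status


def allow_syscalls(profile, names):
    """Return a copy with one unconditional allow rule for names not yet allowed."""
    missing = [n for n in names if syscall_status(profile, n) != "allowed"]
    patched = copy.deepcopy(profile)
    if missing:
        patched.setdefault("syscalls", []).append(
            {"names": missing, "action": "SCMP_ACT_ALLOW"})
    return patched


if __name__ == "__main__":
    print("before:", syscall_status(SAMPLE_PROFILE, "ptrace"))
    patched = allow_syscalls(SAMPLE_PROFILE, ["ptrace"])
    print("after: ", syscall_status(patched, "ptrace"))
    # Save the output and pass it with: --security-opt seccomp=<file>
    print(json.dumps(patched, indent=2))
```

Pass the resulting file with --security-opt seccomp=<file> in place of seccomp:unconfined; the capability and AppArmor options from the answer are separate controls and are not changed by this profile.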