elastic · eyalkoren · Sep 7, 2022 · Aug 4, 2022 · Aug 9, 2022 · Aug 10, 2022
@@ -25,7 +25,6 @@ import (
 	"os"
 	"os/exec"
 	"os/user"
-	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
@@ -40,8 +39,10 @@ import (
 	"github.com/elastic/apm-server/internal/beater/config"
 )
 
-// javaAttacher is bundled by the server
-var javaAttacher = filepath.FromSlash("./java-attacher.jar")
+const javawExe = "javaw.exe"
+const javaExe = "java.exe"
+
+const bundledJavaAttacher = "java-attacher.jar"
 
 type jvmDetails struct {
 	user        string
@@ -62,11 +63,14 @@ type JavaAttacher struct {
 	agentConfigs         map[string]string
 	downloadAgentVersion string
 	jvmCache             map[int]*jvmDetails
+	uidToAttacherJar     map[string]string
+	tmpDirs              []string
+	tmpAttacherLock      sync.Mutex
 }
 
 func New(cfg config.JavaAttacherConfig) (*JavaAttacher, error) {
 	logger := logp.NewLogger("java-attacher")
-	if _, err := os.Stat(javaAttacher); err != nil {
+	if _, err := os.Stat(bundledJavaAttacher); err != nil {
 		return nil, err
 	}
 	if !cfg.Enabled {
@@ -83,6 +87,7 @@ func New(cfg config.JavaAttacherConfig) (*JavaAttacher, error) {
 		downloadAgentVersion: cfg.DownloadAgentVersion,
 		rawDiscoveryRules:    cfg.DiscoveryRules,
 		jvmCache:             make(map[int]*jvmDetails),
+		uidToAttacherJar:     make(map[string]string),
 	}
 	for _, flag := range cfg.DiscoveryRules {
 		for name, value := range flag {
@@ -145,7 +150,7 @@ func (j *JavaAttacher) Run(ctx context.Context) error {
 		return fmt.Errorf("java attacher is disabled")
 	}
 
-	// Non-Windows: run discovery and attachment until context is closed.
+	defer j.cleanResources()
 	ticker := time.NewTicker(time.Second)
 	defer ticker.Stop()
 	for {
@@ -160,14 +165,14 @@ func (j *JavaAttacher) Run(ctx context.Context) error {
 			j.logger.Errorf("error during JVMs discovery: %v", err)
 			continue
 		}
-		if err := j.foreachJVM(ctx, jvms, j.attachJVM, true, 30*time.Second); err != nil {
+		if err := j.foreachJVM(ctx, jvms, j.attachJVM, false, 2*time.Minute); err != nil {
 			// Error is non-fatal; try again next time.
 			j.logger.Errorf("JVM attachment failed: %s", err)
 		}
 	}
 }
 
-// this function blocks until discovery has ended, an error occurred or the context had been cancelled
+// discoverJVMsForAttachment blocks until discovery ends, an error is received or the context is done.
 func (j *JavaAttacher) discoverJVMsForAttachment(ctx context.Context) (map[int]*jvmDetails, error) {
 	jvms, err := j.discoverAllRunningJavaProcesses()
 	if err != nil {
@@ -253,14 +258,22 @@ func (j *JavaAttacher) discoverAllRunningJavaProcesses() (map[int]*jvmDetails, e
 			gid:         gid,
 			pid:         pid,
 			startTime:   info.StartTime,
-			command:     info.Exe,
+			command:     normalizeJavaCommand(info.Exe),
 			version:     "unknown", // filled in later
 			cmdLineArgs: strings.Join(info.Args, " "),
 		}
 	}
 	return jvms, nil
 }
 
+func normalizeJavaCommand(command string) string {
+	if strings.HasSuffix(command, javawExe) {
+		command = strings.TrimSuffix(command, javawExe)
+		command = command + javaExe
+	}
+	return command
+}
+
 // foreachJVM calls f for each JVM in jvms concurrently,
 // returning when one of the following is true:
 //   1. The function completes for each JVM
@@ -308,8 +321,8 @@ func (j *JavaAttacher) foreachJVM(
 
 func (j *JavaAttacher) filterCached(jvms map[int]*jvmDetails) {
 	for pid, jvm := range jvms {
-		cachedjvmDetails, found := j.jvmCache[pid]
-		if !found || !cachedjvmDetails.startTime.Equal(jvm.startTime) {
+		cachedJvmDetails, found := j.jvmCache[pid]
+		if !found || !cachedJvmDetails.startTime.Equal(jvm.startTime) {
 			// this is a JVM not yet encountered - add to cache
 			j.jvmCache[pid] = jvm
 		} else {
@@ -354,15 +367,25 @@ func (j *JavaAttacher) verifyJVMExecutable(ctx context.Context, jvm *jvmDetails)
 // once the agent is attached or the context is closed; it may be blocking for long and should be called with a timeout context.
 func (j *JavaAttacher) attachJVM(ctx context.Context, jvm *jvmDetails) error {
 	cmd := j.attachJVMCommand(ctx, jvm)
+	if cmd == nil {
+		return nil
+	}
 	if err := j.setRunAsUser(jvm, cmd); err != nil {
 		j.logger.Warnf("Failed to attach as user %q: %v. Trying to attach as current user,", jvm.user, err)
 	}
 	return runAttacherCommand(ctx, cmd, j.logger)
 }
 
+// attachJVMCommand constructs an attacher command for the provided jvmDetails.
+// NOTE: this method may have side effects, including the creation of a tmp directory with a copy of the attacher jar (non-Windows),
+// as well as a corresponding status change to this JavaAttacher, where the created tmp dir and jar paths are cached.
 func (j *JavaAttacher) attachJVMCommand(ctx context.Context, jvm *jvmDetails) *exec.Cmd {
+	attacherJar := j.getAttacherJar(jvm.uid)
+	if attacherJar == "" {
+		return nil
+	}
 	args := []string{
-		"-jar", javaAttacher,
+		"-jar", attacherJar,
 		"--log-level", "debug",
 		"--include-pid", strconv.Itoa(jvm.pid),
 	}

@@ -0,0 +1,148 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !windows
+// +build !windows
+
+package javaattacher
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/user"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildInvalidCommand(t *testing.T) {
+	cfg := createTestConfig()
+	f, err := os.Create(bundledJavaAttacher)
+	require.NoError(t, err)
+	//goland:noinspection GoUnhandledErrorResult
+	defer os.Remove(f.Name())
+
+	attacher, err := New(cfg)
+	require.NoError(t, err)
+	defer attacher.cleanResources()
+
+	// invalid user and group ensures usage of the bundled jar
+	jvm := &jvmDetails{
+		pid:     12345,
+		uid:     "invalid",
+		command: filepath.FromSlash("/home/someuser/java_home/bin/java"),
+	}
+	command := attacher.attachJVMCommand(context.Background(), jvm)
+	assert.Nil(t, command)
+	assert.Empty(t, attacher.tmpDirs)
+	assert.Len(t, attacher.uidToAttacherJar, 1)
+}
+
+func TestBuildCommandWithTempJar(t *testing.T) {
+	cfg := createTestConfig()
+	f, err := os.Create(bundledJavaAttacher)
+	require.NoError(t, err)
+	//goland:noinspection GoUnhandledErrorResult
+	defer os.Remove(f.Name())
+
+	attacher, err := New(cfg)
+	require.NoError(t, err)
+	defer attacher.cleanResources()
+
+	currentUser, _ := user.Current()
+	jvm := &jvmDetails{
+		pid:     12345,
+		uid:     currentUser.Uid,
+		gid:     currentUser.Gid,
+		command: filepath.FromSlash("/home/someuser/java_home/bin/java"),
+	}
+	assert.Empty(t, attacher.tmpDirs)
+	assert.Empty(t, attacher.uidToAttacherJar)
+	command := attacher.attachJVMCommand(context.Background(), jvm)
+	assert.Len(t, attacher.tmpDirs, 1)
+	assert.Len(t, attacher.uidToAttacherJar, 1)
+	attacherJar := attacher.uidToAttacherJar[currentUser.Uid]
+	assert.NotEqual(t, attacherJar, "")
+	require.NotEqual(t, bundledJavaAttacher, attacherJar)
+	want := filepath.FromSlash(fmt.Sprintf("/home/someuser/java_home/bin/java -jar %v", attacherJar)) +
+		" --log-level debug --include-pid 12345 --download-agent-version 1.27.0 --config server_url=http://myhost:8200"
+
+	cmdArgs := strings.Join(command.Args, " ")
+	assert.Equal(t, want, cmdArgs)
+
+	cfg.Config["service_name"] = "my-cool-service"
+	attacher, err = New(cfg)
+	require.NoError(t, err)
+	defer attacher.cleanResources()
+
+	command = attacher.attachJVMCommand(context.Background(), jvm)
+	cmdArgs = strings.Join(command.Args, " ")
+	assert.Contains(t, cmdArgs, "--config server_url=http://myhost:8200")
+	assert.Contains(t, cmdArgs, "--config service_name=my-cool-service")
+}
+
+func TestTempDirCreation(t *testing.T) {
+	cfg := createTestConfig()
+	f, err := os.Create(bundledJavaAttacher)
+	require.NoError(t, err)
+	//goland:noinspection GoUnhandledErrorResult
+	defer os.Remove(f.Name())
+	attacher, err := New(cfg)
+	require.NoError(t, err)
+	defer attacher.cleanResources()
+
+	currentUser, _ := user.Current()
+	jvm := &jvmDetails{
+		pid:     12345,
+		uid:     currentUser.Uid,
+		gid:     currentUser.Gid,
+		command: filepath.FromSlash("/home/someuser/java_home/bin/java"),
+	}
+	assert.Empty(t, attacher.tmpDirs)
+	assert.Empty(t, attacher.uidToAttacherJar)
+	// this call creates the temp dir
+	attacher.attachJVMCommand(context.Background(), jvm)
+	assert.Len(t, attacher.uidToAttacherJar, 1)
+	attacherJar := attacher.uidToAttacherJar[currentUser.Uid]
+	assert.NotEqual(t, attacherJar, "")
+	require.NotEqual(t, bundledJavaAttacher, attacherJar)
+
+	assert.Len(t, attacher.tmpDirs, 1)
+	tempAttacherDir := attacher.tmpDirs[0]
+	require.DirExists(t, tempAttacherDir)
+	attacherDirInfo, err := os.Stat(tempAttacherDir)
+	require.NoError(t, err)
+	require.Equal(t, os.FileMode(0700), attacherDirInfo.Mode().Perm())
+	tempDir, err := os.Open(tempAttacherDir)
+	require.NoError(t, err)
+	files, err := tempDir.ReadDir(0)
+	require.NoError(t, err)
+	require.Len(t, files, 1)
+	attacherJarFileInfo, err := files[0].Info()
+	require.NoError(t, err)
+	require.Equal(t, os.FileMode(0600), attacherJarFileInfo.Mode().Perm())
+	require.Equal(t, attacherJar, filepath.Join(tempAttacherDir, attacherJarFileInfo.Name()))
+
+	// verify caching
+	attacher.attachJVMCommand(context.Background(), jvm)
+	assert.Len(t, attacher.tmpDirs, 1)
+	assert.Len(t, attacher.uidToAttacherJar, 1)
+}
@@ -18,11 +18,8 @@
 package javaattacher
 
 import (
-	"context"
 	"os"
-	"path/filepath"
 	"regexp"
-	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -39,37 +36,6 @@ func TestNoAttacherCreatedWithoutDiscoveryRules(t *testing.T) {
 	require.Error(t, err)
 }
 
-func TestBuild(t *testing.T) {
-	cfg := createTestConfig()
-	f, err := os.Create(javaAttacher)
-	require.NoError(t, err)
-	//goland:noinspection GoUnhandledErrorResult
-	defer os.Remove(f.Name())
-
-	attacher, err := New(cfg)
-	require.NoError(t, err)
-
-	jvm := &jvmDetails{
-		pid:     12345,
-		command: filepath.FromSlash("/home/someuser/java_home/bin/java"),
-	}
-	cmd := attacher.attachJVMCommand(context.Background(), jvm)
-	want := filepath.FromSlash("/home/someuser/java_home/bin/java -jar ./java-attacher.jar") +
-		" --log-level debug --include-pid 12345 --download-agent-version 1.27.0 --config server_url=http://myhost:8200"
-
-	cmdArgs := strings.Join(cmd.Args, " ")
-	assert.Equal(t, want, cmdArgs)
-
-	cfg.Config["service_name"] = "my-cool-service"
-	attacher, err = New(cfg)
-	require.NoError(t, err)
-
-	cmd = attacher.attachJVMCommand(context.Background(), jvm)
-	cmdArgs = strings.Join(cmd.Args, " ")
-	assert.Contains(t, cmdArgs, "--config server_url=http://myhost:8200")
-	assert.Contains(t, cmdArgs, "--config service_name=my-cool-service")
-}
-
 func createTestConfig() config.JavaAttacherConfig {
 	args := []map[string]string{
 		{"exclude-user": "root"},
@@ -99,12 +65,13 @@ func TestDiscoveryRulesAllowlist(t *testing.T) {
 		Enabled:        true,
 		DiscoveryRules: args,
 	}
-	f, err := os.Create(javaAttacher)
+	f, err := os.Create(bundledJavaAttacher)
 	require.NoError(t, err)
 	//goland:noinspection GoUnhandledErrorResult
 	defer os.Remove(f.Name())
 	javaAttacher, err := New(cfg)
 	require.NoError(t, err)
+	defer javaAttacher.cleanResources()
 	discoveryRules := javaAttacher.discoveryRules
 	require.Len(t, discoveryRules, allowlistLength)
 }
@@ -125,12 +92,13 @@ func TestConfig(t *testing.T) {
 		},
 		DownloadAgentVersion: "1.25.0",
 	}
-	f, err := os.Create(javaAttacher)
+	f, err := os.Create(bundledJavaAttacher)
 	require.NoError(t, err)
 	//goland:noinspection GoUnhandledErrorResult
 	defer os.Remove(f.Name())
 	javaAttacher, err := New(cfg)
 	require.NoError(t, err)
+	defer javaAttacher.cleanResources()
 	require.True(t, javaAttacher.enabled)
 	require.Equal(t, "http://localhost:8200", javaAttacher.agentConfigs["server_url"])
 	require.Equal(t, "1.25.0", javaAttacher.downloadAgentVersion)
@@ -181,3 +149,9 @@ func TestConfig(t *testing.T) {
 	javaAttacher.discoveryRules[4] = &userDiscoveryRule{}
 	require.Nil(t, javaAttacher.findFirstMatch(&jvmDetails))
 }
+
+func TestJavaCommandNormalization(t *testing.T) {
+	javaBin := "java_home/bin/"
+	assert.Equal(t, javaBin+javaExe, normalizeJavaCommand(javaBin+javaExe))
+	assert.Equal(t, javaBin+javaExe, normalizeJavaCommand(javaBin+javawExe))
+}