jstack - well-known file is not secure

Java, Jvm, Jstack

Java Problem Overview


I am running tomcat 5.5 on x86_64 CentOS 5.7 using 32-bit Oracle Java 1.6.0.

The JVM process used by tomcat has pid 6421. Tomcat is working fine.

When I run jstack it fails with:

[root@mybox ~]# jstack 6421
6421: well-known file is not secure

To get any reasonable output, I need to use the force option:

[root@mybox ~]# jstack -F 6421
Attaching to process ID 6421, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 17.0-b16
Deadlock Detection:

No deadlocks found.
(...)

The questions are:

  1. What does the error message "well-known file is not secure" mean?
  2. What is the "well-known" file?
  3. Why/when does the jstack command not work without the force option?

Thanks in advance.

Java Solutions


Solution 1 - Java

This is probably due to the file in /tmp used to communicate with the process having different permissions than the one the jstack gets. The file in question is /tmp/hsperfdata_$USER/$PID.

Don't know why it works with -F as the man page just says "Force a stack dump when 'jstack [-l] pid' does not respond."

Solution 2 - Java

When -F is used, the JVM will be frozen.

If you can find the file /tmp/hsperfdata_$USER/$PID, just try to switch to the $USER, and then exec jstack. You are running as "root", but that process may not belong to root.

If $USER does not have a login shell (i.e. daemon users), and thus you cannot switch to that user, you can work around this by using sudo -u $USER jstack $PID

Solution 3 - Java

I had this problem when I tried to run jstack as root.

Once I switched to another user it worked immediately.

Solution 4 - Java

I would just like to add that you might need to specify your /tmp directory with the -J option, since not all apps use the default one:

jstack -J-Djava.io.tmpdir=PATH -l PID

Solution 5 - Java

I was getting the same error running:

watch -n .5 "jstack 26259"

Doing it with sudo works:

sudo watch -n .5 "jstack 26259"

Solution 6 - Java

If you don't want to worry about the user, can work as root, and are okay to kill the process, you could use this as a last resort:

kill -s SIGQUIT $PID

This will write the thread dump to your console log. For example, in the case of Tomcat, that would require grepping for "Full thread", which is the beginning of the thread dump in logs/catalina.out, and then getting the tdump file as:

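# Line number of the most recent "Full thread dump" header in the log
DUMP_IDX=$(grep -n 'Full thread' logs/catalina.out | tail -1 | cut -d':' -f1)
# Copy everything from that line to the end of the file
sed -n "${DUMP_IDX},\$p" logs/catalina.out > jstack-kill-thread-dump-0309.tdump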

Solution 7 - Java

You need to run the jstack command as the user that owns the java process:

For example, if your java application is owned by a user called java-user:

sudo -u java-user jstack -l <pid> 

Solution 8 - Java

This is the one liner I use to make sure I'm always using the correct user permissions:

proc="my-process-name"; pid=$(pgrep -f "${proc}"); sudo -u "#$(ps -o uid= -p "${pid}" | tr -d ' ')" /usr/bin/jstack -l "${pid}" > /mnt/dumps/"${proc}"-$(date +%s).txt

Solution 9 - Java

Probably the easiest way is:

See the owner of the process with ps -ef | grep "process name"

Then switch to that user and run the command:

jcmd PID GC.run or any other Java utility

One thing I noticed that nobody discussed here is that you also need to have the JAVA_HOME variable set. Check this with echo $JAVA_HOME

Solution 10 - Java

To successfully use the jstack, you should be running it with the same user as the process.

Solution 11 - Java

Besides running with the same user, make sure that the group id of the user running jstack/jmap is also the same as that of the process.

Take a look at the source code that checks for file permission (line 347). We can see that the function getting the group id is not an array, so it could be possible that the user has other groups, which started the process.

You might have to change the primary group of the user:

#usermod -g group -G user user
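
Added example (not part of the original question or answers, and not JDK code): a shell check of the conditions the answers describe, same user and same group as the JVM process, run against a file path you pass in. The function names are hypothetical, the mode test (no group/other read or write bits) is an assumption about the JDK check that the page does not spell out, and the script relies on Linux /proc and GNU stat.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Usage: sh check.sh PID FILE

# Print "EUID EGID" of a running process (Linux: column 3 of the
# Uid:/Gid: lines in /proc/PID/status is the effective id).
proc_ids() {
    awk '/^Uid:/ {u=$3} /^Gid:/ {g=$3} END {print u, g}' "/proc/$1/status"
}

# check_secure_file FILE CALLER_UID CALLER_GID
# Prints "ok", "missing", or the failed conditions (uid, gid, mode).
# Returns 0 only when every condition passes.
check_secure_file() {
    info=$(stat -c '%u %g %a' "$1" 2>/dev/null) || { echo "missing"; return 2; }
    set -- "$1" "$2" "$3" $info   # $4=file uid, $5=file gid, $6=octal mode
    failed=""
    [ "$4" = "$2" ] || failed="$failed uid"
    [ "$5" = "$3" ] || failed="$failed gid"
    # Assumed rule: no read/write bits for group or other (mask 066).
    [ $(( 0$6 & 066 )) -eq 0 ] || failed="$failed mode"
    if [ -z "$failed" ]; then echo "ok"; return 0; fi
    echo "${failed# }"
    return 1
}

# diagnose PID FILE: test FILE against the current caller; on failure,
# print the ids the JVM runs under and a matching sudo invocation.
diagnose() {
    pid=$1; file=$2
    if result=$(check_secure_file "$file" "$(id -u)" "$(id -g)"); then
        echo "caller matches $file: jstack $pid should pass this check"
    else
        set -- $(proc_ids "$pid")
        echo "failed: $result (JVM runs as uid=$1 gid=$2)"
        echo "try: sudo -u '#$1' -g '#$2' jstack $pid"
    fi
}

if [ $# -eq 2 ]; then diagnose "$1" "$2"; fi
```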

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
|---|---|---|
| Question | Michał Šrajer | View Question on Stackoverflow |
| Solution 1 - Java | Roger Lindsjö | View Answer on Stackoverflow |
| Solution 2 - Java | Evans Y. | View Answer on Stackoverflow |
| Solution 3 - Java | Frederic Leitenberger | View Answer on Stackoverflow |
| Solution 4 - Java | iddqd | View Answer on Stackoverflow |
| Solution 5 - Java | Alper Akture | View Answer on Stackoverflow |
| Solution 6 - Java | kisna | View Answer on Stackoverflow |
| Solution 7 - Java | Mouad EL Fakir | View Answer on Stackoverflow |
| Solution 8 - Java | douglaslps | View Answer on Stackoverflow |
| Solution 9 - Java | Mr Kashyap | View Answer on Stackoverflow |
| Solution 10 - Java | Suyash Jain | View Answer on Stackoverflow |
| Solution 11 - Java | Ricardo Zanini | View Answer on Stackoverflow |