Standalone apm agent is asking for a local user account password

OS RedHat
OpenJdk 11

The version 1.23.0 CLI agent asks for a password when run. It is possible to just hit enter or provide a wrong password and it will do the job. But what is it asking for, even when I try to run it as root?

[root@XXXXX apm]# java -jar apm-agent-attach-cli-1.23.0.jar --include-all
(current) UNIX password:

Help command: java -jar apm-agent-attach-cli-1.23.0.jar --help doesn't ask for it.

Hi and welcome to the forum.

Could you please send me a thread dump so that I can see where in the code the external process is started that requires a password?

To get the thread dump, execute ps aux | grep attach-cli and copy the pid of the attacher process. Then execute kill -3 <pid> where <pid> is the process id you just copied. The standard output of the attacher cli will then print the thread dump.

Does java -jar apm-agent-attach-cli-1.23.0.jar --include-all --list require a password?

Yes, with --list it is the same. Here is the thread dump:

[root@XXXX apm]# java -jar apm-agent-attach-cli-1.23.0.jar --include-all --list
(current) UNIX password: 2021-05-05 16:49:50
Full thread dump OpenJDK 64-Bit Server VM (11.0.9.1+1-LTS mixed mode, sharing):

Threads class SMR info:
_java_thread_list=0x00007f566c48fc10, length=10, elements={
0x00007f566c015800, 0x00007f566c11e000, 0x00007f566c120000, 0x00007f566c125800,
0x00007f566c127800, 0x00007f566c129800, 0x00007f566c12c000, 0x00007f566c163000,
0x00007f566c168000, 0x00007f566c48e000
}

"main" #1 prio=5 os_prio=0 cpu=1046.51ms elapsed=28.55s tid=0x00007f566c015800 nid=0xc945 in Object.wait()  [0x00007f5674cf4000]
   java.lang.Thread.State: WAITING (on object monitor)
        at java.lang.Object.wait(java.base@11.0.9.1/Native Method)
        - waiting on <0x00000000c65e0ab0> (a java.lang.ProcessImpl)
        at java.lang.Object.wait(java.base@11.0.9.1/Object.java:328)
        at java.lang.ProcessImpl.waitFor(java.base@11.0.9.1/ProcessImpl.java:495)
        - waiting to re-lock in wait() <0x00000000c65e0ab0> (a java.lang.ProcessImpl)
        at co.elastic.apm.attach.UserRegistry$User.canSwitchToUser(UserRegistry.java:153)
        at co.elastic.apm.attach.UserRegistry$User.of(UserRegistry.java:144)
        at co.elastic.apm.attach.UserRegistry$User.access$100(UserRegistry.java:130)
        at co.elastic.apm.attach.UserRegistry.get(UserRegistry.java:125)
        at co.elastic.apm.attach.UserRegistry.getCurrentUser(UserRegistry.java:90)
        at co.elastic.apm.attach.AgentAttacher.<init>(AgentAttacher.java:73)
        at co.elastic.apm.attach.AgentAttacher.main(AgentAttacher.java:131)

The only JVM which is run is also a root process, so there is rather no point in switching to another user.

Looks like it is not constant behaviour. On another server with Java 8 it is not asking for a password. I cannot say that this is the only difference, but it is rather a hint.

There seem to be two issues.

The first one is that the script should not ask for a password input. Seems like the --non-interactive flag doesn't work as expected.

The other one is that the program even checks whether the current user is allowed to switch to themselves, which is unnecessary.

Could you please open an issue in GitHub - elastic/apm-agent-java: Elastic APM Java Agent?

Hi @molsza,

Summary:

  • using latest version of the agent 1.23.0
  • JVM is running as root user
  • attach command is also run as root
  • using the --list option also asks for password, but --help does not.

If you could also provide the output of the following commands, that could also help:

lsb_release -a # get the exact OS version you are using
sudo -V        # get the version of 'sudo' command used

Thanks in advance!

So here are the details you requested:

LSB Version:    :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 7.9 (Maipo)
Release:        7.9
Codename:       Maipo

Sudo version:

Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23

I have opened the following PR with a work-around attempt: Fix runtime attach for current user by SylvainJuge · Pull Request #1819 · elastic/apm-agent-java · GitHub

As @felixbarny pointed out, there might be two issues here:

  • agent tries to use sudo when not needed (this is what the PR attempts to fix)
  • some sudo executions hang, probably waiting for interactive input.

I tested on my side with an older version of sudo and the --non-interactive command option seems to work properly.

One hypothesis is that the sudo command run as root ignores the --non-interactive due to your system configuration. Could you try to run the following commands as root user on your system and provide us the output?

whoami
echo '# 1'; sudo -u root echo hello; echo $?
echo '# 2'; sudo --non-interactive -u root echo hello; echo $?

That should output the following without any interactive prompt:

root
# 1
hello
0
# 2
hello
0

Can you try with the following snapshot (from PR 1819) and tell us if that makes a difference?

It certainly does make a difference. It is not asking any more for a password.

Thanks for the feedback @molsza !

We have now merged the change (a slightly better version of it to be honest) into master branch, thus it will be included in the next release. Make sure to subscribe to notifications on the GitHub project.

Now, in case there is any "blocking" call to sudo, we will at least be able to see that in the standard output (it was silently blocking before).
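
The two fixes discussed in this thread (skip sudo when the target is the current user, and never let a sudo call block silently), sketched as a shell function. This is an added example, not the code from PR #1819 or from the agent; `can_switch_to_user`, `SUDO_BIN` and `SUDO_TIMEOUT` are hypothetical names, and it assumes the coreutils `timeout` command is available.

```shell
#!/bin/sh
# Added example, not elastic/apm-agent-java code. SUDO_BIN and SUDO_TIMEOUT
# are hypothetical knobs so the check can be pointed at a stub when testing.
SUDO_BIN="${SUDO_BIN:-sudo}"
SUDO_TIMEOUT="${SUDO_TIMEOUT:-5}"

# can_switch_to_user USER
#   0 = commands can be run as USER without a prompt
#   1 = sudo refused (for example, a password would be required)
#   2 = the sudo call blocked and was killed after SUDO_TIMEOUT seconds
can_switch_to_user() {
    target="$1"

    # Fix 1: switching to yourself never needs sudo, so do not call it.
    if [ "$target" = "$(id -un)" ]; then
        return 0
    fi

    # Fix 2: -n (--non-interactive) makes sudo fail instead of prompting,
    # stdin is /dev/null, and timeout bounds the call so that a sudo which
    # blocks anyway is reported instead of hanging silently.
    rc=0
    timeout "$SUDO_TIMEOUT" "$SUDO_BIN" -n -u "$target" true \
        </dev/null >/dev/null 2>&1 || rc=$?

    if [ "$rc" -eq 124 ]; then   # 124 is timeout's "command timed out" status
        echo "sudo blocked for ${SUDO_TIMEOUT}s while checking user '$target'" >&2
        return 2
    fi
    if [ "$rc" -eq 0 ]; then
        return 0
    fi
    return 1
}
```

Source the file and run `can_switch_to_user root; echo $?` as the user that starts the attacher; a result of 2 corresponds to the silent hang seen in the thread dump.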
