apm-server icon indicating copy to clipboard operation
apm-server copied to clipboard
verified publisher icon elastic

Add full support for Java attacher on Windows

Open eyalkoren opened this issue 3 years ago • 4 comments

A followup on #8590 , which doesn't include Windows support.

Two topics that require some investigation in this regard:

  1. ~~We don't yet have a proper ps-equivalent for full command path discovery (some preliminary examination done by @jackshirazi ). Possible alternatives if we can't find such:~~
    • ~~rely on file system (hsperfdata files), which is limited to HotSpot~~
    • ~~bundle our own binaries for this task~~
  2. The ability to run as a different user is handled differently, but seems to be possible - https://github.com/golang/go/issues/21105

eyalkoren avatar Jul 20 '22 08:07 eyalkoren

I have modified https://github.com/elastic/apm-server/pull/8590 to use go-sysinfo for listing processes, so I believe point 1 is addressed now.

axw avatar Jul 21 '22 04:07 axw

Update: after some initial testing, it appears that in Windows, a JVM that runs as the administrator can attach to JVM that is ran by other users, in which case the ability to run as a different user is not required.

One thing we did notice that is required is to identify when the JVM is ran by the non-console executable - javaw.exe and attach to such processes through the java.exe

eyalkoren avatar Aug 11 '22 13:08 eyalkoren

With https://github.com/elastic/apm-server/pull/8803, the APM Server Java attacher code will always use the bundled attacher jar and invoke it with the current user. The javaw.exe handling described above would be fixed through this same PR. More testing shows that the same-user restriction for remote JVM attach is applicable in Windows as well after all. The former conclusion that this is not the case was apparently based on invalid testing. So we will have to implement both proper tmp dir copying (probably per user temp dir discovery) and figure out how to run as a different user, if at all possible.

eyalkoren avatar Aug 25 '22 14:08 eyalkoren

Following is the updated list of things required for full Windows support:

  • [x] if the JVM is ran through javaw.exe, don't use it but the java.exe of the same JRE to run the attacher to attach to it - fixed through #8803
  • [ ] figure out if and how external processes can be ran as a different user. https://github.com/golang/go/issues/21105 may be a good starting point
  • [ ] investigate how to deal with file access. Hopefully we can apply a similar approach of relying on per-user temp directory, but it may mean we will need to find a way to discover the user's temp dir. Assuming we are on this step, we got a way to run as a different user (former bullet), in which case one option is to run ECHO %Temp% as the target user and read the command output

eyalkoren avatar Aug 25 '22 15:08 eyalkoren

Created a dedicated tracking issue for removing the technical blockers https://github.com/elastic/apm-server/issues/9186.

This issue should be kept open until the whole feature is implemented and tested.

simitt avatar Sep 23 '22 13:09 simitt