jstack - well-known file is not secure

Question

I am running tomcat 5.5 on x86_64 CentOS 5.7 using 32-bit Oracle Java 1.6.0.

JVM process used by tomcat has 6421 pid. Tomcat is working fine.

When run jstack it fails with:

[root@mybox ~]# jstack 6421
6421: well-known file is not secure

To get any reasonable output, I need to use force option:

[root@mybox ~]# jstack -F 6421
Attaching to process ID 6421, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 17.0-b16
Deadlock Detection:

No deadlocks found.
(...)

The questions are:

1. what does the error message "well-known file is not secure" mean?
2. what is the "well-known" file?
3. why/when does the jstack command not work without a force option?

Thanks in advance.

Answer 1

This is probably due to the file in /tmp used to communicate with the process having different permissions than the one the jstack gets. The file in question is /tmp/hsperfdata_$USER/$PID.

Don't know why it works with -F as the man page just says "Force a stack dump when 'jstack [-l] pid' does not respond."

Answer 2

You need to run the jstack command as the user that owns the java process :

For example if your java application is owned by a user called java-user :

sudo -u java-user jstack -l <pid> 

Answer 3

Besides running with the same user, make sure that the group id of the user running jstack/jmap is also the same from the process.

Take a look at the source code that checks for file permission (line 347). We can see that the function getting the group id is not an array, so it could be possible that the user has other groups, which started the process.

You might have to change the primary group from the user:

#usermod -g group -G user user

Answer 4

This is the one liner I use to make sure I'm always using the correct user permissions:

proc="my-process-name"; pid=`pgrep -f "${proc}"`; sudo -u "#`ps axo uid,pid | grep "${pid}" | tr -s " " | cut -f2 -d" "`" /usr/bin/jstack -l "${pid}" > /mnt/dumps/"${proc}"-`date +%s`.txt

Answer 5

I just would like to add that you might need to specify your /tmp directory by -J option, since not all apps use the the default one

jstack -J-Djava.io.tmpdir=PATH -l PID

Answer 6

when -F is used, the jvm will be frozen.

If you can find the file: /tmp/hsperfdata_$USER/$PID. Just try to switch to the $USER, and then exec jstack. You are running with "root", but that process may not belong to root.

if $USER does not have a login shell (i.e. daemon users), and thus can not switch to that user, you can work around this by using sudo -u $USER jstack $PID

Answer 7

I had this problem when i tried to run jstack as root.

Once i switched to another user it worked immediately.

Answer 8

To successfully use the jstack, you should be running it with the same user as the process.

Answer 9

If you don't want to worry about user and can work as root and are okay to kill the process, you could use this last resort:

kill -s SIGQUIT $PID

This will write the thread dump to your console log, for example, in case of Tomcat, that would require grepping for "Full Thread" that is the beginning of the thread dump in logs/catalina.out and then getting the tdump file as:

DUMP_IDX=`grep -n 'Full thread' logs/catalina.out | tail -1 | cut -d':' -f1`
sed -n $DUMP_IDX,1000000000000000000p logs/catalina.out > jstack-kill-thread-dump-0309.tdump

Answer 10

Probably the easiest way is:

see the owner of the process by ps -ef | grep "process name"

then switch to that user and run the command.

jcmd PID GC.run or any other java utility

One thing i noticed that nobody discussed here is; you also need to have JAVA_HOME variable set. check this by echo $JAVA_HOME

Answer 11

I was getting the same error running:

watch -n .5 "jstack 26259"

Doing as sudo it works:

sudo watch -n .5 "jstack 26259"