Merge pull request #39 from paypal/issue-38-multi-platform-image

add support for multi-platform images

Author: maxxedev

.github/workflows/maven.yml

@@ -16,7 +16,7 @@ jobs:
 
     strategy:
       matrix:
-        java: [ '8', '11', '17', '21', '23' ]
+        java: [ '8', '11', '17', '21', '24' ]
 
     name: Java ${{ matrix.Java }}
 

Dockerfile

@@ -1,7 +1,7 @@
-FROM amazoncorretto:8 as builder
+FROM --platform=$BUILDPLATFORM amazoncorretto:8 AS builder
 
 # build nsenter1 in another stage
-FROM ubuntu as nsenter1
+FROM --platform=$BUILDPLATFORM ubuntu AS nsenter1
 RUN apt update \
     && apt install gcc libc6-dev -y
 COPY src/main/c/nsenter1.c ./
@@ -13,8 +13,8 @@ COPY --from=nsenter1 /usr/bin/nsenter1 /usr/bin/nsenter1
 
 WORKDIR /tmp/
 
-ENV APP_ID heap-dump-tool
-ENV APP_JAR /opt/heap-dump-tool/$APP_ID.jar
+ENV APP_ID=heap-dump-tool
+ENV APP_JAR=/opt/heap-dump-tool/$APP_ID.jar
 COPY src/main/docker/docker-entrypoint.sh /
 COPY target/$APP_ID.jar $APP_JAR
 

src/main/java/com/paypal/heapdumptool/capture/PrivilegeEscalator.java

@@ -2,10 +2,10 @@
 
 import com.paypal.heapdumptool.utils.ProcessTool;
 import com.paypal.heapdumptool.utils.ProcessTool.ProcessResult;
+import org.apache.commons.lang3.RuntimeEnvironment;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringSubstitutor;
 
-import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Arrays;
@@ -47,26 +47,13 @@ public static Escalation escalatePrivilegesIfNeeded(final String... args) throws
         return ESCALATED;
     }
 
-    public static enum Escalation {
+    public enum Escalation {
         ESCALATED,
         PRIVILEGED_ALREADY
     }
 
     public static boolean isInDockerContainer() {
-        final Path file = Paths.get("/proc/1/cgroup");
-        final Callable<Boolean> cgroupContainsDocker = () -> Files.readAllLines(file)
-                                                                  .stream()
-                                                                  .anyMatch(line -> line.contains(DOCKER));
-        final boolean isInContainer = callQuietlyWithDefault(false, cgroupContainsDocker);
-
-        if (!isInContainer) {
-            // If true, then definitely true.
-            // If false, then process might be running on the host, or be in a privileged container with pid namespace mounted.
-            // Just try running nsenter1 docker then
-            final int exitCode = callQuietlyWithDefault(1, () -> ProcessTool.run("nsenter1", DOCKER).exitCode);
-            return exitCode == 0;
-        }
-        return isInContainer;
+        return RuntimeEnvironment.inContainer();
     }
 
     // yes, print directly to stdout (bypassing SysOutOverSLF4J or other logger decorations)

src/main/resources/privilege-escalate.sh.tmpl

@@ -6,6 +6,26 @@
 # The container does not have privileges or pid namespace is not attached. Escalating privileges by running the container
 # again with privileges.
 
+function runForAppleSilicon() {
+	CMD='docker run -d --rm --name heap-dump-tool --entrypoint sleep'
+	HDT_DIR=${HDT_DIR:-$TMPDIR/heap-dump-tool}
+	echo "Extracting heap-dump-tool to $HDT_DIR ..."
+  set +e
+	docker stop --time 0 heap-dump-tool > /dev/null 2>&1
+  set -e
+	eval $CMD $FQ_IMAGE 99 > /dev/null
+
+	sleep 1
+	rm -rf $HDT_DIR
+	docker cp -q heap-dump-tool:/opt/heap-dump-tool/heap-dump-tool.jar $TMPDIR/
+
+	docker stop --time 0 heap-dump-tool > /dev/null
+
+  echo "java -jar $TMPDIR/heap-dump-tool.jar __ARGS__"
+  echo
+	exec java -jar $TMPDIR/heap-dump-tool.jar __ARGS__
+}
+
 set -euo pipefail
 FQ_IMAGE="${__DOCKER_REGISTRY_ENV_NAME__:-__DEFAULT_REGISTRY__}/__IMAGE_NAME__"
 
@@ -17,6 +37,23 @@ TMPDIR="${TMPDIR:-/tmp/}"
 JAVA_TOOL_OPTIONS=${JAVA_TOOL_OPTIONS:--XX:MaxRAMPercentage=50.0 -XX:-OmitStackTraceInFastThrow}
 DOCKER_OPTIONS="${DOCKER_OPTIONS:-}"
 
+HDT_DETECT_CPU=${HDT_DETECT_CPU:-TRUE}
+HDT_OS=${HDT_OS:-`uname -s`}
+HDT_CPU_TYPE=${HDT_CPU_TYPE:-`uname -m`}
+if [ "$HDT_DETECT_CPU" = "TRUE" ] && [ "$HDT_CPU_TYPE" = "arm64" ] && [ "$HDT_OS" = "Darwin" ]; then
+	echo "Detected Apple Silicon"
+	echo "    \$HDT_DETECT_CPU=$HDT_DETECT_CPU"
+	echo "    \$HDT_OS=$HDT_OS"
+	echo "    \$HDT_CPU_TYPE=$HDT_CPU_TYPE"
+	echo ""
+	echo "Due to containerization limitations on Mac, heap-dump-tool running within a container cannot capture a sanitized"
+	echo "heap dump of a Java process running in another container."
+	echo ""
+	echo "Running heap-dump-tool directly on Mac instead ..."
+	runForAppleSilicon __ARGS__
+	exit 0
+fi
+
 # --privileged --pid=host -- let the tool run processes on host
 # --workdir `pwd` -v `pwd`:`pwd` -- mount host cwd as container cwd, where the heap dump will be saved
 # -e HOST_USER=`whoami` -- pass in host username so that the tool sets right owner on the output file

src/test/java/com/paypal/heapdumptool/capture/PrivilegeEscalatorTest.java

@@ -3,6 +3,7 @@
 import com.google.common.io.Closer;
 import com.paypal.heapdumptool.fixture.ConstructorTester;
 import com.paypal.heapdumptool.fixture.ResourceTool;
+import org.apache.commons.lang3.RuntimeEnvironment;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -41,16 +42,16 @@ public void tearDown() throws IOException {
 
     @Test
     public void testNotInDockerContainer() throws Exception {
-        final Path cgroupPath = Paths.get(copyCgroup("native-cgroup.txt"));
-        final MockedStatic<Paths> mocked = createStaticMock(Paths.class);
-        expectCgroup(mocked, cgroupPath);
+        expectInDockerContainer(false);
 
         assertThat(escalatePrivilegesIfNeeded("foo", "b a r"))
                 .isEqualTo(PRIVILEGED_ALREADY);
     }
 
     @Test
     public void testInDockerContainerPrivilegedAlready() throws Exception {
+        expectInDockerContainer(true);
+
         final Path cgroupPath = Paths.get(copyCgroup("docker-cgroup.txt"));
         final Path replacementPath = Paths.get("/bin/echo");
         final MockedStatic<Paths> mocked = createStaticMock(Paths.class);
@@ -63,6 +64,8 @@ public void testInDockerContainerPrivilegedAlready() throws Exception {
 
     @Test
     public void testInDockerContainerNotPrivilegedAlready(final CapturedOutput output) throws Exception {
+        expectInDockerContainer(true);
+
         final Path cgroupPath = Paths.get(copyCgroup("docker-cgroup.txt"));
         final MockedStatic<Paths> mocked = createStaticMock(Paths.class);
         expectCgroup(mocked, cgroupPath);
@@ -75,6 +78,8 @@ public void testInDockerContainerNotPrivilegedAlready(final CapturedOutput outpu
 
     @Test
     public void testCustomDockerRegistryOneArg(final CapturedOutput output) throws Exception {
+        expectInDockerContainer(true);
+
         final Path cgroupPath = Paths.get(copyCgroup("docker-cgroup.txt"));
         final MockedStatic<Paths> mocked = createStaticMock(Paths.class);
         expectCgroup(mocked, cgroupPath);
@@ -87,6 +92,8 @@ public void testCustomDockerRegistryOneArg(final CapturedOutput output) throws E
 
     @Test
     public void testCustomDockerRegistryTwoArg(final CapturedOutput output) throws Exception {
+        expectInDockerContainer(true);
+
         final Path cgroupPath = Paths.get(copyCgroup("docker-cgroup.txt"));
         final MockedStatic<Paths> mocked = createStaticMock(Paths.class);
         expectCgroup(mocked, cgroupPath);
@@ -99,6 +106,9 @@ public void testCustomDockerRegistryTwoArg(final CapturedOutput output) throws E
 
     @Test
     public void testCustomDockerRegistryInvalidArg() throws Exception {
+        final boolean value = true;
+        expectInDockerContainer(value);
+
         final Path cgroupPath = Paths.get(copyCgroup("docker-cgroup.txt"));
         final MockedStatic<Paths> mocked = createStaticMock(Paths.class);
         expectCgroup(mocked, cgroupPath);
@@ -113,6 +123,11 @@ public void testConstructor() throws Exception {
         ConstructorTester.test(PrivilegeEscalator.class);
     }
 
+    private void expectInDockerContainer(final boolean value) {
+        final MockedStatic<RuntimeEnvironment> env = createStaticMock(RuntimeEnvironment.class);
+        env.when(RuntimeEnvironment::inContainer).thenReturn(value);
+    }
+
     private <T> MockedStatic<T> createStaticMock(final Class<T> clazz) {
         final MockedStatic<T> mocked = mockStatic(clazz);
         closer.register(mocked::close);