JDK 8 - Error: Could not find or load main class <PID> [hotpatch-for-apache-log4j2] - TagMerge

dunkla Asked 5 months ago

When trying to run

java -cp <java-home>/lib/tools.jar:Log4jHotPatch.jar <java-pid>

with JDK 8, I only get the message

Error: Could not find or load main class <PID>

What could I be doing wrong?

Amitgb14 Answered 5 months ago

@dunkla check that the Log4jHotPatch.jar file has the correct permissions, or add the absolute path of Log4jHotPatch.jar. It works for me:

sudo -Hu app_user /usr/bin/java -cp /tmp/Log4jHotPatch.jar:<java-home>/lib/tools.jar Log4jHotPatch 1234

simonis Answered 5 months ago

I think the instructions for JDK 8 in the README are missing the class name. Try:

java -cp <java-home>/lib/tools.jar:Log4jHotPatch.jar Log4jHotPatch <java-pid>

Instead of:

java -cp <java-home>/lib/tools.jar:Log4jHotPatch.jar <java-pid>

I'll update the documentation.

dunkla Answered 5 months ago

Thanks, but now I get:

elasticsearch@srv-a-de:/tmp/hotpatch-for-apache-log4j2/build/libs$ java -cp /usr/lib/jvm/java-8-openjdk-amd64/lib/tools.jar:Log4jHotPatch.jar Log4jHotPatch 7410
com.sun.tools.attach.AgentInitializationException: Agent JAR loaded but agent failed to initialize
    at sun.tools.attach.HotSpotVirtualMachine.loadAgent(HotSpotVirtualMachine.java:121)
    at Log4jHotPatch.loadInstrumentationAgent(Log4jHotPatch.java:234)
    at Log4jHotPatch.main(Log4jHotPatch.java:298)
Error: couldn't loaded the agent into JVM process 7410
  Are you running as a different user (including root) than process 7410?
Errors occurred deploying hot patch. If you are using java 8 to run this
tool against JVM 11 or later, the target JVM may still be patched. Please look for a message
like 'Loading Java Agent (using ASM 6).' in stdout of the target JVM. Also note that JVM 17+
are not supported.

(executed as elasticsearch, same user running the process 7410)

dunkla Answered 5 months ago

OK, found the reason: The process was running with JRE. I installed JDK afterwards. Restarting the process now yields the correct result:

elasticsearch@srv-a-de:/tmp/hotpatch-for-apache-log4j2/build/libs$ java -cp /usr/lib/jvm/java-8-openjdk-amd64/lib/tools.jar:Log4jHotPatch.jar Log4jHotPatch 639
Successfully loaded the agent into JVM process 639
  Look at stdout of JVM process 639 for more information

Is there a way to run this tool with JVM 8 with only JRE/without JDK? (openjdk-11-jre-headless seems to be working just fine without openjdk-11-jdk-headless)

Amitgb14 Answered 5 months ago

@dunkla can you apply the patch again to the same process? I have seen it not apply in els; the same "Successfully" message is printed instead of "Skipping patch for JVM process 1, patch version 1 already applied".

dunkla Answered 5 months ago

@Amitgb14 I am always getting

elasticsearch@srv-a-de:/tmp/hotpatch-for-apache-log4j2/build/libs$ java -cp /usr/lib/jvm/java-8-openjdk-amd64/lib/tools.jar:Log4jHotPatch.jar Log4jHotPatch 639
Successfully loaded the agent into JVM process 639
  Look at stdout of JVM process 639 for more information
elasticsearch@srv-a-de:/tmp/hotpatch-for-apache-log4j2/build/libs$ java -cp /usr/lib/jvm/java-8-openjdk-amd64/lib/tools.jar:Log4jHotPatch.jar Log4jHotPatch 639
Successfully loaded the agent into JVM process 639
  Look at stdout of JVM process 639 for more information

simonis Answered 5 months ago

That's because your target process is running with a security manager, so the agent can't set a property to flag that it was already installed. You'll see this warning on stdout of the target process:

Warning: Could not record agent version in system property: ...
Warning: This will make it more difficult to test if agent is already loaded, but will not prevent patching"

See "Checkpoint: PoC that works when target has security manager enabled"

Notice that the transformations won't run a second time, you'll see:

Info: hot patch agent already loaded

but the client which injected the agent just can't tell.

dunkla Answered 5 months ago

@simonis you are right, can confirm

Do you know

Is there a way to run this tool with JVM 8 with only JRE/without JDK? (openjdk-11-jre-headless seems to be working just fine without openjdk-11-jdk-headless)

simonis Answered 5 months ago

If you want to dynamically attach, you need the attach API. For JDK 8 the attach API is bundled in tools.jar which is only available in JDKs and not JREs. For JDK 11 there's no "standard" JRE so people are free to put whatever modules they like into their "JRE 11". Apparently yours contains the Attach API.

You can still use the tool as a static agent by adding -javaagent:Log4jHotPatch.jar to the command line or to the JAVA_TOOL_OPTIONS environment variable. But this obviously requires a restart of the java process to take effect.
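The decision described in the answer above (tools.jar on JDK 8, an attach module on later runtimes, otherwise a static agent), as an added shell example that is not part of the original thread or of the hotpatch project. It assumes a JDK 9+ runtime image lists its modules on a `MODULES=` line in its `release` file; the function names `attach_mode` and `hotpatch_hint` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: classify a Java home by whether it carries the attach API
# that dynamic attach needs. Function names are hypothetical.

# attach_mode JAVA_HOME -> prints one of:
#   tools-jar      JDK 8 layout, attach API is in lib/tools.jar
#   attach-module  JDK 9+ image whose release file lists jdk.attach (assumption)
#   static-only    no attach API found, only -javaagent plus a restart works
attach_mode() {
  if [ -f "$1/lib/tools.jar" ]; then
    echo tools-jar
  elif [ -f "$1/release" ] &&
       grep -Eq '^MODULES=.*[" ]jdk\.attach[" ]' "$1/release"; then
    echo attach-module
  else
    echo static-only
  fi
}

# hotpatch_hint JAVA_HOME JAR PID -> prints the matching form from the thread
hotpatch_hint() {
  case $(attach_mode "$1") in
    tools-jar)
      # JDK 8 form from the thread: class name after the classpath
      echo "$1/bin/java -cp $1/lib/tools.jar:$2 Log4jHotPatch $3" ;;
    attach-module)
      echo "attach API is in the runtime image; tools.jar is not needed" ;;
    static-only)
      # Static agent form from the thread; needs a restart of the target
      echo "JAVA_TOOL_OPTIONS=-javaagent:$2 (takes effect after restart)" ;;
  esac
}

# Command-line use: script JAVA_HOME JAR PID
if [ "$#" -eq 3 ]; then
  hotpatch_hint "$@"
fi
```
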

Amitgb14 Answered 5 months ago

That's because your target process is running with a security manager, so the agent can't set a property to flag that it was already installed. You'll see this warning on stdout of the target process:

Warning: Could not record agent version in system property: ...
Warning: This will make it more difficult to test if agent is already loaded, but will not prevent patching"

See "Checkpoint: PoC that works when target has security manager enabled"

Notice that the transformations won't run a second time, you'll see:

Info: hot patch agent already loaded

but the client which injected the agent just can't tell.

@simonis So, it means the patch applied successfully? Is there another way to identify it?
