Don't allow JVM option -Xrunjdwp:transport in hosted

author: Harald Musum <musum@yahooinc.com> 2022-01-10 09:42:00 +0100
committer: Harald Musum <musum@yahooinc.com> 2022-01-10 09:42:00 +0100
commit: 597792f3760034f2055b83c9518a9c328f39cb42 (patch)
tree: 5d83e216de5f01f2a5aaaa3a81c6d4bdb99934be
parent: d6f4ce3a54daab7577b2b65432168aa65f00950d (diff)
2 files changed, 20 insertions, 3 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 346f450d8b6..288476de015 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -1064,12 +1064,15 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
     private static class JvmOptions {
 
         private static final Pattern validPattern = Pattern.compile("-[a-zA-z0-9=:./,]+");
+        // debug port will not be available in hosted, don't allow
+        private static final Pattern invalidInHostedatttern = Pattern.compile("-Xrunjdwp:transport=.*");
 
         private final ContainerCluster<?> cluster;
         private final Element nodesElement;
         private final DeployLogger logger;
         private final boolean legacyOptions;
         private final boolean failDeploymentWithInvalidJvmOptions;
+        private final boolean isHosted;
 
         public JvmOptions(ContainerCluster<?> cluster, Element nodesElement, DeployState deployState, boolean legacyOptions) {
             this.cluster = cluster;
@@ -1077,6 +1080,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
             this.logger = deployState.getDeployLogger();
             this.legacyOptions = legacyOptions;
             this.failDeploymentWithInvalidJvmOptions = deployState.featureFlags().failDeploymentWithInvalidJvmOptions();
+            this.isHosted = deployState.isHosted();
         }
 
         String build() {
@@ -1086,7 +1090,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
             Element jvmElement = XML.getChild(nodesElement, "jvm");
             if (jvmElement == null) return "";
             String jvmOptions = jvmElement.getAttribute(VespaDomBuilder.OPTIONS);
-            if (jvmOptions == null) return "";
+            if (jvmOptions.isEmpty()) return "";
             validateJvmOptions(jvmOptions);
             return jvmOptions;
         }
@@ -1135,6 +1139,12 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
                                                 .filter(option -> !Pattern.matches(validPattern.pattern(), option))
                                                 .sorted()
                                                 .collect(Collectors.toList());
+            if (isHosted)
+                invalidOptions.addAll(Arrays.stream(optionList)
+                                            .filter(option -> !option.isEmpty())
+                                            .filter(option -> Pattern.matches(invalidInHostedatttern.pattern(), option))
+                                            .sorted()
+                                            .collect(Collectors.toList()));
 
             if (invalidOptions.isEmpty()) return;
 
diff --git a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JvmOptionsTest.java b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JvmOptionsTest.java
index 01f5e1ee776..ba27deedb61 100644
--- a/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JvmOptionsTest.java
+++ b/config-model/src/test/java/com/yahoo/vespa/model/container/xml/JvmOptionsTest.java
@@ -200,9 +200,11 @@ public class JvmOptionsTest extends ContainerModelBuilderTestBase {
             return;
         }
 
-        Collections.sort(strings);
+        assertTrue("Expected 1 or more log messages for invalid JM options, got none", logger.msgs.size() > 0);
         Pair<Level, String> firstOption = logger.msgs.get(0);
         assertEquals(Level.WARNING, firstOption.getFirst());
+
+        Collections.sort(strings);
         assertEquals("Invalid JVM " + (optionName.equals("gc-options") ? "GC " : "") +
                              "options in services.xml: " + String.join(",", strings), firstOption.getSecond());
     }
@@ -238,6 +240,11 @@ public class JvmOptionsTest extends ContainerModelBuilderTestBase {
                                   "$(touch /tmp/hello-from-gc-options)",
                                   "$(touch", "/tmp/hello-from-gc-options)");
 
+        verifyLoggingOfJvmOptions(true,
+                                  "options",
+                                  "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005",
+                                  "-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005");
+
         verifyLoggingOfJvmOptions(false,
                                   "options",
                                   "$(touch /tmp/hello-from-gc-options)",
@@ -246,7 +253,7 @@ public class JvmOptionsTest extends ContainerModelBuilderTestBase {
         // Valid options, should not log anything
         verifyLoggingOfJvmOptions(true, "options", "-Xms2G");
         verifyLoggingOfJvmOptions(true, "options", "-verbose:gc");
-        verifyLoggingOfJvmOptions(true, "options", "-Djava.library.path=/opt/vespa/lib64:/home/y/lib64 -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005");
+        verifyLoggingOfJvmOptions(true, "options", "-Djava.library.path=/opt/vespa/lib64:/home/y/lib64");
         verifyLoggingOfJvmOptions(false, "options", "-Xms2G");
     }
author	Harald Musum <musum@yahooinc.com>	2022-01-10 09:42:00 +0100
committer	Harald Musum <musum@yahooinc.com>	2022-01-10 09:42:00 +0100
commit	597792f3760034f2055b83c9518a9c328f39cb42 (patch)
tree	5d83e216de5f01f2a5aaaa3a81c6d4bdb99934be
parent	d6f4ce3a54daab7577b2b65432168aa65f00950d (diff)