在Docker容器中运行时，JVM不能映射保留的内存

I cant seem to run java at all in a Docker container on my server. Even when issuing java -version, I get the following error.

我似乎根本不能在服务器上的Docker容器中运行java。即使在发布java版本时，也会出现以下错误。

root@86088d679103:/# java -version
OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x0000035ce1000000, 2555904, 1) failed; error='Operation not permitted' (errno=1)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# //hs_err_pid17.log

According to this, java can't map 2.5Mb of space for reserved memory? This does not seem right...

基于此，java不能映射2.5Mb的预留内存空间?这似乎不太对……

I have the full log included at the end, but for the sake of some extra information, my system is reporting the following:

我有完整的日志包括在最后，但为了一些额外的信息，我的系统报告如下:

root@86088d679103:/# uname -m
x86_64
root@86088d679103:/# free -mh
             total       used       free     shared    buffers     cached
Mem:           15G       9.7G       5.8G       912K       148M       8.9G
-/+ buffers/cache:       639M        14G
Swap:          15G         0B        15G

Can anyone point me in the right direction?

谁能给我指出正确的方向吗?

Full Log: https://gist.github.com/KayoticSully/e206c44681ce261674ba

完整的日志:https://gist.github.com/KayoticSully/e206c44681ce261674ba

Update

更新

@Yobert nailed the problem and I highly suggest you read through the comments and chat log. Good info in there.

@Yobert解决了这个问题，我强烈建议你阅读评论和聊天记录。良好的信息。

For those who want the final command that made Java work: setfattr -n user.pax.flags -v "mr" /usr/bin/java

对于那些想要让Java工作的最终命令的人:setfattr -n user.pax。/usr/bin/java国旗- v“先生”

If your distro does not have setfattr installed by default it should be included in the installable package attr through paceman, apt-get, etc.

如果你的发行版在默认情况下没有安装setfattr，它应该包含在通过paceman、apt-get等安装的软件包attr中。

3 个解决方案

#1

I had this same problem when using a Grsec enabled kernel. For java to play nice, I had to disable MPROTECT on the java binary. You can use the paxctl utility for this:

在使用启用Grsec的内核时，我遇到了同样的问题。为了让java运行得更好，我必须在java二进制文件上禁用MPROTECT。您可以使用paxctl实用程序:

paxctl -m /usr/lib/jvm/java-7-openjdk/jre/bin/java

You'll need to do paxctl -c on the binary first if you've never used it on that binary before:

如果您以前从未在二进制文件中使用过paxctl -c，那么您需要先在二进制文件中使用paxctl -c:

paxctl -c /usr/lib/jvm/java-7-openjdk/jre/bin/java

More information about paxctl can be found at: http://en.wikibooks.org/wiki/Grsecurity/Additional_Utilities

更多关于paxctl的信息可以在http://en.wikibooks.org/wiki/Grsecurity/Additional_Utilities找到

#2

I had the same problem when running Docker on Alpine Linux, after enabling PaX soft mode it worked:

在Alpine Linux上运行Docker时，我也遇到了同样的问题，在启用了PaX soft mode后，它成功了:

sysctl -w kernel.pax.softmode=1

Soft mode will disable most PaX features by default, therefore it is not recommended to enable it. The proper way is to use paxctl, as already mentioned above.

软模式将在默认情况下禁用大多数PaX特性，因此不建议启用它。正确的方法是使用paxctl，如上所述。

Also have a look here: https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Support_soft_mode

也可以在这里查看:https://en.wikibooks.org/wiki/grsecurity/阑尾/ grsecurity_and_pax_configuration_options #Support_soft_mode

#3

This happened to me as well , We reduced the RAM size on our VM and after a couple of days started getting this error and service did not came up for ever.

这也发生在我身上，我们减少了VM上的RAM大小，几天后开始出现这个错误，服务也不再出现。

Solution :: We reduced the heap size of the application or service having this issue and the service came up fine again.

解决方案:我们减少了存在此问题的应用程序或服务的堆大小，服务再次恢复正常。

#1