性能排查 on Liangweidong's bloghttps://liangweidonggood.github.io/tags/%E6%80%A7%E8%83%BD%E6%8E%92%E6%9F%A5/Recent content in 性能排查 on Liangweidong's blogHugo -- gohugo.iozh-cnThu, 15 Nov 2018 00:00:00 +0800Arthas 实战:Java 线上问题排查利器https://liangweidonggood.github.io/p/arthas-online-diagnosis/Thu, 15 Nov 2018 00:00:00 +0800https://liangweidonggood.github.io/p/arthas-online-diagnosis/<img src="https://liangweidonggood.github.io/p/arthas-online-diagnosis/image/cover.jpg" alt="Featured image of post Arthas 实战:Java 线上问题排查利器" /> <blockquote> <p><strong>为什么写这篇</strong>:在生产环境里,复现一个偶发问题往往要等几天,重启服务会丢现场日志。Arthas 能在不重启、不改代码的前提下,把方法入参、返回值、异常、火焰图、线程栈全部&quot;现场直播&quot;——这是它与 jstack、jmap 最大的区别。</p> <p><strong>适用读者</strong>:需要在 K8s/容器中排查 Java 应用的运维与后端工程师。</p> <p><strong>前置知识</strong>:了解 JVM 基础(堆/线程)、Linux 常用命令、Docker/K8s 基础操作。</p> </blockquote> <h2 id="目录">目录 </h2><ol> <li><a class="link" href="#1-arthas-%e6%98%af%e4%bb%80%e4%b9%88" >Arthas 是什么</a></li> <li><a class="link" href="#2-%e5%bf%ab%e9%80%9f%e5%bc%80%e5%a7%8b" >快速开始</a></li> <li><a class="link" href="#3-%e6%a0%b8%e5%bf%83%e5%91%bd%e4%bb%a4%e9%80%9f%e6%9f%a5" >核心命令速查</a></li> <li><a class="link" href="#4-%e5%85%b8%e5%9e%8b%e5%9c%ba%e6%99%af" >典型场景</a></li> <li><a class="link" href="#5-%e5%b8%b8%e8%a7%81%e5%9d%91%e4%b8%8e%e6%9c%80%e4%bd%b3%e5%ae%9e%e8%b7%b5" >常见坑与最佳实践</a></li> </ol> <hr> <h2 id="1-arthas-是什么">1. Arthas 是什么 </h2><p>Arthas 是 Alibaba 开源的 <strong>Java 线上诊断工具</strong>,通过 Java Attach API 直接连进运行中的 JVM,<strong>不需要重启应用、不需要改代码</strong>,即可获得:</p> <table> <thead> <tr> <th>维度</th> <th>能看到什么</th> </tr> </thead> <tbody> <tr> <td>应用全景</td> <td>实时 dashboard(线程/内存/GC/Runtime)</td> </tr> <tr> <td>方法级观测</td> <td>入参、返回值、抛出异常、调用耗时</td> </tr> <tr> <td>类加载</td> <td>反编译、查看类加载器、搜索类</td> </tr> <tr> <td>性能</td> <td>profiler 火焰图、CPU 占用 TopN 线程</td> </tr> <tr> <td>离线</td> <td>heap dump、线程快照</td> </tr> </tbody> </table> <blockquote> <p><strong>When to use</strong>:当线上出现&quot;日志看不出但能感知&quot;的问题——比如接口慢但找不到慢在哪、内存偶发飙高、线程莫名 BLOCKED、第三方 jar 包方法名对不上——Arthas 是首选。</p> </blockquote> <hr> <h2 id="2-快速开始">2. 快速开始 </h2><h3 id="21-三种部署场景">2.1 三种部署场景 </h3><table> <thead> <tr> <th>场景</th> <th>命令骨架</th> </tr> </thead> <tbody> <tr> <td>直接跑</td> <td><code>curl -O https://arthas.aliyun.com/arthas-boot.jar &amp;&amp; java -jar arthas-boot.jar</code></td> </tr> <tr> <td>Docker 容器</td> <td><code>docker cp arthas-boot.jar &lt;container&gt;:/ &amp;&amp; docker exec -it &lt;container&gt; bash</code></td> </tr> <tr> <td>K8s Pod</td> <td><code>kubectl cp arthas-boot.jar &lt;ns&gt;/&lt;pod&gt;:/ &amp;&amp; kubectl exec -it -n &lt;ns&gt; &lt;pod&gt; -- bash</code></td> </tr> </tbody> </table> <blockquote> <p><strong>Why docker/k8s 这种方式</strong>:Arthas 启动后会 attach 到目标 JVM,要求<strong>两者在同一 PID 命名空间</strong>。直接拷 jar 进容器是最稳的——不需要在镜像里预装,也不用在 Pod spec 加 sidecar。</p> </blockquote> <p>启动后 arthas-boot 会扫描当前容器/进程里的 Java 进程,交互式让你选:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">[INFO] Found existing java process, please choose one and input the serial number </span></span><span class="line"><span class="cl">* [1]: 12345 /jar/your-app.jar </span></span><span class="line"><span class="cl">1 </span></span><span class="line"><span class="cl">[INFO] Attach process 1 success. </span></span></code></pre></td></tr></table> </div> </div><p>输入序号回车,attach 成功后进入 <code>[arthas@1]</code> 提示符。</p> <h3 id="22-k8s-中要先固定-hpa-副本">2.2 K8s 中要先固定 HPA 副本 </h3><p>生产环境 HPA 滚动扩缩时 attach 目标 pod 可能正好被驱逐。<strong>临时把 minReplicas = maxReplicas</strong> 锁住副本数:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 暂停 HPA(动态扩缩)</span> </span></span><span class="line"><span class="cl">kubectl patch hpa &lt;deploy-name&gt; -n &lt;ns&gt; <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p <span class="s1">&#39;{&#34;spec&#34;:{&#34;minReplicas&#34;:1, &#34;maxReplicas&#34;:1}}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 排查完恢复</span> </span></span><span class="line"><span class="cl">kubectl patch hpa &lt;deploy-name&gt; -n &lt;ns&gt; <span class="se">\ </span></span></span><span class="line"><span class="cl"> -p <span class="s1">&#39;{&#34;spec&#34;:{&#34;minReplicas&#34;:1, &#34;maxReplicas&#34;:2}}&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="23-离线环境">2.3 离线环境 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -Lo arthas.zip <span class="s1">&#39;https://arthas.aliyun.com/download/latest_version?mirror=aliyun&#39;</span> </span></span><span class="line"><span class="cl">unzip arthas.zip -d arthas </span></span><span class="line"><span class="cl"><span class="nb">cd</span> arthas <span class="o">&amp;&amp;</span> java -jar arthas-boot.jar </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="3-核心命令速查">3. 核心命令速查 </h2><p>按&quot;打开就用什么&quot;的使用频次排序:</p> <h3 id="31-仪表盘类">3.1 仪表盘类 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dashboard <span class="c1"># 整体面板,每秒刷新</span> </span></span><span class="line"><span class="cl">dashboard -n <span class="m">1</span> <span class="c1"># 只刷一次(脚本里更友好)</span> </span></span><span class="line"><span class="cl">thread <span class="c1"># 所有线程,CPU 高者排前</span> </span></span><span class="line"><span class="cl">thread -n <span class="m">3</span> <span class="c1"># CPU Top3 线程</span> </span></span><span class="line"><span class="cl">thread -b <span class="c1"># 找出 synchronized 死锁的线程</span> </span></span><span class="line"><span class="cl">thread &lt;tid&gt; <span class="c1"># 单个线程的栈</span> </span></span><span class="line"><span class="cl">jvm <span class="c1"># JVM 信息(启动参数、class loader)</span> </span></span><span class="line"><span class="cl">memory <span class="c1"># 堆/非堆分区域</span> </span></span><span class="line"><span class="cl">heapdump /tmp/h.bin <span class="c1"># 类比 jmap -dump</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="32-方法观测类字节码增强">3.2 方法观测类(字节码增强) </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 监控方法,5 秒一次统计</span> </span></span><span class="line"><span class="cl">monitor -c <span class="m">5</span> com.x.Service method </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 看入参+返回值</span> </span></span><span class="line"><span class="cl">watch com.x.Service method <span class="s1">&#39;{params, returnObj}&#39;</span> -x <span class="m">3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 看异常</span> </span></span><span class="line"><span class="cl">watch com.x.Service method <span class="s1">&#39;throwExp&#39;</span> -x <span class="m">3</span> --exception </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 调用耗时+路径</span> </span></span><span class="line"><span class="cl">trace com.x.Service method </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 当前调用链</span> </span></span><span class="line"><span class="cl">stack com.x.Service method </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 时间隧道:记录每次调用</span> </span></span><span class="line"><span class="cl">tt -t com.x.Service method </span></span><span class="line"><span class="cl">tt -l <span class="c1"># 列出所有记录</span> </span></span><span class="line"><span class="cl">tt -i <span class="m">1001</span> -p <span class="c1"># 重放某次调用</span> </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p><strong>重要警告</strong>:monitor/watch/trace 都通过<strong>字节码增强</strong>实现,会在方法入口插入切面,<strong>对线上有性能开销</strong>。用完务必 <code>stop</code> 或 <code>reset</code>,否则会一直生效。</p> </blockquote> <h3 id="33-性能分析">3.3 性能分析 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">profiler start --event alloc <span class="c1"># 采样分配</span> </span></span><span class="line"><span class="cl">profiler status </span></span><span class="line"><span class="cl">profiler stop --file /tmp/p.html <span class="c1"># 火焰图</span> </span></span><span class="line"><span class="cl"><span class="c1"># 拷出</span> </span></span><span class="line"><span class="cl">docker cp &lt;container&gt;:/tmp/p.html . </span></span></code></pre></td></tr></table> </div> </div><h3 id="34-反编译">3.4 反编译 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">jad com.x.Service method <span class="c1"># 反编译方法</span> </span></span><span class="line"><span class="cl">sc com.x.* <span class="c1"># search class</span> </span></span><span class="line"><span class="cl">sm com.x.* method <span class="c1"># search method</span> </span></span></code></pre></td></tr></table> </div> </div><hr> <h2 id="4-典型场景">4. 典型场景 </h2><h3 id="41-cpu-占用突然飙高">4.1 CPU 占用突然飙高 </h3><p>三步走:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 1) 找出 Top3 忙线程</span> </span></span><span class="line"><span class="cl">thread -n <span class="m">3</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 2) 看那个线程在做什么</span> </span></span><span class="line"><span class="cl">thread &lt;tid&gt; </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 3) 顺藤摸瓜找方法</span> </span></span><span class="line"><span class="cl">trace com.x.SomeService someHotMethod </span></span></code></pre></td></tr></table> </div> </div><p>或者更直接——<strong>火焰图</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">profiler start --duration <span class="m">30</span> --file /tmp/flame.svg --event cpu </span></span></code></pre></td></tr></table> </div> </div><p>30 秒采样后浏览器打开 flame.svg,<strong>横轴是 CPU 时间占比、纵轴是调用栈</strong>。</p> <h3 id="42-偶发的慢请求">4.2 偶发的慢请求 </h3><p>如果某个接口 1 小时才慢一次,普通日志抓不到。用 <code>tt</code> 时空隧道:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">tt -t com.x.Controller slowApi </span></span><span class="line"><span class="cl">tt -l <span class="c1"># 查所有记录</span> </span></span><span class="line"><span class="cl">tt -i <span class="m">1001</span> <span class="c1"># 看第 1001 次</span> </span></span><span class="line"><span class="cl">tt -i <span class="m">1001</span> -p <span class="c1"># 重放这次调用</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="43-看方法真实入参反编译后还原">4.3 看方法真实入参(反编译后还原) </h3><p>有时一个方法入参是 <code>ByteBuf</code>(Netty 场景),日志里是 <code>toString()</code> 的乱码。可以用 arthas 调 <code>ByteBufUtil.hexDump</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-java" data-lang="java"><span class="line"><span class="cl"><span class="c1">// 原方法</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="kd">public</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="nf">channelRead</span><span class="p">(</span><span class="n">ChannelHandlerContext</span><span class="w"> </span><span class="n">ctx</span><span class="p">,</span><span class="w"> </span><span class="n">Object</span><span class="w"> </span><span class="n">msg</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="n">ByteBuf</span><span class="w"> </span><span class="n">buf</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="p">(</span><span class="n">ByteBuf</span><span class="p">)</span><span class="w"> </span><span class="n">msg</span><span class="p">;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// ...</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="p">}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">watch com.example.InboundHandler channelRead <span class="se">\ </span></span></span><span class="line"><span class="cl"> <span class="s1">&#39;@io.netty.buffer.ByteBufUtil@hexDump(params[1])&#39;</span> -b </span></span></code></pre></td></tr></table> </div> </div><p><code>-b</code> 表示方法调用前触发,<code>-x 3</code> 控制对象展开深度。十六进制打印出来后,<strong>再用协议表比对每个字节位</strong>。</p> <h3 id="44-容器内-attach-失败">4.4 容器内 attach 失败 </h3><p>最常见错误是 <code>Permission denied</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">java.io.IOException: Permission denied </span></span><span class="line"><span class="cl"> at sun.tools.attach.LinuxVirtualMachine.sendQuitTo(Native Method) </span></span></code></pre></td></tr></table> </div> </div><p><strong>根因</strong>:attach 走 <code>/proc/&lt;pid&gt;/root/tmp/.java_pid&lt;uid&gt;</code>,需要 attach 进程与目标进程 UID 一致,且有 <code>/proc</code> 写权限。</p> <p><strong>解决方案</strong>:</p> <table> <thead> <tr> <th>场景</th> <th>方案</th> </tr> </thead> <tbody> <tr> <td>Docker</td> <td>启动时加 <code>--privileged</code> 或 <code>--cap-add=SYS_PTRACE</code></td> </tr> <tr> <td>K8s</td> <td>containerd 默认开启;containerd 旧版需 <code>securityContext.privileged: true</code></td> </tr> <tr> <td>都不行</td> <td>重启容器是最后兜底(会丢现场)</td> </tr> </tbody> </table> <hr> <h2 id="5-常见坑与最佳实践">5. 常见坑与最佳实践 </h2><h3 id="51-字节码增强未清理">5.1 字节码增强未清理 </h3><p><code>watch/trace/monitor</code> 增强过的类,<strong>就算 arthas 客户端退出也不会自动 reset</strong>。下次 attach 时这些类仍然是增强版,可能导致奇怪的&quot;线上代码和我本地反编译的不一样&quot;。</p> <p><strong>诊断</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 看哪些类被增强过</span> </span></span><span class="line"><span class="cl">mc -M </span></span></code></pre></td></tr></table> </div> </div><p><strong>清理</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">reset com.x.EnhancedClass <span class="c1"># 恢复单个类</span> </span></span><span class="line"><span class="cl">reset <span class="c1"># 全部恢复</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="52-attach-完别忘了退出">5.2 attach 完别忘了退出 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">quit <span class="c1"># 客户端断开,目标进程上的 arthas 服务继续运行</span> </span></span><span class="line"><span class="cl">stop <span class="c1"># 完全停止 arthas 服务</span> </span></span></code></pre></td></tr></table> </div> </div> <blockquote> <p>attach 后 arthas 实际是双进程——client(你 ssh 进去的这个)和 agent(在目标 JVM 里)。<code>quit</code> 断 client,agent 还在;<code>stop</code> 才彻底退出。</p> </blockquote> <h3 id="53-profiler-不要长时间跑">5.3 profiler 不要长时间跑 </h3><p><code>profiler start</code> 默认是无限期运行,<strong>会持续写采样数据</strong>。30 秒到几分钟足够采样,<strong>用 <code>--duration 30</code> 限定</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">profiler start --duration <span class="m">30</span> --file /tmp/p.html --event alloc </span></span></code></pre></td></tr></table> </div> </div><h3 id="54-安全提示">5.4 安全提示 </h3><p>Arthas 几乎能做<strong>任何运行时操作</strong>(执行 OGNL、修改 logger 级别、强制 GC),<strong>绝不能暴露在公网</strong>。如果是远程调试,用 <code>arthas tunnel</code> + 鉴权,<strong>隧道地址必须是内网</strong>。</p> <hr> <h2 id="小结">小结 </h2><p><strong>一句话总结</strong>:Arthas 是一把 Java 线上诊断的瑞士军刀——dashboard 看全景,thread/trace 追热点,watch/tt 录证据,profiler 出火焰图,jad 看真相。</p> <p><strong>5 个最常用命令</strong>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">dashboard # 全景 </span></span><span class="line"><span class="cl">thread -n 3 # CPU Top3 </span></span><span class="line"><span class="cl">trace 类名 方法 # 方法耗时 </span></span><span class="line"><span class="cl">watch 类名 方法 &#39;{params,returnObj}&#39; # 入参返回值 </span></span><span class="line"><span class="cl">profiler start --duration 30 --file flame.svg # 火焰图 </span></span></code></pre></td></tr></table> </div> </div><p><strong>5 个最容易踩的坑</strong>:</p> <ol> <li>attach 容器报 <code>Permission denied</code> → 加 <code>--cap-add SYS_PTRACE</code></li> <li>K8s 排查前忘了锁 HPA 副本数 → 用 <code>kubectl patch hpa</code></li> <li>watch/trace 用完没 reset → 类被污染,下次启动行为不一致</li> <li>profiler 没加 <code>--duration</code> 跑了一晚上 → 撑爆磁盘</li> <li>Arthas 暴露在公网 → 任何人能执行 OGNL,等于拿到 RCE</li> </ol> <hr> <p><strong>数据来源</strong>:<a class="link" href="https://arthas.aliyun.com/" target="_blank" rel="noopener" >Arthas 官方文档</a></p>