Bug 1035477

Summary: Incorrect instruction to add JAVA_OPTS config at end of domain.conf
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Brian Stansberry <brian.stansberry>
Component: DocumentationAssignee: Scott Mumford <smumford>
Status: CLOSED CURRENTRELEASE QA Contact: Russell Dickenson <rdickens>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2.0CC: fbogyai, nziakova, olukas, smumford, twells
Target Milestone: GAKeywords: Documentation, EasyFix, Triaged
Target Release: EAP 6.2.0, EAP 6.3.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-06 14:39:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1035353    

Description Brian Stansberry 2013-11-27 21:24:14 UTC 
This is a side issue to related bug https://bugzilla.redhat.com/show_bug.cgi?id=1035232.

The process described in the Security Guide and Administration guide and the Administration and Configuration guide is not correct for domain mode.

http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Security_Guide/index.html#Run_JBoss_Enterprise_Application_Platform_Within_the_Java_Security_Manager

http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Administration_and_Configuration_Guide/Run_JBoss_Enterprise_Application_Platform_Within_the_Java_Security_Manager.html

The problem is "2. Add the Java options at the end of the file." followed by an instruction to configure the JAVA_OPTS variable.

By the time the last line of domain.conf is processed, no further use of the JAVA_OPTS variable will be made except for domain.sh's outputting of its value to the console.

The line that's described must come *before* this line:

# The ProcessController process uses its own set of java options
if [ "x$PROCESS_CONTROLLER_JAVA_OPTS" = "x" ]; then
    PROCESS_CONTROLLER_JAVA_OPTS="$JAVA_OPTS"
fi

It could be placed at the beginning of the file, but in that case the settings configured in this block would not be used:

if [ "x$JAVA_OPTS" = "x" ]; then
   JAVA_OPTS="-Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true"
   JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true"
else
   echo "JAVA_OPTS already set in environment; overriding default settings with values: $JAVA_OPTS"
fi

The most appropriate placement is in the 'if [ "x$JAVA_OPTS" = "x" ]; then' block above.
Comment 1 Brian Stansberry 2013-11-28 00:29:02 UTC 
Also there's a typo in the suggested JAVA_OPTS settings:

-Djava.security.policy==$PWD/server.policy

Two equals signs. Using that results in obscure permission failures on domain boot, probably because the policy file isn't loaded so no permissions are set?
Comment 2 Ondrej Lukas 2013-11-28 06:52:49 UTC 
I think using two equals is correct expression (not a typo), it means that security manager use only policy file which is set in java.security.policy property. If you use one equals it means that security manager uses policy from java.security.policy combined with policy set in policy.url part of java.home/lib/security/java.security. You can see at http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#DefaultLocs to part "Specifying an Additional Policy File at Runtime".

However it is possible that two equals sign causes any problems if $PWD/server.policy doesn't grant needed permissions, but it that way it should throw SecurityException or AccessControlException.
Comment 3 Brian Stansberry 2013-11-28 13:37:29 UTC 
Ondrej -- agreed, not a typo. Thanks for the information.
Comment 4 Scott Mumford 2014-02-18 03:40:09 UTC 
These changes were made to the 6.3 content and backported to the 6.2 content.

The updated 6.2 documents are available for review at:

http://docbuilder.usersys.redhat.com/14874/ (Admin and Config Guide)

http://docbuilder.usersys.redhat.com/14876/ (Security Guide).

Moving this ticket to MODIFIED until update is available for QA on the documentation stage.
Comment 5 Scott Mumford 2014-02-26 05:12:42 UTC 
Moving to ON_QA.

The changes should be available for review on the documentation stage within an hour or so from this comment.

http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/
Comment 6 Scott Mumford 2014-02-26 05:15:19 UTC 
Moving to ON_QA.

The changes should be available for review on the documentation stage within an hour or so from this comment.

http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/
Comment 7 FIlip Bogyai 2014-03-05 10:27:09 UTC 
The changed were not backported to EAP 6.2 Administration and Configuration Guide.
Comment 8 Scott Mumford 2014-03-06 02:25:08 UTC 
The 6.2 docs have been rebuilt to show the updated content.

Admin & Config Guide:
http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Administration_and_Configuration_Guide/index.html#Run_JBoss_Enterprise_Application_Platform_Within_the_Java_Security_Manager

Security Guide:
http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Security_Guide/index.html#Run_JBoss_Enterprise_Application_Platform_Within_the_Java_Security_Manager