Bug 1290936
| Summary: | [Zero] Enable hardened build | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> | ||||
| Component: | java-1.8.0-openjdk | Assignee: | Severin Gehwolf <sgehwolf> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 28 | CC: | ahughes, alex.kasko.mail, dbhole, jerboaa, jvanek, msrb, mvala, omajid, sgehwolf | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-04-30 16:36:31 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1548475 | ||||||
| Attachments: |
|
||||||
|
Description
Orion Poplawski
2015-12-11 23:57:52 UTC
This seems to be a problem after the hardened build patch. java-1.8.0-openjdk fails to self-build with 1.8.0.65-11.b17.fc24 and better: http://koji.fedoraproject.org/koji/taskinfo?taskID=12181621 I've untagged problematic builds 1.8.0.65-{11,12}.b17.fc24 for the time being.
$ koji latest-build f24-build java-1.8.0-openjdk
Build Tag Built by
---------------------------------------- -------------------- ----------------
java-1.8.0-openjdk-1.8.0.65-10.b17.fc24 f24 jvanek
This seems to be an ARM/Zero only problem with the hardening build patch. I'm attaching a patch to exclude hardening for Zero builds until we know what's going on. Created attachment 1106347 [details]
Spec file patch for java-1.8.0-openjdk disabling hardening features on non-JIT arches.
Scratch build with patch in comment 4. It properly bootcycles for x86_64/i686/armv7hl: http://koji.fedoraproject.org/koji/taskinfo?taskID=12200133 I've used this diff on top of the patch in comment 4 for this scratch build (just changing the openjdk build target to "bootcycle-images docs" and disabling the slowdebug build): diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 41ebd42..420e918 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -22,7 +22,7 @@ # by default we build debug build during main build only on intel arches %ifarch %{ix86} x86_64 -%global include_debug_build 1 +%global include_debug_build 0 %else %global include_debug_build 0 %endif @@ -1217,7 +1217,7 @@ make \ STRIP_POLICY=no_strip \ POST_STRIP_CMD="" \ LOG=trace \ - all + bootcycle-images docs # the build (erroneously) removes read permissions from some jars # this is a regression in OpenJDK 7 (our compiler): Jiri, could you please apply the patch in comment 4 and push a koji build? If you prefer, I can do it myself. It will enable JIT arches to move forward with a hardened build without disturbing Zero arches. Build with patch in comment 4 is on-going: http://koji.fedoraproject.org/koji/taskinfo?taskID=12214633 This issue should be fixed with 1.8.0.65-13.b17.fc24 (rather worked-around). Interestingly enough is that another koshei build of vtk using 1.8.0.65-12.b17.fc24 passed: http://koji.fedoraproject.org/koji/taskinfo?taskID=12203729 java-1.8.0-openjdk-1.8.0.65-14.b17.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-bde689eb98 Just further confirmation that a full bootstrap of IcedTea 3 with OpenJDK 8 fails on Fedora 23 ARM in the same way: http://koji.fedoraproject.org/koji/taskinfo?taskID=12295374 but the same SRPM builds on F22: http://koji.fedoraproject.org/koji/taskinfo?taskID=12297317 Unless the build also fails with other Zero architectures, the patch should only turn off the flags on ARM32, not all non-JIT archs. java-1.8.0-openjdk-1.8.0.65-14.b17.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-bde689eb98 java-1.8.0-openjdk-1.8.0.65-14.b17.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report. I've got a setup ready now so as to be able to look at a real fix for this. $ cat /etc/os-release NAME=Fedora VERSION="24 (Server Edition)" ID=fedora VERSION_ID=24 PRETTY_NAME="Fedora 24 (Server Edition)" ANSI_COLOR="0;34" CPE_NAME="cpe:/o:fedoraproject:fedora:24" HOME_URL="https://fedoraproject.org/" BUG_REPORT_URL="https://bugzilla.redhat.com/" REDHAT_BUGZILLA_PRODUCT="Fedora" REDHAT_BUGZILLA_PRODUCT_VERSION=rawhide REDHAT_SUPPORT_PRODUCT="Fedora" REDHAT_SUPPORT_PRODUCT_VERSION=rawhide PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy VARIANT="Server Edition" VARIANT_ID=server $ uname -a Linux localhost.localdomain 4.4.0-0.rc6.git0.1.fc24.armv7hl+lpae #1 SMP Mon Dec 21 16:40:26 UTC 2015 armv7l armv7l armv7l GNU/Linux $ rpm -q java-1.8.0-openjdk java-1.8.0-openjdk-1.8.0.65-12.b17.fc24.armv7hl $ java -version openjdk version "1.8.0_65" OpenJDK Runtime Environment (build 1.8.0_65-b17) OpenJDK Zero VM (build 25.65-b01, interpreted mode) $ JAVA_TOOL_OPTIONS=-Xmx2048m java -version Picked up JAVA_TOOL_OPTIONS: -Xmx2048m Error occurred during initialization of VM Could not reserve enough space for 2097152KB object heap I'll see what I can find. Sorry that it took so long. Moving the bug back to assigned. This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase This seems to be back with java-1.8.0-openjdk-aarch32 1:1.8.0.112-1.161109.fc26 Moving to Alex, he is on -aarch32 now Looks like I've "overdone" merge with mainline jdk package inadvertently removing hardened build workaround. Restored workaround back, rawhide build in progress - https://koji.fedoraproject.org/koji/taskinfo?taskID=17150592 This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'. Work-around of disabling hardened build is still active in rawhide. This is now blocking bug 1548475. (In reply to Andrew John Hughes from comment #10) > Just further confirmation that a full bootstrap of IcedTea 3 with OpenJDK 8 > fails on Fedora 23 ARM in the same way: > > http://koji.fedoraproject.org/koji/taskinfo?taskID=12295374 > > but the same SRPM builds on F22: > > http://koji.fedoraproject.org/koji/taskinfo?taskID=12297317 > > Unless the build also fails with other Zero architectures, the patch should > only turn off the flags on ARM32, not all non-JIT archs. Just to clarify this statement. Yes, that's not surprising since the hardening of all packages[1] was done with the F23 cycle. The difference is changes in redhat-rpm-config package[2]. [1] https://fedoraproject.org/wiki/Changes/Harden_All_Packages [2] https://koji.fedoraproject.org/koji/buildinfo?buildID=613083 I cannot reproduce the original issue on F27 with hardened build enabled on Zero (tested it on arm 32): # rpm -q --changelog java-1.8.0-openjdk | head * Fri Apr 20 2018 Severin Gehwolf <sgehwolf> - 1:1.8.0.171-3.b10 - Enable hardened build also for Zero. * Fri Apr 20 2018 Severin Gehwolf <sgehwolf> - 1:1.8.0.171-2.b10 - Enable hardened build for Aarch64. * Wed Apr 18 2018 Jiri Vanek <jvanek> - 1:1.8.0.171-1.b10 - Update to aarch64-jdk8u171-b10 and aarch64-shenandoah-jdk8u171-b10. - Fix jconsole.desktop.in subcategory, replacing "Monitor" with "Profiling" (PR3550) (gnu_andrew) - Fix invalid license 'LGPL+' (should be LGPLv2+ for ECC code) and add misisng ones (gnu_andrew) Did a rebuild of vtk with this java-1.8.0-openjdk and got: [...] + cd /builddir/build/BUILD + cd VTK-7.1.1 + /usr/bin/rm -rf /builddir/build/BUILDROOT/vtk-7.1.1-7.fc27.arm + exit 0 Finish: rpmbuild vtk-7.1.1-7.fc27.src.rpm Finish: build phase for vtk-7.1.1-7.fc27.src.rpm INFO: Done(vtk-7.1.1-7.fc27.src.rpm) Config(fedora-27-armhfp) 1122 minutes 48 seconds INFO: Results and/or logs in: /var/lib/mock/fedora-27-armhfp/result Finish: run $ ls -1 /var/lib/mock/fedora-27-armhfp/result | grep vtk-java vtk-java-7.1.1-7.fc27.armv7hl.rpm vtk-java-debuginfo-7.1.1-7.fc27.armv7hl.rpm $ grep JAVA_TOOL_OPTIONS /var/lib/mock/fedora-27-armhfp/result/build.log + export JAVA_TOOL_OPTIONS=-Xmx2048m + JAVA_TOOL_OPTIONS=-Xmx2048m Picked up JAVA_TOOL_OPTIONS: -Xmx2048m Picked up JAVA_TOOL_OPTIONS: -Xmx2048m Picked up JAVA_TOOL_OPTIONS: -Xmx2048m Picked up JAVA_TOOL_OPTIONS: -Xmx2048m Picked up JAVA_TOOL_OPTIONS: -Xmx2048m Picked up JAVA_TOOL_OPTIONS: -Xmx2048m Picked up JAVA_TOOL_OPTIONS: -Xmx2048m Picked up JAVA_TOOL_OPTIONS: -Xmx2048m Picked up JAVA_TOOL_OPTIONS: -Xmx2048m $ grep -A1 'Compiling Java Classes' /var/lib/mock/fedora-27-armhfp/result/build.log [100%] Compiling Java Classes cd /builddir/build/BUILD/VTK-7.1.1/build/Wrapping/Java && /usr/lib/jvm/java/bin/javac -source 1.6 -target 1.6 -classpath /builddir/build/BUILD/VTK-7.1.1/build/java/vtk/.. -sourcepath /builddir/build/BUILD/VTK-7.1.1/Wrapping/Java/ -d /builddir/build/BUILD/VTK-7.1.1/build/java @/builddir/build/BUILD/VTK-7.1.1/build/java/javac_stamp.rsp -- [100%] Compiling Java Classes cd /builddir/build/BUILD/VTK-7.1.1/build-mpich/Wrapping/Java && /usr/lib/jvm/java/bin/javac -source 1.6 -target 1.6 -classpath /builddir/build/BUILD/VTK-7.1.1/build-mpich/java/vtk/.. -sourcepath /builddir/build/BUILD/VTK-7.1.1/Wrapping/Java/ -d /builddir/build/BUILD/VTK-7.1.1/build-mpich/java @/builddir/build/BUILD/VTK-7.1.1/build-mpich/java/javac_stamp.rsp -- [ 99%] Compiling Java Classes cd /builddir/build/BUILD/VTK-7.1.1/build-openmpi/Wrapping/Java && /usr/lib/jvm/java/bin/javac -source 1.6 -target 1.6 -classpath /builddir/build/BUILD/VTK-7.1.1/build-openmpi/java/vtk/.. -sourcepath /builddir/build/BUILD/VTK-7.1.1/Wrapping/Java/ -d /builddir/build/BUILD/VTK-7.1.1/build-openmpi/java @/builddir/build/BUILD/VTK-7.1.1/build-openmpi/java/javac_stamp.rsp The build of java-1.8.0-openjdk with hardening enabled also bootcycled properly. I'm going to enable hardened build unconditionally. Should be fixed once this build completes: https://koji.fedoraproject.org/koji/buildinfo?buildID=1075458 java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0 java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0 java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report. java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report. |