Bug 2162714
| Summary: | solr broken due to access denied ("java.io.FilePermission" "/etc/pki/java/cacerts" "read") [rhel-9, openjdk-8] | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Andrew John Hughes <ahughes> | |
| Component: | java-1.8.0-openjdk | Assignee: | Andrew John Hughes <ahughes> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | OpenJDK QA <java-qa> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 9.1 | CC: | jandrlik, jvanek, pmikova | |
| Target Milestone: | rc | Keywords: | Triaged, ZStream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | java-1.8.0-openjdk-1.8.0.362.b09-3.el9 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2163594 (view as bug list) | Environment: | ||
| Last Closed: | 2023-07-17 18:48:51 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2163594 | |||
On 1/18/23 18:29, Jiri Vanek wrote: We are using frozen solr 8.8.2 for jdk11 and jdk8. Jdk11 keeps being ok, but jdk8 **{*}RPMS{*}** got broken: [http://hydra.brq.redhat.com:8080/job/lucene-jp8-ojdk8~rpms-el8z.aarch64-release.sdk-el8z.aarch64.beaker-x11.defaultgc.legacy.lnxagent.jfroff/168/java-reports/] Note, that > Most of the traces are "wrongly Strightforward": as {code} Suppressed: java.lang.NoClassDefFoundError: Could not initialize class sun.security.ssl.TrustStoreManager$TrustStoreDescriptor at sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:56) at sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49) at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:250) at sun.security.ssl.SSLContextImpl.engineInit(SSLContextImpl.java:89) at javax.net.ssl.SSLContext.init(SSLContext.java:282) at org.apache.http.ssl.SSLContextBuilder.initSSLContext(SSLContextBuilder.java:377) at org.apache.http.ssl.SSLContextBuilder.build(SSLContextBuilder.java:391) at org.apache.solr.util.SSLTestConfig$2.createContextFactory(SSLTestConfig.java:227) at org.apache.solr.client.solrj.embedded.SSLConfig.createContextFactory(SSLConfig.java:92) at org.apache.solr.client.solrj.embedded.JettySolrRunner.init(JettySolrRunner.java:281) at org.apache.solr.client.solrj.embedded.JettySolrRunner.<init>(JettySolrRunner.java:258) at org.apache.solr.client.solrj.embedded.JettySolrRunner.<init>(JettySolrRunner.java:230) at org.apache.solr.cloud.MiniSolrCloudCluster.startJettySolrRunner(MiniSolrCloudCluster.java:474) at org.apache.solr.cloud.MiniSolrCloudCluster.lambda$new$0(MiniSolrCloudCluster.java:301) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at org.apache.solr.common.util.ExecutorUtil$MDCAwareThreadPoolExecutor.lambda$execute$0(ExecutorUtil.java:218) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ... 1 more {code} > But some of them are actually showing (maybe) cause: {code} Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/pki/java/cacerts" "read") at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) at java.security.AccessController.checkPermission(AccessController.java:886) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) at java.io.File.exists(File.java:825) at sun.security.tools.KeyStoreUtil.getCacertsKeyStoreFile(KeyStoreUtil.java:141) at sun.security.ssl.TrustStoreManager$TrustStoreDescriptor.<clinit>(TrustStoreManager.java:80) {code} one more noticable exception is: {code} Caused by: java.lang.RuntimeException: Unable to initialize 'Default' SSLContext Algorithm, JVM is borked at org.apache.solr.cloud.TestMiniSolrCloudClusterSSL.<clinit>(TestMiniSolrCloudClusterSSL.java:75) ... 44 more Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext) at java.security.Provider$Service.newInstance(Provider.java:1617) at sun.security.jca.GetInstance.getInstance(GetInstance.java:236) at sun.security.jca.GetInstance.getInstance(GetInstance.java:164) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96) at org.apache.solr.cloud.TestMiniSolrCloudClusterSSL.<clinit>(TestMiniSolrCloudClusterSSL.java:72) ... 44 more Caused by: java.lang.NoClassDefFoundError: Could not initialize class sun.security.ssl.SSLContextImpl$DefaultManagersHolder at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:1227) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at java.security.Provider$Service.newInstance(Provider.java:1595) ... 49 more {code} But afaik goes back to the java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/pki/java/cacerts" "read") Note, that you need (acording to at java.security.AccessController.checkPermission(AccessController.java:886) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.lang.SecurityManager.checkRead(SecurityManager.java:888) ) security manager on. It may be, that Severin's patch for secure random: https://issues.redhat.com/browse/OPENJDK-1357 May be the same thing. All traces are visible here: [http://hydra.brq.redhat.com:9090/diff.html?generated-part=+-view%3Dhide-positives+++-view%3Dinfo-problems+++-view%3Dinfo-summary+++-view%3Dinfo-summary-suites+++-output%3Dhtml++&custom-part=lucene-jp8-ojdk8%7Erpms-el8z.aarch64-release.sdk-el8z.aarch64.beaker-x11.defaultgc.legacy.lnxagent.jfroff+168] **important note** PORTABLE jdk8 IS NOT, repeat NOT affected so issue is by my guess at one of the few differences: [https://pkgs.devel.redhat.com/cgit/rpms/java-1.8.0-openjdk/tree/java-1.8.0-openjdk.spec?h=openjdk-portable-rhel-7#n1040] x [https://pkgs.devel.redhat.com/cgit/rpms/java-11-openjdk/tree/java-11-openjdk.spec?h=rhel-8.7.0#n2053] and its implementation in jdk8 compared to 11, as 11 rpms are ok.