Bug 1311771 - Tomcat 8.0.32 update breaks FreeIPA and Dogtag installations
Tomcat 8.0.32 update breaks FreeIPA and Dogtag installations
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: tomcat (Show other bugs)
23
Unspecified Unspecified
unspecified Severity high
: ---
: ---
Assigned To: Ivan Afonichev
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-02-24 19:05 EST by Nathan Kinder
Modified: 2016-03-25 18:22 EDT (History)
9 users (show)

See Also:
Fixed In Version: tomcat-8.0.32-5.fc23 tomcat-7.0.68-3.fc22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-03-24 21:26:50 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
journal snippet (3.74 KB, text/plain)
2016-02-24 19:05 EST, Nathan Kinder
no flags Details

  None (edit)
Description Nathan Kinder 2016-02-24 19:05:50 EST
Created attachment 1130367 [details]
journal snippet

The tomcat-8.0.32-3.fc23 update in updates-testing will break all existing FreeIPA and Dogtag installations.  It appears that this update moves some classes around between jar files, which will cause a restart of the tomcat-based FreeIPA and Dogtag services to fail with a class loader error.  I have attached a snippet from the system journal showing the failure.

Since this change is not backwards compatible and will break many installations, I think we should not be moving these classes around in F23.  We can adjust code on the Dogtag side for F24 to deal with these new locations since it is still pre-alpha release.
Comment 1 Nathan Kinder 2016-02-24 19:45:02 EST
The issue here is not that the Bootstrap class moved between jars.  The problem is that the classpath is not correct anymore unless CATALINA_HOME is set in Dogtag's sysconfig file as follows:

  CATALINA_HOME="/usr/share/tomcat"

This was not required with the previous tomcat package in F23, so this still has the effect of breaking FreeIPA and Dogtag installations.
Comment 2 Christian Heimes 2016-02-24 19:50:33 EST
Dogtag doesn't build with 8.0.32 either because javac couldn't locate org.apache.tomcat.ContextBind. I had to patch our build system and include tomcat-api.jar in the classpath.
Comment 3 Matthew Harmsen 2016-02-25 15:16:28 EST
As was mentioned in email, the workaround for this bug is to downgrade to tomcat-8.0.26-2.fc23.
Comment 4 Christian Heimes 2016-02-25 17:19:46 EST
tomcat-7.0.68-1.fc22 is also broken, https://bodhi.fedoraproject.org/updates/FEDORA-2016-62619c1bda
Comment 5 Fedora Update System 2016-02-27 10:43:15 EST
tomcat-8.0.32-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a266936df7
Comment 6 Fedora Update System 2016-02-27 10:43:17 EST
tomcat-7.0.68-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b19c75d748
Comment 7 Fedora Update System 2016-02-28 08:50:50 EST
tomcat-7.0.68-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b19c75d748
Comment 8 Fedora Update System 2016-02-28 08:53:42 EST
tomcat-8.0.32-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a266936df7
Comment 9 Christian Heimes 2016-02-29 05:06:29 EST
tomcat-7.0.68-2.fc22 and tomcat-8.0.32-4.fc23 are still broken and fail with "Could not find or load main class org.apache.catalina.startup.Bootstrap".
Comment 10 Ade Lee 2016-03-02 15:06:23 EST
The problem of CATALINA_HOME not being set is actually only symptomatic of the underlying issue - which are the changes implemented for 
https://bugzilla.redhat.com/show_bug.cgi?id=1293636 -- Systemd tomcat.service unit loads /etc/sysconfig/tomcat without shell expansion

Dogtag creates a clone of the tomcat service and therefore -- according to instructions -- created a copy of the /usr/lib/systemd/system/tomcat@.service
systemd unit file.

Prior to the fix for 1293636, this file would source /etc/tomcat/tomcat.conf as an environment file.  In this file, we set CATALINA_HOME and other parameters.

In the fix for 1293636, the unit file was changed to source /etc/sysconfig/tomcat instead, and tomcat.conf was changed into a shell script.  This was of course not propagated to our copy of the unit file.

We can certainly change our unit files in F24 if needed, but its not clear whether it is acceptable to break existing installations by changing the semantics of config files in F23, F22 and RHEL 7.

If this change needs to be done, then it should be done in a backwards compatible way -- perhaps leaving /etc/tomcat/tomcat.conf as it is - and as the referenced file, and then using a different file for the non-systemd/ shell expanded version.
Comment 11 Matthew Harmsen 2016-03-02 17:25:35 EST
To test out the reverted code, we downloaded and installed the following 'F25 rawhide' build to an F23 machine:

    * http://koji.fedoraproject.org/koji/buildinfo?buildID=741084
      tomcat-8.0.32-4.fc25

Without making any changes to Dogtag, we were able to successfully install, configure, and enroll certificates.

We would like this reversion applied to F24, F23, an F22 builds.  If possible, as we are fast approaching the F24 alpha cycle, we would like the F24 build the soonest.

thanks
-- Matt
Comment 12 Matthew Harmsen 2016-03-03 13:07:34 EST
Tested out the following F24 package:

    * http://koji.fedoraproject.org/koji/buildinfo?buildID=741325
      tomcat-8.0.32-4.fc24

Everything works as advertised!

Thanks,
-- Matt
Comment 13 Fedora Update System 2016-03-11 01:48:51 EST
tomcat-7.0.68-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e6651efbaf
Comment 14 Fedora Update System 2016-03-11 01:49:50 EST
tomcat-8.0.32-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-48ee453d15
Comment 15 Fedora Update System 2016-03-12 11:53:11 EST
tomcat-7.0.68-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e6651efbaf
Comment 16 Fedora Update System 2016-03-12 12:25:16 EST
tomcat-8.0.32-5.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-48ee453d15
Comment 17 Matthew Harmsen 2016-03-14 21:29:58 EDT
(In reply to Fedora Update System from comment #16)
> tomcat-8.0.32-5.fc23 has been pushed to the Fedora 23 testing repository. If
> problems still persist, please make note of it in this bug report.
> See https://fedoraproject.org/wiki/QA:Updates_Testing for
> instructions on how to install test updates.
> You can provide feedback for this update here:
> https://bodhi.fedoraproject.org/updates/FEDORA-2016-48ee453d15

Unfortunately, Dogtag will not build on Fedora 23 due to the introduction of the addition of ContextBind in tomcat 8.0.32:

    com/netscape/cms/tomcat/ProxyRealm.java:43: error: cannot access ContextBind
                proxies.put(context.getBaseName(), this):

      class file for org.apache.tomcat.ContextBind not found
Comment 18 Matthew Harmsen 2016-03-14 21:49:35 EDT
(In reply to Matthew Harmsen from comment #17)
> (In reply to Fedora Update System from comment #16)
> > tomcat-8.0.32-5.fc23 has been pushed to the Fedora 23 testing repository. If
> > problems still persist, please make note of it in this bug report.
> > See https://fedoraproject.org/wiki/QA:Updates_Testing for
> > instructions on how to install test updates.
> > You can provide feedback for this update here:
> > https://bodhi.fedoraproject.org/updates/FEDORA-2016-48ee453d15
> 
> Unfortunately, Dogtag will not build on Fedora 23 due to the introduction of
> the addition of ContextBind in tomcat 8.0.32:
> 
>     com/netscape/cms/tomcat/ProxyRealm.java:43: error: cannot access
> ContextBind
>                 proxies.put(context.getBaseName(), this):
> 
>       class file for org.apache.tomcat.ContextBind not found

See comment #2 above.
Comment 19 Matthew Harmsen 2016-03-15 13:05:37 EDT
After discussions, it was determined that if this was only a build time issue, that I would back port the code necessary to build Dogtag for tomcat 8.0.32 on F23.

I tested the existing pki packages against Tomcat 8.0.32, and found that I was still able to run transparently.

As a consequence, we will back port this Dogtag build change, as we needed to rebuild pki packages for a separate issue anyway.
Comment 20 Fedora Update System 2016-03-24 21:26:35 EDT
tomcat-8.0.32-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2016-03-25 18:21:19 EDT
tomcat-7.0.68-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.