Created attachment 1130367 [details] journal snippet The tomcat-8.0.32-3.fc23 update in updates-testing will break all existing FreeIPA and Dogtag installations. It appears that this update moves some classes around between jar files, which will cause a restart of the tomcat-based FreeIPA and Dogtag services to fail with a class loader error. I have attached a snippet from the system journal showing the failure. Since this change is not backwards compatible and will break many installations, I think we should not be moving these classes around in F23. We can adjust code on the Dogtag side for F24 to deal with these new locations since it is still pre-alpha release.
The issue here is not that the Bootstrap class moved between jars. The problem is that the classpath is not correct anymore unless CATALINA_HOME is set in Dogtag's sysconfig file as follows: CATALINA_HOME="/usr/share/tomcat" This was not required with the previous tomcat package in F23, so this still has the effect of breaking FreeIPA and Dogtag installations.
Dogtag doesn't build with 8.0.32 either because javac couldn't locate org.apache.tomcat.ContextBind. I had to patch our build system and include tomcat-api.jar in the classpath.
As was mentioned in email, the workaround for this bug is to downgrade to tomcat-8.0.26-2.fc23.
tomcat-7.0.68-1.fc22 is also broken, https://bodhi.fedoraproject.org/updates/FEDORA-2016-62619c1bda
tomcat-8.0.32-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a266936df7
tomcat-7.0.68-2.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b19c75d748
tomcat-7.0.68-2.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b19c75d748
tomcat-8.0.32-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a266936df7
tomcat-7.0.68-2.fc22 and tomcat-8.0.32-4.fc23 are still broken and fail with "Could not find or load main class org.apache.catalina.startup.Bootstrap".
The problem of CATALINA_HOME not being set is actually only symptomatic of the underlying issue - which are the changes implemented for https://bugzilla.redhat.com/show_bug.cgi?id=1293636 -- Systemd tomcat.service unit loads /etc/sysconfig/tomcat without shell expansion Dogtag creates a clone of the tomcat service and therefore -- according to instructions -- created a copy of the /usr/lib/systemd/system/tomcat@.service systemd unit file. Prior to the fix for 1293636, this file would source /etc/tomcat/tomcat.conf as an environment file. In this file, we set CATALINA_HOME and other parameters. In the fix for 1293636, the unit file was changed to source /etc/sysconfig/tomcat instead, and tomcat.conf was changed into a shell script. This was of course not propagated to our copy of the unit file. We can certainly change our unit files in F24 if needed, but its not clear whether it is acceptable to break existing installations by changing the semantics of config files in F23, F22 and RHEL 7. If this change needs to be done, then it should be done in a backwards compatible way -- perhaps leaving /etc/tomcat/tomcat.conf as it is - and as the referenced file, and then using a different file for the non-systemd/ shell expanded version.
To test out the reverted code, we downloaded and installed the following 'F25 rawhide' build to an F23 machine: * http://koji.fedoraproject.org/koji/buildinfo?buildID=741084 tomcat-8.0.32-4.fc25 Without making any changes to Dogtag, we were able to successfully install, configure, and enroll certificates. We would like this reversion applied to F24, F23, an F22 builds. If possible, as we are fast approaching the F24 alpha cycle, we would like the F24 build the soonest. thanks -- Matt
Tested out the following F24 package: * http://koji.fedoraproject.org/koji/buildinfo?buildID=741325 tomcat-8.0.32-4.fc24 Everything works as advertised! Thanks, -- Matt
tomcat-7.0.68-3.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-e6651efbaf
tomcat-8.0.32-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-48ee453d15
tomcat-7.0.68-3.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e6651efbaf
tomcat-8.0.32-5.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-48ee453d15
(In reply to Fedora Update System from comment #16) > tomcat-8.0.32-5.fc23 has been pushed to the Fedora 23 testing repository. If > problems still persist, please make note of it in this bug report. > See https://fedoraproject.org/wiki/QA:Updates_Testing for > instructions on how to install test updates. > You can provide feedback for this update here: > https://bodhi.fedoraproject.org/updates/FEDORA-2016-48ee453d15 Unfortunately, Dogtag will not build on Fedora 23 due to the introduction of the addition of ContextBind in tomcat 8.0.32: com/netscape/cms/tomcat/ProxyRealm.java:43: error: cannot access ContextBind proxies.put(context.getBaseName(), this): class file for org.apache.tomcat.ContextBind not found
(In reply to Matthew Harmsen from comment #17) > (In reply to Fedora Update System from comment #16) > > tomcat-8.0.32-5.fc23 has been pushed to the Fedora 23 testing repository. If > > problems still persist, please make note of it in this bug report. > > See https://fedoraproject.org/wiki/QA:Updates_Testing for > > instructions on how to install test updates. > > You can provide feedback for this update here: > > https://bodhi.fedoraproject.org/updates/FEDORA-2016-48ee453d15 > > Unfortunately, Dogtag will not build on Fedora 23 due to the introduction of > the addition of ContextBind in tomcat 8.0.32: > > com/netscape/cms/tomcat/ProxyRealm.java:43: error: cannot access > ContextBind > proxies.put(context.getBaseName(), this): > > class file for org.apache.tomcat.ContextBind not found See comment #2 above.
After discussions, it was determined that if this was only a build time issue, that I would back port the code necessary to build Dogtag for tomcat 8.0.32 on F23. I tested the existing pki packages against Tomcat 8.0.32, and found that I was still able to run transparently. As a consequence, we will back port this Dogtag build change, as we needed to rebuild pki packages for a separate issue anyway.
tomcat-8.0.32-5.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
tomcat-7.0.68-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.