Bug 1579446 - java-1.8.0-openjdk-headless rpm package fails the certified container rpm_verify_successful test
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: java-1.8.0-openjdk
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: jiri vanek
QA Contact: zzambers
URL:
Whiteboard:
Duplicates: 1569564 1591400
Depends On:
Blocks:
Reported: 2018-05-17 16:43 UTC by Paul Christensen
Modified: 2018-10-30 07:29 UTC (History)
CC: 8 users

Fixed In Version: java-1.8.0-openjdk-1.8.0.172-10.b11.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 07:27:33 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3017 None None None 2018-10-30 07:29:13 UTC

Description Paul Christensen 2018-05-17 16:43:34 UTC
Description of problem:

When building a docker image using:

java-1.8.0-openjdk-headless-1.8.0.171-7.b10.el7.x86_64

the resulting image will fail to pass the certification scan. 

The failure is in the rpm_verify_successful test and is caused by the modification of:

/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa

But when installing this package on a RHEL system, rpm -V passes. There is something related to installing this image in a container that is modifying the file.

Output of rpm -V:

RHEL system:

[root@RHEL72-20160609 ~]# rpm -V java-1.8.0-openjdk-headless-1.8.0.171-7.b10.el7.x86_64
[root@RHEL72-20160609 ~]# 


Example in container:

bash-4.2# rpm -V java-1.8.0-openjdk-headless-1.8.0.171-7.b10.el7.x86_64
.M.......  g /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
bash-4.2# 


Affected file in RHEL:

[root@RHEL72-20160609 ~]# ls -al /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
-r--r--r--. 1 root root 22282240 May 16 19:20 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
[root@RHEL72-20160609 ~]# 



Affected file in container:

bash-4.2# ls -al /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
-r--r--r--. 1 root root 22282240 May 17 13:01 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
bash-4.2# 


I'm not sure why this is happening as I don't see any difference in permissions. It may be similar to this BZ:

https://bugzilla.redhat.com/show_bug.cgi?id=1481808

or this BZ

https://bugzilla.redhat.com/show_bug.cgi?id=1536129


Version-Release number of selected component (if applicable):


Packages affected:



How reproducible:

100% reproducible


Steps to Reproduce:
1. Build image using FROM registry.access.redhat.com/rhel7-atomic:7.5-217

2. docker run -it -t <image name> /bin/bash
3. rpm -Va 

Actual results:

See above


Expected results:

No output


Additional info:

Comment 2 jiri vanek 2018-05-17 16:54:14 UTC
The file is for shared classes. It is supposed to be modified. That's why it is marked as ghost only in the spec file. Maybe this is caused by the new rpm (rpm itself) in RHEL 7.5?

Comment 3 Paul Christensen 2018-05-23 01:01:23 UTC
Hi Jiri.

rpm -V isn't failing on other rpms in the container. So I don't think that rpm itself is the issue. If I build the container without that package and run rpm -V, it passes.

Is there anything else I can try to debug this root cause?

Comment 4 jiri vanek 2018-05-23 12:14:05 UTC
And are other rpms using %ghost files which can get modified at runtime?
IMHO the rpm tool is to blame. Before, it was ignoring modified ghosts in -V, but now it reports them...

Comment 6 Paul Christensen 2018-05-30 19:59:48 UTC
Hi jiri.

Sorry for the late reply.

There are other files that are using %ghost and rpm verify does not fail on them.

For example, systemd has them and in my scan results, it does not fail. If I remove the java-1.8.0-openjdk-headless rpm, the image passes the scan.

bash-4.2# rpm -V systemd-219-57.el7.x86_64
.M.......  c /etc/machine-id
.M.......  g /etc/udev/hwdb.bin
.M.......  g /var/lib/systemd/random-seed
bash-4.2# 


There is something else that is changing classes.jsa when installed in a container, and I don't think that it's the rpm tool.

How can I assist to troubleshoot the root cause?

Comment 7 jiri vanek 2018-05-31 12:09:27 UTC
I really don't know. I personally never worked with containers, so I don't know what they can be doing. It can be the container engine, it can be rpm... Many things changed in 7.5.

bash-4.2# rpm -V systemd-219-57.el7.x86_64
.M.......  c /etc/machine-id
.M.......  g /etc/udev/hwdb.bin
.M.......  g /var/lib/systemd/random-seed
bash-4.2# 

M stands for Modified? If not, then... Are the ghosts really modified? I guess yes, but ensuring :(

Comment 8 Scott Dodson 2018-06-05 12:30:49 UTC
man 8 rpm says M Mode differs (includes permissions and file type)

This happens even outside of a containerized environment.

sdodson@t460: ~$ rpm -V java-1.8.0-openjdk-headless
.M.......  g /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.172-1.b11.el7.x86_64/jre/lib/amd64/server/classes.jsa

The specfile says it should be 664 root,root but it's 444

-r--r--r--. 1 root root 22286336 May 22 11:26 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.172-1.b11.el7.x86_64/jre/lib/amd64/server/classes.jsa

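As an added example, not part of the bug thread and not code from the openjdk package or from rpm, the following POSIX shell helper does two things the thread does by hand: it parses rpm -V output into the attribute flags, the file-type letter and the path (so a ghost whose only difference is mode, like classes.jsa here, can be told apart from a changed config file or a changed regular file), and it compares a file's on-disk permission bits against the octal value a spec's %attr declares, which is the 664-versus-444 mismatch Comment 8 found. The sample rpm -V lines are constructed from the output quoted in this thread plus two invented lines (a file with a space in its path and a missing doc file); the mode check assumes GNU coreutils stat -c, and the verdict names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug thread): triage `rpm -V` output and check
# an on-disk mode against the mode a spec's %attr declares.
# Assumes POSIX sh with awk, and GNU `stat -c '%a'` for the mode check.

# Constructed sample: three lines quoted in this thread plus two invented ones.
SAMPLE_RPM_V='.M.......  g /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
.M.......  c /etc/machine-id
.M.......  g /etc/udev/hwdb.bin
S.5....T.    /usr/bin/example with space
missing   d /usr/share/doc/example/README'

# rpm -V prints: <9 attribute chars> [<type letter>] <path>
#   attribute chars: S size, M mode, 5 digest, D device, L link, U user,
#   G group, T mtime, P capabilities; "." means that attribute matched;
#   the word "missing" replaces the field when the file is absent.
#   type letter: c config, d doc, g ghost (content not shipped by the rpm),
#   l license, r readme; absent for ordinary files.
# Prints one "<verdict> <path>" per input line (verdict names are ours).
rpm_verify_triage() {
    printf '%s\n' "$1" | awk '
    NF == 0 { next }
    {
        attrs = $1
        rest = $0
        sub(/^[^ ]+ +/, "", rest)          # drop the attribute field and padding
        if (rest ~ /^[cdglr] /) {          # optional type letter, then the path
            ftype = substr(rest, 1, 1); path = substr(rest, 3)
        } else {
            ftype = "-"; path = rest       # path may itself contain spaces
        }
        if (attrs == "missing")                          verdict = "MISSING"
        else if (ftype == "g" && attrs == ".M.......")   verdict = "GHOST_MODE_ONLY"
        else if (ftype == "g")                           verdict = "GHOST_CHANGED"
        else if (ftype == "c")                           verdict = "CONFIG_CHANGED"
        else if (index(attrs, "5") || index(attrs, "S")) verdict = "CONTENT_CHANGED"
        else                                             verdict = "ATTR_CHANGED"
        print verdict " " path
    }'
}

# mode_differs EXPECTED_OCTAL PATH
# Exit 0 when the permission bits on PATH differ from EXPECTED_OCTAL (the
# value written in %attr, e.g. 664), 1 when they match, 2 if PATH is absent.
# This is the comparison behind the "M" column of rpm -V.
mode_differs() {
    [ -e "$2" ] || return 2
    expected=$(printf '%s' "$1" | sed 's/^0*//')
    actual=$(stat -c '%a' "$2" | sed 's/^0*//')
    [ "$expected" != "$actual" ]
}

# Reproduce Comment 8 offline: a file created read-only (444) while the spec
# says 664 is exactly what rpm -V reports as ".M......." on a ghost.
demo_classes_jsa_mode() {
    tmp=$(mktemp) && chmod 444 "$tmp"
    if mode_differs 664 "$tmp"; then
        echo "rpm -V would print M: spec says 664, on disk $(stat -c '%a' "$tmp")"
    fi
    rm -f "$tmp"
}

rpm_verify_triage "$SAMPLE_RPM_V"
demo_classes_jsa_mode
```

Because rpm -V prints a line for any mismatch, a test that demands empty output (as the certification scan here does) trips on a %ghost whose mode was fixed by the spec and then changed by the program that generates it, even though the ghost's content was never shipped or checksummed; triaging the output by type letter and flags makes that distinction visible before deciding whether the spec, the generator, or the test needs to change.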
Comment 9 jiri vanek 2018-06-05 13:11:08 UTC
Ok. Then the cause is probably this restriction:
%attr(664, root, root) %ghost

It has been removed in RHEL 8 in favor of a simple "%ghost". By any chance, do you have a chance to try RHEL's openjdk8 build?

Comment 10 Scott Dodson 2018-06-05 17:17:48 UTC
*** Bug 1569564 has been marked as a duplicate of this bug. ***

Comment 11 Scott Dodson 2018-06-05 17:18:37 UTC
Sorry, no I can't test EL8 right now.

Comment 14 Andrew John Hughes 2018-07-03 02:32:14 UTC
*** Bug 1591400 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2018-10-30 07:27:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3017
