Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1579446

Summary: java-1.8.0-openjdk-headless rpm package fails the certified container rpm_verify_successful test
Product: Red Hat Enterprise Linux 7 Reporter: Paul Christensen <pchriste>
Component: java-1.8.0-openjdkAssignee: jiri vanek <jvanek>
Status: CLOSED ERRATA QA Contact: zzambers
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5CC: ahughes, bcook, dbhole, jupierce, jvanek, pchriste, sdodson, zzambers
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: java-1.8.0-openjdk-1.8.0.172-10.b11.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 07:27:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Christensen 2018-05-17 16:43:34 UTC 
Description of problem:

When building a docker image using:

java-1.8.0-openjdk-headless-1.8.0.171-7.b10.el7.x86_64

the resulting image will fail to pass the certification scan. 

The failure is in the rpm_verify_successful test and is caused by the modification of:

/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa

But when installing this package on a RHEL system, rpm -V works passes. There is something related to installing this image in a container that is modifying the file.

Output of rpm -V:

RHEL system:

[root@RHEL72-20160609 ~]# rpm -V java-1.8.0-openjdk-headless-1.8.0.171-7.b10.el7.x86_64
[root@RHEL72-20160609 ~]# 


Example in container:

bash-4.2# rpm -V java-1.8.0-openjdk-headless-1.8.0.171-7.b10.el7.x86_64
.M.......  g /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
bash-4.2# 


Affected file in RHEL:

[root@RHEL72-20160609 ~]# ls -al /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
-r--r--r--. 1 root root 22282240 May 16 19:20 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
[root@RHEL72-20160609 ~]# 



Affected file in container:

bash-4.2# ls -al /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
-r--r--r--. 1 root root 22282240 May 17 13:01 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/amd64/server/classes.jsa
bash-4.2# 


I'm not sure why this is happening as I don't see any difference in permissions. It may be similar to this BZ:

https://bugzilla.redhat.com/show_bug.cgi?id=1481808

or this BZ

https://bugzilla.redhat.com/show_bug.cgi?id=1536129


Version-Release number of selected component (if applicable):


Packages affected:



How reproducible:

100% reproducable


Steps to Reproduce:
1. Build image using FROM registry.access.redhat.com/rhel7-atomic:7.5-217

2.docker run -it -t <image name> /bin/bash
3. rpm -Va 

Actual results:

See above


Expected results:

No output


Additional info:
Comment 2 jiri vanek 2018-05-17 16:54:14 UTC 
The file is for shared classes. it is supposed to be modified. Thats why it is marked as ghost only in the spec file. MAybe ths is casued by new rpm (rpm itself) in rhel 7.5?
Comment 3 Paul Christensen 2018-05-23 01:01:23 UTC 
Hi Jiri.

rpm -V isn't failing on other rpms in the container. So I don't think that rpm itself is the issue. If I build the container without that package and run rpm -v, it passes. 

Is there anything else I can try to debug this root cause?
Comment 4 jiri vanek 2018-05-23 12:14:05 UTC 
And are other rpms using the %ghost  which can get modified in runtime?
Imho rpm tool is to be blamed.  Before, it was ignoring modified ghost in -V,  but now it reports it...
Comment 6 Paul Christensen 2018-05-30 19:59:48 UTC 
Hi jiri.

Sorry for the late reply.

There are other files that are using %ghost and rpm verify does not fail on them:

For example, systemd has them and in my scan results, it does not fail. if I remove the java-1.8.0-openjdk-headless rpm, the image passes the scan.

bash-4.2# rpm -V systemd-219-57.el7.x86_64
.M.......  c /etc/machine-id
.M.......  g /etc/udev/hwdb.bin
.M.......  g /var/lib/systemd/random-seed
bash-4.2# 


There is something else that is changing when installed on a container classes.jsa and I don't think that it's the rpm tool.

How can I assist to troubleshoot the root cause?
Comment 7 jiri vanek 2018-05-31 12:09:27 UTC 
I really dont know.  I personally never worked with conatainers, so I dont knwo what they cnabe doing. It can be container engine, it can be rpm... Many changed  in 7.5

bash-4.2# rpm -V systemd-219-57.el7.x86_64
.M.......  c /etc/machine-id
.M.......  g /etc/udev/hwdb.bin
.M.......  g /var/lib/systemd/random-seed
bash-4.2# 

M stands for Modified? Of not, then.. Are theghosts really modified? I guess yes, but ensuring:(
Comment 8 Scott Dodson 2018-06-05 12:30:49 UTC 
man 8 rpm says M Mode differs (includes permissions and file type)

This happens even outside of a containerized environment.

sdodson@t460: ~$ rpm -V java-1.8.0-openjdk-headless
.M.......  g /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.172-1.b11.el7.x86_64/jre/lib/amd64/server/classes.jsa

The specfile says it should be 664 root,root but it's 444

-r--r--r--. 1 root root 22286336 May 22 11:26 /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.172-1.b11.el7.x86_64/jre/lib/amd64/server/classes.jsa
Comment 9 jiri vanek 2018-06-05 13:11:08 UTC 
Ok. Then the cause is probaby this restriction:
%attr(664, root, root) %ghost

Is been removed in rhel8 in favor if simple  "%ghost". By the chance, do you have chance to try rhel's openjdk8 build?
Comment 10 Scott Dodson 2018-06-05 17:17:48 UTC 
*** Bug 1569564 has been marked as a duplicate of this bug. ***
Comment 11 Scott Dodson 2018-06-05 17:18:37 UTC 
Sorry, no I can't test EL8 right now.
Comment 12 jiri vanek 2018-06-21 08:56:37 UTC 
https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/c/75dc799865967a7a43c8cec6e07cffa9eceeffe6?branch=master
https://src.fedoraproject.org/rpms/java-openjdk/c/88eeaff540e42b3b94659e05ab4f9002968893ca?branch=master

https://koji.fedoraproject.org/koji/taskinfo?taskID=27750336
https://koji.fedoraproject.org/koji/taskinfo?taskID=27750524

Fixes the problem. Will move it to rhels
Comment 14 Andrew John Hughes 2018-07-03 02:32:14 UTC 
*** Bug 1591400 has been marked as a duplicate of this bug. ***
Comment 21 errata-xmlrpc 2018-10-30 07:27:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3017