biemond / biemond-jdk7 Goto Github PK

So, it seems like if a JDK version already has a US_export_policy.jar, then the JCE will not be updated.

The problem is in this line: https://github.com/biemond/biemond-jdk7/blob/master/manifests/config/javaexec.pp#L57

We installed some flavors of Oracle JDK, and they already come with this file, so the untar never occurs.

The unless part of 'java alternatives ${title}' checks for existence of alternatives entry, but does not check if priority is similar.
Thus if there is an entry with different priority or no priority, the 'command' is not executed.
Tested on centos 7, with puppet 3.7.4

On Redhat systems, chkconfig path should be /sbin/chkconfig

https://github.com/biemond/biemond-jdk7/blob/master/manifests/urandomfix.pp#L45
https://github.com/biemond/biemond-jdk7/blob/master/manifests/urandomfix.pp#L47

Hi Edwin,

How do I prevent the module from downloading the tarball to the local folder ?

I have currently setup "source_path" and "download_dir". I dont want it to download the file to the "download_dir"

If I dont specify "download_dir" it simply defaults to "/install" and fails with following exception :

Notice: /Stage[main]/Safeway::Ohs::Install_jdk7/Jdk7::Install7[jdk1.7.0_91]/Exec[create /install directory]/returns: mkdir: cannot create directory ‘/install’: Permission denied
Error: mkdir -p /install returned 1 instead of one of [0]
Error: /Stage[main]/Safeway::Ohs::Install_jdk7/Jdk7::Install7[jdk1.7.0_91]/Exec[create /install directory]/returns: change from notrun to 0 failed: mkdir -p /install returned 1 instead of one of [0]

Version 8u151 introduces a new feature whereby the JCE jurisdiction policy files used by the JDK can be controlled via a new Security property. The download and install steps are no longer necessary. To enable unlimited cryptography, one can use the new crypto.policy Security property. If the new Security property (crypto.policy) is set in the java.security file, that setting will be honored. By default, the property will be undefined. If the property is undefined and the legacy JCE jurisdiction files don't exist in the legacy lib/security directory, then the default cryptographic level will remain at 'limited'. To configure the JDK to use unlimited cryptography, set the crypto.policy to a value of 'unlimited'.

But on version 8u161, while it maintain the logic of version 8u151, the default if the property is undefined is unlimited.

Due to this differences in recent versions, i think there is a need to add a way to add and change the value of this new property.

I jave been trying to do it without relying on other modules (such as stdlib with file_line), but the best approach I found is to use something similar to the Exec used for setting urandom, with a sed to replace the property. The problem is that in all versions starting from 8u151, the property is not defined and it only appears commented, making it only posible to uncoment and define once, but once its defined, the same exec wont work. Would it be possible to add the stdlib module as a dependency for this?

it will be optimum if the JAVA_HOME is also set via this module. I have been struggling with install7.pp file to get this feature in but may be ruby files needs to be changed. If you have suggestion please reply.

So,

I am using a module very similar to this one, does the same things with urandomfix etc. When I run with jdk 1.7.0_67, urandomfix stuff only executes once (the first run). But, running with jdk 1.8.0_25 , urandomfix executes each run.

[root@<host> ~]# cat /app/java/jdk1.7.0_67/jre/lib/security/java.security | grep securerandom
# the securerandom.source property. If an exception occurs when
securerandom.source=file:/dev/./urandom
# Specifying this system property will override the securerandom.source
[root@<host> ~]# cat /app/java/jdk1.8.0_25/jre/lib/security/java.security | grep securerandom
# specified by the "securerandom.source" Security property.  If an
# "securerandom.source" Security property.
securerandom.source=file:/dev/random
securerandom.strongAlgorithms=NativePRNGBlocking:SUN

Is there possibly a problem with the unless statement or the sed replacement in later Java versions (8+)?

https://github.com/biemond/biemond-jdk7/blob/master/manifests/urandomfix.pp#L47

Nested double and single quotes are causing the search to fail?

Error: /Stage[main]/Jdk7::Urandomfix/Exec[chkconfig rngd]: Could not evaluate: Could not find command 'chkconfig | /bin/grep '

When I set the entry "cryptography_extension_file => 'UnlimitedJCEPolicyJDK7.zip'," it just does not work. Any idea on how to fix this ?

As shown below, it looks like its trying to extract to the exact same folder

Info: /Stage[main]/mw::Ohs::Install_jdk7/Jdk7::Install7[jdk1.7.0_91]/Jdk7::Config::Javaexec[jdkexec jdk1.7.0_91 7u91]/Exec[extract jce jdk1.7.0_91]: Scheduling refresh of Exec[Move jce jdk1.7.0_91 jar files to /opt/jdk1.7.0_91/jre/lib/security]
Notice: /Stage[main]/mw::Ohs::Install_jdk7/Jdk7::Install7[jdk1.7.0_91]/Jdk7::Config::Javaexec[jdkexec jdk1.7.0_91 7u91]/Exec[Move jce jdk1.7.0_91 jar files to /opt/jdk1.7.0_91/jre/lib/security]/returns: find: Failed to change directory: Permission denied
Notice: /Stage[main]/mw::Ohs::Install_jdk7/Jdk7::Install7[jdk1.7.0_91]/Jdk7::Config::Javaexec[jdkexec jdk1.7.0_91 7u91]/Exec[Move jce jdk1.7.0_91 jar files to /opt/jdk1.7.0_91/jre/lib/security]/returns: find: Failed to change directory: Permission denied
Notice: /Stage[main]/mw::Ohs::Install_jdk7/Jdk7::Install7[jdk1.7.0_91]/Jdk7::Config::Javaexec[jdkexec jdk1.7.0_91 7u91]/Exec[Move jce jdk1.7.0_91 jar files to /opt/jdk1.7.0_91/jre/lib/security]/returns: find: failed to restore initial working directory: Permission denied
Error: /Stage[main]/mw::Ohs::Install_jdk7/Jdk7::Install7[jdk1.7.0_91]/Jdk7::Config::Javaexec[jdkexec jdk1.7.0_91 7u91]/Exec[Move jce jdk1.7.0_91 jar files to /opt/jdk1.7.0_91/jre/lib/security]: Failed to call refresh: find /opt/jdk1.7.0_91/jre/lib/security -mindepth 2 -name '.jar' -exec mv '{}' /opt/jdk1.7.0_91/jre/lib/security ';' returned 1 instead of one of [0]
Error: /Stage[main]/mw::Ohs::Install_jdk7/Jdk7::Install7[jdk1.7.0_91]/Jdk7::Config::Javaexec[jdkexec jdk1.7.0_91 7u91]/Exec[Move jce jdk1.7.0_91 jar files to /opt/jdk1.7.0_91/jre/lib/security]: find /opt/jdk1.7.0_91/jre/lib/security -mindepth 2 -name '.jar' -exec mv '{}' /opt/jdk1.7.0_91/jre/lib/security ';' returned 1 instead of one of [0]

tart should be start in urandomfix.pp

When running puppet one time, the /usr/java/latest and /usr/java/default links are created successfully. However, when I run puppet with a newer java version with the "default_links=true" option, the links DO NOT get updated to link to the latest version due to the puppet file code at https://github.com/biemond/biemond-jdk7/blob/master/manifests/config/javaexec.pp#L85.

I believe by definition that the latest link should always point to the newest version in the directory. If this is not a desired option, then the application should not use the latest link but the java links should still switch.