biemond / biemond-jdk7

Puppet JDK7 module optimized for Oracle
Apache License 2.0

urandom fix running with every puppet run #8

Closed adamjk-dev closed 9 years ago

adamjk-dev commented 9 years ago

So,

I am using a module very similar to this one, does the same things with urandomfix etc. When I run with jdk 1.7.0_67, urandomfix stuff only executes once (the first run). But, running with jdk 1.8.0_25 , urandomfix executes each run.

[root@<host> ~]# cat /app/java/jdk1.7.0_67/jre/lib/security/java.security | grep securerandom
# the securerandom.source property. If an exception occurs when
securerandom.source=file:/dev/./urandom
# Specifying this system property will override the securerandom.source
[root@<host> ~]# cat /app/java/jdk1.8.0_25/jre/lib/security/java.security | grep securerandom
# specified by the "securerandom.source" Security property.  If an
# "securerandom.source" Security property.
securerandom.source=file:/dev/random
securerandom.strongAlgorithms=NativePRNGBlocking:SUN

Is there possibly a problem with the unless statement or the sed replacement in later Java versions (8+)?

adamjk-dev commented 9 years ago

I think the issue might be the default value for the JDK 8 version that gets extracted, the sed replacement command seems too restrictive:

The java.security file as comes out of the JDK 8 tarball:

[root@<host> jdk]# cat /app/java/jdk1.8.0_25/jre/lib/security/java.security | grep securerandom
# specified by the "securerandom.source" Security property.  If an
# "securerandom.source" Security property.
securerandom.source=file:/dev/random
securerandom.strongAlgorithms=NativePRNGBlocking:SUN

So, the file starts with: "/dev/random", but the sed replacement looks for "/dev/urandom", and it doesn't seem to catch.

Should we consider moving the sed replacement to be more open, to something like:

command => "sed -i -e's/securerandom.source=file:\\/dev\\/*random/securerandom.source=file:\\/dev\\/.\\/urandom/g' ${javaHomes}/${fullVersion}/jre/lib/security/java.security",

adamjk-dev commented 9 years ago

Also, I wonder why we move the file from /dev/urandom to /dev/./urandom, aren't these effectively the same thing?

Shouldn't we just point the file to /dev/urandom regardless of what it started out as?

biemond commented 9 years ago

This is a quickfix for java ( and dev/./ works even when it is the same ), it won't help you with openssl etc.

So install the rng service instead of the urandomfix; this will fix entropy for all programs. class { 'jdk7::urandomfix' :}

adamjk-dev commented 9 years ago

http://docs.oracle.com/cd/E13209_01/wlcp/wlss30/configwlss/jvmrand.html

We should just be able to update the sed call too though, right?

biemond commented 9 years ago

http://theheat.dk/blog/?p=1539 this is better

adamjk-dev commented 9 years ago

So, if you do the rng daemon, does the setting in the java.security file still take place? In other words, with or without the RNG daemon running, do we need to set the right value in the java.security file (since it fails to match with JDK 8, which starts with /dev/random)?

biemond commented 9 years ago

No need for that when you got the rng service. It will monitor the entropy and add new ones when it almost goes empty.

adamjk-dev commented 9 years ago

I would think we would still want to fix the sed command right, since it fails either way, and it is up to the consumer of the module as to whether or not they use the RNG daemon?

Something like this ought to cover all cases I would imagine:

command => "sed -i -e's/^securerandom.source=.*/securerandom.source=file:\\/dev\\/.\\/urandom/g' ${javaHomes}/${fullVersion}/jre/lib/security/java.security",

I got the above to work.
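The two sed patterns discussed in this thread, checked side by side, as an added example that is not part of the module or of anyone's comment above. The `JDK7_SAMPLE` and `JDK8_SAMPLE` strings are constructed from the grep output quoted earlier; `narrow_fix` is the original pattern that only knows `/dev/urandom`, `anchored_fix` is the `^securerandom.source=.*` pattern, and `already_fixed` is the kind of check a Puppet `unless` needs so the exec stops re-running once the file is correct.

```shell
#!/bin/sh
# Added example, not the module's own code: exercise the sed patterns from the
# thread against constructed java.security snippets for JDK 7 and JDK 8.

# Constructed JDK 7 snippet: the value the original sed pattern expects.
JDK7_SAMPLE='# the securerandom.source property. If an exception occurs when
securerandom.source=file:/dev/urandom
# Specifying this system property will override the securerandom.source'

# Constructed JDK 8 snippet: ships with the blocking /dev/random source.
JDK8_SAMPLE='# specified by the "securerandom.source" Security property.  If an
securerandom.source=file:/dev/random
securerandom.strongAlgorithms=NativePRNGBlocking:SUN'

# Original, narrow pattern: only rewrites a file that already says /dev/urandom.
narrow_fix() {
    printf '%s\n' "$1" | sed -e 's/securerandom.source=file:\/dev\/urandom/securerandom.source=file:\/dev\/.\/urandom/g'
}

# Anchored pattern from the thread: rewrites whatever value the line carries,
# and leaves the commented mentions of securerandom.source untouched.
anchored_fix() {
    printf '%s\n' "$1" | sed -e 's/^securerandom.source=.*/securerandom.source=file:\/dev\/.\/urandom/g'
}

# Return the effective securerandom.source value from a java.security body.
source_value() {
    printf '%s\n' "$1" | sed -n 's/^securerandom.source=//p'
}

# The check a Puppet `unless` should make: succeed only when the file is
# already in the desired state, so the exec does not run on every agent run.
already_fixed() {
    printf '%s\n' "$1" | grep -q '^securerandom.source=file:/dev/./urandom$'
}

# Print the outcome of each pattern against each sample.
demo() {
    printf 'JDK7, narrow pattern:   %s\n' "$(source_value "$(narrow_fix "$JDK7_SAMPLE")")"
    printf 'JDK8, narrow pattern:   %s\n' "$(source_value "$(narrow_fix "$JDK8_SAMPLE")")"
    printf 'JDK7, anchored pattern: %s\n' "$(source_value "$(anchored_fix "$JDK7_SAMPLE")")"
    printf 'JDK8, anchored pattern: %s\n' "$(source_value "$(anchored_fix "$JDK8_SAMPLE")")"
}

demo
```

The narrow pattern leaves the JDK 8 file at `file:/dev/random`, so a resource whose `unless` looks for `/dev/./urandom` never becomes satisfied and the exec fires on every run, which is the symptom reported at the top of this issue. The anchored pattern converges both files to the same value, and applying it a second time is a no-op, so the `already_fixed` check is what makes the resource idempotent.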

biemond commented 9 years ago

Done,

thanks again. I pushed a new version

adamjk-dev commented 9 years ago

Great, thank you sir. I have a local module so I updated mine. We stole your code and worked from there :)

nanliu commented 9 years ago

@biemond, blacksmith bumped the version, but the release v0.4.11 git tag has not been pushed to github.

biemond commented 9 years ago

yeah I did that wrong. Everything is there on git and forge but I will push it again.