Closed adamjk-dev closed 9 years ago
I think the issue might be the default value for the JDK 8 version that gets extracted; the sed replacement command seems too restrictive:
The java.security file as it comes out of the JDK 8 tarball:
```
[root@<host> jdk]# cat /app/java/jdk1.8.0_25/jre/lib/security/java.security | grep securerandom
# specified by the "securerandom.source" Security property. If an
# "securerandom.source" Security property.
securerandom.source=file:/dev/random
securerandom.strongAlgorithms=NativePRNGBlocking:SUN
```
So, the file starts with: "/dev/random", but the sed replacement looks for "/dev/urandom", and it doesn't seem to catch.
Should we consider moving the sed replacement to be more open, to something like:
```
command => "sed -i -e's/securerandom.source=file:\\/dev\\/*random/securerandom.source=file:\\/dev\\/.\\/urandom/g' ${javaHomes}/${fullVersion}/jre/lib/security/java.security",
```
Also, I wonder why we move the file from /dev/urandom to /dev/./urandom, aren't these effectively the same thing?
Shouldn't we just point the file to /dev/urandom regardless of what it started out as?
This is a quick fix for Java (and dev/./ works even when it is the same); it won't help you with openssl etc.
So install the rng service instead of the urandomfix; this will fix entropy for all programs. class { 'jdk7::urandomfix' :}
http://docs.oracle.com/cd/E13209_01/wlcp/wlss30/configwlss/jvmrand.html
We should just be able to update the sed call too though, right?
http://theheat.dk/blog/?p=1539 this is better
So, if you do the rng daemon, does the setting in the java.security file still take place? In other words, with or without the RNG daemon running, do we need to set the right value in the java.security file (since it fails to match with JDK 8, which starts with /dev/random)?
No need for that when you've got the rng service. It will monitor the entropy and add new ones when it almost goes empty.
I would think we would still want to fix the sed command right, since it fails either way, and it is up to the consumer of the module as to whether or not they use the RNG daemon?
Something like this ought to cover all cases I would imagine:
```
command => "sed -i -e's/^securerandom.source=.*/securerandom.source=file:\\/dev\\/.\\/urandom/g' ${javaHomes}/${fullVersion}/jre/lib/security/java.security",
```
I got the above to work.
Done,
thanks again. I pushed a new version
Great, thank you sir. I have a local module so I updated mine. We stole your code and worked from there :)
@biemond, blacksmith bumped the version, but the release v0.4.11 git tag has not been pushed to GitHub.
Yeah, I did that wrong. Everything is there on git and forge, but I will push it again.
So,
I am using a module very similar to this one; it does the same things with urandomfix etc. When I run with jdk 1.7.0_67, urandomfix stuff only executes once (the first run). But, running with jdk 1.8.0_25, urandomfix executes each run.
Is there possibly a problem with the unless statement or the sed replacement in later Java versions (8+)?
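As an added example that is not code from the module or from anyone in this thread, the shell functions below pair the anchored replacement proposed in the thread with a guard on the final value, so the rewrite happens once and later runs are no-ops whether the file starts at /dev/random or /dev/urandom. The function names and the sample file are assumptions; the module's own unless statement is not shown on this page.

```shell
#!/bin/sh
# Added example, not the module's code. WANT is the value the thread settles on.
WANT='securerandom.source=file:/dev/./urandom'

# Guard, playing the role of Puppet's "unless" (the module's real guard is
# not shown in the thread): true only when the active property line already
# has exactly the wanted value.
securerandom_is_fixed() {
    grep -qxF "$WANT" "$1"
}

# Rewrite the property whatever its current value. Anchoring on
# ^securerandom.source= skips the "# ..." comment lines and the
# securerandom.strongAlgorithms line.
fix_securerandom() {
    if securerandom_is_fixed "$1"; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp) || return 1
    sed -e 's|^securerandom\.source=.*|'"$WANT"'|' "$1" > "$tmp" &&
        cat "$tmp" > "$1"    # cat keeps the original file's owner and mode
    rc=$?
    rm -f "$tmp"
    # Report success only if the guard now holds; a file with no active
    # securerandom.source line fails here instead of re-running silently.
    [ "$rc" -eq 0 ] && securerandom_is_fixed "$1" && echo changed
}

# Constructed sample: property lines as quoted in the thread, with $1 as the
# device name (random = JDK 8 default shown above, urandom = what the
# original sed looked for).
make_sample() {
    printf '%s\n' \
        '# "securerandom.source" Security property.' \
        "securerandom.source=file:/dev/$1" \
        'securerandom.strongAlgorithms=NativePRNGBlocking:SUN'
}

f=$(mktemp)
for v in random urandom; do
    make_sample "$v" > "$f"
    echo "$v: first=$(fix_securerandom "$f") second=$(fix_securerandom "$f")"
done
rm -f "$f"
```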