Open dwservice opened 4 years ago
Grant permission of the netty-tcnative library file to the non-root user.
Is it OpenSSL Dynamic, OpenSSL Static or BoringSSL Static?
OpenSSL Static
Maven project?
No. I've compiled it.
Did you try chmod 777 on OpenSSL-Static, test.crt and test.key?
Yes for test.crt and test.key, but OpenSSL-Static is embedded in netty-tcnative.jar. I've taken a look at the netty-tcnative source and the issue doesn't seem to be when reading the certificate but just when initializing io.netty.handler.ssl.OpenSsl for the first time. Anyway my application works fine and the certificate is loaded correctly.
Add this code at the top: OpenSsl.ensureAvailability();
I get the same warning but the stack trace is shorter:
    WARNING: Failed to get the list of available OpenSSL cipher suites.
    java.lang.Exception: Invalid format (error:0200100D:system library:fopen:Permission denied)
        at io.netty.internal.tcnative.SSL.parseX509Chain(Native Method)
        at io.netty.handler.ssl.OpenSsl.
Use Log4j2 at DEBUG level with the root logger, log everything, put it in a file and upload it here.
OK. Anyway the error is when initializing OpenSsl. So now the test example to reproduce it is this:
    import io.netty.handler.ssl.*;

    public class Test {
        public static void main(String[] ar) {
            // Forces the static initializer of OpenSsl to run; the warning appears here.
            OpenSsl.ensureAvailability();
        }
    }
Tried reproducing with the latest commit and it works fine. Can you try with 2.0.30.Final release?
I compiled it a week ago without choosing a tag/snapshot, so it's the latest version I think:
    git clone https://github.com/netty/netty-tcnative.git
    cd netty-tcnative
    ./mvnw clean install
Have you run your test as a NOT-root user?
Sorry for the delay. Little busy temporarily. I'll test it as non-root user soon and let you know.
Working fine as non-root user.
Thanks for your test. What is your software configuration? Here is my configuration:
    LINUX: CentOS Linux release 7.7.1908 (Core)
    JAVA: OpenJDK 1.8.0_242 (IcedTea 3.15.0)
    NETTY: 4.1.48
    NETTY TCNATIVE: 2.0.31 (openssl-static 1.1.1e)
    Linux hyperxpro 5.3.0-46-generic #38~18.04.1-Ubuntu SMP Tue Mar 31 04:17:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    openjdk version "11.0.6" 2020-01-14 LTS
    Netty 4.1.48.Final
    Netty-TCNative 2.0.30 (openssl-static 1.1.1f)
SELinux is disabled btw.
I've tried a new configuration but the warning is still there:
    Linux CentOS 8 (4.1.18-147.5.1.el8_1)
    openjdk version "11.0.6" 2020-01-14 LTS
    Netty 4.1.48.Final
    Netty-TCNative 2.0.30 (openssl-static 1.1.1f)
    SELinux disabled
    Linux user not root
Anyway this warning doesn't seem to cause problems for the application, so I won't worry about it. Thanks for your help.
@normanmaurer Can you have a look?
@dwservice you probably have /tmp mounted as noexec; try setting java.io.tmpdir to a path that your user has permissions to, e.g. java.io.tmpdir=/home/my_user/tmp
Netty is supposed to have io.netty.util.internal.NativeLibraryLoader.NoexecVolumeDetector but it doesn't seem to be doing its job.
@johnou I've tried it, unfortunately it doesn't solve the problem.
Can you provide a docker image that reproduces this issue @dwservice?
@normanmaurer here is the docker image:
https://www.dwservice.net/5ro495x7m4sanytb0y2362vg8r7q1p1c3qwonj7r.dlk (Public Folder / dockerimage.gz)
    su test
    cd /home/test/
    ./run.sh
Thanks
I met the same, and it looks like the reason is that the user running the program has no permission to read the directory where netty-tcnative-openssl-static was built. If you build netty-tcnative-openssl-static under /root and run the program with user admin, for example, the permission denied exception comes out. OpenSSL tries to read some files under /root and that is where the exception comes out. It looks like it's about the openssldir in the pom. For me it's /root/netty-tcnative-netty-tcnative-parent-2.0.61.Final/openssl-static/target/openssl. I guess this is where openssl tries to read the file openssl.cnf:
    /* Return default config file name */
    char *CONF_get1_default_config_file(void)
    {
        const char *t;
        char *file;
        size_t size;

        /* An OPENSSL_CONF environment variable overrides the compiled-in path */
        if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL)
            return OPENSSL_strdup(file);

        /* Otherwise the file is <openssldir>/openssl.cnf */
        t = X509_get_default_cert_area();
        size = strlen(t) + strlen("/") + strlen(OPENSSL_CONF) + 1;
        file = OPENSSL_malloc(size);
        if (file == NULL)
            return NULL;
        BIO_snprintf(file, size, "%s/%s", t, OPENSSL_CONF);
        return file;
    }
I don't have the details of how and why the openssl code tries to read /root/netty-tcnative-netty-tcnative-parent-2.0.61.Final/openssl-static/target/openssl/openssl.cnf. Maybe someone can comment on it.
Btw, mine is 2.0.61.Final.
@normanmaurer @dwservice @hyperxpro
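As an added example (not code from netty-tcnative or from anyone in this thread), the POSIX shell script below checks both causes raised above before a Netty application is started as a non-root user: the noexec java.io.tmpdir that @johnou suggested, and the openssl.cnf under the compiled-in openssldir that the previous comment traces to CONF_get1_default_config_file. The openssldir, tmpdir and /proc/mounts contents it uses are constructed for the demo; on a real build, `openssl version -d` prints the compiled-in OPENSSLDIR and the third argument to `diagnose` is dropped so that the real /proc/mounts is read.

```shell
#!/bin/sh
# Added diagnostic, not code from netty-tcnative or the thread's authors.
# 1. OpenSSL opens $OPENSSL_CONF, else <openssldir>/openssl.cnf (mirroring
#    CONF_get1_default_config_file); if the service user cannot traverse the
#    directories or read the file, fopen fails with "Permission denied".
# 2. If java.io.tmpdir sits on a noexec mount, the native library that
#    netty-tcnative extracts there cannot be loaded.

# Print the config path OpenSSL will try to open. $1: compiled-in openssldir.
resolve_openssl_conf() {
    if [ -n "${OPENSSL_CONF+set}" ]; then   # env var set (even if empty) wins
        printf '%s\n' "$OPENSSL_CONF"
    else
        printf '%s/openssl.cnf\n' "$1"
    fi
}

# Walk an absolute path from / downwards as the current user and print the
# first component that cannot be traversed (directories need +x) or read
# (the final file needs +r); print "ok" if the whole chain is accessible.
# Root bypasses these checks, so run this as the service user (e.g. su test).
first_unreadable_component() {
    path=$1
    acc=""
    old_ifs=$IFS
    IFS=/
    for part in $path; do
        IFS=$old_ifs
        [ -n "$part" ] || continue
        acc="$acc/$part"
        if [ "$acc" = "$path" ]; then
            [ -r "$acc" ] || { printf '%s\n' "$acc"; return 1; }
        else
            [ -x "$acc" ] || { printf '%s\n' "$acc"; return 1; }
        fi
    done
    IFS=$old_ifs
    printf 'ok\n'
}

# Return 0 when the mount holding $1 carries the noexec option.
# $2: file in /proc/mounts format (default /proc/mounts; the demo and the
# test pass a constructed sample so the result does not depend on the host).
is_noexec_mount() {
    path=$1
    mounts=${2:-/proc/mounts}
    [ -r "$mounts" ] || return 1
    best=""
    bestopts=""
    while read -r _dev mnt _fstype opts _rest; do
        case "$path" in
            "$mnt"|"${mnt%/}"/*)
                # the longest matching mount point is the one that holds the path
                if [ ${#mnt} -gt ${#best} ]; then
                    best=$mnt
                    bestopts=$opts
                fi ;;
        esac
    done < "$mounts"
    case ",$bestopts," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summary for the current user. $1: openssldir, $2: java.io.tmpdir,
# $3: optional mounts file (testing only).
diagnose() {
    conf=$(resolve_openssl_conf "$1")
    printf 'OpenSSL default config: %s\n' "$conf"
    if blocker=$(first_unreadable_component "$conf"); then
        printf '  readable by %s\n' "$(id -un)"
    else
        printf '  blocked at %s: expect "fopen:Permission denied"; set OPENSSL_CONF to a readable file or rebuild with a readable openssldir\n' "$blocker"
    fi
    if is_noexec_mount "$2" "$3"; then
        printf 'java.io.tmpdir=%s is on a noexec mount: point it at a writable directory on an exec-allowed mount\n' "$2"
    else
        printf 'java.io.tmpdir=%s: exec allowed\n' "$2"
    fi
}

# Constructed /proc/mounts sample (not captured from a real host); prints its path.
write_sample_mounts() {
    f=$(mktemp)
    printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0' \
        '/dev/sda2 /home ext4 rw,relatime 0 0' > "$f"
    printf '%s\n' "$f"
}

# Demo with assumed paths: a build under /root, as in the thread, and two tmpdirs.
SAMPLE=$(write_sample_mounts)
diagnose /root/netty-tcnative/openssl-static/target/openssl /tmp "$SAMPLE"
diagnose /root/netty-tcnative/openssl-static/target/openssl /home/test/tmp "$SAMPLE"
rm -f "$SAMPLE"
```

The permission walk is deliberately component by component: the thread's failure is not the config file's own mode but the 0700 /root directory above it, and only a traversal check exposes that. Because root satisfies every DAC check, the script only says something useful when run as the account that will actually run the JVM.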
Hi, I get a warning when I run my application as a NOT-root user under Linux CentOS 7 and OpenJDK 1.8.0_242 (IcedTea 3.15.0). I use netty-tcnative openssl-static 1.1.1e. This is the warning:
    WARNING: Failed to get the list of available OpenSSL cipher suites.
    java.lang.Exception: Invalid format (error:0200100D:system library:fopen:Permission denied)
        at io.netty.internal.tcnative.SSL.parseX509Chain(Native Method)
        at io.netty.handler.ssl.OpenSsl.<clinit>(OpenSsl.java:242)
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext.<init>(ReferenceCountedOpenSslContext.java:196)
        at io.netty.handler.ssl.OpenSslContext.<init>(OpenSslContext.java:43)
        at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:346)
        at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:334)
        at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:471)
        at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:571)
        at Test.main(Test.java:11)
The application seems to work fine, but I wonder if it's possible to avoid this warning, or should I just ignore it? Here is a simple example in order to reproduce the issue:
    COMPILE IT: javac -cp netty.jar:netty-tcnative.jar Test.java
    RUN IT (important: NOT as root user): java -cp netty.jar:netty-tcnative.jar:. Test
Thank you, Danilo