Open pki-bot opened 3 years ago
Comment from frenaud (@flo-renaud) at 2020-07-02 03:31:24
Also happened in PR #268 using fedora 32 + updates repo. Logs availble here
Comment from frenaud (@flo-renaud) at 2020-07-07 04:36:07
Comment from frenaud (@flo-renaud) at 2020-08-01 08:08:27
Also in PR #319 during the KRA installation. Logs available here
Comment from frenaud (@flo-renaud) at 2020-08-10 03:35:55
Similar issue seen in PR #335 during ipa-kra-install (setup of a clone KRA), using ipa-4-8 on fedora32 with the following logs:
java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/pki/server/webapps/pki/WEB-INF/lib/pki-cmsbundle.jar" "read")
Comment from frenaud (@flo-renaud) at 2020-08-20 03:15:03
Comment from frenaud (@flo-renaud) at 2020-08-26 13:39:30
@SilleBille @cipherboy the issue is not always happening but has been seen multiple times over the last 2 months. Do you have any idea what could be the root cause?
Comment from cipherboy (@cipherboy) at 2020-08-27 11:12:24
No; I've looked out for it when trying ipa-server-install
and pkispawn
across F31, F32, F32->F33 upgrades, and clean rawhide (F33/F34) installs as well. I've not been able to reproduce it on any of my virtual machines. They all start from a "clean" base image I keep with a minimal set of packages and users installed to allow me to run ansible scripts against them.
Endi has a similar error that manifested after I merged some v10.9
patches for JDK11 support, but his are on F31 running JDK8:
2020-08-24 09:49:24 [main] WARNING: Failed to scan [file:/usr/share/java/glassfish-jaxb/txw2-2.2.11.jar] from classloader hierarchy
java.io.FileNotFoundException: /usr/share/java/glassfish-jaxb/txw2-2.2.11.jar (No such file or directory)
at java.util.zip.ZipFile.open(Native Method)
at java.util.zip.ZipFile.<init>(ZipFile.java:225)
at java.util.zip.ZipFile.<init>(ZipFile.java:155)
at java.util.jar.JarFile.<init>(JarFile.java:166)
at java.util.jar.JarFile.<init>(JarFile.java:130)
...
This is because we now include an intentionally broken symlink on F31/F32:
lrwxrwxrwx. 1 root root system_u:object_r:lib_t:s0 22 Aug 27 10:00 jaxb-impl.jar -> JAXB_IMPL_JAR-NOTFOUND
However, I haven't been able to reproduce his issue either; all I get on my machines is:
Aug 27 10:44:00 fedora31-base server[47022]: WARNING: Problem with JAR file [/usr/share/pki/server/common/lib/jaxb-impl.jar], exists: [false], canRead: [false]
And there is no associated stack trace. The above message shows up in journalctl
, and no related messages show up under /var/log/pki
.
If either of you can get a VM with this issue reproducible, I'd be happy to take a look.
Comment from cipherboy (@cipherboy) at 2020-08-27 11:12:25
Metadata Update from @cipherboy:
Comment from cipherboy (@cipherboy) at 2020-08-27 11:14:50
(To clarify, by "now include ... on F31/F32" -- this is in upstream COPR; I have intentions of pushing a build to F31->F34 with these changes once we fix the upgrade path from {F31,F32} -> F33+).
Comment from frenaud (@flo-renaud) at 2020-08-28 04:20:03
Please see an additional failure in https://pagure.io/freeipa/issue/8476 with initial investigations. This time, the permission issue is reported on /usr/share/pki/server/webapps/pki/WEB-INF/lib/pki-cmsbundle.jar.
Comment from fcami (@fcami) at 2020-09-03 04:07:04
This is identical to https://pagure.io/dogtagpki/issue/3208
Comment from edewata (@edewata) at 2020-09-03 10:11:23
@csutherl, have you seen this intermittent AccessControlException when loading web application libraries? Any idea what might have caused it?
Comment from csutherl at 2020-09-03 14:52:19
I don't think I've ever seen an intermittent AccessControlException. In my experience as long as the java security policy allows the file to be read it works :) Maybe there is something going on in the classloading that's causing that to be missed somehow though; I'll look into it a bit and see what I can find.
This issue was migrated from Pagure Issue #3182. Originally filed by frenaud (@flo-renaud) on 2020-06-29 10:39:14:
The nightly tests for freeipa (using the repo updates-testing) failed in ipa-ca-install on the replica, in the pkispawn step. See the PR 262 with the logs for test_clrgen_manage test.
Logs on the replica for pki-ca-spawn :
Logs on the master for the corresponding call pki/pki-tomcat/pki/debug:
Please note the exception also reported in the master's journal:
Installed versions: