Minor issue in docker file for jvm and fast-jar.

[Jonas Flygare]

While debugging an crypto issue with connecting to a legacy system I found a minor error in the docker file provided with the project.

The RUN command ends with ensuring /dev/urandom is used as seen below:

RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \
(...)

    && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/lib/security/java.security

The problem with this is that java.security lives in another location nowadays, /lib/jvm/default-java/conf/security/java.security

This creates an "dead" java.security with just the line "securerandom.source=file:/dev/urandom" that is not used by the JDK/JRE and the intended configuration is lost as the file will not be used.

On an additional note, openJDK introduces one extra security policy file in /etc/crypto-policies/back-ends/java.config that is read after the conf/security/java.security and any overriding file given by -Djava.security.properties=<URL> on command line.
This extra file is usually not present in a standard system, but it IS present in the image used to run Java, which means that any attempt to override the crypto policies "the normal way" will be overriden by the system java.config file.

There's a good writeup on the system java.config file here:
https://asamalik.fedorapeople.org/fedora-docs-antora/en_US/fedora/rawhide/r
elease-notes/sysadmin/Security/

[Emmanuel Bernard]

Thanks Jonas for this detailed write up, do you mind opening a GitHub issue so we are properly following this?

--
You received this message because you are subscribed to the Google Groups "Quarkus Development mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to quarkus-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/quarkus-dev/7ea70697-c61c-4f0a-b55a-4c6dad688acfn%40googlegroups.com.

[Guillaume Smet]

On Tue, Apr 13, 2021 at 12:30 PM Jonas Flygare <jonas....@gmail.com> wrote:

The problem with this is that java.security lives in another location nowadays, /lib/jvm/default-java/conf/security/java.security

When you say "nowadays", it includes the UBI image we are using?

Maybe you could even come up with a PR given it seems you have it all figured out? :)

Thanks!

--

Guillaume

[Jonas Flygare]

I've made an attempt, first issue for me in GitHub so I hope it's readable.

--

--
It is never too late to have a happy childhood.

[Max Rydahl Andersen]

On 13 Apr 2021, at 14:16, Jonas Flygare wrote:

> I've made an attempt, first issue for me in GitHub so I hope it's
> readable.

thanks Jonas - https://github.com/quarkusio/quarkus/issues/16471 is the
issue. lets continue discussion there.

/max

>>> <https://groups.google.com/d/msgid/quarkus-dev/7ea70697-c61c-4f0a-b55a-4c6dad688acfn%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .

>>>
>>
>
> --
>
> --
> It is never too late to have a happy childhood.
>

> --
> You received this message because you are subscribed to the Google
> Groups "Quarkus Development mailing list" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to quarkus-dev...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/quarkus-dev/CAPvNg-GcoB-u2qu8xwTDu5KOQHP1BH3C0BsOT9mZ3D8u-3J_Ag%40mail.gmail.com.


/max
https://xam.dk/about