openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #14569
[Bug 2019908] Re: openjdk-17-jre-headless:arm64 Package ca-certificates-java is not configured yet
old patch (extra whitespace present)
** Description changed:
[Impact]
Due to OpenJDK changes[1] it is impossible to install JRE 17 in
supported releases below Lunar (Kinetic, Jammy, Focal, Bionic) on amd64,
arm64 platform due to the configuration order (see comment)
A system with a pre-installed default JRE (e.g. JRE 11 in Jammy) is not
affected.
[Suggested Fix]
Backport
- https://code.launchpad.net/~vpa1977/ubuntu/+source/ca-certificates-java/+git/ca-certificates-java/+merge/438150
This merge proposal:
- removes dependency on JRE
- fixes command line for keytool call
- add autopkgtests
[Test Plan]
- autopkgtests must pass for all platforms
+ - Test package install in lxc container and ensure that race condition is reproduced for each release - ca-certificates java are configured before openjdk
+
+ ----------------------cut------------------------------------
+ for release in bionic focal jammy kinetic; do
+ echo !!!!!!!!!!!!!!${release}!!!!!!!!!!!!!!!!!!!!
+ lxc launch images:ubuntu/${release} lp2019908
+ lxc exec lp2019908 -- apt install software-properties-common
+ lxc exec lp2019908 -- add-apt-repository ppa:vpa1977/ca-certificates-java-patch
+ lxc exec lp2019908 -- apt-get update
+ lxc exec lp2019908 -- apt-get -y install openjdk-17-jre-headless
+ lxc stop lp2019908
+ lxc delete lp2019908
+ echo !!!!!!TEST DONE for ${release}!!!!!!!!!
+ done
+ ----------------------cut------------------------------------
[Where problems could occur]
- A java version which does not contain a call to ca-certificates-java trigger will not update/refresh certificates.
- Those are 13(focal), 16 (focal) 18 (jammy and up), 19 (jammy and up). They are no longer supported and this behaviour can be ignored.
+ The fix copies java.security but do not touch other files.
+ While this release can be tested, we are not protected from similiar regressions.
+
[Original report]
From May-16 below is failing:
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install --yes --no-install-recommends \
openjdk-17-jre-headless
#7 111.8 head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory
#7 111.9 Exception in thread "main" java.lang.InternalError: Error loading java.security file
#7 111.9 at java.base/java.security.Security.initialize(Security.java:106)
#7 111.9 at java.base/java.security.Security$1.run(Security.java:84)
#7 111.9 at java.base/java.security.Security$1.run(Security.java:82)
#7 111.9 at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
#7 111.9 at java.base/java.security.Security.<clinit>(Security.java:82)
#7 111.9 at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
#7 111.9 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
#7 111.9 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
#7 111.9 at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
#7 111.9 at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
#7 111.9 at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
#7 111.9 at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
#7 111.9 at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
#7 111.9 at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
#7 111.9 at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
#7 111.9 at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
#7 111.9 dpkg: error processing package ca-certificates-java (--configure):
#7 111.9 installed ca-certificates-java package post-installation script subprocess returned error exit status 1
#7 111.9 dpkg: dependency problems prevent configuration of openjdk-17-jre-headless:arm64:
#7 111.9 openjdk-17-jre-headless:arm64 depends on ca-certificates-java (>= 20190405~); however:
#7 111.9 Package ca-certificates-java is not configured yet.
#7 111.9
#7 111.9 dpkg: error processing package openjdk-17-jre-headless:arm64 (--configure):
#7 111.9 dependency problems - leaving unconfigured
#7 111.9 Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
#7 111.9 Processing triggers for ca-certificates (20211016ubuntu0.22.04.1) ...
#7 111.9 Updating certificates in /etc/ssl/certs...
#7 112.2 0 added, 0 removed; done.
#7 112.2 Running hooks in /etc/ca-certificates/update.d...
#7 112.2
#7 112.2 Exception in thread "main" java.lang.InternalError: Error loading java.security file
#7 112.2 at java.base/java.security.Security.initialize(Security.java:106)
#7 112.2 at java.base/java.security.Security$1.run(Security.java:84)
#7 112.2 at java.base/java.security.Security$1.run(Security.java:82)
#7 112.2 at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
#7 112.2 at java.base/java.security.Security.<clinit>(Security.java:82)
#7 112.2 at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
#7 112.2 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
#7 112.2 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
#7 112.2 at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
#7 112.2 at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
#7 112.2 at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
#7 112.2 at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
#7 112.2 at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
#7 112.2 at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
#7 112.2 at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
#7 112.2 at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
#7 112.2 E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
#7 112.2 done.
#7 112.3 Errors were encountered while processing:
#7 112.3 ca-certificates-java
#7 112.3 openjdk-17-jre-headless:arm64
#7 112.3 E: Sub-process /usr/bin/dpkg returned an error code (1)
========================
looks like packages are updated on May-16 http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-17/
and its causing issues
[1]
https://github.com/openjdk/jdk17u/commit/4be52ee572e4fd65f2ac66d5e78c711c8eb6a61e#diff-4d6411695be3dc177d5f0e85c5051c7cfca24c54e22518281b7d26fd858d1893
** Patch added: "ca-certificates-java-jammy.patch"
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/2019908/+attachment/5673653/+files/ca-certificates-java-jammy.patch
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to ca-certificates-java in Ubuntu.
https://bugs.launchpad.net/bugs/2019908
Title:
openjdk-17-jre-headless:arm64 Package ca-certificates-java is not
configured yet
Status in ca-certificates-java package in Ubuntu:
Confirmed
Bug description:
[Impact]
Due to OpenJDK changes[1] it is impossible to install JRE 17 in
supported releases below Lunar (Kinetic, Jammy, Focal, Bionic) on
amd64, arm64 platform due to the configuration order (see comment)
A system with a pre-installed default JRE (e.g. JRE 11 in Jammy) is
not affected.
[Suggested Fix]
Immediate fix:
- copy java.security.dpkg-new to java.security if .dpkg-new file is present but java.security is not.
Long term fix:
Backport
- https://code.launchpad.net/~vpa1977/ubuntu/+source/ca-certificates-java/+git/ca-certificates-java/+merge/438150
This merge proposal:
- removes dependency on JRE
- fixes command line for keytool call
- add autopkgtests
[Test Plan]
- autopkgtests must pass for all platforms
- Test package install in lxc container and ensure that race condition is reproduced for each release - ca-certificates java are configured before openjdk
----------------------cut------------------------------------
for release in bionic focal jammy kinetic; do
echo !!!!!!!!!!!!!!${release}!!!!!!!!!!!!!!!!!!!!
lxc launch images:ubuntu/${release} lp2019908
lxc exec lp2019908 -- apt install software-properties-common
lxc exec lp2019908 -- add-apt-repository ppa:vpa1977/ca-certificates-java-patch
lxc exec lp2019908 -- apt-get update
lxc exec lp2019908 -- apt-get -y install openjdk-17-jre-headless
lxc stop lp2019908
lxc delete lp2019908
echo !!!!!!TEST DONE for ${release}!!!!!!!!!
done
----------------------cut------------------------------------
[Where problems could occur]
The fix copies java.security but do not touch other files.
While this release can be tested, we are not protected from similiar regressions.
[Original report]
From May-16 below is failing:
RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install --yes --no-install-recommends \
openjdk-17-jre-headless
#7 111.8 head: cannot open '/etc/ssl/certs/java/cacerts' for reading: No such file or directory
#7 111.9 Exception in thread "main" java.lang.InternalError: Error loading java.security file
#7 111.9 at java.base/java.security.Security.initialize(Security.java:106)
#7 111.9 at java.base/java.security.Security$1.run(Security.java:84)
#7 111.9 at java.base/java.security.Security$1.run(Security.java:82)
#7 111.9 at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
#7 111.9 at java.base/java.security.Security.<clinit>(Security.java:82)
#7 111.9 at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
#7 111.9 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
#7 111.9 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
#7 111.9 at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
#7 111.9 at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
#7 111.9 at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
#7 111.9 at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
#7 111.9 at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
#7 111.9 at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
#7 111.9 at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
#7 111.9 at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
#7 111.9 dpkg: error processing package ca-certificates-java (--configure):
#7 111.9 installed ca-certificates-java package post-installation script subprocess returned error exit status 1
#7 111.9 dpkg: dependency problems prevent configuration of openjdk-17-jre-headless:arm64:
#7 111.9 openjdk-17-jre-headless:arm64 depends on ca-certificates-java (>= 20190405~); however:
#7 111.9 Package ca-certificates-java is not configured yet.
#7 111.9
#7 111.9 dpkg: error processing package openjdk-17-jre-headless:arm64 (--configure):
#7 111.9 dependency problems - leaving unconfigured
#7 111.9 Processing triggers for libc-bin (2.35-0ubuntu3.1) ...
#7 111.9 Processing triggers for ca-certificates (20211016ubuntu0.22.04.1) ...
#7 111.9 Updating certificates in /etc/ssl/certs...
#7 112.2 0 added, 0 removed; done.
#7 112.2 Running hooks in /etc/ca-certificates/update.d...
#7 112.2
#7 112.2 Exception in thread "main" java.lang.InternalError: Error loading java.security file
#7 112.2 at java.base/java.security.Security.initialize(Security.java:106)
#7 112.2 at java.base/java.security.Security$1.run(Security.java:84)
#7 112.2 at java.base/java.security.Security$1.run(Security.java:82)
#7 112.2 at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
#7 112.2 at java.base/java.security.Security.<clinit>(Security.java:82)
#7 112.2 at java.base/sun.security.jca.ProviderList.<init>(ProviderList.java:178)
#7 112.2 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:96)
#7 112.2 at java.base/sun.security.jca.ProviderList$2.run(ProviderList.java:94)
#7 112.2 at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
#7 112.2 at java.base/sun.security.jca.ProviderList.fromSecurityProperties(ProviderList.java:93)
#7 112.2 at java.base/sun.security.jca.Providers.<clinit>(Providers.java:55)
#7 112.2 at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:156)
#7 112.2 at java.base/java.security.cert.CertificateFactory.getInstance(CertificateFactory.java:193)
#7 112.2 at org.debian.security.KeyStoreHandler.<init>(KeyStoreHandler.java:50)
#7 112.2 at org.debian.security.UpdateCertificates.<init>(UpdateCertificates.java:65)
#7 112.2 at org.debian.security.UpdateCertificates.main(UpdateCertificates.java:51)
#7 112.2 E: /etc/ca-certificates/update.d/jks-keystore exited with code 1.
#7 112.2 done.
#7 112.3 Errors were encountered while processing:
#7 112.3 ca-certificates-java
#7 112.3 openjdk-17-jre-headless:arm64
#7 112.3 E: Sub-process /usr/bin/dpkg returned an error code (1)
========================
looks like packages are updated on May-16 http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-17/
and its causing issues
[1]
https://github.com/openjdk/jdk17u/commit/4be52ee572e4fd65f2ac66d5e78c711c8eb6a61e#diff-4d6411695be3dc177d5f0e85c5051c7cfca24c54e22518281b7d26fd858d1893
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates-java/+bug/2019908/+subscriptions
References