Closed Bug 718069 Opened 12 years ago Closed 12 years ago

Install Java unlimited strength jurisdiction files on Jenkins server

Categories

(mozilla.org Graveyard :: Server Operations, task)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: gps, Assigned: fox2mike)

When compiling Android Sync on ci.jenkins.org, we're getting a bunch of errors in the Java crypto stack as seen at https://ci.mozilla.org/job/sync-android/org.mozilla.gecko$android-sync/28/testReport/org.mozilla.android.sync.test/TestCollectionKeys/testSetKeysFromWBO/

Internet sleuthing has revealed that the problem is that Sun^H^H^HOracle's Java crypto libraries are handicapped by default to satisfy ancient export laws. And, Sync's crypto is beyond this threshold.

To work around this, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files available from http://www.oracle.com/technetwork/java/javase/downloads/index.html. Basically, copy the files from the downloaded archive into $JAVA_HOME/jre/lib/security (likely overwriting existing files).

I'm not sure if RHEL has a package to manage this.

Alternatively, you may consider changing the Java install on the Jenkins server to one of the open source ones. You will likely be doing this in the next few months anyway, as Java SE from Oracle won't be free after July this year.

Whatever you do, Jenkins will probably require a restart to pick up the changes.
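
A check for the restriction described in this report, given here as an added example that is not part of the original bug comments. It assumes 256-bit AES is the key size in question (the bug does not say which algorithm or size Sync uses), and the class name `JcePolicyCheck` is hypothetical.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): reports which JVM is running and
// whether its jurisdiction policy caps AES below the assumed 256 bits.
public class JcePolicyCheck {

    /** True when the active jurisdiction policy permits AES keys of the given size. */
    static boolean allowsAes(int keyBits) throws Exception {
        // Returns Integer.MAX_VALUE when the unlimited policy files are in effect.
        return Cipher.getMaxAllowedKeyLength("AES") >= keyBits;
    }

    /** Attempts a real AES-256-CBC init; a restricted policy rejects the key. */
    static boolean canInitAes256() throws Exception {
        byte[] key = new byte[32]; // constructed all-zero test key, not for real data
        byte[] iv = new byte[16];  // constructed all-zero IV, not for real data
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            return false; // key size refused by the installed policy
        }
    }

    public static void main(String[] args) throws Exception {
        // Identify the runtime first: a host can have several JREs installed.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES bits = "
                + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));

        boolean ok = allowsAes(256) && canInitAes256();
        System.out.println(ok ? "OK: AES-256 usable" : "RESTRICTED: AES-256 blocked by policy");
        // A non-zero exit lets a CI pre-build step fail fast instead of
        // surfacing the restriction as unrelated-looking test failures.
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same `java` binary the build server uses, because the policy files live under each runtime's own `lib/security` directory and a second installed JRE can give a different answer.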
(In reply to Gregory Szorc [:gps] from comment #0)

> Alternatively, you may consider changing the Java install on the Jenkins
> server to one of the open source ones. You will likely be doing this in the
> next few months anyway, as Java SE from Oracle won't be free after July this
> year.

We already run openjdk, I'm not sure which version(s) you were referring to.

[root@jenkins1.dmz.phx1 ~]# java -version
java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) 64-Bit Server VM (build 17.1-b03, mixed mode)

[root@jenkins1.dmz.phx1 ~]# rpm -qa | grep -i java
java-1.6.0-openjdk-devel-1.6.0.0-1.42.1.10.4.el6_2.x86_64
java-1.6.0-sun-devel-1.6.0.22-1jpp.1.el6.x86_64
java-1.6.0-openjdk-1.6.0.0-1.42.1.10.4.el6_2.x86_64
java-1.5.0-gcj-1.5.0.0-29.1.el6.x86_64
java_cup-0.10k-5.el6.x86_64
java-1.6.0-sun-1.6.0.22-1jpp.1.el6.x86_64
tzdata-java-2011h-3.el6.noarch
 

So it seems like we have the openjdk and the sun jre installed. I'm not sure who added the jre to the machine...
Assignee: server-ops → shyam
https://ci.mozilla.org/systemInfo seems to indicate Sun JRE is in use by Jenkins.
Is there an ETA on this bug? The current state is leading to false test failures in the Android Sync project and makes it difficult to diagnose regressions.
Sorry, I was away travelling and on PTO. 

I dug around some more and found some interesting stuff.

1) /usr/bin/java was a symlink to /etc/alternatives/java and
2) [root@jenkins1.dmz.phx1 ~]# alternatives --display java
java - status is auto.
 link currently points to /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java
/usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java - priority 16000
 slave javaws: (null)
 slave keytool: /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/keytool
 slave orbd: /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/orbd
 slave pack200: /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/pack200
 slave policytool: (null)
 slave rmid: /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/rmid
 slave rmiregistry: /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/rmiregistry
 slave servertool: /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/servertool
 slave tnameserv: /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/tnameserv
 slave unpack200: /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/unpack200
 slave jre_exports: /usr/lib/jvm-exports/jre-1.6.0-openjdk.x86_64
 slave jre: /usr/lib/jvm/jre-1.6.0-openjdk.x86_64
 slave java.1.gz: /usr/share/man/man1/java-java-1.6.0-openjdk.1.gz
 slave javaws.1.gz: (null)
 slave keytool.1.gz: /usr/share/man/man1/keytool-java-1.6.0-openjdk.1.gz
 slave orbd.1.gz: /usr/share/man/man1/orbd-java-1.6.0-openjdk.1.gz
 slave pack200.1.gz: /usr/share/man/man1/pack200-java-1.6.0-openjdk.1.gz
 slave policytool.1.gz: (null)
 slave rmid.1.gz: /usr/share/man/man1/rmid-java-1.6.0-openjdk.1.gz
 slave rmiregistry.1.gz: /usr/share/man/man1/rmiregistry-java-1.6.0-openjdk.1.gz
 slave servertool.1.gz: /usr/share/man/man1/servertool-java-1.6.0-openjdk.1.gz
 slave tnameserv.1.gz: /usr/share/man/man1/tnameserv-java-1.6.0-openjdk.1.gz
 slave unpack200.1.gz: /usr/share/man/man1/unpack200-java-1.6.0-openjdk.1.gz
/usr/lib/jvm/jre-1.5.0-gcj/bin/java - priority 1500
 slave javaws: (null)
 slave keytool: /usr/lib/jvm/jre-1.5.0-gcj/bin/keytool
 slave orbd: (null)
 slave pack200: (null)
 slave policytool: (null)
 slave rmid: (null)
 slave rmiregistry: /usr/lib/jvm/jre-1.5.0-gcj/bin/rmiregistry
 slave servertool: (null)
 slave tnameserv: (null)
 slave unpack200: (null)
 slave jre_exports: /usr/lib/jvm-exports/jre-1.5.0-gcj
 slave jre: /usr/lib/jvm/jre-1.5.0-gcj
 slave java.1.gz: (null)
 slave javaws.1.gz: (null)
 slave keytool.1.gz: (null)
 slave orbd.1.gz: (null)
 slave pack200.1.gz: (null)
 slave policytool.1.gz: (null)
 slave rmid.1.gz: (null)
 slave rmiregistry.1.gz: (null)
 slave servertool.1.gz: (null)
 slave tnameserv.1.gz: (null)
 slave unpack200.1.gz: (null)
/usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java - priority 160022
 slave javaws: /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/javaws
 slave keytool: /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/keytool
 slave orbd: /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/orbd
 slave pack200: (null)
 slave policytool: /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/policytool
 slave rmid: /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/rmid
 slave rmiregistry: /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/rmiregistry
 slave servertool: /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/servertool
 slave tnameserv: /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/tnameserv
 slave unpack200: (null)
 slave jre_exports: /usr/lib/jvm-exports/jre-1.6.0-sun.x86_64
 slave jre: /usr/lib/jvm/jre-1.6.0-sun.x86_64
 slave java.1.gz: /usr/share/man/man1/java-java-1.6.0-sun.x86_64.1.gz
 slave javaws.1.gz: /usr/share/man/man1/javaws-java-1.6.0-sun.1.gz
 slave keytool.1.gz: /usr/share/man/man1/keytool-java-1.6.0-sun.x86_64.1.gz
 slave orbd.1.gz: /usr/share/man/man1/orbd-java-1.6.0-sun.x86_64.1.gz
 slave pack200.1.gz: (null)
 slave policytool.1.gz: /usr/share/man/man1/policytool-java-1.6.0-sun.x86_64.1.gz
 slave rmid.1.gz: /usr/share/man/man1/rmid-java-1.6.0-sun.x86_64.1.gz
 slave rmiregistry.1.gz: /usr/share/man/man1/rmiregistry-java-1.6.0-sun.x86_64.1.gz
 slave servertool.1.gz: /usr/share/man/man1/servertool-java-1.6.0-sun.x86_64.1.gz
 slave tnameserv.1.gz: /usr/share/man/man1/tnameserv-java-1.6.0-sun.x86_64.1.gz
 slave unpack200.1.gz: (null)
Current `best' version is /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java.

Which is why we had the jre running instead of the jdk.

I then did the following:

[root@jenkins1.dmz.phx1 ~]# alternatives --config java

There are 3 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
   1           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
   2           /usr/lib/jvm/jre-1.5.0-gcj/bin/java
*+ 3           /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java

Enter to keep the current selection[+], or type selection number: 1
[root@jenkins1.dmz.phx1 ~]# alternatives --config java

There are 3 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
 + 1           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
   2           /usr/lib/jvm/jre-1.5.0-gcj/bin/java
*  3           /usr/lib/jvm/jre-1.6.0-sun.x86_64/bin/java

Enter to keep the current selection[+], or type selection number: 
[root@jenkins1.dmz.phx1 ~]# alternatives --display java
java - status is manual.
 link currently points to /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java

So it's now pointed back at the jdk. 

I've since forced jenkins to use this jdk and not be intelligent and pick its own :)

Jenkins has been restarted and now shows openjdk in use. Let me know if this fixes the issue for you, please feel free to reopen if it doesn't. Sorry this took a bit to get to :)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Crypto tests are passing now! W00t.
Status: RESOLVED → VERIFIED
Product: mozilla.org → mozilla.org Graveyard