Issues with capabilities and OpenJDK linking
Andrew John Hughes
ahughes at redhat.com
Wed May 5 13:15:05 PDT 2010
There is an issue with the linking of the libraries in the JVM due to
its use of $ORIGIN in the runtime path:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6919633
$ readelf -d /usr/lib/jvm/icedtea6/bin/java -V
Dynamic section at offset 0x9ed0 contains 31 entries:
Tag Type Name/Value
0x00000001 (NEEDED) Shared library: [libz.so.1]
0x00000001 (NEEDED) Shared library: [libpthread.so.0]
0x00000001 (NEEDED) Shared library: [libjli.so]
0x00000001 (NEEDED) Shared library: [libdl.so.2]
0x00000001 (NEEDED) Shared library: [libc.so.6]
0x0000000e (SONAME) Library soname: [lib.so]
0x0000000f (RPATH) Library rpath:
[$ORIGIN/../lib/ppc/jli:$ORIGIN/../jre/lib/ppc/jli]
0x0000001d (RUNPATH) Library runpath:
[$ORIGIN/../lib/ppc/jli:$ORIGIN/../jre/lib/ppc/jli]
When capabilities are added to the java binary:
setcap cap_net_bind_service=+epi java
glibc no longer allows relative paths and the expansion of $ORIGIN
when the binary is run as a normal user
(http://sources.redhat.com/bugzilla/show_bug.cgi?id=11570). So we
get:
/usr/lib/jvm/icedtea6/bin/java: error while loading shared libraries:
libjli.so: cannot open shared object file: No such file or directory
due to:
13919 open("$ORIGIN/../lib/ppc/jli/libjli.so", O_RDONLY) = -1 ENOENT
(No such file or directory)
Such a capability needs to be added to allow Java to bind ports below
1024 as an unprivileged user.
A number of possible solutions exist:
1. Statically link java
2. Hardcode the install path of the libraries into the runtime path
3. Add the install path to ld.so.conf (which would require the
libraries to be properly versioned to avoid conflicts)
4. Move the libraries onto the existing library path (again, requires
versioning)
I don't think any of these solutions are ideal. Does anyone have any
suggestions or better solutions?
Note that this seems unrelated to the use (or not) of LD_LIBRARY_PATH
( http://blogs.sun.com/darcy/entry/purging_ld_library_path) as it
occurs in both 6 and 7.
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
More information about the distro-pkg-dev
mailing list