RFR: 8349546: Linux support for Kerberos "nativeccache" functionality [v13]
Nick Hall
duke at openjdk.org
Thu Dec 4 11:31:47 UTC 2025
On Mon, 1 Dec 2025 14:54:40 GMT, Erik Joelsson <erikj at openjdk.org> wrote:
>>> If you want to drive adoption, or even think about making this mandatory at build time, then at the very least you need to make sure the devkits produced by the makefiles under `make/devkit/...` contain the necessary build time dependencies and generally work with this feature. At least at Oracle we rely on these for our builds and my impression is that at least some other vendors do too.
>>
>> Thanks. I had a go at this today, but am struggling to build a devkit (even without any changes). Can you recommend a suitable host OS for building one, and which OS targets I should use to build the devkits to test?
>>
>> (I've tried building a devkit for Fedora 41 using both RHEL8 and Fedora 41 as host OSes, but am getting a variety of issues in the build)
>
> I haven't used this myself in a while, but I believe our internal kits use Oracle Linux 7 as host (in a container) and Oracle Linux 6 as target. RHEL should be equivalent to Oracle Linux, at least in this context. These are quite old, but the motivation for us to use devkits is to guarantee compatibility with old Linux versions. The host OS dictates the oldest where the kit itself can be used and the target dictates the oldest where the subsequently built JDK can be used.
>
> That said, getting a devkit to compile can be finicky for all sorts of reasons. The important part in this case is the sysroot, which is what you are going to change here, by adding extra packages. At least in theory, you could generate just a sysroot and supply that to the JDK build to verify this. I don't think there is a readily available make target for that though.
@erikj79 after a little playing around, I've managed to get this to work.
I can now build an Oracle Linux 6 devkit (from RHEL8) and can build a JDK with my changes from this devkit. It required a few changes beyond just the packages for libkrb5 - there was a missing library (ISL) required for the newer gcc, and a bug causing some of the files to attempt to install in /usr/local (missing `--prefix`). I'm not sure if this was exactly what you're looking for, but it's all on the latest commit on this branch for your review. I'm not sure how to test beyond the tests I've done locally.
[`e3d9c23` (#28075)](https://github.com/openjdk/jdk/pull/28075/commits/e3d9c23b9f724abbac02cef225e6749ffb97e76d)
-------------
PR Comment: https://git.openjdk.org/jdk/pull/28075#issuecomment-3611689545