
Revert "add default security settings" due to bottlerocket-os/bottlerocket 1.26.0 release #215

Merged 1 commit on Oct 24, 2024

Conversation

KCSesh (Contributor) commented Oct 24, 2024

This reverts commit 1395a0c.

Issue number:
bottlerocket-os/bottlerocket#4253
bottlerocket-os/bottlerocket#4260
bottlerocket-os/bottlerocket#4261
bottlerocket-os/bottlerocket#4262

Description of changes:

As a part of the Bottlerocket 1.26.0 release, this commit was identified as an issue.

Testing done:

With the commit:

=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /opt/jboss/wildfly

  JAVA: /usr/lib/jvm/java/bin/java

  JAVA_OPTS:  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

=========================================================================

OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00007f6179700000, 2555904, 1) failed; error='Operation not permitted' (errno=1)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 2555904 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /opt/jboss/hs_err_pid61.log

Without the commit:

=========================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: /opt/jboss/wildfly

  JAVA: /usr/lib/jvm/java/bin/java

  JAVA_OPTS:  -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  --add-exports=java.desktop/sun.awt=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.management/javax.management=ALL-UNNAMED --add-opens=java.naming/javax.naming=ALL-UNNAMED

=========================================================================

06:40:23,001 INFO  [org.jboss.modules] (main) JBoss Modules version 1.12.0.Final
06:40:23,488 INFO  [org.jboss.msc] (main) JBoss MSC version 1.4.13.Final
06:40:23,497 INFO  [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final
...
06:40:26,484 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: WildFly Full 25.0.0.Final (WildFly Core 17.0.1.Final) started in 3855ms - Started 298 of 538 services (337 services are lazy, passive or on-demand)
06:40:26,486 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management
06:40:26,486 INFO  [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

Contributor

@bcressey bcressey left a comment


It'd be good to add more detail to the revert commit message to explain that this sets up a process restriction that persists for all child processes, including containers launched by runc.

This reverts commit 1395a0c. This sets
up a process restriction that persists for all child processes,
including containers launched by runc.
@KCSesh KCSesh marked this pull request as ready for review October 24, 2024 15:27
@KCSesh
Contributor Author

KCSesh commented Oct 24, 2024

Updated the commit message with additional details.

@larvacea
Member

The revised commit message does explain the effect of the change. It's a problem for any JIT compiler (such as most Java implementations) since they first write then execute out of the same page.
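A small diagnostic, added here and not part of this PR or of Bottlerocket, that a practitioner can run inside a container to see whether the inherited restriction discussed above is in effect: it attempts the three anonymous-mapping patterns a JIT depends on (plain RW, RW+X in one mmap as HotSpot's commit_memory(..., exec=1) does, and RW written then mprotect'ed to RX) and records the errno for each. It assumes Linux with glibc; the struct and function names are my own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* MAP_ANONYMOUS on glibc */
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Each field is 0 when the kernel (or a filter in front of it) permitted the mapping, else the errno. */
struct wx_probe {
    int rw_errno;        /* plain RW anonymous mapping; expected to always work */
    int rwx_errno;       /* RW+X in a single mmap, the pattern behind the EPERM in the log above */
    int w_then_x_errno;  /* RW mapping, written to, then mprotect() to RX */
};

static int map_with(int prot, size_t len, void **out) {
    *out = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (*out == MAP_FAILED) { *out = NULL; return errno; }
    return 0;
}

struct wx_probe run_wx_probe(void) {
    struct wx_probe r = {0, 0, 0};
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p;
    r.rw_errno = map_with(PROT_READ | PROT_WRITE, len, &p);
    if (p) munmap(p, len);
    r.rwx_errno = map_with(PROT_READ | PROT_WRITE | PROT_EXEC, len, &p);
    if (p) munmap(p, len);
    r.w_then_x_errno = map_with(PROT_READ | PROT_WRITE, len, &p);
    if (p) {
        memset(p, 0, len);   /* touch the page first, as a JIT does when it emits code */
        if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) r.w_then_x_errno = errno;
        munmap(p, len);
    }
    return r;
}

/* 1 if every JIT-style mapping succeeded, 0 if any was refused (the failure mode in the WildFly log). */
int jit_mappings_allowed(const struct wx_probe *r) {
    return r->rw_errno == 0 && r->rwx_errno == 0 && r->w_then_x_errno == 0;
}

int main(void) {
    struct wx_probe r = run_wx_probe();
    printf("RW:%d RWX:%d W-then-X:%d (0 = ok, else errno)\n",
           r.rw_errno, r.rwx_errno, r.w_then_x_errno);
    return jit_mappings_allowed(&r) ? 0 : 1;
}
```

Run it once on a node without the setting and once in a container launched after it is applied; a non-zero exit with EPERM (errno 1) on the RWX or W-then-X line is the same refusal HotSpot reports as os::commit_memory failing.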

@KCSesh KCSesh merged commit 65ba1e2 into bottlerocket-os:develop Oct 24, 2024
2 checks passed