From: Radoslav Petrov
Subject: Re: After installing Java, what should I set JAVA_HOME to?
Date: Sat, 12 Nov 2016 20:48:35 +0200
Message-ID: <4e5ee794-1d1a-c433-d72f-7eb4e113a60b@edno.moe>
To: help-guix@gnu.org

Hi, all.

Apologies for the bad formatting but I wasn't a member of the mailing list when this message was sent.

| Downloading https://services.gradle.org/distributions/gradle-3.0-bin.zip
|
| Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:
| java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
| (further stacktrace elided)

| When I run `sudo ./gradlew clean`, it works fine. My suspicion is that it's related to $JAVA_HOME being symlinked to something not owned by my current user (/home/zck/.guix-profile is a symlink to /var/guix/profiles/per-user/zck/guix-profile/, which is a symlink to /var/guix/profiles/per-user/zck/guix-profile-20-link/, which is a symlink to /gnu/store/c483gnpwwcmcwdbdba25q3c7x1g79mzm-profile/, which is owned by root/guixbuild, although this directory has permissions to read and execute for all users).
|
| Further supporting my suspicion that JAVA_HOME shouldn't be the guix profile is that I would think either guix or java should manage the directory, but not both.
|
|So my question is: what's going on here? What do I need to change to be able to run gradle as my current user? Thanks.

Two weeks ago I was playing with GuixSD and decided to try to run Apache Tomcat on it. I've downloaded the Linux binary archive and installed icedtea3 JDK (Java 8). I've hit the same problem described above: Java is available and able to compile/run various code, but Tomcat was throwing exceptions and was not able to start.
After some trials, errors and reading I've found the problem:
IcedTea is configured to use the NSS service for handling the cryptography operations. The default install/config of IcedTea in Guix configures the "jdk_base_dir/jre/lib/security/nss.cfg" file correctly. Mine looks like this:
name = NSS
nssLibraryDirectory = /gnu/store/p2d98rbmb5sl7xgca8rf96k6zq51cww6-nss-3.27.1/lib/nss
nssDbMode = noDb
attributes = compatibility
handleStartupErrors = ignoreMultipleInitialisation
However, for these settings to take effect, the JDK needs one more setting in another file: "jdk_base_dir/jre/lib/security/java.security", i.e. the same directory as "nss.cfg". Read the comments at the beginning of the file to get a glimpse of what is configured there. If you look VERY closely around "List of providers and their security settings" you will see this:
security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

This file exists (I'm not sure about this - I think I've found some file without the setting) in Guix but doesn't have the correct location of the NSS library set.
My workaround was to manually override the JDK security settings by creating "nss.cfg" and "java.security" files in the Tomcat "tomcat_base/bin" dir and pointing them to the correct locations. Here is the JDK cmd option (setting it through /bin/setenv.sh):
 -Djava.security.properties=java.security
The contents of the custom "java.security" are copied from the original file. Only the line for the "nss.cfg" is changed:
security.provider.9=sun.security.pkcs11.SunPKCS11 nss.cfg

The contents of the custom "nss.cfg":
name=NSS
nssLibraryDirectory=/var/guix/profiles/per-user/zloster/guix-profile/lib/nss
nssDbMode=noDb
attributes=compatibility
Most probably this is not the most appropriate way to configure the JDK/NSS relation in Guix but for a workaround it is fine.

Here is a screenshot of Tomcat running (glorious moment for me:) ): https://www.edno.moe/image-share/2016-11-11-210342_1920x1080_scrot.png

About a proper fix: IMO the iced3 JDK Guix definition needs to process the "java.security" file for the SunPKCS11 provider to override the JAVA_HOME definition with the file in the current version/dir/instance of the Guix package (I'm not sure about the correct term). But this has to be done on each update/upgrade of the NSS package. So I'm not so sure about the proper way to fix this packaging problem.
-- 
Поздрави,       | Best regards,
Радослав Петров | Radoslav Petrov
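
Added example, not part of the original message and not Guix or IcedTea code: a shell function that follows the chain the message describes (the SunPKCS11 line in java.security, then nss.cfg, then nssLibraryDirectory) and reports the first link that does not resolve. The function name, its return codes and the optional working-directory argument are assumptions of this sketch; a relative name such as the workaround's "nss.cfg" is assumed to resolve against the directory the JVM is started from.

```shell
#!/bin/sh
# Added diagnostic (not from the original message). Follows the chain
#   java.security -> SunPKCS11 provider line -> nss.cfg -> nssLibraryDirectory
# and reports the first link that does not resolve.
#
# Usage: check_pkcs11_nss <java.security> <java.home> [working-dir]
#   e.g. check_pkcs11_nss "$JAVA_HOME/jre/lib/security/java.security" "$JAVA_HOME/jre"
# Returns: 0 chain resolves, 1 no SunPKCS11 config, 2 nss.cfg missing,
#          3 no nssLibraryDirectory key, 4 library directory missing.
check_pkcs11_nss() {
    sec_file=$1; java_home=$2; work_dir=${3:-.}
    pat='^security\.provider\.[0-9]*[[:space:]]*=[[:space:]]*sun\.security\.pkcs11\.SunPKCS11[[:space:]]*'

    # Argument of the SunPKCS11 provider line = path of its config file.
    # tail -n 1: if the property is defined twice, the last one wins.
    cfg=$(sed -n "/$pat/{s/$pat//;s/[[:space:]]*\$//;p;}" "$sec_file" | tail -n 1)
    [ -n "$cfg" ] || { echo "no SunPKCS11 config in $sec_file" >&2; return 1; }

    # Expand the literal ${java.home} placeholder (assumes the path has no '|' or '&').
    cfg=$(printf '%s\n' "$cfg" | sed "s|\${java\.home}|$java_home|g")

    # A relative name such as "nss.cfg" is resolved against the working directory.
    case $cfg in /*) ;; *) cfg=$work_dir/$cfg ;; esac
    [ -f "$cfg" ] || { echo "nss.cfg not found: $cfg" >&2; return 2; }

    lib_dir=$(sed -n 's/^[[:space:]]*nssLibraryDirectory[[:space:]]*=[[:space:]]*//p' "$cfg" |
              sed 's/[[:space:]]*$//' | tail -n 1)
    [ -n "$lib_dir" ] || { echo "no nssLibraryDirectory in $cfg" >&2; return 3; }
    [ -d "$lib_dir" ] || { echo "NSS library directory missing: $lib_dir" >&2; return 4; }

    echo "OK: $cfg -> $lib_dir"
}
```

Running it after each NSS or profile upgrade shows whether a hand-written override still points at a directory that exists, since a stale nssLibraryDirectory is reported as return code 4.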