[
https://issues.apache.org/jira/browse/CASSANDRA-19001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17783625#comment-17783625
]
Paulo Motta edited comment on CASSANDRA-19001 at 11/7/23 1:35 PM:
------------------------------------------------------------------
{quote}I do not see now the security manager warnings on startup, only on
compile.
{quote}
It's possible to reproduce this by running the official cassandra docker image
with:
{noformat}
$ docker run --name test --rm -it cassandra:5.0-alpha2
$ docker logs test | grep "WARNING:" | grep -v "Unknown"
{noformat}
But in fact it doesn't look like it's possible to disable this startup warning
according to [this
code|https://github.com/openjdk/jdk/blob/d22e368cb5dbd6812f1584c47c44b9b754a222af/src/java.base/share/classes/java/lang/System.java#L419].
I will maybe submit a openjdk ticket to allow this to be overriden when the
issue is known and is going to be addressed :)
Perhaps we could log a message before initializing the security manager on
JDK17 for users to ignore the Java ThreadAwareSecurityManager warning since
it's going to be addressed on CASSANDRA-18711 ? Not sure if that's really
needed or we can just ignore it for now :)
bq. 2) SJK cannot run sjk hh if not run with JDK.
It's possible to reproduce the SJK issue with the official 4.1 and 5.0 images,
so indeed this is not a new issue:
{noformat}
$ docker run --rm -it cassandra:latest nodetool sjk jps
$ docker run --rm -it cassandra:5.0-alpha2 nodetool sjk jps
{noformat}
But the "Uknown module" warnings show up on JRE17 even when running non-sjk
commands:
{noformat}
$ docker run --rm -it cassandra:5.0-alpha2 nodetool help
WARNING: Unknown module: jdk.attach specified to --add-exports
WARNING: Unknown module: jdk.compiler specified to --add-exports
WARNING: Unknown module: jdk.compiler specified to --add-opens
usage: nodetool [(-pwf <passwordFilePath> | --password-file <passwordFilePath>)]
[(-p <port> | --port <port>)] [(-h <host> | --host <host>)]
[(-pp | --print-port)] [(-pw <password> | --password <password>)]
[(-u <username> | --username <username>)] <command> [<args>]
{noformat}
The warning above also shows up when launching the cassandra process:
{noformat}
$ docker run --name test --rm -it cassandra:5.0-alpha2
$ docker logs test | grep "WARNING: Unknown"
{noformat}
To me the JDK is an optional dependency only to support "nodetool sjk", but not
needed to run standard nodetool commands or cassandra server AFAIU (correct me
if wrong). So we could:
1) Remove the following optional lines from "jvm11-(client|server).options" and
"jvm17-(client|server).options".
{noformat}
--add-exports jdk.attach/sun.tools.attach=ALL-UNNAMED
--add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED
--add-opens jdk.compiler/com.sun.tools.javac=ALL-UNNAMED
{noformat}
2) Dynamically add these lines on cassandra-env.sh when a JDK is detected.
3) Print a friendly message when "nodetool sjk" is executed but no JDK is
present.
WDYT?
was (Author: paulo):
{quote}I do not see now the security manager warnings on startup, only on
compile.
{quote}
It's possible to reproduce this by running the official cassandra docker image
with:
{noformat}
$ docker run --name test --rm -it cassandra:5.0-alpha2
$ docker logs test | grep "WARNING:" | grep -v "Unknown"
{noformat}
But in fact it doesn't look like it's possible to disable this startup warning
according to [this
code|https://github.com/openjdk/jdk/blob/d22e368cb5dbd6812f1584c47c44b9b754a222af/src/java.base/share/classes/java/lang/System.java#L419].
I will maybe submit a openjdk ticket to allow this to be overriden when the
issue is known and is going to be addressed :)
Perhaps we could log a message before initializing the security manager on
JDK17 for users to ignore the Java ThreadAwareSecurityManager warning since
it's going to be addressed on CASSANDRA-18711 ? Not sure if that's really
needed or we can just ignore it for now :)
> 2) SJK cannot run sjk hh if not run with JDK.
It's possible to reproduce the SJK issue with the official 4.1 and 5.0 images,
so indeed this is not a new issue:
{noformat}
$ docker run --rm -it cassandra:latest nodetool sjk jps
$ docker run --rm -it cassandra:5.0-alpha2 nodetool sjk jps
{noformat}
But the "Uknown module" warnings show up on JRE17 even when running non-sjk
commands:
{noformat}
$ docker run --rm -it cassandra:5.0-alpha2 nodetool help
WARNING: Unknown module: jdk.attach specified to --add-exports
WARNING: Unknown module: jdk.compiler specified to --add-exports
WARNING: Unknown module: jdk.compiler specified to --add-opens
usage: nodetool [(-pwf <passwordFilePath> | --password-file <passwordFilePath>)]
[(-p <port> | --port <port>)] [(-h <host> | --host <host>)]
[(-pp | --print-port)] [(-pw <password> | --password <password>)]
[(-u <username> | --username <username>)] <command> [<args>]
{noformat}
The warning above also shows up when launching the cassandra process:
{noformat}
$ docker run --name test --rm -it cassandra:5.0-alpha2
$ docker logs test | grep "WARNING: Unknown"
{noformat}
To me the JDK is an optional dependency only to support "nodetool sjk", but not
needed to run standard nodetool commands or cassandra server AFAIU (correct me
if wrong). So we could:
1) Remove the following optional lines from "jvm11-(client|server).options" and
"jvm17-(client|server).options".
{noformat}
--add-exports jdk.attach/sun.tools.attach=ALL-UNNAMED
--add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED
--add-opens jdk.compiler/com.sun.tools.javac=ALL-UNNAMED
{noformat}
2) Dynamically add these lines on cassandra-env.sh when a JDK is detected.
3) Print a friendly message when "nodetool sjk" is executed but no JDK is
present.
WDYT?
> Check whether the startup warnings for unknown modules represent a legit
> problem or cosmetic issue
> --------------------------------------------------------------------------------------------------
>
> Key: CASSANDRA-19001
> URL: https://issues.apache.org/jira/browse/CASSANDRA-19001
> Project: Cassandra
> Issue Type: Bug
> Components: Local/Other
> Reporter: Ekaterina Dimitrova
> Assignee: Ekaterina Dimitrova
> Priority: Normal
> Fix For: 4.0.x, 4.1.x, 5.0-beta
>
>
> During the 5.0 alpha 2 release
> [vote|https://lists.apache.org/thread/lt3x0obr5cpbcydf5490pj6b2q0mz5zr],
> [~paulo] raised the following concerns:
> {code:java}
> Launched a tarball-based 5.0-alpha2 container on top of
> "eclipse-temurin:17-jre-focal" and the server starts up fine, can run
> nodetool and cqlsh.
> I got these seemingly harmless JDK17 warnings during startup and when
> running nodetool (no warnings on JDK11):
> WARNING: Unknown module: jdk.attach specified to --add-exports
> WARNING: Unknown module: jdk.compiler specified to --add-exports
> WARNING: Unknown module: jdk.compiler specified to --add-opens
> WARNING: A terminally deprecated method in java.lang.System has been called
> WARNING: System::setSecurityManager has been called by
> org.apache.cassandra.security.ThreadAwareSecurityManager
> (file:/opt/cassandra/lib/apache-cassandra-5.0-alpha2-SNAPSHOT.jar)
> WARNING: Please consider reporting this to the maintainers of
> org.apache.cassandra.security.ThreadAwareSecurityManager
> WARNING: System::setSecurityManager will be removed in a future release
> Anybody knows if these warnings are legit/expected ? We can create
> follow-up tickets if needed.
> $ java --version
> openjdk 17.0.9 2023-10-17
> OpenJDK Runtime Environment Temurin-17.0.9+9 (build 17.0.9+9)
> OpenJDK 64-Bit Server VM Temurin-17.0.9+9 (build 17.0.9+9, mixed mode,
> sharing)
> {code}
> {code:java}
> Clarification: - When running nodetool only the "Unknown module" warnings
> show up. All warnings show up during startup.{code}
> We need to verify whether this presents a real problem in the features where
> those modules are expected to be used, or if it is a false alarm.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
