
Opt-in legacy AMI JAR signatures for sandboxed KVM child#37

Open
nesvet wants to merge 1 commit into
sciapp:developfrom
nesvet:feat/ami-legacy-jar-opt-in

Conversation

@nesvet nesvet commented Jun 28, 2026

Summary

AMI MegaRAC JViewer on ASUS ASMB8-iKVM fails in the stock OpenJDK 8u242 child: the AMI code-signing certificate on JViewer.jar is expired and jdk.jar.disabledAlgorithms includes MD5. Without opt-in flags, javaws reports unsigned jars; with legacy allowances enabled in the child, JViewer connects.

This PR adds opt-in, default-off flags gated by child environment variables and optional host-template YAML (allow_legacy_jar_signatures, allow_insecure_jnlp_certs). Default behaviour is unchanged.

docker/Dockerfile_openjdk-8 points stretch apt sources at archive.debian.org so the child image still builds when Debian stretch mirrors are unavailable.

README documents the flags and example YAML only (ASUS EXTRNIP / download_endpoint is documented in #39).

Flags

YAML key                            Child env                          Effect
allow_legacy_jar_signatures: true   ALLOW_LEGACY_JAR_SIGNATURES=true   Allow MD5 in jdk.jar.disabledAlgorithms
allow_insecure_jnlp_certs: true     ALLOW_INSECURE_JNLP_CERTS=true     IcedTea deployment.security.itw.ignorecertissues

ALLOW_LEGACY_AMI_JARS=true remains supported as a convenience alias for both flags.

Files

  • docker/entrypoint.sh — apply JVM / IcedTea settings when flags are set
  • docker/Dockerfile_openjdk-8 — stretch archive.debian.org apt sources
  • nojava_ipmi_kvm/config.py — parse template YAML keys
  • nojava_ipmi_kvm/kvm.py — pass -e into the ephemeral child
  • README.md — example YAML and env var reference

Test plan

  • Stock child, flags unset: reproduce javaws / weak-signature failure on ASMB8
  • Both YAML flags enabled: full JViewer session inside child
  • Flags unset on other BMC templates: no regression
  • docker build -f docker/Dockerfile_openjdk-8 succeeds on a clean runner

Tested on ASUS ASMB8-iKVM firmware 1.14.2. With flags disabled, failure reproduced. With both YAML keys enabled, noVNC session loads after connect.

Closes #36
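As an added illustration (not the PR's own docker/entrypoint.sh), the sketch below shows how a child entrypoint can honour the two default-off flags and the ALLOW_LEGACY_AMI_JARS alias: the MD5 allowance is written to a separate override file for -Djava.security.properties= rather than by editing the JDK's java.security, only the MD5 entry is dropped, the IcedTea property is appended idempotently, and every relaxation is logged to stderr. The file paths, the override mechanism and the sample java.security line are assumptions of this example.

```sh
#!/bin/sh
# Added illustration, not the PR's docker/entrypoint.sh: how a child entrypoint can apply
# the two default-off flags. File paths are arguments so the functions run against a temp dir.

# Flag resolution; ALLOW_LEGACY_AMI_JARS=true is the alias that turns both on.
legacy_jar_enabled() {
    [ "${ALLOW_LEGACY_JAR_SIGNATURES:-}" = true ] || [ "${ALLOW_LEGACY_AMI_JARS:-}" = true ]
}
insecure_jnlp_enabled() {
    [ "${ALLOW_INSECURE_JNLP_CERTS:-}" = true ] || [ "${ALLOW_LEGACY_AMI_JARS:-}" = true ]
}

# Print a jdk.jar.disabledAlgorithms value with only the MD5 entry dropped;
# MD2 and the key-size limits stay disabled.
strip_md5() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -v -E '^MD5( |$)' | paste -sd ',' - | sed 's/,/, /g'
}

# Write an override file (assumed to be passed as -Djava.security.properties=<file>,
# which layers on top of the JDK's java.security instead of editing it in place).
# $1: stock java.security, $2: override path. Returns 1 and writes nothing when the flag is off.
write_jar_override() {
    legacy_jar_enabled || return 1
    stock=$(sed -n 's/^jdk\.jar\.disabledAlgorithms=//p' "$1" | tail -n 1)
    [ -n "$stock" ] || return 2
    printf 'jdk.jar.disabledAlgorithms=%s\n' "$(strip_md5 "$stock")" > "$2"
    echo "child: MD5 re-allowed for JAR signature checks (override in $2)" >&2
}

# Set the IcedTea-Web property in deployment.properties ($1) when the JNLP flag is on.
# Appends once, so existing settings survive and repeated starts stay idempotent.
write_itw_override() {
    insecure_jnlp_enabled || return 1
    mkdir -p "$(dirname "$1")"
    grep -q '^deployment\.security\.itw\.ignorecertissues=' "$1" 2>/dev/null \
        || printf 'deployment.security.itw.ignorecertissues=true\n' >> "$1"
    echo "child: IcedTea certificate issues ignored for this session" >&2
}
```

With both flags unset the functions return non-zero and touch nothing, which is the "default behaviour unchanged" property the PR claims.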

Add default-off template flags and child env passthrough for MD5 JAR
algorithms and IcedTea certificate ignore, scoped to the ephemeral KVM
container only. Point stretch child image apt sources at archive.debian.org.
@nesvet nesvet force-pushed the feat/ami-legacy-jar-opt-in branch from 53a995d to ccb9546 on June 28, 2026 21:48

Development

Successfully merging this pull request may close these issues.

Legacy AMI JAR signatures break Java KVM in child container (ASUS ASMB8)