Opt-in legacy AMI JAR signatures for sandboxed KVM child #37
Open
nesvet wants to merge 1 commit into
b872ee6 to 53a995d

Add default-off template flags and child env passthrough for MD5 JAR algorithms and IcedTea certificate ignore, scoped to the ephemeral KVM container only. Point stretch child image apt sources at archive.debian.org.

53a995d to ccb9546
## Summary

AMI MegaRAC JViewer on ASUS ASMB8-iKVM fails in the stock OpenJDK 8u242 child: the AMI code-signing certificate on `JViewer.jar` is expired and `jdk.jar.disabledAlgorithms` includes MD5. Without opt-in flags, javaws reports unsigned jars; with legacy allowances enabled in the child, JViewer connects.

This PR adds opt-in, default-off flags gated by child environment variables and optional host-template YAML (`allow_legacy_jar_signatures`, `allow_insecure_jnlp_certs`). Default behaviour is unchanged.

`docker/Dockerfile_openjdk-8` points stretch apt sources at `archive.debian.org` so the child image still builds when Debian stretch mirrors are unavailable.

README documents the flags and example YAML only (ASUS `EXTRNIP`/`download_endpoint` is documented in #39).

## Flags

| Template YAML | Child env var | Setting affected |
| --- | --- | --- |
| `allow_legacy_jar_signatures: true` | `ALLOW_LEGACY_JAR_SIGNATURES=true` | `jdk.jar.disabledAlgorithms` |
| `allow_insecure_jnlp_certs: true` | `ALLOW_INSECURE_JNLP_CERTS=true` | `deployment.security.itw.ignorecertissues` |

`ALLOW_LEGACY_AMI_JARS=true` remains supported as a convenience alias for both flags.

## Files

- `docker/entrypoint.sh` — apply JVM / IcedTea settings when flags are set
- `docker/Dockerfile_openjdk-8` — stretch `archive.debian.org` apt sources
- `nojava_ipmi_kvm/config.py` — parse template YAML keys
- `nojava_ipmi_kvm/kvm.py` — pass `-e` into the ephemeral child
- `README.md` — example YAML and env var reference

## Test plan

- `docker build -f docker/Dockerfile_openjdk-8` succeeds on a clean runner
- Tested on ASUS ASMB8-iKVM firmware 1.14.2. With flags disabled, failure reproduced. With both YAML keys enabled, noVNC session loads after connect.

Closes #36
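How the two child env vars translate into JVM and IcedTea-Web settings, as an added shell example that is not the project's `docker/entrypoint.sh`: it assumes the child's `javaws` forwards `-J` options to the JVM, that the output directory and IcedTea-Web config directory are passed in as arguments, and the 8u242 baseline value of `jdk.jar.disabledAlgorithms`; unless a variable is exactly `true`, nothing is written and nothing is printed, so the host JVM and the default child are untouched.

```shell
#!/bin/sh
# Added example (not the project's entrypoint.sh). Default-off: an unset or
# non-"true" flag produces no file and no argument. Everything written lands
# under the directories given as arguments, i.e. inside the ephemeral child.

# The convenience alias ALLOW_LEGACY_AMI_JARS=true enables both flags.
legacy_resolve_alias() {
    if [ "${ALLOW_LEGACY_AMI_JARS:-}" = "true" ]; then
        ALLOW_LEGACY_JAR_SIGNATURES=true
        ALLOW_INSECURE_JNLP_CERTS=true
    fi
}

# $1: directory for the generated java.security override (assumed path).
# Drops only MD5 from jdk.jar.disabledAlgorithms (assumed 8u242 baseline:
# "MD2, MD5, RSA keySize < 1024, DSA keySize < 1024") and prints the javaws
# argument that loads the override via -Djava.security.properties (appends
# to, and overrides keys of, the stock java.security; "==" would replace it).
legacy_jar_signature_args() {
    [ "${ALLOW_LEGACY_JAR_SIGNATURES:-}" = "true" ] || return 0
    mkdir -p "$1"
    override="$1/legacy-jar.security"
    printf 'jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024\n' \
        > "$override"
    printf '%s\n' "-J-Djava.security.properties=$override"
}

# $1: IcedTea-Web user config dir (assumed $HOME/.config/icedtea-web in the
# child). Adds the ignore-cert-issues property only when the flag is on.
legacy_jnlp_cert_props() {
    [ "${ALLOW_INSECURE_JNLP_CERTS:-}" = "true" ] || return 0
    mkdir -p "$1"
    printf 'deployment.security.itw.ignorecertissues=true\n' \
        >> "$1/deployment.properties"
}
```

In the child the launch would then be `legacy_resolve_alias; legacy_jnlp_cert_props "$HOME/.config/icedtea-web"; javaws $(legacy_jar_signature_args /tmp/legacy-jars) JViewer.jnlp`; with both flags off that expands to a plain `javaws JViewer.jnlp`.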