From ccb95465870e779c89d492213be03566c49179fb Mon Sep 17 00:00:00 2001 From: Eugene Nesvetaev Date: Mon, 29 Jun 2026 00:51:30 +0400 Subject: [PATCH] Opt-in legacy AMI JAR signatures for sandboxed KVM child Add default-off template flags and child env passthrough for MD5 JAR algorithms and IcedTea certificate ignore, scoped to the ephemeral KVM container only. Point stretch child image apt sources at archive.debian.org. --- README.md | 23 +++++++++++++++++++++++ docker/Dockerfile_openjdk-8 | 5 +++++ docker/entrypoint.sh | 29 +++++++++++++++++++++++++++++ nojava_ipmi_kvm/config.py | 16 +++++++++++++++- nojava_ipmi_kvm/kvm.py | 4 ++++ 5 files changed, 76 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9973f20..5a34122 100644 --- a/README.md +++ b/README.md @@ -240,6 +240,29 @@ zplug install Clone this repository and source `nojava_ipmi_kvm_completion.plugin.zsh` in your `.zshrc`. +## Legacy AMI firmware (opt-in) + +Some AMI MegaRAC BMCs (Supermicro X9/X10, ASUS ASMB8) ship `JViewer.jar` signed with legacy algorithms and HTTPS certificates that modern OpenJDK builds reject inside the KVM child container. + +Opt-in template flags (default **off**) pass environment variables to the ephemeral `sciapp/nojava-ipmi-kvm` child only: + +| YAML key | Child env | Effect | +|---|---|---| +| `allow_legacy_jar_signatures: true` | `ALLOW_LEGACY_JAR_SIGNATURES=true` | Allow MD5 in `jdk.jar.disabledAlgorithms` | +| `allow_insecure_jnlp_certs: true` | `ALLOW_INSECURE_JNLP_CERTS=true` | IcedTea `deployment.security.itw.ignorecertissues` | +| (manual) | `ALLOW_LEGACY_AMI_JARS=true` | Both flags in the child image | + +Example: + +```yaml +templates: + ami-megarac-openjdk-8: + allow_legacy_jar_signatures: true + allow_insecure_jnlp_certs: true + download_endpoint: Java/jviewer.jnlp + java_version: 8u242 +``` + ## Acknowledgement - Special thanks to @mheuwes for adding the new YAML config file format and adding HTML5 support! 
diff --git a/docker/Dockerfile_openjdk-8 b/docker/Dockerfile_openjdk-8 index a64e88a..b670bb6 100644 --- a/docker/Dockerfile_openjdk-8 +++ b/docker/Dockerfile_openjdk-8 @@ -1,6 +1,11 @@ FROM debian:stretch LABEL maintainer="Ingo Meyer " +# Debian stretch is archived; keep apt working for CI and fresh builds. +RUN sed -i 's|deb.debian.org|archive.debian.org|g' /etc/apt/sources.list && \ + sed -i 's|security.debian.org|archive.debian.org|g' /etc/apt/sources.list && \ + sed -i '/stretch-updates/d' /etc/apt/sources.list + # Install needed packages and Java dependencies (second `apt-get install` call) RUN apt-get update && \ apt-get install -y --no-install-recommends ca-certificates curl eterm fluxbox net-tools procps python-numpy \ diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index c404cb0..b3cfba9 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -1,5 +1,24 @@ #!/bin/bash +# Opt-in legacy AMI JViewer support (ephemeral child container only). +# ALLOW_LEGACY_AMI_JARS=true enables both ALLOW_LEGACY_JAR_SIGNATURES and ALLOW_INSECURE_JNLP_CERTS. +allow_legacy_jar_signatures() { + local java_security="$1" + if [[ -f "${java_security}" ]]; then + sed -i '/^jdk\.jar\.disabledAlgorithms=/ s/MD5, //; s/, MD5//; s/ MD5//' "${java_security}" + fi +} + +legacy_jar_signatures_enabled() { + [[ "${ALLOW_LEGACY_JAR_SIGNATURES:-false}" == "true" ]] || \ + [[ "${ALLOW_LEGACY_AMI_JARS:-false}" == "true" ]] +} + +insecure_jnlp_certs_enabled() { + [[ "${ALLOW_INSECURE_JNLP_CERTS:-false}" == "true" ]] || \ + [[ "${ALLOW_LEGACY_AMI_JARS:-false}" == "true" ]] +} + read -r -s PASSWD echo "${PASSWD}" | /usr/local/bin/get_java_viewer -o /tmp/launch.jnlp "$@" return_code="$?" 
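Review bot: The new RUN rewrites the apt sources to archive.debian.org, but its comment only says it "keeps apt working"; it should also state that Debian stretch is end-of-life, so everything the following `apt-get install` pulls in receives no further security updates and the image is only fit for the short-lived KVM child. Suggested comment: `# Debian stretch is EOL: archive.debian.org keeps apt resolvable but ships no security updates; this image is only meant for the ephemeral KVM child.` Depending on the archive's Release metadata, `apt-get update` may additionally need `-o Acquire::Check-Valid-Until=false`, which is worth confirming in CI before relying on this. The RUN block with the `apt-get install` call continues outside the hunk.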
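Review bot: In `allow_legacy_jar_signatures` only the first `s/MD5, //` is bound to the `/^jdk\.jar\.disabledAlgorithms=/` address; sed applies the following `s/, MD5//` and `s/ MD5//` to every line of java.security, so the first `, MD5` on lines such as `jdk.certpath.disabledAlgorithms` and `jdk.tls.disabledAlgorithms` is also removed (e.g. `DES, MD5withRSA` would collapse into `DESwithRSA`), which re-enables MD5 for certificate-path and TLS checks rather than only for JAR signatures as the README documents. Group all three substitutions under the address: `sed -i '/^jdk\.jar\.disabledAlgorithms=/{ s/MD5, //; s/, MD5//; s/ MD5//; }' "${java_security}"`. The `[[ -f ]]` guard also turns an explicit opt-in into a silent no-op when the path is wrong; an `else echo "WARNING: ${java_security} not found, MD5 JAR signatures remain disabled" >&2` branch would surface that.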
@@ -19,6 +38,7 @@ if [[ "${JAVA_VERSION%-oracle}" != "${JAVA_VERSION}" ]]; then JAVA_VERSION="${JAVA_VERSION%-oracle}" JAVA_MAJOR_VERSION="${JAVA_VERSION%%u*}" JAVA_PATCH_LEVEL="${JAVA_VERSION#*u}" + ORACLE_JRE="/opt/oracle/jre1.${JAVA_MAJOR_VERSION}.0_${JAVA_PATCH_LEVEL}" mkdir -p /opt/oracle && \ tar -C/opt/oracle/ -xvf "/opt/java_packages/${JAVA_VERSION}/jre-${JAVA_VERSION}-linux-x64.tar.gz" && \ ln -s "/opt/oracle/jre1.${JAVA_MAJOR_VERSION}.0_${JAVA_PATCH_LEVEL}/bin/javaws" /usr/local/bin/javaws && \ @@ -28,6 +48,9 @@ if [[ "${JAVA_VERSION%-oracle}" != "${JAVA_VERSION}" ]]; then echo "deployment.security.level=MEDIUM" >> "/root/.java/deployment/deployment.properties" || return export PATH="/opt/oracle/jre1.${JAVA_MAJOR_VERSION}.0_${JAVA_PATCH_LEVEL}/bin:${PATH}" export JAVA_SECURITY_DIR="/root/.java/deployment/security" + if legacy_jar_signatures_enabled; then + allow_legacy_jar_signatures "${ORACLE_JRE}/lib/security/java.security" + fi else JAVA_VERSION="${JAVA_VERSION%-openjdk}" JAVA_MAJOR_VERSION="${JAVA_VERSION%%u*}" @@ -46,6 +69,12 @@ else fi #itweb-settings set deployment.security.notinca.warning false itweb-settings set deployment.security.expired.warning false + if insecure_jnlp_certs_enabled; then + itweb-settings set deployment.security.itw.ignorecertissues true + fi + if legacy_jar_signatures_enabled; then + allow_legacy_jar_signatures "/etc/java-${JAVA_MAJOR_VERSION}-openjdk/security/java.security" + fi export JAVA_SECURITY_DIR="/root/.config/icedtea-web/security" fi mkdir -p "${JAVA_SECURITY_DIR}" diff --git a/nojava_ipmi_kvm/config.py b/nojava_ipmi_kvm/config.py index 27989c8..2e7972e 100644 --- a/nojava_ipmi_kvm/config.py +++ b/nojava_ipmi_kvm/config.py 
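Review bot: `ORACLE_JRE` is introduced here, yet the `ln -s` line directly below it and the `export PATH` line in the next hunk still spell out `/opt/oracle/jre1.${JAVA_MAJOR_VERSION}.0_${JAVA_PATCH_LEVEL}` by hand, so the new variable removes only one of three copies of the same path. Use it on those lines as well: `ln -s "${ORACLE_JRE}/bin/javaws" /usr/local/bin/javaws && \` and `export PATH="${ORACLE_JRE}/bin:${PATH}"`. The enclosing `if` block starts and ends outside this hunk.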
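Review bot: Only `legacy_jar_signatures_enabled` is consulted in the Oracle JRE branch; nothing in this patch acts on `ALLOW_INSECURE_JNLP_CERTS` when `java_version` ends in `-oracle`, so a template that sets `allow_insecure_jnlp_certs: true` together with an Oracle JRE gets neither the effect nor a message. Either note in the README table that the flag is IcedTea-Web (OpenJDK) only, or add next to the new block `if insecure_jnlp_certs_enabled; then echo "WARNING: ALLOW_INSECURE_JNLP_CERTS is ignored with the Oracle JRE" >&2; fi`. The `if` branch this hunk sits in starts outside the hunk.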
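Review bot: `deployment.security.itw.ignorecertissues true` makes IcedTea-Web ignore certificate problems altogether, a much broader relaxation than the expired/not-in-CA warnings the surrounding lines already silence, and the new block enables it without leaving any trace in the container output. Print a stderr line when either opt-in is active so the weakened mode is visible in the child's log, e.g. `echo "WARNING: IcedTea-Web certificate checks disabled (ALLOW_INSECURE_JNLP_CERTS)" >&2` inside the first new `if`, with a matching line for the MD5 case in the second. The enclosing `else` branch starts outside this hunk.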
@@ -108,13 +108,27 @@ def __init__( download_endpoint="cgi/url_redirect.cgi?url_name=ikvm&url_type=jwsk", java_version="7u181", format_jnlp=False, + allow_legacy_jar_signatures=False, + allow_insecure_jnlp_certs=False, **kwargs, ): - # type: (Text, Text, Text, Text, bool, **Any) -> None + # type: (Text, Text, Text, Text, bool, bool, bool, **Any) -> None super().__init__(short_hostname, full_hostname, **kwargs) self._download_endpoint = download_endpoint self._java_version = java_version self._format_jnlp = format_jnlp + self._allow_legacy_jar_signatures = allow_legacy_jar_signatures + self._allow_insecure_jnlp_certs = allow_insecure_jnlp_certs + + @property + def allow_legacy_jar_signatures(self): + # type: () -> bool + return self._allow_legacy_jar_signatures + + @property + def allow_insecure_jnlp_certs(self): + # type: () -> bool + return self._allow_insecure_jnlp_certs @property def download_endpoint(self): diff --git a/nojava_ipmi_kvm/kvm.py b/nojava_ipmi_kvm/kvm.py index c8b422b..a14c16a 100644 --- a/nojava_ipmi_kvm/kvm.py +++ b/nojava_ipmi_kvm/kvm.py @@ -234,6 +234,10 @@ def create_java_docker_args(host_config, login_password, selected_resolution): "-e", "KVM_HOSTNAME={}".format(host_config.full_hostname), ] + if host_config.allow_legacy_jar_signatures: + environment_variables.extend(["-e", "ALLOW_LEGACY_JAR_SIGNATURES=true"]) + if host_config.allow_insecure_jnlp_certs: + environment_variables.extend(["-e", "ALLOW_INSECURE_JNLP_CERTS=true"]) java_provider = "oraclejre" if host_config.java_version.endswith("-oracle") else "openjdk" java_major_version = host_config.java_version.split("u")[0]
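Review bot: The two new properties `allow_legacy_jar_signatures` and `allow_insecure_jnlp_certs` carry only a `# type:` comment; since each one switches off a signature or certificate check in the child container, a one-line docstring should say so, e.g. `"""Whether MD5-signed JARs are accepted in the KVM child container (default False)."""` and `"""Whether IcedTea-Web ignores certificate issues in the KVM child container (default False)."""`. The two new `__init__` parameters deserve the same mention in the class or constructor docstring, which lies outside this hunk. The `__init__` signature starts before the hunk; keeping the file's `# type:` comment style for the new code is consistent.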