Date: Mon, 04 Dec 2023 14:18:40 +0000
From: bugzilla-noreply@freebsd.org
To: java@FreeBSD.org
Subject: [Bug 274964] java/openjdk21 Dual-stack IPv4/IPv6 applications no longer work with sysctl net.inet6.ip6.v6only=1
Message-ID: <bug-274964-8522-ypvwibWKcJ@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-274964-8522@https.bugs.freebsd.org/bugzilla/>
References: <bug-274964-8522@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274964

--- Comment #4 from Daniel Neades <djn@araxis.com> ---
Hello Michael, thank you for your interest in this issue. I hope the following information will prove helpful.

I initially reported the problem with our host running FreeBSD 13.2-RELEASE-p3. I have just upgraded to FreeBSD 13.2-RELEASE-p6 (though the kernel is showing p4) and can confirm that the problem still exists.

Our host has a number of jails. Jail id 3 contains the Tomcat application; jail id 11 contains the Scala application. The following commands were run directly on the host (i.e. not inside a jail):

```
# uname -a
FreeBSD <redacted> 13.2-RELEASE-p4 FreeBSD 13.2-RELEASE-p4 GENERIC amd64
# freebsd-version -kru -j 3 -j 11
13.2-RELEASE-p4
13.2-RELEASE-p4
13.2-RELEASE-p6
13.2-RELEASE-p6
13.2-RELEASE-p6
# sysctl net.inet6.ip6.v6only
net.inet6.ip6.v6only: 1
```

With OpenJDK 17, the Scala application listens on a dual-stack socket. The following commands were run within jail id 11 with the Scala application running on OpenJDK 17:

```
# pkg version -v | grep jdk
openjdk17-17.0.9+9.1 = up-to-date with index
# service portal restart && sleep 5 && sockstat -l -6 -4 -p 8443
Stopping portal.
Waiting for PIDS: 43983.
Starting portal.
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
portal   java       44346 10 tcp46  *:8443                *:*
# ps -axww | grep openjdk | head -n 1 # show command used to run application
53030 - IJ 0:05.07 /usr/local/openjdk17/bin/java -Djava.net.preferIPv4Stack=false -Xms32m -Xmx64m -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.server.enableStatusRequestExtension=true -Dlogback.configurationFile=/usr/local/portal/etc/logback.xml -jar /usr/local/portal/lib/Portal2023.0.34.jar --dbHost=10.12.12.11 --dbPort=6432
```

With OpenJDK 21, the Scala application listens only on an IPv6 socket. The following commands were run within jail id 11, this time running the Scala application on OpenJDK 21:

```
# pkg version -v | grep jdk
openjdk21-21.0.1+12.1 = up-to-date with index
# service portal restart && sleep 5 && sockstat -l -6 -4 -p 8443
Stopping portal.
Waiting for PIDS: 48749.
Starting portal.
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS               FOREIGN ADDRESS
portal   java       49590 10 tcp6   <redacted>::7546:0:c:8443   *:*
# ps -axww | grep openjdk | head -n 1 # show command used to run application
49590 - IJ 0:06.86 /usr/local/openjdk21/bin/java -Djava.net.preferIPv4Stack=false -Xms32m -Xmx64m -Djdk.tls.ephemeralDHKeySize=2048 -Djdk.tls.server.enableStatusRequestExtension=true -Dlogback.configurationFile=/usr/local/portal/etc/logback.xml -jar /usr/local/portal/lib/Portal2023.0.34.jar --dbHost=10.12.12.11 --dbPort=6432
```

Now, to repeat the same exercise but using the Tomcat application running in jail 3 …

With OpenJDK 17, Tomcat listens on a dual-stack socket. The following commands were run within jail id 3 with Tomcat running on OpenJDK 17 (OpenJDK 11 and 8 are installed as Tomcat/APR dependencies):

```
# pkg version -v | grep -E '(openjdk|tomcat)'
openjdk11-11.0.21+9.1 = up-to-date with index
openjdk17-17.0.9+9.1 = up-to-date with index
openjdk8-8.392.08.1 = up-to-date with index
tomcat-native-1.2.38 = up-to-date with index
tomcat101-10.1.16 = up-to-date with index
# service tomcat101 restart && sleep 5 && sockstat -l -6 -4 -p 8443,8180
Stopping tomcat101.
Waiting for PIDS: 58204.
Starting tomcat101.
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      jsvc       59982 44 tcp46  *:8180                *:*
www      jsvc       59982 48 tcp46  *:8443                *:*
# ps -axww | grep jsvc | head -n1 # show command used to run application
59981 - IsJ 0:00.00 /usr/local/bin/jsvc -java-home /usr/local/openjdk17 -server -user www -umask 0077 -pidfile /var/run/tomcat101.pid -wait 30 -outfile /usr/local/apache-tomcat-10.1/logs/catalina.out -errfile &1 -classpath /usr/local/apache-tomcat-10.1/bin/bootstrap.jar:/usr/local/share/java/classes/commons-daemon.jar:/usr/local/apache-tomcat-10.1/bin/tomcat-juli.jar -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/usr/local/apache-tomcat-10.1/conf/logging.properties -Xms128m -Xmx256m -Djava.net.preferIPv4Stack=false -Dcatalina.home=/usr/local/apache-tomcat-10.1 -Dcatalina.base=/usr/local/apache-tomcat-10.1 -Djava.io.tmpdir=/usr/local/apache-tomcat-10.1/temp org.apache.catalina.startup.Bootstrap
```

With OpenJDK 21, Tomcat listens only on an IPv6 socket. The following commands were run within jail id 3 with Tomcat running on OpenJDK 21:

```
# pkg version -v | grep -E '(openjdk|tomcat)'
openjdk11-11.0.21+9.1 = up-to-date with index
openjdk21-21.0.1+12.1 = up-to-date with index
openjdk8-8.392.08.1 = up-to-date with index
tomcat-native-1.2.38 = up-to-date with index
tomcat101-10.1.16 = up-to-date with index
# service tomcat101 restart && sleep 5 && sockstat -l -6 -4 -p 8443,8180
Stopping tomcat101.
Waiting for PIDS: 62706.
Starting tomcat101.
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS               FOREIGN ADDRESS
www      jsvc       63327 45 tcp6   <redacted>::7546:0:3:8180   *:*
www      jsvc       63327 49 tcp6   <redacted>::7546:0:3:8443   *:*
# ps -axww | grep jsvc | head -n1 # show command used to run application
63326 - IsJ 0:00.00 /usr/local/bin/jsvc -java-home /usr/local/openjdk21 -server -user www -umask 0077 -pidfile /var/run/tomcat101.pid -wait 30 -outfile /usr/local/apache-tomcat-10.1/logs/catalina.out -errfile &1 -classpath /usr/local/apache-tomcat-10.1/bin/bootstrap.jar:/usr/local/share/java/classes/commons-daemon.jar:/usr/local/apache-tomcat-10.1/bin/tomcat-juli.jar -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/usr/local/apache-tomcat-10.1/conf/logging.properties -Xms128m -Xmx256m -Djava.net.preferIPv4Stack=false -Dcatalina.home=/usr/local/apache-tomcat-10.1 -Dcatalina.base=/usr/local/apache-tomcat-10.1 -Djava.io.tmpdir=/usr/local/apache-tomcat-10.1/temp org.apache.catalina.startup.Bootstrap
```

Here is the connector for the 8443 HTTPS socket from the Tomcat `server.xml` file showing the use of the APR-provided OpenSSL implementation:

```
<Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           scheme="https" port="8443" maxThreads="150" URIEncoding="UTF-8"
           secure="true" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3" disableCompression="true"
                   disableSessionTickets="true" honorCipherOrder="false"
                   ciphers="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384">
        <Certificate certificateFile="redacted.crt"
                     certificateChainFile="redacted.issuer.crt"
                     certificateKeyFile="redacted.key"/>
    </SSLHostConfig>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                     overheadDataThreshold="0" />
</Connector>
```

-- 
You are receiving this mail because:
You are the assignee for the bug.