The underlying issue is that /tmp is a symlink on Mac. Java security
manager permissions need the ability to read the symlink AND the underlying
directory. Since we only have
permission java.io.FilePermission "${java.io.tmpdir}", "read,write";
permission java.io.FilePermission "${java.io.tmpdir}${/}-",
"read,write,delete";
in security.policy it by default is just the symlink.
We actually do similar fixes in our bin/solr script already using `pwd -P`
to ensure that we don't have symlinks in the path. See SOLR-16457 /
https://github.com/apache/solr/pull/1282
an example that works:
./bin/solr start -f --jvm-opts "-Djava.io.tmpdir=$(cd $TMPDIR; pwd -P)"
This takes the existing TMPDIR environment variable and forces
`java.io.tmpdir` to not be a symlink anymore using the `pwd -P` expansion.
This can be done in bin/solr as well if we want and set tmpdir in say
SOLR_START_OPTS. Here is a PR to show how this could be done
https://github.com/apache/solr/pull/3359
As you already found out you can also just disable the security manager -
here is a one liner that doesn't require changing any files either.
SOLR_SECURITY_MANAGER_ENABLED=false ./bin/solr start -f
As a final note this is not new to Jetty 12 but has been an issue in the
past - see https://issues.apache.org/jira/browse/SOLR-17542. It might be
new how its popping up now with Jetty 12 doing something with the temp
directory but there are other ways to hit it.
Kevin Risden
On Wed, May 21, 2025 at 5:52 PM Rahul Goswami <rahul196...@gmail.com> wrote:
> That worked. Thanks Christos!
>
> On Wed, May 21, 2025 at 5:30 PM Christos Malliaridis <
> malliari...@apache.org>
> wrote:
>
> > I have faced the same issue recently.
> >
> > There is a configuration option in bin/solr.in.sh <http://sole.in.sh>
> for
> > the security manager:
> >
> > #SOLR_SECURITY_MANAGER_ENABLED=true
> >
> > Removing the comment and setting it to false worked for me.
> >
> > On Wed, 21 May 2025, 23:19 Rahul Goswami, <rahul196...@gmail.com> wrote:
> >
> > > Sanjay,
> > > Thanks for looking into this. I also tried disabling the security
> manager
> > > on MacOS by running "solr start -e techproducts
> > > -Djdk.security.manager=disallow" and still see the same behavior with
> the
> > > same stacktrace in log.
> > >
> > > -Rahul
> > >
> > > On Tue, May 20, 2025 at 11:55 PM sanjay dutt <
> > > sanjaydutt.unoffic...@gmail.com> wrote:
> > >
> > > > Recently I merged changes related to jetty upgrade. I will look into
> > it.
> > > > https://github.com/apache/solr/pull/2876
> > > >
> > > > On Wed, May 21, 2025 at 5:44 AM Rahul Goswami <rahul196...@gmail.com
> >
> > > > wrote:
> > > >
> > > > > For additional context, this is working fine on Windows. Failing
> > > > > consistently on MacOS.
> > > > >
> > > > > Thanks,
> > > > > Rahul
> > > > >
> > > > >
> > > > > On Tue, May 20, 2025 at 5:32 PM Rahul Goswami <
> rahul196...@gmail.com
> > >
> > > > > wrote:
> > > > >
> > > > > > I checked out main, and then "gradlew dev". Tried running the
> > > > > techproducts
> > > > > > example, but it seems to get into some exception with
> initializing
> > > the
> > > > > > context (hitting 503 error).
> > > > > >
> > > > > >
> > > > > > Logs are complaining about AccessControlException while trying to
> > > > access
> > > > > a
> > > > > > temp location. I have tried the example flow in the past and
> never
> > > hit
> > > > > this
> > > > > > permission issue. Needless to say, bats tests are failing too.
> > > > > >
> > > > > >
> > > > > > Is anybody else seeing this too? Bad commit or an environmental
> > > issue?
> > > > > > Thanks for any insights.
> > > > > >
> > > > > >
> > > > > > rahulgoswami@MacBookPro bin % ./solr start -e techproducts
> > > > > >
> > > > > > *** [WARN] *** Your Max Processes Limit is currently 2784.
> > > > > >
> > > > > > It should be set to 65000 to avoid operational disruption.
> > > > > >
> > > > > > If you no longer wish to see this warning, set
> SOLR_ULIMIT_CHECKS
> > to
> > > > > > false in your profile or solr.in.sh
> > > > > >
> > > > > >
> > > > > > Starting up Solr on port 8983 using command:
> > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/bin/solr"
> > > > > > start -p 8983 --solr-home
> > > > > >
> > > > >
> > > >
> > >
> >
> "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/solr"
> > > > > > --server-dir
> > > > > >
> > > > >
> > > >
> > >
> >
> "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server"
> > > > > > -Dsolr.modules=clustering,extraction,langid,ltr,scripting
> > > > > > -Dsolr.ltr.enabled=true -Dsolr.clustering.enabled=true
> > > > > >
> > > > > >
> > > > > > *** [WARN] *** Your Max Processes Limit is currently 2784.
> > > > > >
> > > > > > It should be set to 65000 to avoid operational disruption.
> > > > > >
> > > > > > If you no longer wish to see this warning, set
> SOLR_ULIMIT_CHECKS
> > to
> > > > > > false in your profile or solr.in.sh
> > > > > >
> > > > > > Waiting up to 180 seconds to see Solr running on port 8983 [|]
> > > > > >
> > > > > > *Started Solr server on port 8983 (pid=25521). Happy searching!*
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > *ERROR: Did not see Solr at http://localhost:8983/solr
> > > > > > <http://localhost:8983/solr> come online within 30 seconds!*
> > > > > >
> > > > > >
> > > > > >
> > > > > > rahulgoswami@MacBookPro bin % ulimit -u
> > > > > >
> > > > > > 4176
> > > > > >
> > > > > >
> > > > > >
> > > > > > solr.log
> > > > > >
> > > > > > ========
> > > > > >
> > > > > > 2025-05-20 17:29:35.210 WARN (main) [c: s: r: x: t:]
> > > > > > o.e.j.x.XmlConfiguration Deprecated method public void
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebAppContext.addServerClassMatcher(org.eclipse.jetty.ee10.webapp.ClassMatcher)
> > > > > > in
> > > > > >
> > > > >
> > > >
> > >
> >
> file:///Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/contexts/solr-jetty-context.xml
> > > > > >
> > > > > > 2025-05-20 17:29:35.228 WARN (main) [c: s: r: x: t:]
> > > > > > o.e.j.e.w.WebAppContext Failed startup of context
> > > > > > oeje10w.WebAppContext@4beddc56
> > > > > >
> > > > >
> > > >
> > >
> >
> {solr-jetty-context,/solr,b=null,a=STOPPED,h=oeje10s.SessionHandler@79b663b3
> > > > >
> > > >
> > >
> >
> {STOPPED}}{/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/solr-webapp/webapp}
> > > > > > => *java.security.AccessControlException: access denied
> > > > > > ("java.io.FilePermission"
> > > > > >
> > > > >
> > > >
> > >
> >
> "/private/var/folders/j3/z8sqwjzx7n51bqx4qsw1_szw0000gn/T/jetty-127_0_0_1-8983-webapp-_solr-any-17333184592629858469"
> > > > > > "read")*
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
> > > > > >
> > > > > > java.security.AccessControlException: access denied
> > > > > > ("java.io.FilePermission"
> > > > > >
> > > > >
> > > >
> > >
> >
> "/private/var/folders/j3/z8sqwjzx7n51bqx4qsw1_szw0000gn/T/jetty-127_0_0_1-8983-webapp-_solr-any-17333184592629858469"
> > > > > > "read")
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
> > > > > > ~[?:?]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> java.base/java.security.AccessController.checkPermission(AccessController.java:1085)
> > > > > > ~[?:?]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
> > > > > > ~[?:?]
> > > > > >
> > > > > > at
> > > > > >
> > > java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:742)
> > > > > > ~[?:?]
> > > > > >
> > > > > > at java.base/java.io.File.exists(File.java:831) ~[?:?]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.server.handler.ContextHandler.createTempDirectory(ContextHandler.java:787)
> > > > > > ~[jetty-server-12.0.19.jar:12.0.19]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebAppContext.createTempDirectory(WebAppContext.java:480)
> > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebInfConfiguration.preConfigure(WebInfConfiguration.java:62)
> > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.Configurations.preConfigure(Configurations.java:487)
> > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebAppContext.preConfigure(WebAppContext.java:462)
> > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:503)
> > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93)
> > > > > > ~[jetty-util-12.0.19.jar:12.0.19]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
> > > > > > ~[jetty-util-12.0.19.jar:12.0.19]
> > > > > >
> > > > > > at
> > > > > >
> > > > >
> > > >
> > >
> >
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:120)
> > > > > > ~[jetty-util-12.0.19.jar:12.0.19]
> > > > > >
> > > > > > at
> > > > > >
> org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:491)
> > > > > > ~[jetty-server-12.0.19.jar:12.0.19]
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > request.log
> > > > > >
> > > > > > ===========
> > > > > >
> > > > > > 127.0.0.1 - - [20/May/2025:17:30:02 +0000] "GET
> > > > > > /solr/admin/info/system?wt=javabin HTTP/2.0" 503 405
> > > > > >
> > > > > > 127.0.0.1 - - [20/May/2025:17:30:04 +0000] "GET
> > > > > > /solr/admin/info/system?wt=javabin HTTP/2.0" 503 405
> > > > > >
> > > > >
> > > >
> > >
> >
>
