Its not just a main / Jetty 12 issue. This should be backported to 9.x as well where security manager isn't going away.
Kevin Risden On Thu, May 22, 2025 at 11:22 AM Rahul Goswami <rahul196...@gmail.com> wrote: > Great find Kevin! That makes sense. Can confirm that starting with > --jvm-opts "-Djava.io.tmpdir=$(cd $TMPDIR; pwd -P)" works too. Also, thanks > for the PR! > > I'd say that fixing this by passing "pwd -P" in the start opts in bin/solr > _seems_ like the right way to go. But I am also conflicted on whether > disabling security manager altogether is the solution that could be > considered here (?). Especially since it's going away in Java 24 anyway. > > Rahul > > On Wed, May 21, 2025 at 10:07 PM Kevin Risden <kris...@apache.org> wrote: > > > The underlying issue is that /tmp is a symlink on Mac. Java security > > manager permissions need the ability to read the symlink AND the > underlying > > directory. Since we only have > > > > permission java.io.FilePermission "${java.io.tmpdir}", "read,write"; > > permission java.io.FilePermission "${java.io.tmpdir}${/}-", > > "read,write,delete"; > > > > in security.policy it by default is just the symlink. > > > > We actually do similar fixes in our bin/solr script already using `pwd > -P` > > to ensure that we don't have symlinks in the path. See SOLR-16457 / > > https://github.com/apache/solr/pull/1282 > > > > an example that works: > > > > ./bin/solr start -f --jvm-opts "-Djava.io.tmpdir=$(cd $TMPDIR; pwd -P)" > > > > This takes the existing TMPDIR environment variable and forces > > `java.io.tmpdir` to not be a symlink anymore using the `pwd -P` > expansion. > > > > This can be done in bin/solr as well if we want and set tmpdir in say > > SOLR_START_OPTS. Here is a PR to show how this could be done > > https://github.com/apache/solr/pull/3359 > > > > As you already found out you can also just disable the security manager - > > here is a one liner that doesn't require changing any files either. > > > > SOLR_SECURITY_MANAGER_ENABLED=false ./bin/solr start -f > > > > As a final note this is not new to Jetty 12 but has been an issue in the > > past - see https://issues.apache.org/jira/browse/SOLR-17542. It might be > > new how its popping up now with Jetty 12 doing something with the temp > > directory but there are other ways to hit it. > > > > Kevin Risden > > > > > > On Wed, May 21, 2025 at 5:52 PM Rahul Goswami <rahul196...@gmail.com> > > wrote: > > > > > That worked. Thanks Christos! > > > > > > On Wed, May 21, 2025 at 5:30 PM Christos Malliaridis < > > > malliari...@apache.org> > > > wrote: > > > > > > > I have faced the same issue recently. > > > > > > > > There is a configuration option in bin/solr.in.sh <http://sole.in.sh > > > > > for > > > > the security manager: > > > > > > > > #SOLR_SECURITY_MANAGER_ENABLED=true > > > > > > > > Removing the comment and setting it to false worked for me. > > > > > > > > On Wed, 21 May 2025, 23:19 Rahul Goswami, <rahul196...@gmail.com> > > wrote: > > > > > > > > > Sanjay, > > > > > Thanks for looking into this. I also tried disabling the security > > > manager > > > > > on MacOS by running "solr start -e techproducts > > > > > -Djdk.security.manager=disallow" and still see the same behavior > with > > > the > > > > > same stacktrace in log. > > > > > > > > > > -Rahul > > > > > > > > > > On Tue, May 20, 2025 at 11:55 PM sanjay dutt < > > > > > sanjaydutt.unoffic...@gmail.com> wrote: > > > > > > > > > > > Recently I merged changes related to jetty upgrade. I will look > > into > > > > it. > > > > > > https://github.com/apache/solr/pull/2876 > > > > > > > > > > > > On Wed, May 21, 2025 at 5:44 AM Rahul Goswami < > > rahul196...@gmail.com > > > > > > > > > > wrote: > > > > > > > > > > > > > For additional context, this is working fine on Windows. > Failing > > > > > > > consistently on MacOS. > > > > > > > > > > > > > > Thanks, > > > > > > > Rahul > > > > > > > > > > > > > > > > > > > > > On Tue, May 20, 2025 at 5:32 PM Rahul Goswami < > > > rahul196...@gmail.com > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > I checked out main, and then "gradlew dev". Tried running the > > > > > > > techproducts > > > > > > > > example, but it seems to get into some exception with > > > initializing > > > > > the > > > > > > > > context (hitting 503 error). > > > > > > > > > > > > > > > > > > > > > > > > Logs are complaining about AccessControlException while > trying > > to > > > > > > access > > > > > > > a > > > > > > > > temp location. I have tried the example flow in the past and > > > never > > > > > hit > > > > > > > this > > > > > > > > permission issue. Needless to say, bats tests are failing > too. > > > > > > > > > > > > > > > > > > > > > > > > Is anybody else seeing this too? Bad commit or an > environmental > > > > > issue? > > > > > > > > Thanks for any insights. > > > > > > > > > > > > > > > > > > > > > > > > rahulgoswami@MacBookPro bin % ./solr start -e techproducts > > > > > > > > > > > > > > > > *** [WARN] *** Your Max Processes Limit is currently 2784. > > > > > > > > > > > > > > > > It should be set to 65000 to avoid operational disruption. > > > > > > > > > > > > > > > > If you no longer wish to see this warning, set > > > SOLR_ULIMIT_CHECKS > > > > to > > > > > > > > false in your profile or solr.in.sh > > > > > > > > > > > > > > > > > > > > > > > > Starting up Solr on port 8983 using command: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/bin/solr" > > > > > > > > start -p 8983 --solr-home > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/solr" > > > > > > > > --server-dir > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server" > > > > > > > > -Dsolr.modules=clustering,extraction,langid,ltr,scripting > > > > > > > > -Dsolr.ltr.enabled=true -Dsolr.clustering.enabled=true > > > > > > > > > > > > > > > > > > > > > > > > *** [WARN] *** Your Max Processes Limit is currently 2784. > > > > > > > > > > > > > > > > It should be set to 65000 to avoid operational disruption. > > > > > > > > > > > > > > > > If you no longer wish to see this warning, set > > > SOLR_ULIMIT_CHECKS > > > > to > > > > > > > > false in your profile or solr.in.sh > > > > > > > > > > > > > > > > Waiting up to 180 seconds to see Solr running on port 8983 > [|] > > > > > > > > > > > > > > > > *Started Solr server on port 8983 (pid=25521). Happy > > searching!* > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > *ERROR: Did not see Solr at http://localhost:8983/solr > > > > > > > > <http://localhost:8983/solr> come online within 30 seconds!* > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > rahulgoswami@MacBookPro bin % ulimit -u > > > > > > > > > > > > > > > > 4176 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > solr.log > > > > > > > > > > > > > > > > ======== > > > > > > > > > > > > > > > > 2025-05-20 17:29:35.210 WARN (main) [c: s: r: x: t:] > > > > > > > > o.e.j.x.XmlConfiguration Deprecated method public void > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.ee10.webapp.WebAppContext.addServerClassMatcher(org.eclipse.jetty.ee10.webapp.ClassMatcher) > > > > > > > > in > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > file:///Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/contexts/solr-jetty-context.xml > > > > > > > > > > > > > > > > 2025-05-20 17:29:35.228 WARN (main) [c: s: r: x: t:] > > > > > > > > o.e.j.e.w.WebAppContext Failed startup of context > > > > > > > > oeje10w.WebAppContext@4beddc56 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > {solr-jetty-context,/solr,b=null,a=STOPPED,h=oeje10s.SessionHandler@79b663b3 > > > > > > > > > > > > > > > > > > > > > > > > > > > > {STOPPED}}{/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/solr-webapp/webapp} > > > > > > > > => *java.security.AccessControlException: access denied > > > > > > > > ("java.io.FilePermission" > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/private/var/folders/j3/z8sqwjzx7n51bqx4qsw1_szw0000gn/T/jetty-127_0_0_1-8983-webapp-_solr-any-17333184592629858469" > > > > > > > > "read")* > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488) > > > > > > > > > > > > > > > > java.security.AccessControlException: access denied > > > > > > > > ("java.io.FilePermission" > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > "/private/var/folders/j3/z8sqwjzx7n51bqx4qsw1_szw0000gn/T/jetty-127_0_0_1-8983-webapp-_solr-any-17333184592629858469" > > > > > > > > "read") > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488) > > > > > > > > ~[?:?] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > java.base/java.security.AccessController.checkPermission(AccessController.java:1085) > > > > > > > > ~[?:?] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411) > > > > > > > > ~[?:?] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:742) > > > > > > > > ~[?:?] > > > > > > > > > > > > > > > > at java.base/java.io.File.exists(File.java:831) > ~[?:?] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.server.handler.ContextHandler.createTempDirectory(ContextHandler.java:787) > > > > > > > > ~[jetty-server-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.ee10.webapp.WebAppContext.createTempDirectory(WebAppContext.java:480) > > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.ee10.webapp.WebInfConfiguration.preConfigure(WebInfConfiguration.java:62) > > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.ee10.webapp.Configurations.preConfigure(Configurations.java:487) > > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.ee10.webapp.WebAppContext.preConfigure(WebAppContext.java:462) > > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:503) > > > > > > > > ~[jetty-ee10-webapp-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) > > > > > > > > ~[jetty-util-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) > > > > > > > > ~[jetty-util-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > at > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:120) > > > > > > > > ~[jetty-util-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > at > > > > > > > > > > > org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:491) > > > > > > > > ~[jetty-server-12.0.19.jar:12.0.19] > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > request.log > > > > > > > > > > > > > > > > =========== > > > > > > > > > > > > > > > > 127.0.0.1 - - [20/May/2025:17:30:02 +0000] "GET > > > > > > > > /solr/admin/info/system?wt=javabin HTTP/2.0" 503 405 > > > > > > > > > > > > > > > > 127.0.0.1 - - [20/May/2025:17:30:04 +0000] "GET > > > > > > > > /solr/admin/info/system?wt=javabin HTTP/2.0" 503 405 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >