I am able to run Solr with branch_9x without the patch from https://github.com/apache/solr/pull/3359 and it seems that it works without errors. Are you sure Solr 9x is affected by this? No objection to backporting this though, just making sure we are not trying to fix something that is not an issue in 9x.

Christos

On Thu, May 22, 2025 at 7:02 PM Kevin Risden <kris...@apache.org> wrote:

> It's not just a main / Jetty 12 issue. This should be backported to 9.x as
> well where security manager isn't going away.
>
> Kevin Risden
>
> On Thu, May 22, 2025 at 11:22 AM Rahul Goswami <rahul196...@gmail.com> wrote:
>
> > Great find Kevin! That makes sense. Can confirm that starting with
> > --jvm-opts "-Djava.io.tmpdir=$(cd $TMPDIR; pwd -P)" works too. Also,
> > thanks for the PR!
> >
> > I'd say that fixing this by passing "pwd -P" in the start opts in bin/solr
> > _seems_ like the right way to go. But I am also conflicted on whether
> > disabling security manager altogether is the solution that could be
> > considered here (?). Especially since it's going away in Java 24 anyway.
> >
> > Rahul
> >
> > On Wed, May 21, 2025 at 10:07 PM Kevin Risden <kris...@apache.org> wrote:
> >
> > > The underlying issue is that /tmp is a symlink on Mac. Java security
> > > manager permissions need the ability to read the symlink AND the
> > > underlying directory. Since we only have
> > >
> > > permission java.io.FilePermission "${java.io.tmpdir}", "read,write";
> > > permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
> > >
> > > in security.policy it by default is just the symlink.
> > >
> > > We actually do similar fixes in our bin/solr script already using
> > > `pwd -P` to ensure that we don't have symlinks in the path. See
> > > SOLR-16457 / https://github.com/apache/solr/pull/1282
> > >
> > > an example that works:
> > >
> > > ./bin/solr start -f --jvm-opts "-Djava.io.tmpdir=$(cd $TMPDIR; pwd -P)"
> > >
> > > This takes the existing TMPDIR environment variable and forces
> > > `java.io.tmpdir` to not be a symlink anymore using the `pwd -P`
> > > expansion.
> > >
> > > This can be done in bin/solr as well if we want and set tmpdir in say
> > > SOLR_START_OPTS. Here is a PR to show how this could be done
> > > https://github.com/apache/solr/pull/3359
> > >
> > > As you already found out you can also just disable the security
> > > manager - here is a one liner that doesn't require changing any files
> > > either.
> > >
> > > SOLR_SECURITY_MANAGER_ENABLED=false ./bin/solr start -f
> > >
> > > As a final note this is not new to Jetty 12 but has been an issue in
> > > the past - see https://issues.apache.org/jira/browse/SOLR-17542. It
> > > might be new how it's popping up now with Jetty 12 doing something with
> > > the temp directory but there are other ways to hit it.
> > >
> > > Kevin Risden
> > >
> > > On Wed, May 21, 2025 at 5:52 PM Rahul Goswami <rahul196...@gmail.com> wrote:
> > >
> > > > That worked. Thanks Christos!
> > > >
> > > > On Wed, May 21, 2025 at 5:30 PM Christos Malliaridis <malliari...@apache.org> wrote:
> > > >
> > > > > I have faced the same issue recently.
> > > > >
> > > > > There is a configuration option in bin/solr.in.sh for the security
> > > > > manager:
> > > > >
> > > > > #SOLR_SECURITY_MANAGER_ENABLED=true
> > > > >
> > > > > Removing the comment and setting it to false worked for me.
> > > > >
> > > > > On Wed, 21 May 2025, 23:19 Rahul Goswami, <rahul196...@gmail.com> wrote:
> > > > >
> > > > > > Sanjay,
> > > > > > Thanks for looking into this. I also tried disabling the security
> > > > > > manager on MacOS by running "solr start -e techproducts
> > > > > > -Djdk.security.manager=disallow" and still see the same behavior
> > > > > > with the same stacktrace in log.
> > > > > >
> > > > > > -Rahul
> > > > > >
> > > > > > On Tue, May 20, 2025 at 11:55 PM sanjay dutt <sanjaydutt.unoffic...@gmail.com> wrote:
> > > > > >
> > > > > > > Recently I merged changes related to jetty upgrade. I will look
> > > > > > > into it.
> > > > > > > https://github.com/apache/solr/pull/2876
> > > > > > >
> > > > > > > On Wed, May 21, 2025 at 5:44 AM Rahul Goswami <rahul196...@gmail.com> wrote:
> > > > > > >
> > > > > > > > For additional context, this is working fine on Windows.
> > > > > > > > Failing consistently on MacOS.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Rahul
> > > > > > > >
> > > > > > > > On Tue, May 20, 2025 at 5:32 PM Rahul Goswami <rahul196...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > > I checked out main, and then "gradlew dev". Tried running the
> > > > > > > > > techproducts example, but it seems to get into some exception
> > > > > > > > > with initializing the context (hitting 503 error).
> > > > > > > > >
> > > > > > > > > Logs are complaining about AccessControlException while trying
> > > > > > > > > to access a temp location. I have tried the example flow in the
> > > > > > > > > past and never hit this permission issue. Needless to say, bats
> > > > > > > > > tests are failing too.
> > > > > > > > >
> > > > > > > > > Is anybody else seeing this too? Bad commit or an environmental
> > > > > > > > > issue? Thanks for any insights.
> > > > > > > > >
> > > > > > > > > rahulgoswami@MacBookPro bin % ./solr start -e techproducts
> > > > > > > > >
> > > > > > > > > *** [WARN] *** Your Max Processes Limit is currently 2784.
> > > > > > > > > It should be set to 65000 to avoid operational disruption.
> > > > > > > > > If you no longer wish to see this warning, set SOLR_ULIMIT_CHECKS to false in your profile or solr.in.sh
> > > > > > > > >
> > > > > > > > > Starting up Solr on port 8983 using command:
> > > > > > > > >
> > > > > > > > > "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/bin/solr" start -p 8983 --solr-home "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/solr" --server-dir "/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server" -Dsolr.modules=clustering,extraction,langid,ltr,scripting -Dsolr.ltr.enabled=true -Dsolr.clustering.enabled=true
> > > > > > > > >
> > > > > > > > > *** [WARN] *** Your Max Processes Limit is currently 2784.
> > > > > > > > > It should be set to 65000 to avoid operational disruption.
> > > > > > > > > If you no longer wish to see this warning, set SOLR_ULIMIT_CHECKS to false in your profile or solr.in.sh
> > > > > > > > >
> > > > > > > > > Waiting up to 180 seconds to see Solr running on port 8983 [|]
> > > > > > > > >
> > > > > > > > > *Started Solr server on port 8983 (pid=25521). Happy searching!*
> > > > > > > > >
> > > > > > > > > *ERROR: Did not see Solr at http://localhost:8983/solr come online within 30 seconds!*
> > > > > > > > >
> > > > > > > > > rahulgoswami@MacBookPro bin % ulimit -u
> > > > > > > > > 4176
> > > > > > > > >
> > > > > > > > > solr.log
> > > > > > > > > ========
> > > > > > > > > 2025-05-20 17:29:35.210 WARN (main) [c: s: r: x: t:] o.e.j.x.XmlConfiguration Deprecated method public void org.eclipse.jetty.ee10.webapp.WebAppContext.addServerClassMatcher(org.eclipse.jetty.ee10.webapp.ClassMatcher) in file:///Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/contexts/solr-jetty-context.xml
> > > > > > > > > 2025-05-20 17:29:35.228 WARN (main) [c: s: r: x: t:] o.e.j.e.w.WebAppContext Failed startup of context oeje10w.WebAppContext@4beddc56{solr-jetty-context,/solr,b=null,a=STOPPED,h=oeje10s.SessionHandler@79b663b3{STOPPED}}{/Users/rahulgoswami/Desktop/OpenSource_Repos/Solr-RG/solr/solr/packaging/build/dev/server/solr-webapp/webapp} => *java.security.AccessControlException: access denied ("java.io.FilePermission" "/private/var/folders/j3/z8sqwjzx7n51bqx4qsw1_szw0000gn/T/jetty-127_0_0_1-8983-webapp-_solr-any-17333184592629858469" "read")*
> > > > > > > > >     at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488)
> > > > > > > > > java.security.AccessControlException: access denied ("java.io.FilePermission" "/private/var/folders/j3/z8sqwjzx7n51bqx4qsw1_szw0000gn/T/jetty-127_0_0_1-8983-webapp-_solr-any-17333184592629858469" "read")
> > > > > > > > >     at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:488) ~[?:?]
> > > > > > > > >     at java.base/java.security.AccessController.checkPermission(AccessController.java:1085) ~[?:?]
> > > > > > > > >     at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411) ~[?:?]
> > > > > > > > >     at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:742) ~[?:?]
> > > > > > > > >     at java.base/java.io.File.exists(File.java:831) ~[?:?]
> > > > > > > > >     at org.eclipse.jetty.server.handler.ContextHandler.createTempDirectory(ContextHandler.java:787) ~[jetty-server-12.0.19.jar:12.0.19]
> > > > > > > > >     at org.eclipse.jetty.ee10.webapp.WebAppContext.createTempDirectory(WebAppContext.java:480) ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > > >     at org.eclipse.jetty.ee10.webapp.WebInfConfiguration.preConfigure(WebInfConfiguration.java:62) ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > > >     at org.eclipse.jetty.ee10.webapp.Configurations.preConfigure(Configurations.java:487) ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > > >     at org.eclipse.jetty.ee10.webapp.WebAppContext.preConfigure(WebAppContext.java:462) ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > > >     at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:503) ~[jetty-ee10-webapp-12.0.19.jar:12.0.19]
> > > > > > > > >     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:93) ~[jetty-util-12.0.19.jar:12.0.19]
> > > > > > > > >     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[jetty-util-12.0.19.jar:12.0.19]
> > > > > > > > >     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:120) ~[jetty-util-12.0.19.jar:12.0.19]
> > > > > > > > >     at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:491) ~[jetty-server-12.0.19.jar:12.0.19]
> > > > > > > > >
> > > > > > > > > request.log
> > > > > > > > > ===========
> > > > > > > > > 127.0.0.1 - - [20/May/2025:17:30:02 +0000] "GET /solr/admin/info/system?wt=javabin HTTP/2.0" 503 405
> > > > > > > > > 127.0.0.1 - - [20/May/2025:17:30:04 +0000] "GET /solr/admin/info/system?wt=javabin HTTP/2.0" 503 405
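
Added example, not part of the thread or of bin/solr: a shell sketch of the check discussed above, which detects a temp directory reached through a symlink and builds the `-Djava.io.tmpdir` option from its `pwd -P` form. The function names are hypothetical, the demo directories are constructed, and `grant_covers` is a simplified model that compares the two security.policy grants as literal strings.

```shell
#!/bin/sh
# Added example, not part of bin/solr; function names are hypothetical.

# Physical (symlink-free) form of a directory: the `pwd -P` expansion.
physical_dir() {
  ( cd "$1" 2>/dev/null && pwd -P )
}

# Succeeds when the given string differs from the physical path, so a policy
# grant built from it names another path than the one the JVM checks.
# Returns 2 when the directory cannot be entered.
tmpdir_needs_resolving() {
  _phys=$(physical_dir "$1") || return 2
  _given=${1%/}                  # one trailing slash is not a difference
  [ -n "$_given" ] || _given=/
  [ "$_given" != "$_phys" ]
}

# Simplified model (assumption) of the two security.policy grants quoted in
# the thread: the directory itself and everything below it, matched as
# literal strings with no symlink resolution.
grant_covers() {                 # usage: grant_covers TMPDIR_VALUE PATH
  _root=${1%/}
  case "$2" in
    "$_root"|"$_root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# JVM option in the form used by the workaround in the thread.
tmpdir_jvm_opt() {
  _phys=$(physical_dir "${1:-${TMPDIR:-/tmp}}") || return 1
  printf '%s\n' "-Djava.io.tmpdir=$_phys"
}

# Constructed demo: a real directory reached through a symlink.
demo() {
  _base=$(cd "$(mktemp -d)" && pwd -P) || return 1
  mkdir "$_base/real" && ln -s "$_base/real" "$_base/link" || return 1
  _file="$_base/real/jetty-webapp-demo"   # resolved path, as in the stack trace
  tmpdir_needs_resolving "$_base/link" && echo "link: needs resolving"
  grant_covers "$_base/link" "$_file" || echo "grant on link misses $_file"
  grant_covers "$_base/real" "$_file" && echo "grant on physical path covers it"
  tmpdir_jvm_opt "$_base/link"
  rm -rf "$_base"
}
demo
```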