setcap and openjdk

ivansaez

Hi,

I'm using setcap to enable java (openjdk) to bind port 443. So with setcap I can avoid using a privileged (root/wheel) account/group. And it works great but after a yum update openjdk is most of the time updated also and that breaks my setcap settings because setcap has to be set on the java binary itself. For example:
setcap 'cap_net_bind_service=+ep' /usr/lib/jvm/java-11-openjdk-11.0.17.0.8-2.0.1.el9_0.x86_64/bin/java
and putting /usr/lib/jvm/java-11-openjdk-11.0.17.0.8-2.0.1.el9_0.x86_64/lib/jli in /etc/ld.so.conf.d/java.conf

So after an update I have to set the setcap again and update java.conf. I've created a script to help me with that:


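# Resolve the java binary currently selected by alternatives
JAVAP=$(/sbin/update-alternatives --list | awk -- '$1=="java" {print $3}')
# Grant the bind capability and show the result
setcap 'cap_net_bind_service=+ep' "$JAVAP"
getcap "$JAVAP"
# Point the dynamic loader at the matching lib/jli directory
JAVAL=$(echo "$JAVAP" | sed -e 's/bin\/java/lib\/jli/')
echo "$JAVAL" > /etc/ld.so.conf.d/java.conf
ldconfig
ldconfig -p | grep libjli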



Is there some other way to do this? With less human intervention? (I'm not keen on creating a crontab job or something like that).

By the way: I'm using Oracle Linux 9. OL is a "clone" of Red Hat.

regards,

Ivan
 


dos2unix

You could do this in a systemd service file. ( i.e. openjdk.service )
and it would do it for you after every reboot. However the script would
have to be edited every time you did an update ( the binary path with the version would change ).

The crontab isn't all bad. You can create a crontab to do this at boot.

Or, as you have already done.. write a bash script, and run it after every update.
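
An idempotent variant of the script from the first post, suitable for running from a systemd unit, at boot, or by hand after an update (added example, not code from either poster). It assumes /etc/alternatives/java is the symlink managed by update-alternatives and that GNU stat is available; the file-mode check is an added precaution, not something the thread discusses.

```shell
#!/bin/sh
# Added example, not from the thread. Re-applies the capability and the
# ld.so.conf.d entry only when they are missing or stale.
CONF=/etc/ld.so.conf.d/java.conf   # path used in the first post
CAP='cap_net_bind_service=+ep'     # capability string from the first post

# Resolve the real binary behind the alternatives symlink.
# Assumption: /etc/alternatives/java is the link managed by update-alternatives.
resolve_java() {
    readlink -f "${1:-/etc/alternatives/java}"
}

# Map .../bin/java to .../lib/jli; fail on any other path shape.
jli_dir_for() {
    case "$1" in
        /*/bin/java) printf '%s\n' "${1%/bin/java}/lib/jli" ;;
        *) return 1 ;;
    esac
}

# True when the octal mode (as printed by `stat -c %a`) has no group/other write bit.
mode_is_safe() {
    [ $(( 0$1 & 022 )) -eq 0 ]
}

# True when the conf file already holds exactly this directory.
conf_is_current() {
    [ -f "$1" ] && [ "$(cat "$1")" = "$2" ]
}

apply() {
    java=$(resolve_java) || return 1
    jli=$(jli_dir_for "$java") || { echo "unexpected path: $java" >&2; return 1; }
    # Refuse to grant a capability to a binary that group/other can overwrite.
    mode_is_safe "$(stat -c %a "$java")" || { echo "unsafe mode on $java" >&2; return 1; }
    getcap "$java" | grep -q cap_net_bind_service || setcap "$CAP" "$java"
    conf_is_current "$CONF" "$jli" || { printf '%s\n' "$jli" > "$CONF"; ldconfig; }
    getcap "$java"
    ldconfig -p | grep libjli
}

# Only touch the system when explicitly asked to (run as root with --apply).
if [ "${1:-}" = "--apply" ]; then apply; fi
```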
 
