├── .gitignore ├── LICENSE ├── README.rst ├── pillar.example └── sun-java ├── cacert.sls ├── env.sls ├── init.sls ├── java.sh ├── jce.sls └── settings.sls /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2014 Salt Stack Formulas 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | 15 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | ======== 2 | sun-java 3 | ======== 4 | 5 | Formula to set up and configure Java JREs and JDKs from a tarball archive sourced via URL. 6 | 7 | .. note:: 8 | 9 | See the full `Salt Formulas installation and usage instructions 10 | `_. 11 | 12 | Available states 13 | ================ 14 | 15 | .. contents:: 16 | :local: 17 | 18 | ``sun-java`` 19 | ------------ 20 | 21 | Downloads the tarball from the java:source_url configured as either a pillar or grain and will not do anything 22 | if source_url is omitted. Then unpacks the archive into java:prefix (defaults to /usr/share/java). 23 | Will use the alternatives system to link the installation to java_home. Please see the pillar.example for configuration. 
24 | 25 | ``sun-java.jce`` 26 | ---------------- 27 | 28 | Downloads and installs the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. Will include/extend the sun-java state. 29 | 30 | ``sun-java.env`` 31 | ---------------- 32 | 33 | An addition to allow easy use - places a java profile in /etc/profile.d - this way JAVA_HOME and the PATH are set correctly for all system users. 34 | 35 | ``sun-java.cacert`` 36 | ------------------- 37 | 38 | Installs your own CA certificates into the configured keystore. If no keystore is defined, the default keystore at $JAVA_HOME/jre/lib/security/cacerts is used. If the keystore's default password has been changed, provide the new password in the pillar. Set ``source_hash`` for each certificate that is not served from ``salt://``; when the key is omitted the state downloads the certificate with ``skip_verify: True``. 39 | CA certificates will only be installed if not already in keystore file. 40 | 41 | Verified on Linux and MacOS. 42 | -------------------------------------------------------------------------------- /pillar.example: -------------------------------------------------------------------------------- 1 | java_home: /usr/lib/java 2 | # See Oracle Java SE checksums page here: https://www.oracle.com/webfolder/s/digest/8u202checksum.html 3 | # Use /usr/local & /Library/Java/JavaVirtualMachines for MacOS: https://support.apple.com/en-ie/HT204899 4 | 5 | java: 6 | ## override Formula default version ## 7 | release: '8' 8 | major: '0' 9 | minor: '202' 10 | build: '' ##needed by oracle otn url (i.e. '-b13' for j8u202-b13 url) 11 | dirhash: '' ##needed by oracle otn url (i.e. 
'/1961070e4c9b4e26a04e7f5a083f551e' for j8u202 url; settings.sls concatenates this value into the URL as-is, so include the leading '/') 12 | 13 | ## details for CA certificates installation 14 | cacert_keystore_password: 'changeit' ## password for keystore (default changeit) 15 | cacert_keystore: jre_lib_sec + '/cacerts' ## location of store for CA certs 16 | keytool_cmd: java_real_home + '/bin/keytool' ## location of keytool 17 | cacert: ## list of certs to install 18 | - alias: own-ca-cert-1 ## CA alias 19 | source: https://my-ca.com/cert.crt ## location of CA cert (for file.managed) 20 | source_hash: ## source hash for the download; if this key is omitted, cacert.sls fetches the cert with skip_verify: True 21 | fingeprint: 49:72:74:18:6A:54:91:19:12:BF:09:BD:F6:F1:67:E7:30:47:3E:88 ## Fingerprint of the CA cert (used to check whether it is already installed); cacert.sls reads the key spelled 'fingeprint' 22 | - alias: own-ca-cert-2 23 | source: salt://own-ca-cert-2 24 | fingeprint: 49:72:74:18:6A:54:91:19:12:BF:09:BD:F6:F1:67:E7:30:47:3E:89 25 | 26 | 27 | ## tarball details 28 | prefix: /usr/share/java # ``prefix/version_name`` contains unpacked tarball content 29 | version_name: jdk1.8.0_202 # JDK; value must match top-level directory inside the tarball 30 | #version_name: jre1.8.0_202 # JRE; value must match top-level directory inside the tarball 31 | 32 | ## JDK linux ## 33 | source_url: http://download.example.com/jdk-8u202-linux-x64.tar.gz ## can be internal (non-oracle) url 34 | source_hash: sha256=9a5c32411a6a06e22b69c495b7975034409fa1652d03aeb8eb5b6f59fd4594e0 35 | 36 | ## or JDK macos ## 37 | # source_url: http://download.example.com/jdk-8u202-macosx-x64.dmg ## can be internal (non-oracle) url 38 | # source_hash: sha256=b41367948cf99ca0b8d1571f116b7e3e322dd1ebdfd4d390e959164d75b97c20 39 | 40 | ## or JRE linux ## 41 | # source_url: http://download.example.com/jre-8u202-linux-x64.tar.gz ## can be internal (non-oracle) url 42 | # source_hash: sha256=9efb1493fcf636e39c94f47bacf4f4324821df2d3aeea2dc3ea1bdc86428cb82 43 | 44 | ## or JRE macos ## 45 | # source_url: http://download.oracle.com/jre-8u202-macosx-x64.dmg ## can be internal (non-oracle) url 46 | 
# source_hash: sha256=a11f6b4f952470fc2cf03abd34c66cbd770902a053f3f868369ae8886c5986f4 47 | 48 | ## and JCE ## 49 | jce_url: http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip 50 | jce_hash: sha256=f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 51 | 52 | ## Other overrides ## 53 | java_symlink: /usr/bin/java 54 | javac_symlink: /usr/bin/javac 55 | dl_opts: -b oraclelicense=accept-securebackup-cookie -L -s ## needed by oracle otn url 56 | archive_type: tar 57 | 58 | ## Linux alternatives 59 | #alt_priority: 301800111 ## value must change for all subsequent formula run 60 | 61 | -------------------------------------------------------------------------------- /sun-java/cacert.sls: -------------------------------------------------------------------------------- 1 | {%- from 'sun-java/settings.sls' import java with context %} 2 | {# only run if the java:cacert pillar is defined #} 3 | {%- if salt.pillar.get('java:cacert') %} 4 | {%- for ca in salt['pillar.fetch']('java:cacert', default=[] ) %} 5 | 6 | {# Download the certificate to /tmp unless its fingerprint is already listed in the keystore. NOTE(review): without source_hash the file is fetched with skip_verify: True, so nothing pins the certificate that deploy-* then imports as a trusted CA; a present-but-empty source_hash key still passes `is defined` - confirm how that renders. The keystore password is interpolated into the `unless` command line. `-file:` under require_in has no space after the dash (compare `- file:` under onchanges) - confirm it parses as a list item. #} 7 | get-{{ca.alias}}: 8 | file.managed: 9 | - name: /tmp/{{ca.alias}}.tmp 10 | - source: {{ca.source}} 11 | {%- if ca.source_hash is defined %} 12 | - source_hash: {{ca.source_hash}} 13 | {%- else %} 14 | - skip_verify: True 15 | {%- endif %} 16 | - unless: '{{java.keytool_cmd}} -list -keystore {{java.cacert_keystore}} -storepass {{java.cacert_keystore_password}} | grep -qi {{ca.fingeprint}}' 17 | - require_in: 18 | -file: delete-{{ca.alias}} 19 | {# Import the downloaded certificate into the keystore; runs only when get-* changed. NOTE(review): -storepass on the command line exposes the keystore password to other local users via the process list and places it in the state's name; keytool also accepts -storepass:env and -storepass:file. #} 20 | deploy-{{ca.alias}}: 21 | cmd.run: 22 | - name: '{{java.keytool_cmd}} -importcert -alias {{ca.alias}} -keystore {{java.cacert_keystore}} -storepass {{java.cacert_keystore_password}} -noprompt -trustcacerts -file /tmp/{{ca.alias}}.tmp' 23 | - onchanges: 24 | - file: get-{{ca.alias}} 25 | 26 | {# Remove the temporary certificate file; the state carries no onchanges, so it applies on every run. #} 27 | delete-{{ca.alias}}: 28 | file.absent: 29 | - name: /tmp/{{ca.alias}}.tmp 30 | 31 | {%- endfor %} 
32 | {%- endif %} 33 | -------------------------------------------------------------------------------- /sun-java/env.sls: -------------------------------------------------------------------------------- 1 | {%- from 'sun-java/settings.sls' import java with context %} 2 | 3 | {% if grains.os not in ('Windows',) %} 4 | 5 | jdk-config: 6 | file.managed: 7 | - name: /etc/profile.d/java.sh 8 | - source: salt://sun-java/java.sh 9 | - template: jinja 10 | - mode: 644 11 | - user: root 12 | - group: {{ java.group }} 13 | - context: 14 | java_home: {{ java.java_home }} 15 | 16 | {% if java.alt_priority is none %} 17 | 18 | javahome-link: 19 | file.symlink: 20 | - name: {{ java.java_home }} 21 | - target: {{ java.java_real_home }} 22 | 23 | java-link: 24 | file.symlink: 25 | - name: {{ java.java_symlink }} 26 | - target: {{ java.java_realcmd }} 27 | - onlyif: test -f {{ java.java_realcmd }} 28 | - force: true 29 | - require: 30 | - file: javahome-link 31 | 32 | javac-link: 33 | file.symlink: 34 | - name: {{ java.javac_symlink }} 35 | - target: {{ java.javac_realcmd }} 36 | - onlyif: test -f {{ java.javac_realcmd }} 37 | - force: true 38 | - require: 39 | - file: java-link 40 | 41 | {% elif grains.os_family not in ('Arch', 'MacOS') %} 42 | 43 | # Add javahome to alternatives 44 | javahome-alt-install: 45 | alternatives.install: 46 | - name: java-home 47 | - link: {{ java.java_home }} 48 | - path: {{ java.java_real_home }} 49 | - priority: {{ java.alt_priority }} 50 | - retry: 51 | attempts: 2 52 | until: True 53 | 54 | # ensure javahome alternative 55 | javahome-alt-set: 56 | alternatives.set: 57 | - name: java-home 58 | - path: {{ java.java_real_home }} 59 | - require: 60 | - alternatives: javahome-alt-install 61 | - retry: 62 | attempts: 2 63 | until: True 64 | 65 | # Add java to alternatives 66 | java-alt-install: 67 | alternatives.install: 68 | - name: java 69 | - link: {{ java.java_symlink }} 70 | - path: {{ java.java_realcmd }} 71 | - priority: {{ java.alt_priority }} 
72 | - require: 73 | - alternatives: javahome-alt-set 74 | - retry: 75 | attempts: 2 76 | until: True 77 | 78 | # ensure java alternative 79 | java-alt-set: 80 | alternatives.set: 81 | - name: java 82 | - path: {{ java.java_realcmd }} 83 | - require: 84 | - alternatives: java-alt-install 85 | - retry: 86 | attempts: 2 87 | until: True 88 | 89 | # Add javac to alternatives if found 90 | javac-alt-install: 91 | alternatives.install: 92 | - name: javac 93 | - link: {{ java.javac_symlink }} 94 | - path: {{ java.javac_realcmd }} 95 | - priority: {{ java.alt_priority }} 96 | - require: 97 | - alternatives: java-alt-set 98 | - onlyif: test -f {{ java.javac_realcmd }} 99 | 100 | # ensure javac alternative if found 101 | javac-alt-set: 102 | alternatives.set: 103 | - name: javac 104 | - path: {{ java.javac_realcmd }} 105 | - require: 106 | - alternatives: javac-alt-install 107 | - onlyif: test -f {{ java.javac_realcmd }} 108 | 109 | {% endif %} 110 | 111 | {% endif %} 112 | 113 | -------------------------------------------------------------------------------- /sun-java/init.sls: -------------------------------------------------------------------------------- 1 | {%- from 'sun-java/settings.sls' import java with context %} 2 | 3 | {#- require a source_url - there is no default download location for a jdk #} 4 | 5 | {%- if java.source_url is defined %} 6 | 7 | {%- set archive_file = salt['file.join'](java.tmpdir, salt['file.basename'](java.source_url)) %} 8 | 9 | java-install-dir: 10 | file.directory: 11 | - names: 12 | - {{ java.prefix }} 13 | - {{ java.tmpdir }} 14 | - user: root 15 | - group: {{ java.group }} 16 | - mode: 755 17 | - makedirs: True 18 | 19 | download-jdk-archive: 20 | cmd.run: 21 | - name: curl {{ java.dl_opts }} -o '{{ archive_file }}' '{{ java.source_url }}' 22 | - unless: test -f {{ archive_file }} 23 | - require: 24 | - file: java-install-dir 25 | {% if grains['saltversioninfo'] >= [2017, 7, 0] %} 26 | - retry: 27 | attempts: 3 28 | interval: 60 29 | 
until: True 30 | splay: 10 31 | {% endif %} 32 | 33 | {%- if java.source_hash %} 34 | 35 | # FIXME: We need to check hash sum separately, because 36 | # ``archive.extracted`` state does not support integrity verification 37 | # for local archives prior to and including Salt release 2016.11.6. 38 | # 39 | # See: https://github.com/saltstack/salt/pull/41914 40 | # NOTE(review): this is the only integrity check on the curl download in this file (settings.sls builds the default URL on plain http), and the enclosing `if` skips it entirely when java.source_hash is empty. 41 | check-jdk-archive: 42 | module.run: 43 | - name: file.check_hash 44 | - path: {{ archive_file }} 45 | - file_hash: {{ java.source_hash }} 46 | - require: 47 | - cmd: download-jdk-archive 48 | - require_in: 49 | - archive: unpack-jdk-archive # NOTE(review): on MacOS unpack-jdk-archive is macpackage.installed, not archive - confirm the hash check still gates the install there 50 | # Get rid of corrupted file so state rerun does fresh download. 51 | file.absent: 52 | - name: {{ archive_file }} 53 | - onfail: 54 | - module: check-jdk-archive 55 | 56 | {%- endif %} 57 | 58 | unpack-jdk-archive: 59 | {% if grains.os == 'MacOS' %} 60 | macpackage.installed: 61 | - name: '{{ archive_file }}' 62 | - store: False 63 | - dmg: True 64 | - app: False 65 | - force: True 66 | - allow_untrusted: True # NOTE(review): permits installing an untrusted package, leaving the source_hash check above as the only verification of the dmg 67 | - require_in: 68 | {% else %} 69 | archive.extracted: 70 | - name: {{ java.prefix }} 71 | - source: file://{{ archive_file }} 72 | - archive_format: {{ java.archive_type }} 73 | - user: root 74 | - group: {{ java.group }} 75 | - unless: test "`uname`" = "Darwin" 76 | - if_missing: {{ java.java_realcmd }} 77 | - require_in: 78 | - file: update-javahome-symlink 79 | {% endif %} 80 | - require: 81 | - cmd: download-jdk-archive 82 | 83 | update-javahome-symlink: 84 | file.symlink: 85 | - name: {{ java.java_home }} 86 | - target: {{ java.java_real_home }} 87 | - force: True 88 | 89 | {%- endif %} 90 | -------------------------------------------------------------------------------- /sun-java/java.sh: -------------------------------------------------------------------------------- 1 | export JAVA_HOME={{ java_home }} 2 | export PATH=$JAVA_HOME/bin:$PATH 3 | -------------------------------------------------------------------------------- /sun-java/jce.sls: 
-------------------------------------------------------------------------------- 1 | {%- from 'sun-java/settings.sls' import java with context %} 2 | 3 | {%- if java.jce_url is defined %} 4 | 5 | {%- set archive_file = salt['file.join'](java.jre_lib_sec, 'UnlimitedJCEPolicy.zip') %} 6 | {%- set us_policy_jar = salt['file.join'](java.jre_lib_sec, 'US_export_policy.jar') %} 7 | {%- set local_policy_jar = salt['file.join'](java.jre_lib_sec, 'local_policy.jar') %} 8 | 9 | include: 10 | - sun-java 11 | 12 | sun-java-jce-unzip: 13 | pkg.installed: 14 | - name: unzip 15 | 16 | download-jce-archive: 17 | file.directory: 18 | - name: {{ java.jre_lib_sec }} 19 | - makedirs: True 20 | cmd.run: 21 | - name: curl {{ java.dl_opts }} -o '{{ archive_file }}' '{{ java.jce_url }}' 22 | - unless: test -f {{ archive_file }} 23 | - creates: {{ archive_file }} 24 | - onlyif: > 25 | test ! -f {{ us_policy_jar }} || 26 | test ! -f {{ us_policy_jar }}.nonjce 27 | - require: 28 | - file: download-jce-archive 29 | {% if grains['saltversioninfo'] >= [2017, 7, 0] %} 30 | - retry: 31 | attempts: 3 32 | interval: 60 33 | until: True 34 | splay: 10 35 | {% endif %} 36 | 37 | # FIXME: use ``archive.extracted`` state. 38 | # Be aware that it does not support integrity verification 39 | # for local archives prior to and including Salt release 2016.11.6. 40 | # 41 | # See: https://github.com/saltstack/salt/pull/41914 42 | 43 | {%- if java.jce_hash %} 44 | 45 | check-jce-archive: 46 | module.run: 47 | - name: file.check_hash 48 | - path: {{ archive_file }} 49 | - file_hash: {{ java.jce_hash }} 50 | - require: 51 | - cmd: download-jce-archive 52 | - require_in: 53 | - cmd: backup-non-jce-jar 54 | - cmd: unpack-jce-archive 55 | # Get rid of corrupted file so state rerun does fresh download. 
56 | file.absent: 57 | - name: {{ archive_file }} 58 | - onfail: 59 | - module: check-jce-archive 60 | 61 | {%- endif %} 62 | 63 | backup-non-jce-jar: 64 | cmd.run: 65 | - names: 66 | - mv {{ us_policy_jar }} {{ us_policy_jar }}.nonjce 67 | - mv {{ local_policy_jar }} {{ local_policy_jar }}.nonjce 68 | - creates: 69 | - {{ us_policy_jar }}.nonjce 70 | - {{ local_policy_jar }}.nonjce 71 | - onlyif: 72 | - test -f {{ us_policy_jar }} 73 | - test -f {{ local_policy_jar }} 74 | - require: 75 | - cmd: download-jce-archive 76 | 77 | unpack-jce-archive: 78 | cmd.run: 79 | - name: unzip -j -o {{ archive_file }} 80 | - cwd: {{ java.jre_lib_sec }} 81 | - creates: 82 | - {{ us_policy_jar }} 83 | - {{ local_policy_jar }} 84 | - require: 85 | - pkg: unzip 86 | - cmd: download-jce-archive 87 | - cmd: backup-non-jce-jar 88 | 89 | {%- endif %} 90 | -------------------------------------------------------------------------------- /sun-java/settings.sls: -------------------------------------------------------------------------------- 1 | {% set p = salt['pillar.get']('java', {}) %} 2 | {% set g = salt['grains.get']('java', {}) %} 3 | 4 | {%- set release = p.get('release', '8') %} 5 | {%- set major = p.get('major', '0') %} 6 | {%- set minor = p.get('minor', '202') %} 7 | {%- set build = p.get('build', '') %} 8 | {%- set dirhash = p.get('dirhash', '/1961070e4c9b4e26a04e7f5a083f551e') %} 9 | 10 | {# See Oracle Java SE checksums page here: https://www.oracle.com/webfolder/s/digest/8u202checksum.html #} 11 | {%- set default_jce_hash = 'sha256=f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59' %} 12 | {%- set default_version_name = 'jdk1.' + release + '.' 
+ major + '_' + minor %} 13 | {%- set version_name = g.get('version_name', p.get('version_name', default_version_name)) %} 14 | {%- set default_cacert_keystore_password = 'changeit' %} 15 | 16 | {% if grains.os == 'MacOS' %} 17 | {%- set archive = '-macosx-x64.dmg' %} 18 | {%- set default_source_hash = 'sha256=b41367948cf99ca0b8d1571f116b7e3e322dd1ebdfd4d390e959164d75b97c20' %} 19 | {%- set group = 'wheel' %} 20 | {%- set archive_type = g.get('archive_type', p.get('archive_type', 'dmg' )) %} 21 | {%- set java_home = salt['grains.get']('java_home', salt['pillar.get']('java_home', '/usr/local/lib/java')) %} 22 | {%- set prefix = g.get('prefix', p.get('prefix', '/Library/Java/JavaVirtualMachines')) %} 23 | {%- set default_symlink = '/usr/local/bin/java' %} 24 | {%- set java_real_home = g.get('java_real_home', p.get('java_real_home', prefix + '/' + version_name + '.jdk/Contents/Home' )) %} 25 | {% else %} 26 | {%- set archive = '-linux-x64.tar.gz' %} 27 | {%- set default_source_hash = 'sha256=9a5c32411a6a06e22b69c495b7975034409fa1652d03aeb8eb5b6f59fd4594e0' %} 28 | {%- set group = 'root' %} 29 | {%- set archive_type = g.get('archive_type', p.get('archive_type', 'tar' )) %} 30 | {%- set java_home = salt['grains.get']('java_home', salt['pillar.get']('java_home', '/usr/lib/java')) %} 31 | {%- set prefix = g.get('prefix', p.get('prefix', '/usr/share/java')) %} 32 | {%- set default_symlink = '/usr/bin/java' %} 33 | {%- set java_real_home = g.get('java_real_home', p.get('java_real_home', prefix + '/' + version_name )) %} 34 | {% endif %} 35 | {%- set tmpdir = g.get('tmpdir', p.get('tmpdir', '/tmp/saltstack-formulas/sun-java')) %} 36 | 37 | {%- set uri = 'http://download.oracle.com/otn-pub/java/' %} 38 | {%- set default_source_url = uri + 'jdk/' + release + 'u' + minor + build + dirhash + '/jdk-' + release + 'u' + minor + archive %} 39 | {%- set default_jce_url = uri + 'jce/' + release + '/jce_policy-' + release + '.zip' %} 40 | {%- set default_dl_opts = '-b 
oraclelicense=accept-securebackup-cookie -L -s' %} 41 | 42 | {%- set source_url = g.get('source_url', p.get('source_url', default_source_url)) %} 43 | 44 | {%- if source_url == default_source_url %} 45 | {%- set source_hash = default_source_hash %} 46 | {%- else %} 47 | {%- set source_hash = g.get('source_hash', p.get('source_hash', default_source_hash )) %} 48 | {%- endif %} 49 | 50 | {%- set jce_url = g.get('jce_url', p.get('jce_url', default_jce_url)) %} 51 | 52 | {%- if jce_url == default_jce_url %} 53 | {%- set jce_hash = default_jce_hash %} 54 | {%- else %} 55 | {%- set jce_hash = g.get('jce_hash', p.get('jce_hash', default_jce_hash )) %} 56 | {%- endif %} 57 | 58 | {%- set dl_opts = g.get('dl_opts', p.get('dl_opts', default_dl_opts)) %} 59 | {%- set jre_lib_sec = g.get('jre_lib_sec', p.get('jre_lib_sec', java_real_home + '/jre/lib/security' )) %} 60 | {%- set java_symlink = g.get('java_symlink', p.get('java_symlink', default_symlink )) %} 61 | {%- set java_realcmd = g.get('realcmd', p.get('realcmd', java_real_home + '/bin/java' )) %} 62 | {%- set javac_symlink = java_symlink + 'c' %} 63 | {%- set javac_realcmd = java_realcmd + 'c' %} 64 | {%- set alt_priority = g.get('alt_priority', p.get('alt_priority', None)) %} 65 | 66 | {# Variables for deployment own CA certificates #} 67 | {%- set cacert_keystore = p.get('cacert_keystore', jre_lib_sec + '/cacerts') %} 68 | {%- set cacert_keystore_password = p.get('cacert_keystore_password', 'changeit' ) %} 69 | {%- set keytool_cmd = p.get('keytool_cmd', java_real_home + '/bin/keytool' ) %} 70 | 71 | {%- set java = {} %} 72 | {%- do java.update( { 'release' : release, 73 | 'major' : major, 74 | 'minor' : minor, 75 | 'build' : build, 76 | 'dirhash' : dirhash, 77 | 'version_name' : version_name, 78 | 'source_url' : source_url, 79 | 'source_hash' : source_hash, 80 | 'jce_url' : jce_url, 81 | 'jce_hash' : jce_hash, 82 | 'dl_opts' : dl_opts, 83 | 'java_home' : java_home, 84 | 'prefix' : prefix, 85 | 'tmpdir' : tmpdir, 86 | 
'group' : group, 87 | 'java_real_home' : java_real_home, 88 | 'jre_lib_sec' : jre_lib_sec, 89 | 'archive_type' : archive_type, 90 | 'java_symlink' : java_symlink, 91 | 'java_realcmd' : java_realcmd, 92 | 'javac_symlink' : javac_symlink, 93 | 'javac_realcmd' : javac_realcmd, 94 | 'alt_priority' : alt_priority, 95 | 'cacert_keystore' : cacert_keystore, 96 | 'cacert_keystore_password' : cacert_keystore_password, 97 | 'keytool_cmd' : keytool_cmd, 98 | } ) %} 99 | --------------------------------------------------------------------------------