What's new in Apache Karaf runtime 4.3.2 ?

Apache Karaf runtime 4.3.2 has been released and available on https://karaf.apache.org.

You can have take a look on the Release Notes.

Let's take a quick tour on this new Karaf release.

Support R7 configutation factory and fix on json check

Karaf 4.3.x introduced both suppport of OSGi Spec R7 and json configuration support (in addition of the "regular" cfg/properties format).

We identify an issue in the configuration json format: when the json contains an array, then it was always considered as updated. For instance, the following configuration:

 "foo": [ "bar" ]

was considered as always updated. We can see in the log:

2021-05-07T23:01:45,924 | INFO  | fileinstall-/[...]/karaf/etc | JsonConfigInstaller              | 25 - org.apache.karaf.config.core - 4.3.1 | Updating configuration from my.config.json
2021-05-07T23:03:45,924 | INFO  | fileinstall-/[...]/karaf/etc | JsonConfigInstaller              | 25 - org.apache.karaf.config.core - 4.3.1 | Updating configuration from my.config.json

The root cause of the problem is that we compared "old" configuration (as a map) with the "new" one. To do that, we use Map.equals(). Map.equals() doesn't work when the value type is array, as an array's equals() method compares identity and not the contents of the array.

So, equals directly on array compare "instance", not values. In our case, we want to check the array values are the same. So, we change the comparison method using deep compare on map values. It's what I fixed in Karaf 4.3.2.

Regarding configuration (both cfg or json), we also added support of R7 factory style. In OSGi R7, a new factory PID has been introduced using the ~ char.

It means you can now use configuration factory with both - or ~.

Before Karaf 4.3.1, only configuration factory format was R6 like, meaning factoryPid-pid, so, a corresponding configuration file looks like etc/my.factory-pid.cfg.

Now, you can use the R7 "format", meaning etc/my.factory~pid.cfg.

Karaf 4.3.2 supports both.

Security improvements

We did two improvements about security.

First, we decided to comment the default karaf user in etc/users.properties. The purpose is to "force" user to enable the karaf user (and probably change the password).

So, basically, etc/users.properties now looks like:

#karaf = karaf,_g_:admingroup
#_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

If you want to enable the karaf user (as before) (with karaf as password), you just have to uncomment these two lines. I recommend to change the default password:

karaf = mypassword,_g_:admingroup
_g_\:admingroup = group,admin,manager,viewer,systembundles,ssh

Another security improvement is about the Karaf SSHd server. By default, when you connect to the SSHd server for the first time, Karaf generates etc/host.key file. This file was generated to read and write permissions for everyone.

In order to be more secure, Karaf 4.3.2 generated this file with read and write permissions only for the owner (basically the user launching the karaf process).

JMX, shell and other minor fixes

Since Karaf 4.3.1, Karaf doesn't set JVM com.sun.management.jmxremote. The problem is that this property is mandatory for the RMI stub, and prevent "direct" use of clients like jconsole or jvisualvm.

Karaf 4.3.2 fixes that by reading rmiServerHost from etc/org.apache.karaf.management.cfg configuration file, and set the property then.

We also did some fixes and improvements in the shell and more:

  • shell tables have now a clean rendering on Windows and Unix when using --no-format option
  • maven:* commands don't throw NullPointerException if ~/.m2/settings.xml doesn't exist
  • JDK16 support thanks (with required eecap)
  • improvement on the scheduler to support scheduler properties containing array
  • use of ~/.karaf/karaf.history instead of ~/.karaf/karaf41.history
  • fix on the logging default pattern layout (to avoid encoded character rendering)
  • thanks to xbean 4.19, we fixed issue about WAR file support (in Pax Web) built with JDK 11+

Dependency upgrades

Like any Karaf release, Karaf 4.3.2 brings bunch of dependency updates:
  • Pax Web 7.3.5 with Jetty 9.4.40.v20210413
  • Pax Logging 2.0.9 fixing "bad" OSGi headers
  • xbean 4.19 for the reason explained before
  • updated Spring versions (5.3.6, spring security 5.4.5, ...)
  • Aries proxy 1.1.10 supporting JDK 16
  • and much more ...


Popular posts from this blog

Quarkus and "meta" extension

Getting started with Apache Karaf Minho

Using Apache Karaf with Kubernetes