Frustration with Support model/RPM versioning of updates
[N.B.: My name isn't 'William Stromberg'. 3 of us share this account; he is the Contracts contact person, so his name is on it.]
I work at a U.S. Government facility that requires us to lock down and "freeze" some of our Linux environments.
As a result, right now we are a shop that is mostly RHEL 5.4, a few RHEL 5.10, a few RHEL 6.3 and some RHEL 6.5 systems (plus a couple of RHEL 7.0 sandboxes).
We are constrained to these choices and upgrading to 5.11 or 6.6 is not an option for us.
I was tasked with upgrading Java in our environment by adding Java 1.7.
(We also have Solaris 10 systems and we'd like to have matching versions if possible.)
I discovered that there are the separate "Thirdparty Oracle Java" RHN channels available so I added them.
When I looked to see what was available for, say, 32-bit RHEL 6.3 and 6.5, I'm presented with these choices:
java-1.7.0-oracle-1.7.0.15-1jpp.1.el6_3:1.i686 Oracle Java Runtime Environment
java-1.7.0-oracle-1.7.0.17-1jpp.1.el6_4:1.i686 Oracle Java Runtime Environment
java-1.7.0-oracle-1.7.0.21-1jpp.1.el6:1.i686 Oracle Java Runtime Environment
java-1.7.0-oracle-1.7.0.25-1jpp.2.el6_4:1.i686 Oracle Java Runtime Environment
java-1.7.0-oracle-1.7.0.45-1jpp.2.el6_4:1.i686 Oracle Java Runtime Environment
java-1.7.0-oracle-1.7.0.51-1jpp.1.el6_5:1.i686 Oracle Java Runtime Environment
java-1.7.0-oracle-1.7.0.55-1jpp.1.el6_5:1.i686 Oracle Java Runtime Environment
java-1.7.0-oracle-1.7.0.65-1jpp.1.el6_5:1.i686 Oracle Java Runtime Environment
java-1.7.0-oracle-1.7.0.72-1jpp.2.el6:1.i686 Oracle Java Runtime Environment
java-1.7.0-oracle-1.7.0.75-1jpp.1.el6:1.i686 Oracle Java Runtime Environment
This underlines something that really bothers me about the current Red Hat support model.
It seems like in general, RPM updates are only produced for the current OS release that is out at the time.
That pretty much screws those of us who can't run 5.11 or 6.6 or 7.0.
Yet there are a few cases - like with 1.7.0_21, 1.7.0_72 and 1.7.0_75 here - where it looks like that 'policy' isn't the case.
Those 3 RPM names are 'generic' and don't indicate what OS they were built on. I presume it's an older version than the current one.
(I don't understand why this policy isn't consistent. Why not always put the OS version into the RPM name, or else why not build all versions against an older revision? Pick one, please.)
So if I'm sitting here wanting to upgrade Oracle Java on one of my 6.3 systems, which version do I choose?
Do I choose 1.7.0_15, because I know it was built on RHEL 6.3?
Or do I choose 1.7.0_75, because the RPM name says "el6" and not "el6_6", so maybe it was built against an older version like 6.3 - or even earlier?
Similarly for RHEL 5.x. The 1.7.0_72 and 1.7.0_75 RPMs were built on RHEL 5.11. Do I dare install 1.7.0_75 on 5.10 and pray it doesn't break? What about on RHEL 5.4?
Or do I fall back to the 'safe' 1.7.0_65 that I know was built on 5.10 and will be compatible with it? Similarly for 5.4 - do I use the 'safe' 1.7.0_21?
Before someone says "Oh, you can install any of these on any RHEL 5/6.x machine!", I don't believe it.
Why? Because I took the most recent "Critical" Firefox 31.5.0 release - built on 5.11 - and rebuilt the SRPM on 5.10. That worked.
But when I tried to rebuild the exact same SRPM on 5.4, it failed in at least 3 places. So what will happen when the compiled 5.11 binaries run those same bits of code on 5.4 that builds on 5.10 and 5.11, but does not build on 5.4? I'd expect "undefined behavior" at best, and a crash at worst.
I never assume backwards compatibility with binaries. So I would not install a RHEL 5.11-built RPM on a 5.4 system, much less a 5.1.
I would really appreciate someone (preferably from Redhat) straightening this out for me.
Thanks in advance,
Greg
Responses
Greg,
The package NVRs don't contain the RHEL X.Y version that they were built on for two reasons:
1 - The packages aren't really built by Red Hat. The binaries are complied by Oracle, and Red Hat only does the packaging part. If you had the spec file, you would see that it just instructs rpmbuild to extract the upstream tarball and distribute the files across the file system appropriately.
2 - You can install and run the JDK on any RHEL version. Oracle links the binaries with libraries that are generally present everywhere.
In conclusion, you can safely assume backwards compatibility. If you cannot install the packages because yum/rpm complains about missing dependencies, or if you can install them but the binaries won't run due to missing library symbols, let me know and I'll try to figure out where the problem might be.
Radek
You're welcome. The dist tag isn't used very consistently with these package, which is something for our packagers to think about, but in general it can be ignored. The original intention was to ensure a correct upgrade path from RHEL X.Y Extended Update Support to Y+1 even in the cases where the version and release don't change, but that's not applicable here. Feel free to use the latest available build of java-1.7.0-oracle, and if you want, file a bug against the package for the inconsistent values of %dist.
The dist tag can be ignored in the case of the Oracle Java package because there are no separate (and different) builds for the individual Y-streams. Otherwise, it's another string in the Release field and RPM does not ignore it.
AFAIK, none of the java-1.7.0-oracle (sub)packages requires unixODBC-libs, and they should all be installable on older Y-stream versions of RHEL 5. I don't have RHEL 5.4 here because it's no longer supported, but I have 5.6 "Long Life", and RPM seems happy with java-1.7.0-oracle-1.7.0.75-1jpp.1.el5_11.x86_64.rpm and its subpackages.
It's strange that the packages for RHEL 7 can't be found in the web UI. That looks like a bug. Anyway, you can still use "yumdownloader java-1.7.0-oracle" on the systems to get the package, right?
The unixODBC package was split into the main package and -libs in RHEL 5.8, yes. So if your system is missing unixODBC completely and tries to install the latest version, or if it sees the new version-release as an update, it will try to pull in the -libs subpackage. Anyway, an older version should be fine.
I don't know why there's no custom java-1.8.0-oracle package for RHEL 5. That would be a question for product management. Technically, however, it is possible that the binaries in the upstream tarball are too new. This is what I got when I tried to install the RHEL-6 package on a RHEL-5 system, in addition to unsatisfied requirements of a newer RPM:
libgio-2.0.so.0()(64bit) is needed by java-1.8.0-oracle-1.8.0.31-1jpp.1.el6.x86_64
libc.so.6(GLIBC_2.11)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libc.so.6(GLIBC_2.7)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libc.so.6(GLIBC_2.8)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libgio-2.0.so.0()(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libstdc++.so.6(GLIBCXX_3.4.11)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libstdc++.so.6(GLIBCXX_3.4.9)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libxml2.so.2(LIBXML2_2.4.30)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libxml2.so.2(LIBXML2_2.6.0)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libxml2.so.2(LIBXML2_2.6.6)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libxslt.so.1(LIBXML2_1.0.11)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libxslt.so.1(LIBXML2_1.0.22)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libxslt.so.1(LIBXML2_1.0.24)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
libxslt.so.1(LIBXML2_1.1.9)(64bit) is needed by java-1.8.0-oracle-javafx-1.8.0.31-1jpp.1.el6.x86_64
Which JDK version do you have? I was looking at 1.8.0_31 as we have in RHEL 6. Oracle now has 8u40, and I'm not sure where to get 31 from (or why we haven't updated the packages to 40 yet), so I can't really compare the binaries. Anyway, there's a difference between the way Oracle and Red Hat creates the RPM packages. Although the tarball is the same, our packages contain real dependencies of all the binaries and shared objects. So, although it is possible to install the upstream RPM on RHEL 5, I'm afraid some parts of the JDK won't run. Here's an example:
ldd /usr/java/jdk1.8.0_40/jre/lib/amd64/libglass.so
...
libgio-2.0.so.0 => not found
(In RHEL 6, libgio-2.0.so.0 is part of glib2 2.28.) Or:
ldd /usr/java/jdk1.8.0_40/jre/lib/amd64/libjfxwebkit.so
/usr/java/jdk1.8.0_40/jre/lib/amd64/libjfxwebkit.so: /usr/lib64/libstdc++.so.6: version `GLIBCXX_3.4.11' not found (required by /usr/java/jdk1.8.0_40/jre/lib/amd64/libjfxwebkit.so)
As for the differences, could it be prelink? Here's what I got:
]# ll javaws.*
-rwxr-xr-x 1 uucp 143 109083 Dec 18 00:05 javaws.ora
-rwxr-xr-x 1 root root 110855 Mar 11 11:45 javaws.rh
]# prelink javaws.ora
]# ll javaws.*
-rwxr-xr-x 1 uucp 143 110855 Dec 18 00:05 javaws.ora
-rwxr-xr-x 1 root root 110855 Mar 11 11:45 javaws.rh
(javaws.ora was taken from jdk-8u31-linux-i586.tar.gz)
I have a similar complaint regarding the RHEL version suffix on packages, namely sssd. If you look at the SSSD changelog, the changelog version doesn't match the package name version because the RHEL version is being added (inserted) to the package name... why is this?
eg.
Package: sssd-1.11.6-30.el6_6.4.x86_64.rpm
Changelog: 1.11.6-30.4
Why is this not expressed in the following way if Red Hat are appending RHEL version numbers (ie. why is the revision not appended to the version rather than after el6_6?
sssd-1.11.6-30.4.el6_6.x86_64.rpm
You're right that the NVR in the changelog rarely matches the actual package NVR with the dist tag. I've noticed that some package maintainers use it in the changelog, but most don't. Here's an exception (libcurl):
* Thu Jan 15 2015 Kamil Dudka <kdudka@redhat.com> 7.19.7-40.el6_6.4
- do not crash if MD5 fingerprint is not provided by libssh2 (#1008178)
* Mon Dec 01 2014 Kamil Dudka <kdudka@redhat.com> 7.19.7-40.el6_6.3
- fix occasional SIGSEGV during SSL handshake (#1169357)
I guess the reason is, in theory, you can have a single source RPM (with a hardcoded changelog) and build it for multiple EUS/Z streams. Then the only difference is the dist tag in the "release" part of the NVR. So if the changlog contained a particular unconditional dist tag, it would then be the same in all those EUS/Z streams, which would be wrong. Or worse, if the dist tag was written conditionally, it would change with every rebuild; IOW, when we move to the next stream, historical records in the changelog would change.
Thanks for the response Radek,
Changelog aside, why is the ".4" in the example put after the RHEL release (6_6).
ie. why is it:
sssd-1.11.6-30.el6_6.4.x86_64.rpm
and not (notice .4 is placed after 30, which is where it should be to make up the version number)
sssd-1.11.6-30.4.el6_6.x86_64.rpm
When moved, the version matches the changelog version. The RHEL release (if added at all) should be a suffix that is added after the version and before the arch. As it stands, it appears to be wedged into the version/release.
You're welcome. The number behind the dist tag differs if it's a subsequent build for the same version-release.zstream. So instead of increasing 30 to 31, we bump the very last suffix. This makes sure the NVR is higher in this Y-Stream (6.6) while remaining lower than a potential next Y-Stream update with its own Release: number.
Hello Greg,
If you need RHEL 5.4, RHEL 6.5 or any non current minor release specific rpms you need ELS or EUS support.
These are extra subscriptions.
Most Red Hat maintained products are supported under ELS and EUS. I do not know about the Oracle third party java rpms.
Contact your Red Hat reseller, Red Hat distributor or Red Hat sales (which apply) about ELS or EUS subscriptions and the support for Oracle/Sun java..
So updating to the current minor release or Red Hat Enterprise Linux is not always needed.
Kind regarsds,
Jan Gerrit Kootstra
Hoi Greg,
EUS => Extends a minor release. 5.x, 6.x
ELS => Extend the last minor release after the "version" is out of support, like 4.9 since the end of support of RHEL 4.
I understand your feeling about the time period that a EUS support is usable for a minor release.
I cannot do anything about that.
I work for an advanced partner in Europe, not for Red Hat.
If you have a Satellite server, EUS appears as a couple of RHEL ... 6.x.z base channel after you update the Satellite certificate.
here a snippet from my satellite-sync -l output
17:37:06 . rhel-x86_64-server-6.0.z 4151
17:37:06 . rhel-x86_64-server-6.1.z 5819
17:37:06 . rhel-x86_64-server-6.2.z 7545
17:37:06 . rhel-x86_64-server-6.3.z 9198
17:37:06 . rhel-x86_64-server-6.4.z 11447
17:37:06 . rhel-x86_64-server-6.5.z 13151
17:37:06 . rhel-x86_64-server-6.6.z 14622
and a list of RHEL 6.6.z subchannels will look like this:
17:37:09 rhel-x86_64-server-6.6.z:
17:37:09 . rhel-x86_64-server-6.6.z-debuginfo 5920
17:37:09 . rhel-x86_64-server-6.6.z-thirdparty-oracle-java 257
17:37:09 . rhel-x86_64-server-dts2-6.6.z 469
17:37:09 . rhel-x86_64-server-dts2-6.6.z-debuginfo 37
17:37:09 . rhel-x86_64-server-ha-6.6.z 454
17:37:09 . rhel-x86_64-server-ha-6.6.z-debuginfo 198
17:37:09 . rhel-x86_64-server-lb-6.6.z 48
17:37:09 . rhel-x86_64-server-lb-6.6.z-debuginfo 27
17:37:09 . rhel-x86_64-server-optional-6.6.z 8673
17:37:09 . rhel-x86_64-server-optional-6.6.z-debuginfo 3621
17:37:09 . rhel-x86_64-server-rs-6.6.z 482
17:37:09 . rhel-x86_64-server-rs-6.6.z-debuginfo 214
17:37:09 . rhel-x86_64-server-sfs-6.6.z 46
17:37:09 . rhel-x86_64-server-sfs-6.6.z-debuginfo 18
17:37:09 . rhel-x86_64-server-sjis-6.6.z 6
17:37:09 . rhel-x86_64-server-sjis-6.6.z-debuginfo 4
17:37:09 . rhel-x86_64-server-supplementary-6.6.z 480
17:37:09 . rhel-x86_64-server-supplementary-6.6.z-debuginfo 18
17:37:09 . rhn-tools-rhel-x86_64-server-6.6.z 170
17:37:09 . rhn-tools-rhel-x86_64-server-6.6.z-debuginfo 4
be aware end of support does not mean, end of availability.
and critical CVE' vulnerabilities may still be patched. Like some patches for RHEL 4.9 this quarter.
Kind regards,
Jan Gerrit
Greg,
As our customers do not use Workstation I did not order the EUS and/or ELS channels for our test and production Satellite.
Do not ask me for prices, please for Government agencies in the US can get special offers from Red Hat sales or their Red Hat partner. The prices on shop.redhat.com might cause confusion.
We are an European Datacenter specialized Partner so we use a sales model that does not apply to you.
Kind regards,
Jan Gerrit Kootstra
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.
