Java 1.6.0_19 & Hadoop

[Steve Loughran <st...@apache.org>]

I know everyone has had bad experiences w/ Java 1.6.0_18 and was 
sticking with JVM releases they trusted, but the set of security patches 
that have come out with the _19 release change the situation. There are 
enough server-side vulnerabilities there to make upgrading something to 
consider if you are working with untrusted data.

Has anyone tried the latest release at scale and got any good/bad 
experiences to share?

One interesting feature is it does actually disable Escape Analysis, 
which I believe was one of the troublespots. When I start a JVM with the 
following options

-XX:+UseCompressedOops
-XX:+DoEscapeAnalysis
-XX:+UseParallelGC
-XX:+AggressiveOpts

On
java version "1.6.0_19"
Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
Java HotSpot(TM) 64-Bit Server VM (build 16.2-b04, mixed mode)

I get told off:

Java HotSpot(TM) 64-Bit Server VM warning: Escape Analysis is disabled 
in this release.

Was it Escape Analysis that was hurting people in the _18 version?

-steve

Re: Java 1.6.0_19 & Hadoop

[Allen Wittenauer <aw...@linkedin.com>]

I seem to be ok with the little bit of _20 I've been using.

On Jul 21, 2010, at 5:58 AM, Bill Au wrote:

> Now that jdk 1.6.0_21 is out, has anyone been running it with Hadoop?  We
> have also had problem running Hadoop with 1.6.0_18.  So what version of
> 1.6.0 would people recommend for use with Hadoop?
> 
> Bill
> 
> On Tue, Apr 6, 2010 at 12:09 PM, Steve Loughran <st...@apache.org> wrote:
> 
>> Todd Lipcon wrote:
>> 
>>> I was seeing errors in 18 without escape analysis explicitly enabled. So
>>> unless it became enabled by default in 18, I don't think that was the
>>> issue.
>>> 
>> 
>> That's not good. The security fixes in this JVM do hint it's something to
>> deploy sooner rather than later.
>> 
>> http://isc.sans.org/diary.html?storyid=8572
>> 
>> http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
>> 
>> "Due to the threat posed by a successful attack, Oracle strongly recommends
>> that customers apply CPU fixes as soon as possible.  This Critical Patch
>> Update contains 27 new security fixes across all products."
>> 
>> There's something involving imageIO, which may imply JPEG or other image
>> processing as a vulnerability; the other details are too vague to be sure
>> what the implications are.
>> 

Re: Java 1.6.0_19 & Hadoop

[Bill Au <bi...@gmail.com>]

Now that jdk 1.6.0_21 is out, has anyone been running it with Hadoop?  We
have also had problem running Hadoop with 1.6.0_18.  So what version of
1.6.0 would people recommend for use with Hadoop?

Bill

On Tue, Apr 6, 2010 at 12:09 PM, Steve Loughran <st...@apache.org> wrote:

> Todd Lipcon wrote:
>
>> I was seeing errors in 18 without escape analysis explicitly enabled. So
>> unless it became enabled by default in 18, I don't think that was the
>> issue.
>>
>
> That's not good. The security fixes in this JVM do hint it's something to
> deploy sooner rather than later.
>
> http://isc.sans.org/diary.html?storyid=8572
>
> http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
>
> "Due to the threat posed by a successful attack, Oracle strongly recommends
> that customers apply CPU fixes as soon as possible.  This Critical Patch
> Update contains 27 new security fixes across all products."
>
> There's something involving imageIO, which may imply JPEG or other image
> processing as a vulnerability; the other details are too vague to be sure
> what the implications are.
>

Re: Java 1.6.0_19 & Hadoop

[Steve Loughran <st...@apache.org>]

Todd Lipcon wrote:
> I was seeing errors in 18 without escape analysis explicitly enabled. So
> unless it became enabled by default in 18, I don't think that was the issue.

That's not good. The security fixes in this JVM do hint it's something 
to deploy sooner rather than later.

http://isc.sans.org/diary.html?storyid=8572
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

"Due to the threat posed by a successful attack, Oracle strongly 
recommends that customers apply CPU fixes as soon as possible.  This 
Critical Patch Update contains 27 new security fixes across all products."

There's something involving imageIO, which may imply JPEG or other image 
processing as a vulnerability; the other details are too vague to be 
sure what the implications are.

Re: Java 1.6.0_19 & Hadoop

[Todd Lipcon <to...@cloudera.com>]

I was seeing errors in 18 without escape analysis explicitly enabled. So
unless it became enabled by default in 18, I don't think that was the issue.

-Todd

On Tue, Apr 6, 2010 at 5:48 AM, Steve Loughran <st...@apache.org> wrote:

>
> I know everyone has had bad experiences w/ Java 1.6.0_18 and was sticking
> with JVM releases they trusted, but the set of security patches that have
> come out with the _19 release change the situation. There are enough
> server-side vulnerabilities there to make upgrading something to consider if
> you are working with untrusted data.
>
> Has anyone tried the latest release at scale and got any good/bad
> experiences to share?
>
> One interesting feature is it does actually disable Escape Analysis, which
> I believe was one of the troublespots. When I start a JVM with the following
> options
>
> -XX:+UseCompressedOops
> -XX:+DoEscapeAnalysis
> -XX:+UseParallelGC
> -XX:+AggressiveOpts
>
> On
> java version "1.6.0_19"
> Java(TM) SE Runtime Environment (build 1.6.0_19-b04)
> Java HotSpot(TM) 64-Bit Server VM (build 16.2-b04, mixed mode)
>
> I get told off:
>
> Java HotSpot(TM) 64-Bit Server VM warning: Escape Analysis is disabled in
> this release.
>
> Was it Escape Analysis that was hurting people in the _18 version?
>
> -steve
>
>


-- 
Todd Lipcon
Software Engineer, Cloudera