debops.java default variables
Sections
Java distribution flavor
- java__flavor
The Java distribution flavor to install on the host. By default the
Debian-provided OpenJDK packages are used (openjdk). Set this to
temurin to install Eclipse Temurin (Adoptium) JDK/JRE instead.
When temurin is selected, the extrepo role is used to enable
the Adoptium APT repository before the Java packages are installed.
java__flavor: 'openjdk'
- java__architecture_map
Mapping between Ansible architecture names and Debian architecture names used in the Temurin package names and JDK installation paths.
java__architecture_map:
x86_64: 'amd64'
aarch64: 'arm64'
armv7l: 'armhf'
ppc64le: 'ppc64el'
s390x: 's390x'
- java__architecture
The Debian architecture name corresponding to the target host's architecture.
java__architecture: '{{ java__architecture_map[ansible_architecture] | d("amd64") }}'
- java__temurin_version_map
Default Temurin major version per Debian release. When
java__flavor is set to temurin and
java__temurin_version is not overridden, the version appropriate for
the host's Debian release is used automatically.
java__temurin_version_map:
buster: '11'
bullseye: '11'
bookworm: '17'
trixie: '21'
- java__temurin_version
The Temurin major version to install. Set this explicitly (e.g. 8 for
Elasticsearch 6.x, 17, 21) to pin a specific version regardless of
the Debian release default.
java__temurin_version: '{{ java__temurin_version_map[ansible_distribution_release]
| d("17") }}'
Java APT packages
- java__install_jdk
By default the role installs only the Java Runtime Environment (JRE) packages. Other Ansible roles can request installation of the compatible Java Development Kit (JDK) by enabling this variable.
java__install_jdk: False
# ]]]
- java__temurin_package_type
Package type suffix used in Temurin package names and installation paths.
Resolves to jdk when java__install_jdk is enabled, jre
otherwise. Only applies when java__flavor is temurin.
java__temurin_package_type: '{{ "jdk" if (java__install_jdk | bool) else "jre" }}'
# ]]]
- java__base_packages
List of default APT packages which should be installed for Java Runtime Environment.
java__base_packages: '{{ (["temurin-" + java__temurin_version + "-jre"]
if (java__flavor == "temurin")
else ["default-jre-headless", "ca-certificates-java"]) }}'
- java__jdk_packages
List of default APT packages which should be installed for Java Development Kit.
java__jdk_packages: '{{ (["temurin-" + java__temurin_version + "-jdk"]
if (java__flavor == "temurin")
else (["default-jdk"]
if (ansible_distribution_release in ["trusty"])
else ["default-jdk-headless"]))
if java__install_jdk | bool else [] }}'
- java__packages
List of APT packages which should be installed on all hosts in Ansible inventory.
java__packages: []
- java__group_packages
List of APT packages which should be installed on a group of hosts in Ansible inventory.
java__group_packages: []
- java__host_packages
List of APT packages which should be installed on specific hosts in Ansible inventory.
java__host_packages: []
- java__dependent_packages
List of APT packages requested by other Ansible roles.
java__dependent_packages: []
Java versions
- java__version
The version of Java detected by the Ansible local facts.
java__version: '{{ ansible_local.java.version | d("0.0.0") }}'
- java__major_version
The Java major version number detected by the Ansible local facts.
java__major_version: '{{ ansible_local.java.major_version | d("0") }}'
- java__alternatives
You can use this variable to select which version of Java is used system-wide by default. To find out what versions are available, use the update-java-alternatives -l command on the remote host.
java__alternatives: ''
# ]]]
# ]]]
Java Security Policy configuration
Java Security Policy defines what paths and resources can be accessed by the Java-based applications. In DebOps we want to grant access to the PKI directories managed by the debops.pki role to support encrypted communication.
- java__security_policy_path
Path to the system-wide security policy used by all Java applications.
java__security_policy_path: '{{ ("/etc/java-" + java__major_version
+ "-openjdk/security/java.policy")
if (java__flavor == "openjdk")
else ("/usr/lib/jvm/temurin-"
+ java__major_version
+ "-" + java__temurin_package_type
+ "-" + java__architecture
+ ("/jre"
if (java__install_jdk | bool)
and (java__major_version | int > 0)
and (java__major_version | int <= 8)
else "")
+ ("/lib"
if (java__major_version | int > 0)
and (java__major_version | int <= 8)
else "/conf")
+ "/security/java.policy") }}'
- java__default_security_policy
This variable contains the contents of the
/etc/java-*-openjdk/security/java.policy configuration file.
java__default_security_policy: |
// default permissions granted to all domains
grant {
// allows anyone to listen on dynamic ports
permission java.net.SocketPermission "localhost:0", "listen";
// "standard" properties that can be read by anyone
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission
"java.specification.version", "read";
permission java.util.PropertyPermission
"java.specification.maintenance.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission
"java.vm.specification.version", "read";
permission java.util.PropertyPermission
"java.vm.specification.vendor", "read";
permission java.util.PropertyPermission
"java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
// Permit access to DebOps PKI infrastructure and system-wide certificate store
permission java.io.FilePermission "{{ ansible_local.pki.base_path | d('/etc/pki/realms') }}/-", "read";
permission java.io.FilePermission "{{ ansible_local.pki.base_path | d('/etc/pki/realms') }}/", "read";
permission java.io.FilePermission "/etc/ssl/certs/-", "read";
permission java.io.FilePermission "/etc/ssl/certs/", "read";
};
Configuration for other Ansible roles
- java__extrepo__dependent_sources
Configuration for the debops.extrepo role. When java__flavor
is set to temurin, the Adoptium APT repository is enabled to provide
the Eclipse Temurin packages. The repository is disabled when the flavor is
not temurin.
java__extrepo__dependent_sources:
- name: 'temurin'
state: '{{ "present" if (java__flavor == "temurin") else "absent" }}'