I haven't looked too closely at this, but if I recall correctly, when using
the launcher with a .far it seemed like the logged count of local artifacts
was more than double the number before so I'm not sure if it is ignored
completely?  It seemed like it was counting the artifacts inside the .far
and the artifacts in the local maven repo too even if they were
duplicates.   I thought that was weird, but it didn't bother me enough to
look further.

Are you saying that running with a non-empty "-u" argument that completely
replaces the default repository urls is unable to run?

For example, if your -u arguments are just the zip containing the felix
framework with something like below, is it able to find the artifacts that
exist inside the far archive?

java -jar org.apache.sling.feature.launcher.jar -f
org.apache.sling.starter-12-oak_tar_far.far -u
'jar:file:felixcontainer.zip!'

Regards,
-Eric

On Wed, Mar 16, 2022 at 10:59 AM Dr. Hans-Peter Störr <[email protected]>
wrote:

> Hi!
>
> I'm wondering about the usage of feature archives in the Sling feature
> launcher, especially in a setting without a network and
> $HOME/.m2/repository.
>
> https://github.com/apache/sling-org-apache-sling-feature/blob/master/docs/feature-archives.md
> says the feature archives, such as the
> org.apache.sling.starter-12-oak_tar_far.far produced by the Sling Starter
> https://github.com/apache/sling-org-apache-sling-starter , are meant to
> contain the actual artifacts needed to run the system. Yet, when you start
> the system like this:
>
> java -jar org.apache.sling.feature.launcher.jar -f
> org.apache.sling.starter-12-oak_tar_far.far -v
>
> the log shows that the artifacts in the FAR are completely ignored - it
> takes these from $HOME/.m2/repository or, failing that, they are downloaded
> from https://repo.maven.apache.org/maven2 . That seems not only a waste
> of network resources, but it has its problems. First in intranets or in a
> DMZ it's not guaranteed that you have internet access. Even worse: on
> production systems you don't want the starter to access the network or
> getting files from $HOME/.m2/repository, since that offers various attack
> avenues for injecting code into the system. So I'm wondering: shouldn't the
> feature launcher first check the FAR for the artifact and use that? Or even
> only use the code contained in a FAR?
>
>
> That said: there actually is a way to start the launcher without using the
> network, but in a quite cumbersome way. The feature launcher allows
> specifying the repository URLs, and you can give a jar file URL as
> repository URL:
>
> java -jar org.apache.sling.feature.launcher.jar -f
> org.apache.sling.starter-12-oak_tar_far.far -u
> 'jar:file:org.apache.sling.starter-12-oak_tar_far.far!' -u
> 'jar:file:felixcontainer.zip!'
>
> This also adds a second zip I created as a repository for the felix
> framework, which is required by the launcher, and just contains the file
>
> org/apache/felix/org.apache.felix.framework/7.0.1/org.apache.felix.framework-7.0.1.jar
>
> This works completely without network access, but it does feel like a
> workaround. So, is that actually the intended solution for this use case, or
> are there plans to extend the feature launcher in some way? Or am I missing
> something?
>
> Thank you all for the good work and the many advances with this!
>
> Best regards,
>
> Hans-Peter
>
> PS: I was almost jumping up and down when I saw the tag
> org.apache.sling.starter-12 in the maven repo. Thanks for finally fixing
> something that can become release 12 of the Sling Starter ! I'm looking
> forward for it to appear in the maven repository.
>
