Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-02-09 20:38:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.1898 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "keylime"

Wed Feb  9 20:38:36 2022 rev:14 rq:952217 version:6.3.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-01-29 
20:57:40.936424405 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1898/keylime.changes        
2022-02-09 20:39:12.126376267 +0100
@@ -1,0 +2,9 @@
+Mon Feb  7 16:28:22 UTC 2022 - Alberto Planas Dominguez <apla...@suse.com>
+
+- Change back agent_uuid to hostname
+- Set tpm_hash_alg to sha256 by default
+- Update version.diff patch to point to the correct version number
+- Fix issue with Tornado, when multiple workers are started
+  * Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)
+
+-------------------------------------------------------------------

New:
----
  cloud_verifier_tornado-use-fork_processes.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ keylime.spec ++++++
--- /var/tmp/diff_new_pack.EjcBwT/_old  2022-02-09 20:39:12.934378200 +0100
+++ /var/tmp/diff_new_pack.EjcBwT/_new  2022-02-09 20:39:12.942378219 +0100
@@ -38,6 +38,8 @@
 Patch2:         keylime.conf.diff
 # PATCH-FIX-OPENSUSE config-libefivars.diff
 Patch3:         config-libefivars.diff
+# PATCH-FIX-UPSTREAM cloud_verifier_tornado-use-fork_processes.patch 
(gh#keylime/keylime!880)
+Patch4:         cloud_verifier_tornado-use-fork_processes.patch
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
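Review bot: `Patch4:` is declared here but no matching `%patch4` application line appears in this hunk; that is fine if the spec's %prep uses `%autosetup -p1` or `%autopatch` (not visible in this diff), otherwise the patch is never applied and the verifier still crashes with more than one worker, so the %prep section is worth a look. The PATCH-FIX-UPSTREAM tag cites gh#keylime/keylime!880, while the patch file below also touches crypto.py and keylime_agent.py, which the patch's own diffstat does not list; if those hunks are openSUSE-side additions the tag (or a comment next to it) should say so, e.g. `# also carries backend= compat hunks for crypto.py / keylime_agent.py`.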

++++++ cloud_verifier_tornado-use-fork_processes.patch ++++++
>From 3ffdf86d6e3f2377520a07da0202cd6ba4c6f711 Mon Sep 17 00:00:00 2001
From: Alberto Planas <apla...@suse.com>
Date: Mon, 7 Feb 2022 17:00:02 +0100
Subject: [PATCH 1/2] cloud_verifier_tornado: use fork_processes

If cloud_verifier/multiprocessing_pool_num_workers is different from
1, the call to `.start()` will fail, because the earlier call to
`.add_sockets()` has already initialized the internal IOLoop.

The raised exception will be:

Traceback (most recent call last):
  File "/usr/bin/keylime_verifier", line 11, in <module>
    load_entry_point('keylime==6.3.0', 'console_scripts', 'keylime_verifier')()
  File "/usr/lib/python3.6/site-packages/keylime/cmd/verifier.py", line 21, in 
main
    cloud_verifier_tornado.main()
  File "/usr/lib/python3.6/site-packages/keylime/cloud_verifier_tornado.py", 
line 1122, in main
    server.start(config.getint('cloud_verifier', 
'multiprocessing_pool_num_workers'))
  File "/usr/lib64/python3.6/site-packages/tornado/tcpserver.py", line 220, in 
start
    process.fork_processes(num_processes)
  File "/usr/lib64/python3.6/site-packages/tornado/process.py", line 129, in 
fork_processes
    raise RuntimeError("Cannot run in multiple processes: IOLoop instance "
RuntimeError: Cannot run in multiple processes: IOLoop instance has already 
been initialized. You cannot call IOLoop.instance() before calling 
start_processes()

This was introduced in 
https://github.com/keylime/keylime/commit/50661f8b33f6b7335104cd4c0dfff711705ee96e

This patch revert back to call `.process.fork_processes()` after the
`.bind_sockets()` line, that is happening before the `.start()`, and
drop the optional parameter in the last method call.

Signed-off-by: Alberto Planas <apla...@suse.com>
---
 keylime/cloud_verifier_tornado.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Index: keylime-v6.3.0/keylime/cloud_verifier_tornado.py
===================================================================
--- keylime-v6.3.0.orig/keylime/cloud_verifier_tornado.py
+++ keylime-v6.3.0/keylime/cloud_verifier_tornado.py
@@ -1113,13 +1113,16 @@ def main():
     sockets = tornado.netutil.bind_sockets(
         int(cloudverifier_port), address=cloudverifier_host)
 
+    tornado.process.fork_processes(config.getint(
+        'cloud_verifier', 'multiprocessing_pool_num_workers'))
+
     server = tornado.httpserver.HTTPServer(app, ssl_options=context, 
max_buffer_size=max_upload_size)
     server.add_sockets(sockets)
 
     signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
 
     try:
-        server.start(config.getint('cloud_verifier', 
'multiprocessing_pool_num_workers'))
+        server.start()
         if tornado.process.task_id() == 0:
             # Start the revocation notifier only on one process
             if config.getboolean('cloud_verifier', 'revocation_notifier'):
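Review bot: After this change `tornado.process.fork_processes()` is reached unconditionally, and by tornado's documented semantics it does not return in the supervising parent, so the `signal.signal(signal.SIGTERM, ...)` handler and the HTTPServer below it are installed only in the worker children; the parent keeps the default SIGTERM disposition, and a TERM delivered to it alone leaves the workers running with the sockets still bound unless the service manager kills the whole cgroup. A comment above the fork line should make that explicit, e.g. `# fork_processes() returns only in the workers; the parent supervises them and exits when they do`, and a parent-side handler installed before the fork that forwards SIGTERM to the children would make standalone shutdown clean. Note also that with a configured value of 1 this now forks a single worker where `server.start(1)` previously ran in-process (tornado's `task_id()` is None when no fork happened), which is what makes the `task_id() == 0` check below hold in the single-worker case — worth a sentence in the commit message. Anything created before the fork (the `context` SSL context, `app`, and any DB engine or pool initialised earlier in main(), if there is one) is inherited by every worker; per-worker re-creation of connection pools is the usual fix if that applies here. `main()` starts and ends outside this hunk.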
Index: keylime-v6.3.0/keylime/crypto.py
===================================================================
--- keylime-v6.3.0.orig/keylime/crypto.py
+++ keylime-v6.3.0/keylime/crypto.py
@@ -211,5 +211,5 @@ def generate_selfsigned_cert(name, key,
         .serial_number(x509.random_serial_number())\
         .not_valid_before(datetime.datetime.utcnow())\
         .not_valid_after(valid_until)\
-        .sign(key, hashes.SHA256())
+        .sign(key, hashes.SHA256(), backend=default_backend())
     return cert
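Review bot: `default_backend` is used here but, unlike the keylime_agent.py hunk, no import is added for crypto.py; if the module does not already have `from cryptography.hazmat.backends import default_backend` this raises NameError the first time a self-signed certificate is generated — the module header is outside the hunk, so please confirm. The `backend=` keyword is a compatibility shim for python-cryptography releases that still required it (current releases accept and ignore it), and neither the patch subject nor its diffstat (`1 file changed`) mentions this file, so the rationale belongs in the commit message or the change in its own patch. `generate_selfsigned_cert` starts outside this hunk.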
Index: keylime-v6.3.0/keylime/keylime_agent.py
===================================================================
--- keylime-v6.3.0.orig/keylime/keylime_agent.py
+++ keylime-v6.3.0/keylime/keylime_agent.py
@@ -30,6 +30,7 @@ import subprocess
 import psutil
 
 from cryptography import x509
+from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import serialization
 
 from keylime import config
@@ -422,7 +423,7 @@ class CloudAgentHTTPServer(ThreadingMixI
         if os.path.isfile(certname):
             logger.debug("Using existing mTLS cert in %s", certname)
             with open(certname, "rb") as f:
-                mtls_cert = x509.load_pem_x509_certificate(f.read())
+                mtls_cert = x509.load_pem_x509_certificate(f.read(), 
backend=default_backend())
         else:
             logger.debug("No mTLS certificate found generating a new one")
             with open(certname, "wb") as f:
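Review bot: The reuse branch loads whatever sits at `certname` without checking that the certificate is still within its validity period or that it belongs to the agent's current key, so an expired or stale file keeps being presented for mTLS until someone deletes it by hand. A small guard after the load, along the lines of `if mtls_cert.not_valid_after <= datetime.datetime.utcnow(): logger.warning("mTLS cert expired, regenerating")` and then falling through to the generation branch, would make rotation self-healing; the key handling is not visible here, so whether a key/cert pairing check is also needed is an assumption to confirm. The `backend=` argument itself is only required by older python-cryptography and is ignored by current releases. The enclosing `CloudAgentHTTPServer` method starts and ends outside this hunk.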

++++++ keylime.conf.diff ++++++
--- /var/tmp/diff_new_pack.EjcBwT/_old  2022-02-09 20:39:13.042378458 +0100
+++ /var/tmp/diff_new_pack.EjcBwT/_new  2022-02-09 20:39:13.050378477 +0100
@@ -44,11 +44,21 @@
  # name of current host as the agent id.
 -agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
 +# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
-+agent_uuid = generate
++agent_uuid = hostname
  
  # Whether to listen for revocation notifications from the verifier or not.
  listen_notfications = True
-@@ -147,7 +152,8 @@ ek_handle = generate
+@@ -129,7 +134,8 @@ max_retries = 10
+ # - hashing:    sha512, sha384, sha256 or sha1
+ # - encryption: ecc or rsa
+ # - signing:    rsassa, rsapss, ecdsa, ecdaa or ecschnorr
+-tpm_hash_alg = sha1
++# tpm_hash_alg = sha1
++tpm_hash_alg = sha256
+ tpm_encryption_alg = rsa
+ tpm_signing_alg = rsassa
+ 
+@@ -147,7 +153,8 @@ ek_handle = generate
  cloudverifier_id = default
  
  # The IP address and port of verifier server binds to
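Review bot: `agent_uuid = hostname` makes the agent's identity towards the registrar a string the host itself chooses and that is not guaranteed unique: two machines with the same hostname (cloned images, DHCP-assigned names) register under the same ID, and how the registrar resolves that collision is not visible here, so the config comment should state the precondition, e.g. `# 'hostname' assumes hostnames are unique across all agents; keep 'generate' if they are not`. `tpm_hash_alg = sha256` is the right move away from SHA-1, but it requires the TPM's SHA-256 PCR bank to be allocated and any reference or allow-list values derived from the sha1 bank to be regenerated, and since the line above still lists sha1 as accepted this is a default change rather than a prohibition — verifier-side policy still has to reject sha1 if that is the goal. Both caveats deserve a line each in keylime.changes so upgraders know what to check.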
@@ -58,7 +68,7 @@
  cloudverifier_port = 8881
  
  # The address and port of registrar server that verifier communicates with
-@@ -266,7 +272,8 @@ revocation_notifier = True
+@@ -266,7 +273,8 @@ revocation_notifier = True
  # The binding address and port of the revocation notifier service.
  # If the 'revocation_notifier' option is set to "true", then the verifier
  # automatically starts the revocation service.
@@ -68,7 +78,7 @@
  revocation_notifier_port = 8992
  
  # Enable revocation notifications via webhook. This can be used to notify 
other
-@@ -400,10 +407,12 @@ max_payload_size = 1048576
+@@ -400,10 +408,12 @@ max_payload_size = 1048576
  # and SHA-512).
  # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses
  # them internally.
@@ -83,7 +93,7 @@
  
  # Specify the file containing allowlists for processing Linux IMA measurements
  # this file is used if tenant provides "default" as the allowlist file
-@@ -455,7 +464,8 @@ max_retries = 10
+@@ -455,7 +465,8 @@ max_retries = 10
  # might provide a signed list of EK public key hashes.  Then you could write
  # an ek_check_script that checks the signature of the allowlist and then
  # compares the hash of the given EK with the allowlist.
@@ -93,7 +103,7 @@
  
  # Optional script to execute to check the EK and/or EK certificate against a
  # allowlist or any other additional EK processing you want to do. Runs in
-@@ -481,7 +491,8 @@ ek_check_script=
+@@ -481,7 +492,8 @@ ek_check_script=
  
  # The registrar's IP address and port used to communicate with other services
  # as well as the bind address for the registrar server.

++++++ version.diff ++++++
--- /var/tmp/diff_new_pack.EjcBwT/_old  2022-02-09 20:39:13.090378573 +0100
+++ /var/tmp/diff_new_pack.EjcBwT/_new  2022-02-09 20:39:13.094378582 +0100
@@ -6,7 +6,7 @@
      description=(
          'TPM-based key bootstrapping and system '
          'integrity measurement system for cloud'),
-+    version='6.2.1',
++    version='6.3.0',
      long_description=long_description,
      long_description_content_type='text/markdown',
      author='Keylime Community',
