Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package kanku for openSUSE:Factory checked in at 2022-02-17 23:40:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kanku (Old) and /work/SRC/openSUSE:Factory/.kanku.new.1958 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kanku" Thu Feb 17 23:40:32 2022 rev:8 rq:955671 version:0.12.1 Changes: -------- --- /work/SRC/openSUSE:Factory/kanku/kanku.changes 2022-02-09 20:40:57.194627585 +0100 +++ /work/SRC/openSUSE:Factory/.kanku.new.1958/kanku.changes 2022-02-17 23:42:14.151700065 +0100 @@ -1,0 +2,6 @@ +Wed Feb 16 08:04:53 UTC 2022 - fschrei...@suse.com + +- Update to version 0.12.1: + * [core][feature] new systemd service kanku-iptables for master server + +------------------------------------------------------------------- Old: ---- kanku-0.12.0.tar.xz New: ---- kanku-0.12.1.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kanku.spec ++++++ --- /var/tmp/diff_new_pack.11Fonl/_old 2022-02-17 23:42:14.915700059 +0100 +++ /var/tmp/diff_new_pack.11Fonl/_new 2022-02-17 23:42:14.927700059 +0100 @@ -22,7 +22,7 @@ Name: kanku # Version gets set by obs-service-tar_scm -Version: 0.12.0 +Version: 0.12.1 Release: 0 License: GPL-3.0-only Summary: Development and continuous integration ++++++ _service ++++++ --- /var/tmp/diff_new_pack.11Fonl/_old 2022-02-17 23:42:14.971700058 +0100 +++ /var/tmp/diff_new_pack.11Fonl/_new 2022-02-17 23:42:14.975700058 +0100 @@ -10,7 +10,7 @@ <param name="extract">dist/debian.control</param> <param name="extract">dist/debian.dsc</param> <param name="extract">dist/debian.rules</param> - <param name="revision">0.12.0</param> + <param name="revision">0.12.1</param> </service> <service name="recompress" mode="disabled"> <param name="compression">xz</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.11Fonl/_old 2022-02-17 23:42:14.999700058 +0100 +++ /var/tmp/diff_new_pack.11Fonl/_new 2022-02-17 23:42:15.003700058 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/M0ses/kanku.git</param> - <param name="changesrevision">315c7835c3f3a52b9dbd362a33f5f8696c7af411</param></service></servicedata> + <param name="changesrevision">d74059af00a76ca92436e09aef11c143036d45fd</param></service></servicedata> (No newline at EOF) ++++++ debian.changelog ++++++ --- /var/tmp/diff_new_pack.11Fonl/_old 2022-02-17 23:42:15.023700058 +0100 +++ /var/tmp/diff_new_pack.11Fonl/_new 2022-02-17 23:42:15.027700058 +0100 @@ -1,4 +1,4 @@ -kanku (0.12.0-0) UNRELEASED; urgency=medium +kanku (0.12.1-0) UNRELEASED; urgency=medium * updated to upstream version 0.10.1 ++++++ debian.dsc ++++++ --- /var/tmp/diff_new_pack.11Fonl/_old 2022-02-17 23:42:15.075700058 +0100 +++ /var/tmp/diff_new_pack.11Fonl/_new 2022-02-17 23:42:15.079700057 +0100 @@ -2,7 +2,7 @@ Source: kanku Binary: kanku Architecture: any -Version: 0.12.0 +Version: 0.12.1 Maintainer: Frank Schreiner <fschrei...@suse.de> Standards-Version: 3.8.2 Homepage: https://github.com/M0ses/kanku ++++++ kanku-0.12.0.tar.xz -> kanku-0.12.1.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kanku-0.12.0/Makefile new/kanku-0.12.1/Makefile --- old/kanku-0.12.0/Makefile 2022-02-09 08:02:34.000000000 +0100 +++ new/kanku-0.12.1/Makefile 2022-02-16 10:30:18.000000000 +0100 
@@ -118,6 +118,7 @@ install -m 644 ./dist/systemd/kanku-triggerd.service $(DESTDIR)/usr/lib/systemd/system/kanku-triggerd.service install -m 644 ./dist/systemd/kanku-web.service $(DESTDIR)/usr/lib/systemd/system/kanku-web.service install -m 644 ./dist/systemd/kanku-dispatcher.service $(DESTDIR)/usr/lib/systemd/system/kanku-dispatcher.service + install -m 644 ./dist/systemd/kanku-iptables.service $(DESTDIR)/usr/lib/systemd/system/kanku-iptables.service install_docs: install -m 644 README.md $(_DOCDIR) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kanku-0.12.0/bin/network-setup.pl new/kanku-0.12.1/bin/network-setup.pl --- old/kanku-0.12.0/bin/network-setup.pl 2022-02-09 08:02:34.000000000 +0100 +++ new/kanku-0.12.1/bin/network-setup.pl 2022-02-16 10:30:18.000000000 +0100 @@ -35,16 +35,18 @@ } if ($current_network_name eq '-') { + $logger->info("Adding all networks"); @net_cfg = @net_list; } else { for my $net (@net_list) { next if ($net->{name} ne $current_network_name); + $logger->info("Adding network: $net->{name}"); push @net_cfg, $net; } } for my $ncfg (@net_cfg) { - my $setup = Kanku::Setup::LibVirt::Network->new(net_cfg=>$ncfg,name=>$current_network_name); + my $setup = Kanku::Setup::LibVirt::Network->new(net_cfg=>$ncfg,name=>$ncfg->{name}); try { if ( $action eq 'start' ) { $setup->prepare_ovs(); @@ -53,14 +55,20 @@ if ( $action eq 'started' ) { $setup->prepare_dns(); $setup->start_dhcp(); - $setup->configure_iptables(); } if ( $action eq 'stopped' ) { $setup->kill_dhcp(); - $setup->cleanup_iptables; $setup->bridge_down; } + + if ( $action eq 'cleanup_iptables' ) { + $setup->cleanup_iptables; + } + + if ( $action eq 'configure_iptables' ) { + $setup->configure_iptables; + } } catch { $logger->error("$0 $current_network_name $action failed:"); $logger->error($_); 
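Review bot: The added install line copies kanku-iptables.service into /usr/lib/systemd/system, but the kanku.spec hunk in this same commit only bumps Version, and nothing visible adds the unit to %files or to the %service_add_pre/%service_add_post scriptlets the existing units presumably use. If the spec lists the units individually rather than by glob, the build will stop on an unpackaged file or the unit will never be registered with systemd; this cannot be confirmed from the hunks shown. The install_docs target continues outside the hunk.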
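Review bot: The catch block still logs `$current_network_name`, which after this change is `-` whenever all networks are processed, so a failure no longer says which network it belongs to even though the loop now hands `$ncfg->{name}` to the setup object. Changing it to `$logger->error("$0 $ncfg->{name} $action failed:");` keeps the per-network context in the log. The enclosing `for my $ncfg` loop and the try block begin in the previous hunk.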
@@ -68,5 +76,4 @@ }; } -$logger->info("Current network name ($current_network_name) did not found in our configs"); exit 0; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kanku-0.12.0/dist/systemd/kanku-iptables.service new/kanku-0.12.1/dist/systemd/kanku-iptables.service --- old/kanku-0.12.0/dist/systemd/kanku-iptables.service 1970-01-01 01:00:00.000000000 +0100 +++ new/kanku-0.12.1/dist/systemd/kanku-iptables.service 2022-02-16 10:30:18.000000000 +0100 @@ -0,0 +1,12 @@ +[Unit] +Description=Restore and store kanku iptables rules +After=local-fs.target network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/lib/kanku/network-setup.pl - configure_iptables +ExecStop=/usr/lib/kanku/network-setup.pl - cleanup_iptables + +[Install] +WantedBy=multi-user.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kanku-0.12.0/lib/Kanku/Setup/LibVirt/Network.pm new/kanku-0.12.1/lib/Kanku/Setup/LibVirt/Network.pm --- old/kanku-0.12.0/lib/Kanku/Setup/LibVirt/Network.pm 2022-02-09 08:02:34.000000000 +0100 +++ new/kanku-0.12.1/lib/Kanku/Setup/LibVirt/Network.pm 2022-02-16 10:30:18.000000000 +0100 @@ -232,11 +232,15 @@ } sub configure_iptables { - my $self = shift; - my $net_cfg = $self->net_cfg; - my $bridges = $self->bridges; - my $name = $self->name; + my ($self) = @_; + my $net_cfg = $self->net_cfg; + my $bridges = $self->bridges; + my $name = $self->name; + my $ipt = Kanku::Util::IPTables->new; + my $chain = $self->iptables_chain; + my $forward; + for my $ncfg (@$bridges) { $self->logger->debug("Starting configuration of iptables"); 
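Review bot: The unit orders itself only after local-fs.target and network.target, with no ordering relative to libvirtd.service or to the kanku daemons that add per-domain rules into the chain that configure_iptables creates. If anything else brings that chain into existence before this unit runs, the new chain_exists check in Network.pm skips the FORWARD/PREROUTING jump rules and the chain is never reached; an explicit `Before=` on the dependent units, or `After=libvirtd.service` if the bridge rules must follow libvirt, would pin the order, though which one is right cannot be decided from this diff. ExecStart and ExecStop also run the script directly, so the installed file must carry the executable bit; the libvirt daemon hook removed elsewhere in this commit invoked it through /usr/bin/perl.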
@@ -260,26 +264,33 @@ my @comment = ('-m','comment','--comment',"Kanku:net:$name"); my $rules = [ - ["-X",$self->iptables_chain], - ["-N",$self->iptables_chain], - ["-I",$self->iptables_chain, "-j","RETURN",@comment], - ['-t','nat','-X',$self->iptables_chain], - ['-t','nat','-N',$self->iptables_chain], - ['-t','nat','-I',$self->iptables_chain, "-j","RETURN",@comment], ["-I","FORWARD","1","-i",$ncfg->{bridge},"-j","REJECT","--reject-with","icmp-port-unreachable",@comment], ["-I","FORWARD","1","-o",$ncfg->{bridge},"-j","REJECT","--reject-with","icmp-port-unreachable",@comment], ["-I","FORWARD","1","-i",$ncfg->{bridge},"-o","$ncfg->{bridge}","-j","ACCEPT",@comment], ["-I","FORWARD","1","-s",$prefix,"-i",$ncfg->{bridge},"-j","ACCEPT",@comment], - ["-I","FORWARD","1","-j",$self->iptables_chain,@comment], ["-I","FORWARD","1","-d",$prefix,"-o",$ncfg->{bridge},"-m","conntrack","--ctstate","RELATED,ESTABLISHED","-j","ACCEPT",@comment], ["-t","nat","-I","POSTROUTING","-s",$prefix,"!","-d",$prefix,"-j","MASQUERADE",@comment], ["-t","nat","-I","POSTROUTING","-s",$prefix,"!","-d",$prefix,"-p","udp","-j","MASQUERADE","--to-ports","1024-65535",@comment], ["-t","nat","-I","POSTROUTING","-s",$prefix,"!","-d",$prefix,"-p","tcp","-j","MASQUERADE","--to-ports","1024-65535",@comment], ["-t","nat","-I","POSTROUTING","-s",$prefix,"-d","255.255.255.255/32","-j","RETURN",@comment], ["-t","nat","-I","POSTROUTING","-s",$prefix,"-d","224.0.0.0/24","-j","RETURN",@comment], - ["-t","nat","-I","PREROUTING","1","-j",$self->iptables_chain,@comment], ]; + if (!$ipt->chain_exists('filter', $chain)) { + push @$rules, + ["-N", $chain], + ["-I", $chain, "-j", "RETURN", @comment], + ["-I", "FORWARD", "1", "-j", $chain, @comment]; + } + + if (!$ipt->chain_exists('nat', $chain)) { + push @$rules, + ['-t', 'nat', '-N', $chain], + ['-t', 'nat', '-I', $chain, "-j", "RETURN", @comment], + ["-t", "nat", "-I", "PREROUTING", "1", "-j", $chain, @comment]; + } + + for my $rule (@{$rules}) { 
$self->logger->debug("Adding rule: iptables @{$rule}"); my @ipt; @@ -291,11 +302,10 @@ } } } - system('sysctl net.ipv4.ip_forward=1') if $forward; + `sysctl net.ipv4.ip_forward=1` if $forward; my $json_file = $self->iptables_autostart_json; if (-f $json_file) { - my $ipt = Kanku::Util::IPTables->new; $ipt->restore_iptables_autostart($json_file); unlink $json_file; } else { @@ -320,9 +330,14 @@ my ($self) = @_; my $bridges = $self->bridges; my $name = $self->name; + my $logger = $self->logger; + + $logger->info("Starting cleanup_iptables for network $name"); my $ipt = Kanku::Util::IPTables->new; - $ipt->store_iptables_autostart($self->iptables_autostart_json); + my $json_file = $self->iptables_autostart_json; + $logger->debug("Storing $json_file"); + $ipt->store_iptables_autostart($json_file); for my $ncfg (@$bridges) { my $ncfg = $self->net_cfg; 
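Review bot: The existence of the filter or nat chain is used as a proxy for the existence of the `-j $chain` jump rules in FORWARD and PREROUTING, but those jumps carry the `Kanku:net:$name` comment of whichever network first created the chain, and cleanup_iptables later in this file deletes rules by that comment while keeping a chain that still holds more than one rule. After that sequence the chain survives but is unreferenced, and the next configure_iptables sees chain_exists true and never re-adds the jump. Guarding the two jump rules on their own presence in FORWARD/PREROUTING, or tagging the chain bootstrap rules with a network-independent comment, would make the check match what it protects. The per-bridge FORWARD and POSTROUTING rules in `$rules` are also still inserted unconditionally, so running the unit's ExecStart twice without the ExecStop in between duplicates them.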
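Review bot: Replacing `system('sysctl net.ipv4.ip_forward=1')` with backticks in void context discards both the command's output and its exit status, so a failure to enable forwarding, which the MASQUERADE rules above depend on, goes unnoticed. Prefer the list form with a status check, e.g. `system('sysctl', 'net.ipv4.ip_forward=1') == 0 or $self->logger->error("sysctl ip_forward failed: $?");`, which also keeps the shell out of the path. The enclosing configure_iptables continues outside the hunk.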
@@ -342,35 +357,49 @@ for my $table (keys %$rules_to_delete) { for my $chain (keys %{$rules_to_delete->{$table}}) { - my @rules = $ipt->_get_rules_from_chain($table, $chain); - for my $rule (@rules) { - $self->logger->debug("Cleaning chain $chain in table $table $rule->{comment}"); - push @{$rules_to_delete->{$table}->{$chain}}, $rule->{line_number} if $rule->{comment} eq "Kanku:net:$name"; - } + if ($ipt->chain_exists($table, $chain)) { + my @rules = $ipt->_get_rules_from_chain($table, $chain); + for my $rule (@rules) { + $logger->debug("Cleaning chain $chain in table $table $rule->{comment}"); + push @{$rules_to_delete->{$table}->{$chain}}, $rule->{line_number} if $rule->{comment} eq "Kanku:net:$name"; + } + } } } - $self->logger->info("Cleaning iptables rules"); + $logger->info("Cleaning iptables rules"); for my $table (keys(%{$rules_to_delete})) { for my $chain (keys(%{$rules_to_delete->{$table}}) ) { # cleanup from the highest number to keep numbers consistent - $self->logger->debug("Cleaning chain $chain in table $table"); + $logger->debug("Cleaning chain $chain in table $table"); for my $number ( reverse @{$rules_to_delete->{$table}->{$chain}} ) { - $self->logger->debug("... deleting from chain $chain rule number $number"); + $logger->debug("... deleting from chain $chain rule number $number"); # security not relevant here because we have trusted input # from 'iptables -L ...' my @cmd_output = `iptables -t $table -D $chain $number 2>&1`; if ( $? 
) { - $self->logger->error("An error occured while deleting rule $number from chain $chain : @cmd_output"); + $logger->error("An error occured while deleting rule $number from chain $chain : @cmd_output"); } } } } my $chain = $self->iptables_chain; - `iptables -F $chain`; - `iptables -X $chain`; - `iptables -t nat -F $chain`; - `iptables -t nat -X $chain`; + if ($ipt->chain_exists('filter', $chain)) { + my @f_rules = $ipt->_get_rules_from_chain('filter', $chain); + if (@f_rules <= 1) { + $logger->debug("Removing filter/$chain"); + `iptables -F $chain`; + `iptables -X $chain`; + } + } + if ($ipt->chain_exists('nat', $chain)) { + my @n_rules = $ipt->_get_rules_from_chain('nat', $chain); + if (@n_rules <= 1) { + $logger->debug("Removing nat/$chain"); + `iptables -t nat -F $chain`; + `iptables -t nat -X $chain`; + } + } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kanku-0.12.0/lib/Kanku/Setup/Server/Distributed.pm new/kanku-0.12.1/lib/Kanku/Setup/Server/Distributed.pm --- old/kanku-0.12.0/lib/Kanku/Setup/Server/Distributed.pm 2022-02-09 08:02:34.000000000 +0100 +++ new/kanku-0.12.1/lib/Kanku/Setup/Server/Distributed.pm 2022-02-16 10:30:18.000000000 +0100 @@ -395,14 +395,6 @@ chmod oct(755), "/etc/libvirt/hooks/network"; - file("/etc/libvirt/hooks/daemon")->spew('#!/bin/bash - -if [ "$2" == "shutdown" ];then - /usr/bin/perl /usr/lib/kanku/network-setup.pl - stopped -fi -'); - - chmod oct(755), "/etc/libvirt/hooks/daemon"; $self->_run_system_cmd("systemctl", "restart", "libvirtd.service"); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/kanku-0.12.0/lib/Kanku/Util/IPTables.pm new/kanku-0.12.1/lib/Kanku/Util/IPTables.pm --- old/kanku-0.12.0/lib/Kanku/Util/IPTables.pm 2022-02-09 08:02:34.000000000 +0100 +++ new/kanku-0.12.1/lib/Kanku/Util/IPTables.pm 2022-02-16 10:30:18.000000000 +0100 
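Review bot: `iptables -X $chain` fails when any rule still references the chain, and the backtick result is discarded, so the new conditional removal can leave the chain flushed but not deleted without a trace in the log; the deletion loop just above already captures output and checks `$?`, and the same shape fits here: `my @out = \`iptables -X $chain 2>&1\`;` followed by `$logger->error("Removing $chain failed: @out") if $?;`. The `@f_rules <= 1` and `@n_rules <= 1` tests also assume the only rule left is the RETURN inserted by configure_iptables, which holds only while nothing else writes into the chain; a one-line comment stating that assumption would help the next reader. cleanup_iptables begins in the previous hunk.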
@@ -19,6 +19,8 @@ use Moose; use File::Which; use JSON::MaybeXS; +use Carp; + use Kanku::Config; with 'Kanku::Roles::Logger'; @@ -100,16 +102,16 @@ sub get_active_rules_for_domain { my $self = shift; my $domain_name = shift || $self->domain_name; - my $result = { - filter =>{$self->iptables_chain=>[]}, - nat=>{$self->iptables_chain=>[]} - }; + my $chain = $self->iptables_chain; + my $result = {filter =>{$chain=>[]}, nat=>{$chain=>[]}}; die "No domain_name given. Cannot procceed\n" if (! $domain_name); for my $table ('nat', 'filter') { - for my $rule ($self->_get_rules_from_chain($table)) { - push(@{$result->{$table}->{$self->iptables_chain}},$rule->{line_number}) if ($rule->{domain_name} eq $domain_name); + if ($self->chain_exists($table)) { + for my $rule ($self->_get_rules_from_chain($table)) { + push(@{$result->{$table}->{$chain}},$rule->{line_number}) if ($rule->{domain_name} eq $domain_name); + } } } @@ -204,9 +206,11 @@ my $rules2store = {nat=>[],filter=>[]}; for my $table (keys %$rules2store) { - my @rules = $self->_get_rules_from_chain($table); - for my $rule (@rules) { - push @{$rules2store->{$table}}, $rule if $rule->{domain_autostart}; + if ($self->chain_exists($table)) { + my @rules = $self->_get_rules_from_chain($table); + for my $rule (@rules) { + push @{$rules2store->{$table}}, $rule if $rule->{domain_autostart}; + } } } $self->logger->debug("Writing rules2store to $file"); @@ -247,6 +251,20 @@ } } +sub chain_exists { + my ($self, $table, $chain) = @_; + my $sudo = $self->sudo(); + my @rules; + $table ||= 'filter'; + $chain ||= $self->iptables_chain; + my $cmd = "$sudo LANG=C iptables -t $table -L $chain"; + my @lines = `$cmd`; + + return 1 unless $?; + + return 0; +} + sub _get_rules_from_chain { my ($self, $table, $chain) = @_; 
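Review bot: `chain_exists` returns 0 for any non-zero exit of `iptables -L`, not only for a missing chain, so a permission problem or an absent binary sends every caller down the create-it path and the real error surfaces later with less context; the captured `@lines` are dropped and `my @rules;` is unused. Keeping the output for the failure case and collapsing the two returns makes the intent explicit: `my @lines = \`$cmd 2>&1\`;`, then `$self->logger->debug("chain_exists($table/$chain): @lines") if $?;`, then `return $? ? 0 : 1;`. The command is still built as one shell string with `$table` and `$chain` interpolated; both come from callers inside the project here, matching the existing `_get_rules_from_chain`, but the list form `open my $fh, '-|', ...` would take the shell out entirely.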
@@ -258,7 +276,7 @@ my @lines = `$cmd`; - die "Error while creating iptables chain($?):\n\t$cmd\n\n@lines\n" if $?; + confess "Error while creating iptables chain($?):\n\t$cmd\n\n@lines\n" if $?; # 1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.199.84 state NEW tcp dpt:443 /* Kanku:host:obs-server::1 */ my $re = qr/^