Bug#941901: buster-pu: package octavia/3.0.0-3

2021-03-26 Thread Salvatore Bonaccorso
Hi,

On Sun, Nov 10, 2019 at 05:08:54PM +0100, Thomas Goirand wrote:
> On 11/9/19 2:31 PM, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Mon, 2019-10-07 at 14:35 +0200, Thomas Goirand wrote:
> >> Since Buster was frozen, I worked quite a long time on Octavia, and
> >> was
> >> able to make the octavia-agent work properly, as well as building an
> >> Octavia base image using Debian only stuff [1]. It works super well
> >> using the next version of OpenStack, ie: Stein, while Buster has
> >> Rocky.
> >>
> >> Though I'd like to be able to provide a working Amphorae image using
> >> only stuff from Buster, if possible. This is what this update is
> >> about.
> >>
> > 
> > Please go ahead.
> > 
> > Regards,
> > 
> > Adam
> 
> Hi Adam,
> 
> On top of what you already approved, I'd like to also add what's in this
> commit:
> 
> https://salsa.debian.org/openstack-team/services/octavia/commit/25eb5debecfc53e3394ca9d5dcf2bc01c563915f
> 
> The reason is, instead of adding so many things when building the
> Octavia virtual machine image, it makes a lot of sense to instead push
> all of this in the Debian package. At the time of writing the package
> for Buster, I had no experience with this, though that's how I am
> building the image using Sid these days.
> 
> When we have these in the Octavia package, then building the official
> Buster image for Octavia will be super simple, and will integrate easily
> in the cloud team's scripts. Hopefully, we can publish such an Octavia
> image right after the next Buster point release.
> 
> I've uploaded the above. If you think those aren't reasonable changes,
> please reject the package and let me know, then we can decide what you
> think can go in the Buster package and what shouldn't (though I really
> think all of the above is better suited in the package than in the image
> build script).

What is the status here? Should the package be rejected and only the
original changes included, or should the additional changes be accepted
as well?

Regards,
Salvatore



Bug#941901: buster-pu: package octavia/3.0.0-3

2019-11-10 Thread Thomas Goirand
On 11/9/19 2:31 PM, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Mon, 2019-10-07 at 14:35 +0200, Thomas Goirand wrote:
>> Since Buster was frozen, I worked quite a long time on Octavia, and
>> was
>> able to make the octavia-agent work properly, as well as building an
>> Octavia base image using Debian only stuff [1]. It works super well
>> using the next version of OpenStack, ie: Stein, while Buster has
>> Rocky.
>>
>> Though I'd like to be able to provide a working Amphorae image using
>> only stuff from Buster, if possible. This is what this update is
>> about.
>>
> 
> Please go ahead.
> 
> Regards,
> 
> Adam

Hi Adam,

On top of what you already approved, I'd like to also add what's in this
commit:

https://salsa.debian.org/openstack-team/services/octavia/commit/25eb5debecfc53e3394ca9d5dcf2bc01c563915f

The reason is, instead of adding so many things when building the
Octavia virtual machine image, it makes a lot of sense to instead push
all of this in the Debian package. At the time of writing the package
for Buster, I had no experience with this, though that's how I am
building the image using Sid these days.

When we have these in the Octavia package, then building the official
Buster image for Octavia will be super simple, and will integrate easily
in the cloud team's scripts. Hopefully, we can publish such an Octavia
image right after the next Buster point release.

I've uploaded the above. If you think those aren't reasonable changes,
please reject the package and let me know, then we can decide what you
think can go in the Buster package and what shouldn't (though I really
think all of the above is better suited in the package than in the image
build script).

Cheers,

Thomas Goirand (zigo)



Processed: Re: Bug#941901: buster-pu: package octavia/3.0.0-3

2019-11-09 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #941901 [release.debian.org] buster-pu: package octavia/3.0.0-3
Added tag(s) confirmed.

-- 
941901: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941901
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#941901: buster-pu: package octavia/3.0.0-3

2019-11-09 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Mon, 2019-10-07 at 14:35 +0200, Thomas Goirand wrote:
> Since Buster was frozen, I worked quite a long time on Octavia, and
> was
> able to make the octavia-agent work properly, as well as building an
> Octavia base image using Debian only stuff [1]. It works super well
> using the next version of OpenStack, ie: Stein, while Buster has
> Rocky.
> 
> Though I'd like to be able to provide a working Amphorae image using
> only stuff from Buster, if possible. This is what this update is
> about.
> 

Please go ahead.

Regards,

Adam



Bug#941901: buster-pu: package octavia/3.0.0-3, fix for CVE-2019-17134

2019-10-11 Thread Thomas Goirand
On 10/7/19 2:35 PM, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> Dear release team,
> 
> Since Buster was frozen, I worked quite a long time on Octavia, and was
> able to make the octavia-agent work properly, as well as building an
> Octavia base image using Debian only stuff [1]. It works super well
> using the next version of OpenStack, ie: Stein, while Buster has Rocky.
> 
> Though I'd like to be able to provide a working Amphorae image using
> only stuff from Buster, if possible. This is what this update is about.
> The update contains:
> 
> - Fix for the vrrp script template.
> - Fix for detecting the OS from within Octavia itself.
> - Fix for CVE-2019-17134, where the Amphora didn't enforce cert checking.
> - Fix for the octavia-agent package init / systemd scripts.

Kindly ping? It'd be nice if we could get this done... :)

Thomas



Bug#941901: buster-pu: package octavia/3.0.0-3

2019-10-07 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

Since Buster was frozen, I worked quite a long time on Octavia, and was
able to make the octavia-agent work properly, as well as building an
Octavia base image using Debian only stuff [1]. It works super well
using the next version of OpenStack, ie: Stein, while Buster has Rocky.

Though I'd like to be able to provide a working Amphorae image using
only stuff from Buster, if possible. This is what this update is about.
The update contains:

- Fix for the vrrp script template.
- Fix for detecting the OS from within Octavia itself.
- Fix for CVE-2019-17134, where the Amphora didn't enforce cert checking.
- Fix for the octavia-agent package init / systemd scripts.

Debdiff is attached. Please allow me to update the Octavia package in
Buster accordingly. Next up, I hope to be able to provide a Debian image
for Octavia through the official cdimage.debian.org repo. I'll do that
through Testing first.

Cheers,

Thomas Goirand (zigo)

[1] If you don't know what Octavia is, it is haproxy as a service, with
a base virtual machine image containing Haproxy and the Octavia Agent.
This image is called "Amphorae", and can be used to provide load balancer
as a service. This is quite nice technology!
diff -Nru octavia-3.0.0/debian/changelog octavia-3.0.0/debian/changelog
--- octavia-3.0.0/debian/changelog  2019-01-21 17:28:54.0 +0100
+++ octavia-3.0.0/debian/changelog  2019-04-30 12:07:21.0 +0200
@@ -1,3 +1,14 @@
+octavia (3.0.0-3+deb10u1) buster; urgency=medium
+
+  * Fix octavia-agent binary in init/service file, fix the startup.
+  * Add Fix-osutils.py-to-detect-Debian.patch.
+  * CVE-2019-17134: Client certificates aren't checked properly in the Amphora.
+Applied upstream patch (Closes: #941897):
+- Add CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch.
+  * Add Fix_template_that_generates_vrrp_check_script.patch.
+
+ -- Thomas Goirand   Tue, 30 Apr 2019 12:07:21 +0200
+
 octavia (3.0.0-3) unstable; urgency=medium
 
   * Add an octavia-agent package.
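Review bot: the trailer line "-- Thomas Goirand   Tue, 30 Apr 2019 12:07:21 +0200" dates this 3.0.0-3+deb10u1 entry more than five months before the request was filed (2019-10-07), so the changelog no longer reflects when the upload is being prepared; refresh it at upload time (for example with `dch -r`) so the entry's date and the CVE-2019-17134 line it carries match the actual stable update.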
diff -Nru octavia-3.0.0/debian/octavia-agent.install 
octavia-3.0.0/debian/octavia-agent.install
--- octavia-3.0.0/debian/octavia-agent.install  1970-01-01 01:00:00.0 
+0100
+++ octavia-3.0.0/debian/octavia-agent.install  2019-04-30 12:07:21.0 
+0200
@@ -0,0 +1,2 @@
+debian/octavia-agent-ramfs-start   /sbin
+debian/octavia-agent-ramfs-stop/sbin
diff -Nru octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in 
octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in
--- octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in2019-01-21 
17:28:54.0 +0100
+++ octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in2019-04-30 
12:07:21.0 +0200
@@ -17,3 +17,5 @@
 NAME=${PROJECT_NAME}-agent
 SYSTEM_USER=root
 SYSTEM_GROUP=root
+CONFIG_FILE=/etc/octavia/amphora-agent.conf
+DAEMON=/usr/bin/amphora-agent
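Review bot: this hunk only adds CONFIG_FILE and DAEMON, and nothing else in this debdiff invokes the octavia-agent-ramfs-start / octavia-agent-ramfs-stop scripts that the .install file places in /sbin. Unless the wiring lives in a file outside this diff, the agent will start with its certificate directory as a plain directory on the root filesystem rather than on the encrypted ramdisk; the start script needs to run before /usr/bin/amphora-agent and the stop script after it (a do_start/do_stop hook here and, for the systemd unit the changelog mentions, ExecStartPre= / ExecStopPost= lines).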
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-start 
octavia-3.0.0/debian/octavia-agent-ramfs-start
--- octavia-3.0.0/debian/octavia-agent-ramfs-start  1970-01-01 
01:00:00.0 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-start  2019-04-30 
12:07:21.0 +0200
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+modprobe brd rd_size=1024000 max_part=2 rd_nr=1
+passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print 
$3}')
+if [ -z "${certs_path}" ] ; then
+   certs_path=/var/lib/octavia/certs
+fi
+mkdir -p "${certs_path}"
+chown octavia:octavia ${certs_path}
+echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+mkfs.ext2 /dev/mapper/certfs-ramfs
+mount /dev/mapper/certfs-ramfs ${certs_path}
+chown octavia:octavia ${certs_path}
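Review bot: the `grep base_cert_dir ... | awk '{print $3}'` lookup is fragile in two ways that matter for where the certs end up: it matches any line containing the string, including a commented-out `#base_cert_dir = ...` sample line in a shipped config, and it assumes `key = value` with spaces around `=`, so a `base_cert_dir=/path` line yields an empty string and a silent fallback to /var/lib/octavia/certs, i.e. the ramdisk gets mounted on a directory the agent is not using. Parsing the value explicitly, e.g. `sed -n 's/^[[:space:]]*base_cert_dir[[:space:]]*=[[:space:]]*//p' /etc/octavia/amphora-agent.conf | head -n 1`, avoids both. Minor points in the same hunk: `${certs_path}` is quoted in the mkdir line but not in the chown/mount lines, and under /bin/sh `printf '%s' "${passphrase}"` is the portable form of `echo -n`.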
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-stop 
octavia-3.0.0/debian/octavia-agent-ramfs-stop
--- octavia-3.0.0/debian/octavia-agent-ramfs-stop   1970-01-01 
01:00:00.0 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-stop   2019-04-30 
12:07:21.0 +0200
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{printf 
$3}')
+umount "${certs_path}"
+cryptsetup luksClose /dev/mapper/certfs-ramfs
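Review bot: unlike the start script, this one has no default when base_cert_dir is absent from the config: `certs_path` is then empty, `umount ""` fails, and because of `set -e` the `cryptsetup luksClose` on the next line never runs, leaving the mapping open. Either reuse the same /var/lib/octavia/certs fallback or, simpler, unmount by device (`umount /dev/mapper/certfs-ramfs`) so the stop path does not depend on parsing the config at all. Also `awk '{printf $3}'` passes the field as a printf format string; `print $3`, as in the start script, is what is meant.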
diff -Nru 
octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
 
octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
--- 
octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
  1970-01-01 01:00:00.0 +0100
+++ 
octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
  2019-04-30 12:07:21.0 +0200
@@ -0,0 +1,73 @@
+Description: [PATCH] Fix urgent amphora