Bug#941901: buster-pu: package octavia/3.0.0-3
Hi,

On Sun, Nov 10, 2019 at 05:08:54PM +0100, Thomas Goirand wrote:
> On 11/9/19 2:31 PM, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> >
> > On Mon, 2019-10-07 at 14:35 +0200, Thomas Goirand wrote:
> >> Since Buster was frozen, I worked quite a long time on Octavia, and was
> >> able to make the octavia-agent work properly, as well as building an
> >> Octavia base image using Debian only stuff [1]. It works super well
> >> using the next version of OpenStack, i.e. Stein, while Buster has
> >> Rocky.
> >>
> >> Though I'd like to be able to provide a working Amphorae image using
> >> only stuff from Buster, if possible. This is what this update is
> >> about.
> >>
> >
> > Please go ahead.
> >
> > Regards,
> >
> > Adam
>
> Hi Adam,
>
> On top of what you already approved, I'd like to also add what's in this
> commit:
>
> https://salsa.debian.org/openstack-team/services/octavia/commit/25eb5debecfc53e3394ca9d5dcf2bc01c563915f
>
> The reason is, instead of adding so many things when building the
> Octavia virtual machine image, it makes a lot of sense to instead push
> all of this in the Debian package. At the time of writing the package
> for Buster, I had no experience with this, though that's how I am
> building the image using Sid these days.
>
> When we have these in the Octavia package, then building the official
> Buster image for Octavia will be super simple, and will integrate easily
> in the cloud team's scripts. Hopefully, we can publish such an Octavia
> image right after the next Buster point release.
>
> I've uploaded the above. If you think those aren't reasonable changes,
> please reject the package and let me know, then we can decide what you
> think can go in the Buster package and what shouldn't (though I really
> think all of the above is better suited in the package than in the image
> build script).

What is the status here?

Should the package be rejected and only the original changes included, or should the additional changes be accepted as well?

Regards,
Salvatore
Bug#941901: buster-pu: package octavia/3.0.0-3
On 11/9/19 2:31 PM, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Mon, 2019-10-07 at 14:35 +0200, Thomas Goirand wrote:
>> Since Buster was frozen, I worked quite a long time on Octavia, and was
>> able to make the octavia-agent work properly, as well as building an
>> Octavia base image using Debian only stuff [1]. It works super well
>> using the next version of OpenStack, i.e. Stein, while Buster has
>> Rocky.
>>
>> Though I'd like to be able to provide a working Amphorae image using
>> only stuff from Buster, if possible. This is what this update is
>> about.
>>
>
> Please go ahead.
>
> Regards,
>
> Adam

Hi Adam,

On top of what you already approved, I'd like to also add what's in this
commit:

https://salsa.debian.org/openstack-team/services/octavia/commit/25eb5debecfc53e3394ca9d5dcf2bc01c563915f

The reason is, instead of adding so many things when building the
Octavia virtual machine image, it makes a lot of sense to instead push
all of this in the Debian package. At the time of writing the package
for Buster, I had no experience with this, though that's how I am
building the image using Sid these days.

When we have these in the Octavia package, then building the official
Buster image for Octavia will be super simple, and will integrate easily
in the cloud team's scripts. Hopefully, we can publish such an Octavia
image right after the next Buster point release.

I've uploaded the above. If you think those aren't reasonable changes,
please reject the package and let me know, then we can decide what you
think can go in the Buster package and what shouldn't (though I really
think all of the above is better suited in the package than in the image
build script).

Cheers,

Thomas Goirand (zigo)
Processed: Re: Bug#941901: buster-pu: package octavia/3.0.0-3
Processing control commands:

> tags -1 + confirmed
Bug #941901 [release.debian.org] buster-pu: package octavia/3.0.0-3
Added tag(s) confirmed.

--
941901: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941901
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#941901: buster-pu: package octavia/3.0.0-3
Control: tags -1 + confirmed

On Mon, 2019-10-07 at 14:35 +0200, Thomas Goirand wrote:
> Since Buster was frozen, I worked quite a long time on Octavia, and was
> able to make the octavia-agent work properly, as well as building an
> Octavia base image using Debian only stuff [1]. It works super well
> using the next version of OpenStack, i.e. Stein, while Buster has
> Rocky.
>
> Though I'd like to be able to provide a working Amphorae image using
> only stuff from Buster, if possible. This is what this update is
> about.
>

Please go ahead.

Regards,

Adam
Bug#941901: buster-pu: package octavia/3.0.0-3, fix for CVE-2019-17134
On 10/7/19 2:35 PM, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian@packages.debian.org
> Usertags: pu
>
> Dear release team,
>
> Since Buster was frozen, I worked quite a long time on Octavia, and was
> able to make the octavia-agent work properly, as well as building an
> Octavia base image using Debian only stuff [1]. It works super well
> using the next version of OpenStack, i.e. Stein, while Buster has Rocky.
>
> Though I'd like to be able to provide a working Amphorae image using
> only stuff from Buster, if possible. This is what this update is about.
> The update contains:
>
> - Fix for the vrrp script template.
> - Fix for detecting the OS from within Octavia itself.
> - Fix for CVE-2019-17134, where the Amphora didn't enforce cert checking.
> - Fix for the octavia-agent package init / systemd scripts.

Kindly ping? It'd be nice if we could get this done... :)

Thomas
Bug#941901: buster-pu: package octavia/3.0.0-3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release team,

Since Buster was frozen, I worked quite a long time on Octavia, and was
able to make the octavia-agent work properly, as well as building an
Octavia base image using Debian only stuff [1]. It works super well
using the next version of OpenStack, i.e. Stein, while Buster has Rocky.

Though I'd like to be able to provide a working Amphorae image using
only stuff from Buster, if possible. This is what this update is about.
The update contains:

- Fix for the vrrp script template.
- Fix for detecting the OS from within Octavia itself.
- Fix for CVE-2019-17134, where the Amphora didn't enforce cert checking.
- Fix for the octavia-agent package init / systemd scripts.

Debdiff is attached. Please allow me to update the Octavia package in
Buster accordingly.

Next up, I hope to be able to provide a Debian image for Octavia through
the official cdimage.debian.org repo. I'll do that through Testing first.

Cheers,

Thomas Goirand (zigo)

[1] If you don't know what Octavia is, it is haproxy as a service, with a
base virtual machine image containing Haproxy and the Octavia Agent. This
image is called "Amphorae", and can be used to provide load balancer as a
service. This is quite nice technology!

diff -Nru octavia-3.0.0/debian/changelog octavia-3.0.0/debian/changelog --- octavia-3.0.0/debian/changelog 2019-01-21 17:28:54.0 +0100 +++ octavia-3.0.0/debian/changelog 2019-04-30 12:07:21.0 +0200
@@ -1,3 +1,14 @@ +octavia (3.0.0-3+deb10u1) buster; urgency=medium + + * Fix octavia-agent binary in init/service file, fix the startup. + * Add Fix-osutils.py-to-detect-Debian.patch. + * CVE-2019-17134: Client certificates aren't checked properly in the Amphora. +Applied upstream patch (Closes: #941897): +- Add CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch. + * Add Fix_template_that_generates_vrrp_check_script.patch. + + -- Thomas Goirand Tue, 30 Apr 2019 12:07:21 +0200 + octavia (3.0.0-3) unstable; urgency=medium * Add an octavia-agent package. diff -Nru octavia-3.0.0/debian/octavia-agent.install octavia-3.0.0/debian/octavia-agent.install --- octavia-3.0.0/debian/octavia-agent.install 1970-01-01 01:00:00.0 +0100 +++ octavia-3.0.0/debian/octavia-agent.install 2019-04-30 12:07:21.0 +0200 @@ -0,0 +1,2 @@ +debian/octavia-agent-ramfs-start /sbin +debian/octavia-agent-ramfs-stop/sbin diff -Nru octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in --- octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in2019-01-21 17:28:54.0 +0100 +++ octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in2019-04-30 12:07:21.0 +0200 @@ -17,3 +17,5 @@ NAME=${PROJECT_NAME}-agent SYSTEM_USER=root SYSTEM_GROUP=root +CONFIG_FILE=/etc/octavia/amphora-agent.conf +DAEMON=/usr/bin/amphora-agent diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-start octavia-3.0.0/debian/octavia-agent-ramfs-start --- octavia-3.0.0/debian/octavia-agent-ramfs-start 1970-01-01 01:00:00.0 +0100 +++ octavia-3.0.0/debian/octavia-agent-ramfs-start 2019-04-30 12:07:21.0 +0200 
@@ -0,0 +1,17 @@ +#!/bin/sh + +set -e + +modprobe brd rd_size=1024000 max_part=2 rd_nr=1 +passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1) +certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print $3}') +if [ -z "${certs_path}" ] ; then + certs_path=/var/lib/octavia/certs +fi +mkdir -p "${certs_path}" +chown octavia:octavia ${certs_path} +echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 - +echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs - +mkfs.ext2 /dev/mapper/certfs-ramfs +mount /dev/mapper/certfs-ramfs ${certs_path} +chown octavia:octavia ${certs_path} diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-stop octavia-3.0.0/debian/octavia-agent-ramfs-stop --- octavia-3.0.0/debian/octavia-agent-ramfs-stop 1970-01-01 01:00:00.0 +0100 +++ octavia-3.0.0/debian/octavia-agent-ramfs-stop 2019-04-30 12:07:21.0 +0200 @@ -0,0 +1,7 @@ +#!/bin/sh + +set -e + +certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{printf $3}') +umount "${certs_path}" +cryptsetup luksClose /dev/mapper/certfs-ramfs diff -Nru octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch --- octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch 1970-01-01 01:00:00.0 +0100 +++ octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch 2019-04-30 12:07:21.0 +0200 @@ -0,0 +1,73 @@ +Description: [PATCH] Fix urgent amphora
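Review bot: the new `octavia (3.0.0-3+deb10u1)` changelog entry is stamped `Tue, 30 Apr 2019`, which predates the bug it closes (#941897 is a neighbour of this report, #941901, filed 2019-10-07), so refresh the timestamp (for example with `dch -r`) before upload so the changelog date reflects when the CVE-2019-17134 fix actually entered buster. The two continuation lines under the CVE bullet (`+Applied upstream patch (Closes: #941897):` and `+- Add CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch.`) also appear without the indentation the other bullets use; if that is not an extraction artefact, indent them so the entry reads as one bullet.

Review bot: in the `debian/octavia-agent.install` hunk the second line reads `+debian/octavia-agent-ramfs-stop/sbin` with no whitespace between source and destination, unlike `+debian/octavia-agent-ramfs-start /sbin`; if that is not an extraction artefact, dh_install will look for a file literally named `debian/octavia-agent-ramfs-stop/sbin` and either fail the build or silently drop the stop script, so add the separator.

Review bot: the init script hunk only adds `CONFIG_FILE` and `DAEMON`; nothing in the visible diff wires `octavia-agent-ramfs-start` and `octavia-agent-ramfs-stop` into the agent's startup and shutdown (no hook in the init script, no systemd unit ordering). Unless that is done elsewhere, the LUKS-backed ramdisk is never mounted before `amphora-agent` starts, and the amphora's certificates and private keys end up on the plain disk, which defeats the point of shipping the two scripts. Either run the start script before the daemon and the stop script after it exits in the init script, or add a oneshot unit with `RemainAfterExit=yes` that the agent service `Requires=` and is ordered `After=`.

Review bot: the ramfs-start script locates the certificate directory with `grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print $3}'`, which matches commented-out `#base_cert_dir = ...` lines and any other key containing that substring, prints several lines when there is more than one match, and prints nothing for the equally valid `base_cert_dir=/path` spelling (no spaces around `=`); in that last case the script silently falls back to `/var/lib/octavia/certs` while the agent keeps using its configured directory, so the encrypted ramfs is mounted in the wrong place and the certificates land on plain disk. Parse the key properly, for example `awk -F= '/^[ \t]*base_cert_dir[ \t]*=/ {gsub(/[ \t]/, "", $2); print $2; exit}' /etc/octavia/amphora-agent.conf`, and keep the fallback in sync with the agent's own default rather than hard-coding it here. Smaller points: `chown octavia:octavia ${certs_path}` and `mount ... ${certs_path}` are unquoted while `mkdir -p "${certs_path}"` is quoted, the first `chown` is shadowed by the `mount` that follows it, and the directory that will hold private keys is only chowned, never restricted with `chmod 0700`.

Review bot: the ramfs-stop script has no fallback for an unset `base_cert_dir`, unlike the start script which defaults to `/var/lib/octavia/certs`: with the key absent `certs_path` is empty, `umount ""` fails, and because of `set -e` the `cryptsetup luksClose /dev/mapper/certfs-ramfs` line never runs, leaving the mapping open. Mirror the start script's lookup and default (ideally by sharing one helper), and use `print $3` rather than `printf $3`, which treats the path as a printf format string.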