Re: [foreman-dev] Redmine running slowly

2017-10-10 Thread Greg Sutcliffe
On Tue, 2017-10-10 at 10:50 -0400, Andrew Kofink wrote:
> Me as well. It's quite difficult to work this way.

Yeah, I know :(

Openshift aren't saying much other than that this is mainly due to the
number of people that decided to upgrade to Silver Tier to avoid the
sunset of v2. That's putting a lot of load on the v2 cluster, which
obviously is hitting us. 

As Ewoud said, we've made a change today in how we process the
underlying cron jobs that should reduce the amount of IO we were doing
- if there's any kind of quota-ing going on, that should help. We're
seeing that bring the time taken to run the cron down to about 10mins
(starting at the top of the hour). That should improve things during
that period. Sadly I did make a mistake during a manual part of the
changes that impacted the DB, but that should be resolved now.

Base load now seems to be down to around 7-9 which is better but still
too high. Sadly the v3 resources are unlikely to be available before
November, which is a limiter. If things are not better in the next day
or two, then on Thu or Fri I may migrate it to our Scaleway account
anyway, as we have capacity there, although I'd rather not migrate
twice...

Greg

-- 
You received this message because you are subscribed to the Google Groups 
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [foreman-dev] Redmine running slowly

2017-10-10 Thread Ewoud Kohl van Wijngaarden
We deployed a new version but that took longer than expected. Now we use 
bare git clones rather than doing full checkouts. This should save a lot 
of IO which is generally a limiting factor. Hopefully this helps enough 
until we can migrate to the new platform.


https://github.com/theforeman/redmine/commit/cb4ccf049e0c892fcbba98861c904492e9833a67

On Tue, Oct 10, 2017 at 10:50:24AM -0400, Andrew Kofink wrote:
> Me as well. It's quite difficult to work this way.
>
> On Tue, Oct 10, 2017 at 10:40 AM, Dirk Götz wrote:
>
> > Now Redmine seems to be down completely. Only getting 404 or 502 errors
> > for the last half hour.




Re: [foreman-dev] Adding npm dependencies to foreman plugins (katello)

2017-10-10 Thread Ondrej Prazak
Hi,
I have put together [1], which could be a way.

O.

[1] https://github.com/theforeman/foreman/pull/4888


On Tue, Oct 10, 2017 at 5:09 PM,  wrote:

> Hey everyone!
>
> We're ready to begin adding React pages to Katello. One of the challenges
> we face is adding the dependencies listed in Katello's package.json into
> the Foreman webpack build. We're experimenting with having Webpack look for
> a package.json in the registered plugins or possibly copying the
> node_modules folder from the plugin to be made available during the build.
>
> I'd love to hear some feedback or ideas on how to make this happen. Thanks!
>



[foreman-dev] Adding npm dependencies to foreman plugins (katello)

2017-10-10 Thread dseethal
Hey everyone!

We're ready to begin adding React pages to Katello. One of the challenges 
we face is adding the dependencies listed in Katello's package.json into 
the Foreman webpack build. We're experimenting with having Webpack look for 
a package.json in the registered plugins or possibly copying the 
node_modules folder from the plugin to be made available during the build.

I'd love to hear some feedback or ideas on how to make this happen. Thanks!



Re: [foreman-dev] Redmine running slowly

2017-10-10 Thread Andrew Kofink
Me as well. It's quite difficult to work this way.

On Tue, Oct 10, 2017 at 10:40 AM, Dirk Götz  wrote:

> Now Redmine seems to be down completely. Only getting 404 or 502 errors
> for the last half hour.
>
> Regards,
>  Dirk
>



-- 
Andrew Kofink
akof...@redhat.com
IRC: akofink
Associate Software Engineer
Red Hat Satellite



Re: [foreman-dev] Redmine running slowly

2017-10-10 Thread Dirk Götz
Now Redmine seems to be down completely. Only getting 404 or 502 errors
for the last half hour.

Regards,
 Dirk



Re: [foreman-dev] Proposed drop of supporting ruby 2.0 in hammer

2017-10-10 Thread Andrew Kofink
+1 out with the old

On Tue, Oct 10, 2017 at 8:00 AM, Michael Moll  wrote:

> On Tue, Oct 10, 2017 at 01:45:42PM +0200, Ewoud Kohl van Wijngaarden wrote:
> > On Tue, Oct 10, 2017 at 01:21:36PM +0200, Tomas Strachota wrote:
> > >we recently encountered a compatibility issue with an older version of
> > >Clamp that we use on ruby 2.0 installations. Latest Clamp releases
> > >require ruby 2.1+. See [1] for some more details.
> > >
> > >The easiest solution seems to be dropping ruby 2.0 support, which was
> > >eol 2016-02-24 anyway. We use scl with ruby 2.2 on rpm based distros,
> > >so we should be safe there.
> > Support for Trusty has been dropped in 1.16 and 1.17 will drop Jessie.
> > Focussing on 2.1+ or 2.2+ should be no problem.
>
> exactly.
> --
> Michael Moll
>



-- 
Andrew Kofink
akof...@redhat.com
IRC: akofink
Associate Software Engineer
Red Hat Satellite



Re: [foreman-dev] Proposed drop of supporting ruby 2.0 in hammer

2017-10-10 Thread Michael Moll
On Tue, Oct 10, 2017 at 01:45:42PM +0200, Ewoud Kohl van Wijngaarden wrote:
> On Tue, Oct 10, 2017 at 01:21:36PM +0200, Tomas Strachota wrote:
> > >we recently encountered a compatibility issue with an older version of
> >Clamp that we use on ruby 2.0 installations. Latest Clamp releases
> >require ruby 2.1+. See [1] for some more details.
> >
> >The easiest solution seems to be dropping ruby 2.0 support, which was
> >eol 2016-02-24 anyway. We use scl with ruby 2.2 on rpm based distros,
> >so we should be safe there.
> Support for Trusty has been dropped in 1.16 and 1.17 will drop Jessie.
> Focussing on 2.1+ or 2.2+ should be no problem.

exactly.
-- 
Michael Moll



Re: [foreman-dev] Proposed drop of supporting ruby 2.0 in hammer

2017-10-10 Thread Ewoud Kohl van Wijngaarden
On Tue, Oct 10, 2017 at 01:21:36PM +0200, Tomas Strachota wrote:
> Hi all,
> we recently encountered a compatibility issue with an older version of
> Clamp that we use on ruby 2.0 installations. Latest Clamp releases
> require ruby 2.1+. See [1] for some more details.
>
> The easiest solution seems to be dropping ruby 2.0 support, which was
> EOL 2016-02-24 anyway. We use SCL with ruby 2.2 on RPM-based distros,
> so we should be safe there.
>
> The question is how big a deal it would be for Debian-based distros. I
> checked ruby versions on what we currently support:
> - Debian Jessie - ruby 2.1 (https://packages.debian.org/jessie/ruby)
> - Debian Stretch - ruby 2.3 (https://packages.debian.org/stretch/ruby)
> - Ubuntu Trusty - ruby 1.9 (https://packages.ubuntu.com/trusty/ruby)
>   but we depend on a package ruby2.0
> - Ubuntu Xenial - ruby 2.3 (https://packages.ubuntu.com/xenial/ruby)
>
> So the only issue seems to be with Trusty, where we could bump the
> dependency to ruby2.3.
>
> What do you think, are there any objections against dropping it?

Support for Trusty has been dropped in 1.16 and 1.17 will drop Jessie.
Focussing on 2.1+ or 2.2+ should be no problem.




[foreman-dev] Foreman develop brakeman report

2017-10-10 Thread Lukas Zapletal
Hello,

I performed a security audit with the brakeman gem and reviewed all the
warnings it found. None of these looks like an exploitable security issue
to me, so I am sending the report here for further analysis.

The first two warnings really smell though, therefore I created a refactor
ticket: we should get rid of this style in the future:

http://projects.theforeman.org/issues/21267

Full report follows:

== Brakeman Report ==

Application Path: /home/lzap/work/foreman
Rails Version: 4.2.9
Brakeman Version: 4.0.1
Scan Date: 2017-10-10 13:29:23 +0200
Duration: 24.950139702 seconds
Checks Run: BasicAuth, BasicAuthTimingAttack, ContentTag, CreateWith,
CrossSiteScripting, DefaultRoutes, Deserialize, DetailedExceptions,
DigestDoS, DynamicFinders, EscapeFunction, Evaluation, Execute,
FileAccess, FileDisclosure, FilterSkipping, ForgerySetting, HeaderDoS,
I18nXSS, JRubyXML, JSONEncoding, JSONParsing, LinkTo, LinkToHref,
MailTo, MassAssignment, MimeTypeDoS, ModelAttrAccessible,
ModelAttributes, ModelSerialize, NestedAttributes,
NestedAttributesBypass, NumberToCurrency, QuoteTableName, Redirect,
RegexDoS, Render, RenderDoS, RenderInline, ResponseSplitting,
RouteDoS, SQL, SQLCVEs, SSLVerify, SafeBufferManipulation,
SanitizeMethods, SelectTag, SelectVulnerability, Send, SendFile,
SessionManipulation, SessionSettings, SimpleFormat, SingleQuotes,
SkipBeforeFilter, StripTags, SymbolDoSCVE, TranslateBug,
UnsafeReflection, ValidationRegex, WithoutProtection, XMLDoS,
YAMLParsing

== Overview ==

Controllers: 145
Models: 132
Templates: 492
Errors: 0
Security Warnings: 39

== Warning Types ==

Cross-Site Request Forgery: 2
Cross-Site Scripting: 2
Dangerous Send: 2
Dynamic Render Path: 3
File Access: 2
Mass Assignment: 1
Redirect: 1
Remote Code Execution: 4
SQL Injection: 21
SSL Verification Bypass: 1

== Warnings ==

Confidence: High
Category: Dangerous Send
Check: Send
Message: User controlled method execution
Code: host.power.send(params[:power][:action].to_sym)
File: app/controllers/hosts_controller.rb
Line: 475

Confidence: High
Category: Dangerous Send
Check: Send
Message: User controlled method execution
Code: (resource_base.friendly.find(params[:id]) or
resource_base.find_by_mac(params[:host][:mac].to_s)).power.send(params[:power_action].to_sym)
File: app/controllers/hosts_controller.rb
Line: 266

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:host].delete(:type).constantize
File: app/controllers/hosts_controller.rb
Line: 709

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:host].delete(:type).constantize
File: app/controllers/hosts_controller.rb
Line: 710

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:type].constantize
File: app/controllers/api/v2/hosts_controller.rb
Line: 378

Confidence: High
Category: Remote Code Execution
Check: UnsafeReflection
Message: Unsafe reflection method constantize called with parameter value
Code: params[:type].constantize
File: app/controllers/api/v2/hosts_controller.rb
Line: 380

Confidence: High
Category: SSL Verification Bypass
Check: SSLVerify
Message: SSL certificate verification was bypassed
Code: Net::HTTP.new(URI.parse(url).host,
URI.parse(url).port).verify_mode = OpenSSL::SSL::VERIFY_NONE
File: app/models/compute_resources/foreman/model/ovirt.rb
Line: 382

Confidence: Medium
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: protect_from_forgery should be configured with 'with: :exception'
File: app/controllers/api/base_controller.rb

Confidence: Medium
Category: Cross-Site Request Forgery
Check: ForgerySetting
Message: protect_from_forgery should be configured with 'with: :exception'
File: app/controllers/application_controller.rb

Confidence: Medium
Category: File Access
Check: FileAccess
Message: Model attribute used in file name
Code: File.read(Setting[:ssl_priv_key])
File: lib/proxy_api/resource.rb
Line: 111

Confidence: Medium
Category: File Access
Check: FileAccess
Message: Model attribute used in file name
Code: File.read(Setting[:ssl_certificate])
File: lib/proxy_api/resource.rb
Line: 110

Confidence: Medium
Category: Mass Assignment
Check: MassAssignment
Message: Parameters should be whitelisted for mass assignment
Code: params[:vm].permit!
File: app/controllers/compute_resources_vms_controller.rb
Line: 39

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: Host::Managed.reorder("").unscoped.authorized.group("#{resource_name}_id")
File: app/helpers/application_helper.rb
Line: 508

Confidence: Medium
Category: SQL Injection
Check: SQL
Message: Possible SQL injection
Code: User.current.widgets.where("id = #{id}")
File: app/controllers/dashboard_controller.rb
Line: 59

Confidence: Medium
Catego
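
The six High-confidence warnings at the top of the report (Dangerous Send and
UnsafeReflection) flag one pattern: a request parameter picks the method or
the constant that gets invoked. The block below is an added example, not
Foreman's code and not part of the report above. It shows that pattern in
stand-in classes (Power, ManagedHost, BareMetalHost and the "Host::BareMetal"
key are constructed for this example) beside the allowlisted form that
Brakeman does not warn on. ActiveSupport's constantize is replaced by its
plain-Ruby equivalent Object.const_get so the block runs without Rails.
Whether Foreman's own callers already constrain those parameters upstream is
what the refactor ticket is for; the example only shows the two shapes.

```ruby
# Added example (not Foreman's code): the pattern behind Brakeman's
# "Dangerous Send" and "Unsafe reflection" warnings, next to an allowlisted
# form. All classes here are constructed stand-ins, not Foreman classes.

# A toy power interface with a few legitimate actions and one method that
# must never be reachable from a request parameter.
class Power
  attr_reader :state

  def initialize
    @state = :off
  end

  def start;  @state = :on;  :started;  end
  def stop;   @state = :off; :stopped;  end
  def reboot; @state = :on;  :rebooted; end

  # Not a power action. A raw `send` will invoke it by name anyway.
  def wipe_disk; :wiped; end
end

# "Dangerous Send": whatever method name arrives in the request is invoked,
# including private methods, because `send` ignores visibility.
def power_action_unsafe(power, action_param)
  power.send(action_param.to_sym)
end

# Allowlisted form: compare the request string against a fixed list first,
# then dispatch with `public_send` so private methods stay unreachable.
POWER_ACTIONS = %w[start stop reboot].freeze

def power_action_safe(power, action_param)
  action = action_param.to_s
  unless POWER_ACTIONS.include?(action)
    raise ArgumentError, "unsupported power action: #{action.inspect}"
  end
  power.public_send(action)
end

# "Unsafe reflection": Object.const_get stands in for String#constantize.
# Any loadable constant named in the request resolves, not just host types.
class ManagedHost; end
class BareMetalHost; end

def host_class_unsafe(type_param)
  Object.const_get(type_param.to_s)
end

# Allowlisted form: a fixed table from accepted strings to the classes they
# denote; anything else is rejected before any constant lookup happens.
HOST_TYPES = {
  "Host::Managed"   => ManagedHost,   # real Foreman name, stand-in class
  "Host::BareMetal" => BareMetalHost, # constructed for this example
}.freeze

def host_class_safe(type_param)
  HOST_TYPES.fetch(type_param.to_s) do
    raise ArgumentError, "unknown host type: #{type_param.inspect}"
  end
end
```

The allowlist is what makes the warning go away for the right reason: Brakeman
stops reporting the call because the argument is no longer a parameter, and
the code stops being reachable by any name a client chooses to send.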

[foreman-dev] Proposed drop of supporting ruby 2.0 in hammer

2017-10-10 Thread Tomas Strachota
Hi all,
we recently encountered a compatibility issue with an older version of
Clamp that we use on ruby 2.0 installations. Latest Clamp releases
require ruby 2.1+. See [1] for some more details.

The easiest solution seems to be dropping ruby 2.0 support, which was
EOL 2016-02-24 anyway. We use SCL with ruby 2.2 on RPM-based distros,
so we should be safe there.

The question is how big a deal it would be for Debian-based distros. I
checked ruby versions on what we currently support:
- Debian Jessie - ruby 2.1 (https://packages.debian.org/jessie/ruby)
- Debian Stretch - ruby 2.3 (https://packages.debian.org/stretch/ruby)
- Ubuntu Trusty - ruby 1.9 (https://packages.ubuntu.com/trusty/ruby)
  but we depend on a package ruby2.0
- Ubuntu Xenial - ruby 2.3 (https://packages.ubuntu.com/xenial/ruby)

So the only issue seems to be with Trusty, where we could bump the
dependency to ruby2.3.

What do you think, are there any objections against dropping it?

T.


[1] https://github.com/theforeman/hammer-cli/pull/251
