[Pulp-list] Criteria search consumers

2016-04-25 Thread Roth, Sandro
Hi guys

I'm testing out the consumer and wondering about group bindings and memberships.

I have registered some consumers and now would like to add them to a group 
based on their notes.
One of them has the following notes

Notes:
  Os: 7
  Vm: true

I'm able to search based on "top level" fields like id but how do I search for 
these notes?

Things I've tried

pulp-admin consumer search --str-eq vm=true
pulp-admin consumer search --int-eq os=7
pulp-admin consumer search --match notes,vm=true


Any help would be appreciated :)

How are you handling group membership and bindings?
Is there a way to automatically join a group on registration and based on the 
group get bindings?


Thanks
Sandro



___
Pulp-list mailing list
Pulp-list@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list


Re: [Pulp-list] Pulp 2.8.3 Beta 1 released - Security & Bug fixes

2016-04-25 Thread Sean Myers
On 04/25/2016 04:39 AM, Sean Myers wrote:
> The following Security issues were addressed in this release:
> 
> CVE-2016-3111 (Low Impact):
> pulp.spec generates its RSA keys for message signing insecurely
> https://pulp.plan.io/issues/1837
> 
> CVE-2016-3112 (Moderate Impact):
> Pulp consumer private keys are world-readable
> https://pulp.plan.io/issues/1834
> 
> CVE-2016-3107 (Moderate Impact):
> Node certificate containing private key stored in world-readable file
> https://pulp.plan.io/issues/1833
> 
> CVE-2016-3108 (Moderate Impact):
> Insecure temporary file used when generating certificate for Pulp Nodes
> https://pulp.plan.io/issues/1830
> 
> CVE-2016-3106 (Low Impact):
> Insecure creation of temporary directory when generating new CA key
> https://pulp.plan.io/issues/1827
> 
> Details on addressing these vulnerabilities will be released in a
> followup email later today, and included in subsequent release
> announcements for 2.8.3 (apologies for not being able to include
> them in this post).

CVE-2013-7450 (https://bugzilla.redhat.com/show_bug.cgi?id=1003326)
-------------------------------------------------------------------

Additionally, CVE-2013-7450 was announced during this release cycle, even 
though it was fixed in Pulp 2.3.0. Users who have upgraded from Pulp < 2.3.0 
may still be vulnerable; action may be required (see below).

Upgrade instructions


Some of the CVEs require user interaction to remedy. Begin by upgrading to 
Pulp 2.8.3:

$ sudo systemctl stop httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd
$ sudo yum upgrade
$ sudo systemctl start httpd pulp_workers pulp_resource_manager pulp_celerybeat goferd

CVE-2016-3112 (Part I)
----------------------

The client certificate for consumers 
(/etc/pki/pulp/consumer/consumer-cert.pem) was installed world-readable. This 
issue has been fixed for new certificates issued to consumers, but upgrading 
to 2.8.3 does not modify the permissions of old certificates. It is 
recommended that users regenerate the certificates by unregistering and 
re-registering all consumers. However, the consumers cannot be re-registered 
until CVE-2013-7450, CVE-2016-3095, CVE-2016-3106, and CVE-2016-3111 have 
been addressed below. Thus, start by unregistering each of your consumers (we 
will return to this CVE later to re-register them):

$ sudo pulp-consumer unregister

CVE-2013-7450, CVE-2016-3095, and CVE-2016-3106
-----------------------------------------------

There are two reasons that you may wish to regenerate Pulp's internal 
certificate authority key and certificate. First, if your Pulp installation 
started off as a version lower than 2.3.0 and you are still using the default 
CA certificate and key that was distributed with those versions of Pulp, then 
you are still vulnerable to CVE-2013-7450 and it is crucial that you generate 
a new unique CA. 

Additionally, CVE-2016-3095 and CVE-2016-3106 made it possible for local 
attackers to read the CA key during generation (which happens during the 
initial installation of Pulp or any time an admin ran 
pulp-gen-ca-certificate). If you are concerned that a local user may have 
read that CA key during the brief window that it was visible, it is 
recommended that you regenerate the key and cert.

To regenerate the certificate, you should remove the old one and then you may 
use the provided utility:

# First remove the old files so that the new files get the correct SELinux context.

$ sudo rm /etc/pki/pulp/ca.*
$ sudo pulp-gen-ca-certificate

If you choose not to perform the CA regeneration, you may wish to apply the 
correct SELinux type to your existing CA files as versions of Pulp < 2.8.3 
generated this file with an incorrect SELinux type. You don't need to do this 
if you removed the old file and regenerated it with pulp-gen-ca-certificate. 
You can run restorecon recursively on the /etc/pki/pulp folder to fix the 
SELinux label on your existing CA certificate:

# You only need to do this if you didn't regenerate the CA above.
$ sudo restorecon -R /etc/pki/pulp

CVE-2016-3107 and CVE-2016-3108
-------------------------------

For Nodes users, the /etc/pki/pulp/nodes/node.crt file was installed 
world-readable. Users are recommended to remove this file and regenerate it 
by running pulp-gen-nodes-certificate:

# It is important to remove the file so that the new file has the correct permissions.
$ sudo rm /etc/pki/pulp/nodes/node.crt
$ sudo pulp-gen-nodes-certificate

CVE-2016-3111
-------------

Both the RSA key pair for the Pulp server and the RSA key pair for each Pulp 
consumer were generated during installation in an insecure directory. This 
vulnerability allowed a local attacker to read the private key portion of the 
key pair. These keys are used for message authentication between the Pulp 
server and the Pulp consumers. If you are concerned that a local attacker was 
able to read these keys, you can regenerate them. We do not ship a script to 
perform this, but the process is straight-forward. For the Pulp
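
The world-readable files described under CVE-2016-3112 and CVE-2016-3107 can be checked for before and after the regeneration steps. The script below is an added example, not part of the original announcement or of Pulp; the paths are the ones named in the email, while the function names, the script file name and the optional prefix argument are assumptions.

```shell
#!/bin/sh
# Added example: report world-readable files that hold a PEM private key.
# Paths are the ones named in the announcement; the optional prefix argument
# is an assumption so the check can run against a copied or test tree.

# True if "other" has the read bit on $1 (POSIX find, no GNU stat needed).
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -0004 -print 2>/dev/null)" ]
}

# True if $1 contains a PEM private key header (run as root to read 0600 files).
has_private_key() {
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# Print "EXPOSED <path>" per affected file; return 1 if any was found.
audit_pulp_pki() {
    prefix="${1:-}"
    found=0
    for f in "$prefix"/etc/pki/pulp/consumer/consumer-cert.pem \
             "$prefix"/etc/pki/pulp/nodes/node.crt \
             "$prefix"/etc/pki/pulp/ca.*; do
        [ -f "$f" ] || continue            # absent file or unmatched glob
        is_world_readable "$f" || continue # mode already restricts "other"
        has_private_key "$f" || continue   # public certificate only
        echo "EXPOSED $f"
        found=1
    done
    return "$found"
}

# Usage (hypothetical file name): sudo sh audit-pulp-pki.sh --run [prefix]
if [ "${1:-}" = "--run" ]; then
    audit_pulp_pki "${2:-}"
fi
```

An `EXPOSED` line means the file still carries the old permissions; the announcement's remedy is to remove and regenerate it, since tightening the mode does not help if the key was already read.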

[Pulp-list] Pulp 2.8.3 Beta 1 released - Security & Bug fixes

2016-04-25 Thread Sean Myers
Pulp, along with the Puppet (pulp_puppet) and RPM (pulp_rpm) plugins,
have been updated to 2.8.3. This release also includes betas for OSTree
plugin (pulp_ostree) version 1.1.1 and the Docker plugin (pulp_docker)
version 2.0.1.

The following Security issues were addressed in this release:

CVE-2016-3111 (Low Impact):
pulp.spec generates its RSA keys for message signing insecurely
https://pulp.plan.io/issues/1837

CVE-2016-3112 (Moderate Impact):
Pulp consumer private keys are world-readable
https://pulp.plan.io/issues/1834

CVE-2016-3107 (Moderate Impact):
Node certificate containing private key stored in world-readable file
https://pulp.plan.io/issues/1833

CVE-2016-3108 (Moderate Impact):
Insecure temporary file used when generating certificate for Pulp Nodes
https://pulp.plan.io/issues/1830

CVE-2016-3106 (Low Impact):
Insecure creation of temporary directory when generating new CA key
https://pulp.plan.io/issues/1827

Details on addressing these vulnerabilities will be released in a
followup email later today, and included in subsequent release
announcements for 2.8.3 (apologies for not being able to include
them in this post).

Bugs fixed in this release:

  OSTree Support
    1106  relative_path should be checked for url collision
  Pulp
    1837  CVE-2016-3111: pulp.spec generates its RSA keys for message signing insecurely
    1834  CVE-2016-3112: Pulp consumer private keys are world-readable
    1833  CVE-2016-3107: Node certificate containing private key stored in world-readable file
    1830  CVE-2016-3108: Insecure temporary file used when generating certificate for Pulp Nodes
    1827  CVE-2016-3106: Insecure creation of temporary directory when generating new CA key
    1824  iso repo publish fails for file in subdirectories
    1809  python 2.6 incompatibility during set_importer
    1802  Pulp 2.8 client no longer supports sha1 RPM checksum type
    1801  Pulp celery_beat and resource_manager are running, but logs say they are not running
    1794  A Pulp unit test is failing to find a certificate to be valid
    1791  After upgrading from 2.7.1 to pulp 2.8.0 getting 403 error's on all my Pulp repo's.
    1784  regression: "pulp-admin rpm repo search" with filters does not work as expected
    1771  requests or urllib3 can't read a file which causes Nectar to fail mysteriously
    1764  SELinux denial on Celery attempting to read resolv.conf
    1601  Migrate /var/lib/pulp/content to new 2.8 storage paths.
    1576  content type mongo id searches not working
  Puppet Support
    1780  PLP: Update failed (The dotted field 'thomasmckay-rsync-0.4.1-thomasmckay'
  Python Support
    1855  Upload broken
  RPM Support
    1856  publishing kickstart repo fails on EL6
    1843  Pulp publishes invalid PULP_DISTRIBUTION.xml metadata
    1835  export fails when units are not downloaded
    1828  pulp doesn't sync reference title correctly from errata
    1813  Handle duplicate key error in comps.xml upload
    1812  Comps.xml upload succeeds but units are not associated to the repo.
    1808  exporting a sufficiently large repo with 'on_demand' policy results in BSON error
    1792  recursive and depsolving unit copy results in PulpExecutionException
    1782  None in generated XML for unit with no 'reboot_suggested'
    1778  Switching a repository to immediate from on_demand doesn't download its packages
    1768  Unable to sync RHEL 5 repositories with a distribution

View the full issue list in redmine here:
http://bit.ly/1Tsld0E


