[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
AFAICS ceph-iscsi still needs tcmu, which is ready except waiting for
https://github.com/open-iscsi/tcmu-runner/issues/582
AFAICS no one has continued on that yet, I'm updating the case to better reflect that.
James please re-assign as-needed to get these steps done.

** Changed in: tcmu (Ubuntu)
       Status: In Progress => Incomplete

** Changed in: tcmu (Ubuntu)
     Assignee: (unassigned) => James Page (james-page)

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854362

Title:
  [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ceph-iscsi/+bug/1854362/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I've added the bug subscription for ceph-iscsi.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
This was kind of forgotten, James/Chris, don't you need that anymore?
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
This was an ack and thereby ceph-iscsi is ready as well

** Changed in: ceph-iscsi (Ubuntu)
       Status: Confirmed => In Progress
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Please make the change that pulls in ceph-iscsi and ensure you are subscribed to the package to "own" it as the archive admins will rightfully insist on that before promotion :-)

@Jamespage - I think this is up to you to push now right?
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I reviewed ceph-iscsi 3.4-0ubuntu2 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

ceph-iscsi is a set of tools for managing LIO gateways for Ceph. It consists of 2 services providing REST APIs - one for obtaining gateway node statistics and another for providing the gateway API, restoring gateway state and keeping gateway nodes in sync. Under the hood, it uses rtslib for configuring the gateway via the LIO interfaces, and Ceph backstores are implemented in userspace (in tcmu). A command line tool is provided for managing the gateway nodes, which communicates with the gateway node's API.

- No CVE history.
- All build-depends in main except for: python3-configshell-fb, python3-mock, python3-pytest, python3-rtslib-fb. Only python3-configshell-fb and python3-rtslib-fb are required at runtime (this MIR).
- Depends on python3-openssl (crypto), python3-requests (HTTP) and python-flask (werkzeug based web framework).
- Maintainer scripts just contain some debhelper snippets from dh_python3, dh_installinit and dh_installsystemd.
- Provides 2 services:
  - rbd-target-gw:
    - This is a simple flask app that provides a REST API with 2 endpoints on port 9287 (configurable) to obtain gateway statistics.
    - The /metrics endpoint just provides a formatted summary of a bunch of properties from configfs (via rtslib).
  - rbd-target-api:
    - This is a flask app that provides a REST API on port 5000 (configurable) for configuring the gateways and restoring their state.
    - Some of the API is used by gwcli, and some of it is considered "internal" for the purposes of synchronizing configuration on gateway nodes.
  - Both services run as root.
  - The APIs are publicly available by default, although this is configurable.
  - The APIs are exported using HTTP by default. They can be configured to use HTTPS.
- Contains 2 systemd units for starting the 2 REST services as part of multi-user.target. Both run as root, but do specify the PrivateDevices=yes, ProtectHome=true, ProtectSystem=full, PrivateTmp=true options.
- No D-Bus services.
- No setuid binaries.
- 3 binaries in PATH: the 2 services (rbd-target-api, rbd-target-gw) and a CLI tool (gwcli) for managing the Ceph iSCSI gateway.
- No sudo fragments.
- No policykit.
- No udev rules.
- Some limited unit tests that test a few classes in the ceph_iscsi_config python package. These run as part of the build and all pass. No autopkgtests.
- No cronjobs.
- Build logs are clean - just some deprecation warnings that seem to come from pyudev. Only lintian warnings are a couple of binary-without-manpage warnings for the 2 services.
- Spawns subprocesses using subprocess.check_output.
  - gwcli uses the default shell=False
  - rbd-target-api uses shell=True, but doesn't seem to be using it with arguments from untrusted sources.
  - There is a subprocess.check_output helper in ceph_iscsi_config/utils.py (shellcommand) that appears to be unused.
- Opens files for reading in a few places using a mixture of hard-coded paths and paths specified in the config file (/etc/ceph/iscsi-gateway.cfg).
  - One API endpoint (/api/_targetinfo/), opens a file in configfs for reading and returns the contents using a path derived from the received target IQN. There is a check that the IQN corresponds to target in the gateway configuration though.
  - It's not reading from untrusted files (just /etc and configfs).
- No files opened for writing.
- Plenty of logging using python's logging module. Services log to syslog at level logging.INFO and a rotating file handler in /var/log at a custom level (configured in /etc/ceph/iscsi-gateway.cfg) which defaults to logging.DEBUG.
  - The default log level for gwcli seems to be logging.DEBUG, and it appears to log to ~/gwcli.log by default. I'm suspicious that it is logging passwords in a couple of places (gwcli/client.py:Client.set_auth and gwcli/gateway.py:Target.ui_command_auth).
- Only use of environment is by gwcli to read PATH in order to determine if the ceph binary exists.
- No evidence of privileged operations.
- Makes use of python-cryptography using the default backend (openssl?) for encrypting target passwords with RSA-OAEP using SHA-256 hashing (see class CHAP in ceph_iscsi_config/client.py).
- No tempfile usage.
- Uses python-flask for providing 2 REST APIs.
  - Internal exceptions are caught by flask and result in a generic 500 response without exposing debug information by default.
  - All APIs that accept arguments require authentication as the gateway API user.
  - No paths are provided as arguments, although arguments are used to derive configfs paths in some API endpoints.
    - ceph_iscsi_config/target.py:GWTarget._exists tests if a configfs path exists and derives the path from an argument that looks like it can be provided via the /api/_targetauth/ endpoint. This may be susceptible to
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Override component to main
urwid 2.1.0-4 in groovy: universe/python -> main
python-urwid-doc 2.1.0-4 in groovy amd64: universe/doc/optional/100% -> main
python-urwid-doc 2.1.0-4 in groovy arm64: universe/doc/optional/100% -> main
python-urwid-doc 2.1.0-4 in groovy armhf: universe/doc/optional/100% -> main
python-urwid-doc 2.1.0-4 in groovy i386: universe/doc/optional/100% -> main
python-urwid-doc 2.1.0-4 in groovy ppc64el: universe/doc/optional/100% -> main
python-urwid-doc 2.1.0-4 in groovy riscv64: universe/doc/optional/100% -> main
python-urwid-doc 2.1.0-4 in groovy s390x: universe/doc/optional/100% -> main
python3-urwid 2.1.0-4 in groovy amd64: universe/python/optional/100% -> main
python3-urwid 2.1.0-4 in groovy arm64: universe/python/optional/100% -> main
python3-urwid 2.1.0-4 in groovy armhf: universe/python/optional/100% -> main
python3-urwid 2.1.0-4 in groovy ppc64el: universe/python/optional/100% -> main
python3-urwid 2.1.0-4 in groovy riscv64: universe/python/optional/100% -> main
python3-urwid 2.1.0-4 in groovy s390x: universe/python/optional/100% -> main
14 publications overridden.

** Changed in: urwid (Ubuntu)
       Status: In Progress => Fix Released
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Override component to main
python-rtslib-fb 2.1.73-1ubuntu2 in groovy: universe/misc -> main
python3-rtslib-fb 2.1.73-1ubuntu2 in groovy amd64: universe/python/optional/100% -> main
python3-rtslib-fb 2.1.73-1ubuntu2 in groovy arm64: universe/python/optional/100% -> main
python3-rtslib-fb 2.1.73-1ubuntu2 in groovy armhf: universe/python/optional/100% -> main
python3-rtslib-fb 2.1.73-1ubuntu2 in groovy i386: universe/python/optional/100% -> main
python3-rtslib-fb 2.1.73-1ubuntu2 in groovy ppc64el: universe/python/optional/100% -> main
python3-rtslib-fb 2.1.73-1ubuntu2 in groovy riscv64: universe/python/optional/100% -> main
python3-rtslib-fb 2.1.73-1ubuntu2 in groovy s390x: universe/python/optional/100% -> main
8 publications overridden.

** Changed in: python-rtslib-fb (Ubuntu)
       Status: In Progress => Fix Released
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Override component to main
python-configshell-fb 1:1.1.28-1ubuntu1 in groovy: universe/misc -> main
python3-configshell-fb 1:1.1.28-1ubuntu1 in groovy amd64: universe/python/optional/100% -> main
python3-configshell-fb 1:1.1.28-1ubuntu1 in groovy arm64: universe/python/optional/100% -> main
python3-configshell-fb 1:1.1.28-1ubuntu1 in groovy armhf: universe/python/optional/100% -> main
python3-configshell-fb 1:1.1.28-1ubuntu1 in groovy i386: universe/python/optional/100% -> main
python3-configshell-fb 1:1.1.28-1ubuntu1 in groovy ppc64el: universe/python/optional/100% -> main
python3-configshell-fb 1:1.1.28-1ubuntu1 in groovy riscv64: universe/python/optional/100% -> main
python3-configshell-fb 1:1.1.28-1ubuntu1 in groovy s390x: universe/python/optional/100% -> main
8 publications overridden.

** Changed in: python-configshell-fb (Ubuntu)
       Status: In Progress => Fix Released
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Override component to main
targetcli-fb 1:2.1.53-1ubuntu1 in groovy: universe/misc -> main
targetcli-fb 1:2.1.53-1ubuntu1 in groovy amd64: universe/admin/optional/100% -> main
targetcli-fb 1:2.1.53-1ubuntu1 in groovy arm64: universe/admin/optional/100% -> main
targetcli-fb 1:2.1.53-1ubuntu1 in groovy armhf: universe/admin/optional/100% -> main
targetcli-fb 1:2.1.53-1ubuntu1 in groovy i386: universe/admin/optional/100% -> main
targetcli-fb 1:2.1.53-1ubuntu1 in groovy ppc64el: universe/admin/optional/100% -> main
targetcli-fb 1:2.1.53-1ubuntu1 in groovy riscv64: universe/admin/optional/100% -> main
targetcli-fb 1:2.1.53-1ubuntu1 in groovy s390x: universe/admin/optional/100% -> main
8 publications overridden.

** Changed in: targetcli-fb (Ubuntu)
       Status: In Progress => Fix Released
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
The expected four packages for use case II show up in component mismatches after the seed change:

python-configshell-fb: python3-configshell-fb
  MIR: #1854362 (In Progress)
  [Reverse-Depends: targetcli-fb (Uploader: rafaeldtinoco)]
python-rtslib-fb: python3-rtslib-fb
  MIR: #1854362 (In Progress)
  [Reverse-Depends: targetcli-fb (Uploader: rafaeldtinoco)]
targetcli-fb: targetcli-fb
  MIR: #1854362 (In Progress)
  [Reverse-Depends: Ubuntu.Groovy supported-misc-servers seed]
urwid: python-urwid-doc python3-urwid
  MIR: #1854362 (In Progress)
  [Reverse-Depends: Rescued from urwid (Uploader: doko), python3-configshell-fb]

@ubuntu-archive - please promote them.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Subscriptions are ok.
I have pinged the security Team on ceph-iscsi and Rafael agreed to make the seed change.

@rafael - as soon as the seed change is active and shows up in component mismatches please subscribe ubuntu-archive here to resolve.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
ceph-iscsi is still in security review, but other than that for use case II everything is indeed ready. I was updating the bug states.

That is the set of python-configshell-fb + python-rtslib-fb + targetcli-fb + tcmu + urwid

@Rafael - would you mind doing a seed change for these to happen?

P.S. I'll double check and ensure we are indeed subscribed to all packages ...
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
** Changed in: tcmu (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

** Changed in: tcmu (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: targetcli-fb (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: python-rtslib-fb (Ubuntu)
       Status: Confirmed => In Progress
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
CURRENT STATUS

Targets:

- I: ceph-iscsi
- II: targetcli-fb

Summary for the current state:

I: ceph-iscsi
  [.] MIR ack (if everything else is)

I/II: python-configshell-fb (linux-blocks-teams) - DONE
  [.] MIR ack
  [.] Security ack - needs DEP8 inclusion

  For Debian, Suggested:
  - https://salsa.debian.org/linux-blocks-team/python-configshell-fb/-/merge_requests/3/

  All MR got merged into debian/master (crazy) so I did 3 MRs again with same contents but mistake fixed. E-mailed debian maintainer to warn about the issue: gbp gives a merge URL with default debian/master for all git pushes you do.

  Whitelisted in git-ubuntu for importing

  Uploaded version 1:1.1.28-1ubuntu1 with same source code merged in Debian unstable. (did like if it was a syncpackage)

  DONE: 1:1.1.28-1ubuntu1 (groovy/universe)

II: targetcli-fb (linux-blocks-teams)
  [.] MIR ack - needs DEP8 and services/sockets fix
  [.] Security nack->ack - 2 upstream fixes done

  For Debian, Suggested:
  - https://salsa.debian.org/linux-blocks-team/targetcli-fb/-/merge_requests/8

  Here the same thing happened (about debian/master). I have also warned Debian maintainer about it and provided the correct MRs triple.

  Uploaded version 1:2.1.53-1ubuntu1 with same source code from Debian (did like if it was a sync, but warned some changes were dropped)

  DONE: 1:2.1.53-1ubuntu1 (groovy/universe)

I/II: python-rtslib-fb (openstack team)
  [.] MIR ack - needs packaging/lintian fixes
  [.] Security ack - upstream fix done

  - Upstream version v2.1.73 includes the security fix. Suggesting:
    https://salsa.debian.org/openstack-team/python/python-rtslib-fb/-/merge_requests/2
    https://salsa.debian.org/openstack-team/python/python-rtslib-fb/-/merge_requests/3
  - Might not need fix for LP: #1865037 (put a comment, waiting Debian)
  - Highlighted @jamespage in both MR in salsa (hopefully he can help)

  DEBIAN OPENSTACK TEAM: Will verify my MR after the next OS release

  DONE: 2.1.73-1ubuntu1 (groovy/universe)

I: tcmu
  [.] MIR ack
  [.] Security ack - but needs dbus fix

  I'm not taking action as we should wait for upstream to take action on:
  https://github.com/open-iscsi/tcmu-runner/issues/582

  CURRENT SYNC: 1.5.2-5build1 (groovy/universe)

I: urwid
  [.] MIR ack
  [.] Security: ack

FINAL STATUS: Ready for [main] inclusion.

** Changed in: python-configshell-fb (Ubuntu)
     Assignee: Rafael David Tinoco (rafaeldtinoco) => (unassigned)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
CURRENT STATUS

Targets:

- I: ceph-iscsi
- II: targetcli-fb

Summary for the current state:

I: ceph-iscsi
  [-] MIR ack (if everything else is)

I/II: python-configshell-fb (linux-blocks-teams) - DONE
  [.] MIR ack
  [.] Security ack - needs DEP8 inclusion

  For Debian, Suggested:
  - https://salsa.debian.org/linux-blocks-team/python-configshell-fb/-/merge_requests/3/

  All MR got merged into debian/master (crazy) so I did 3 MRs again with same contents but mistake fixed. E-mailed debian maintainer to warn about the issue: gbp gives a merge URL with default debian/master for all git pushes you do.

  Whitelisted in git-ubuntu for importing

  Uploaded version 1:1.1.28-1ubuntu1 with same source code merged in Debian unstable. (did like if it was a syncpackage)

  DONE: 1:1.1.28-1ubuntu1 (groovy/universe)

II: targetcli-fb (linux-blocks-teams)
  [.] MIR ack - needs DEP8 and services/sockets fix
  [.] Security nack->ack - 2 upstream fixes done

  For Debian, Suggested:
  - https://salsa.debian.org/linux-blocks-team/targetcli-fb/-/merge_requests/8

  Here the same thing happened (about debian/master). I have also warned Debian maintainer about it and provided the correct MRs triple.

  Uploaded version 1:2.1.53-1ubuntu1 with same source code from Debian (did like if it was a sync, but warned some changes were dropped)

  DONE: 1:2.1.53-1ubuntu1 (groovy/universe)

I/II: python-rtslib-fb (openstack team)
  [.] MIR ack - needs packaging/lintian fixes
  [.] Security ack - upstream fix done

  - Upstream version v2.1.73 includes the security fix. Suggesting:
    https://salsa.debian.org/openstack-team/python/python-rtslib-fb/-/merge_requests/2
    https://salsa.debian.org/openstack-team/python/python-rtslib-fb/-/merge_requests/3
  - Might not need fix for LP: #1865037 (put a comment, waiting Debian)
  - Highlighted @jamespage in both MR in salsa (hopefully he can help)

  DEBIAN OPENSTACK TEAM: Will verify my MR after the next OS release

  UBUNTU: working on it

I: tcmu
  [.] MIR ack
  [.] Security ack - but needs dbus fix

  I'm not taking action as we should wait for upstream to take action on:
  https://github.com/open-iscsi/tcmu-runner/issues/582

  CURRENT SYNC: 1.5.2-5build1 (groovy/universe)

I: urwid
  [.] MIR ack
  [.] Security: ack

FINAL STATUS: Missing python-rtslib-fb update in groovy only for everything to be cleared for MIR. (working on it)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
For the tcmu DBUS fix:

"""
- The dbus policy allows all users to call org.kernel.TCMUService1.HandlerManager1.RegisterHandler, which doesn't seem desirable. I don't think there is a direct security impact from this, as external handlers need to be privileged in order to own the type-specific well-known name on the system bus, and the call will return an error if called before that name is owned. But I think this should only be callable as the root user.
"""

I'm not taking action as we should wait for upstream to take action on:

https://github.com/open-iscsi/tcmu-runner/issues/582

and, if there isn't a direct security impact I think it would be ok for the MIR to continue despite this change.

With that in mind:

I: tcmu
  [.] MIR ack
  [.] Security ack - dbus fix orthogonal (upstream bug)
  - https://github.com/open-iscsi/tcmu-runner/issues/582

There is nothing else to be done here but to wait for Debian to accept my merge proposals. I'll keep this updated based on salsa MR discussions (if any).

-rafaeldtinoco
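The policy finding quoted in the message above, as an added example that is not part of the original thread or of tcmu-runner: a small audit that evaluates a D-Bus system-bus policy for the RegisterHandler call. Both policy documents are constructed samples, the bus name org.kernel.TCMUService1 is an assumption, and only default-context and per-user policies are evaluated (group and mandatory policies are ignored).

```python
import xml.etree.ElementTree as ET

# The method named in the review finding. The destination (bus name) is an assumption.
CALL = {
    "send_destination": "org.kernel.TCMUService1",
    "send_interface": "org.kernel.TCMUService1.HandlerManager1",
    "send_member": "RegisterHandler",
    "send_type": "method_call",
}

# Constructed sample: the default context lets every user call RegisterHandler.
POLICY_OPEN = """
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.kernel.TCMUService1"/>
    <allow send_destination="org.kernel.TCMUService1"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.kernel.TCMUService1"
           send_interface="org.kernel.TCMUService1.HandlerManager1"
           send_member="RegisterHandler"/>
  </policy>
</busconfig>
"""

# Constructed sample: the same service with HandlerManager1 restricted to root.
POLICY_ROOT_ONLY = """
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.kernel.TCMUService1"/>
    <allow send_destination="org.kernel.TCMUService1"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.kernel.TCMUService1"
          send_interface="org.kernel.TCMUService1.HandlerManager1"/>
  </policy>
</busconfig>
"""


def _matches(rule, call):
    """A rule governs the call when every send_* attribute it sets equals the call's."""
    send_attrs = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
    if not send_attrs:
        return False  # own= and receive_* rules do not decide who may send
    # Attributes this audit does not model (e.g. send_path) make the rule a non-match.
    return all(call.get(k) == v for k, v in send_attrs.items())


def verdict(policy_xml, call, user=None):
    """Return "allow" or "deny" for `call` made by `user` (None = any other user).

    Default-context policies are applied first, then policies for the named
    user; within that order the last matching rule wins.
    """
    root = ET.fromstring(policy_xml.strip())
    policies = list(root.iter("policy"))
    ordered = [p for p in policies if p.get("context") == "default"]
    if user is not None:
        ordered += [p for p in policies if p.get("user") == user]

    result = "deny"  # the system bus denies method calls unless a rule allows them
    for policy in ordered:
        for rule in policy:
            if rule.tag in ("allow", "deny") and _matches(rule, call):
                result = rule.tag
    return result


if __name__ == "__main__":
    for name, doc in (("open", POLICY_OPEN), ("root-only", POLICY_ROOT_ONLY)):
        print(name, "any user:", verdict(doc, CALL), "| root:", verdict(doc, CALL, "root"))
```
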
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
CURRENT STATUS

Targets:

- I: ceph-iscsi
- II: targetcli-fb

Summary for the current state:

I: ceph-iscsi
  [-] MIR ack (if everything else is)

I/II: python-configshell-fb
  [.] MIR ack
  [.] Security ack - needs DEP8 inclusion

  Suggesting:
  - https://salsa.debian.org/linux-blocks-team/python-configshell-fb/-/merge_requests/3/

II: targetcli-fb
  [.] MIR ack - needs DEP8 and services/sockets fix
  [.] Security nack->ack - 2 upstream fixes done

  Suggesting:
  - https://salsa.debian.org/linux-blocks-team/targetcli-fb/-/merge_requests/8

I/II: python-rtslib-fb
  [.] MIR ack - needs packaging/lintian fixes
  [.] Security ack - upstream fix done

  - Upstream version v2.1.73 includes the security fix. Suggesting:
    https://salsa.debian.org/openstack-team/python/python-rtslib-fb/-/merge_requests/2
    https://salsa.debian.org/openstack-team/python/python-rtslib-fb/-/merge_requests/3
  - Might not need fix for LP: #1865037 (put a comment, waiting Debian)
  - Highlighted @jamespage in both MR in salsa (hopefully he can help)

I: tcmu
  [.] MIR ack
  [+] Security ack - but needs dbus fix

I: urwid
  [.] MIR ack
  [.] Security: ack

Only thing missing: tcmu fix and wait for changes to be accepted so we can put all those packages on sync (and then do the MIR if everybody is on the same page).
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
● targetclid.service - Targetcli daemon
     Loaded: loaded (/etc/systemd/system/targetclid.service; disabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-06-24 20:28:02 UTC; 957ms ago
TriggeredBy: ● targetclid.socket
       Docs: man:targetclid(8)
   Main PID: 22495 (targetclid)
      Tasks: 3 (limit: 23180)
     Memory: 14.7M
     CGroup: /system.slice/targetclid.service
             └─22495 /usr/bin/python3 /usr/bin/targetclid

Jun 24 20:28:02 debian systemd[1]: Started Targetcli daemon.

Service works but I have disabled it by default. Package is good to be merged in Debian.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
For targetcli-fb:

https://salsa.debian.org/linux-blocks-team/targetcli-fb/-/merge_requests/8

I'm now waiting for Ritesh to accept my merge request updating it to 2.1.53 and fixing the binary package (including documentation, new systemd units, etc).
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Targets:

- I: ceph-iscsi
- II: targetcli-fb

Summary for the current state:

I: ceph-iscsi
  [-] MIR ack (if everything else is)

I/II: python-configshell-fb
  [.] MIR ack
  [+] Security ack - needs DEP8 inclusion

I/II: python-rtslib-fb
  [+] MIR ack - needs packaging/lintian fixes
  [.] Security ack - upstream fix done

II: targetcli-fb
  [+] MIR ack - needs DEP8 and services/sockets fix
  [.] Security nack->ack - 2 upstream fixes done

I: tcmu
  [.] MIR ack
  [+] Security ack - but needs dbus fix

I: urwid
  [.] MIR ack
  [.] Security: ack

I'm working on the [+] ones.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Okay, I'm back to this now.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I've asked Rafael to look after the TODOs that were identified for python-rtslib-fb. Assigning the task.

** Changed in: python-configshell-fb (Ubuntu)
     Assignee: (unassigned) => Rafael David Tinoco (rafaeldtinoco)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I reviewed python-rtslib-fb 2.1.71-0ubuntu1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

python-rtslib-fb is a programmatic interface to the Linux kernel's LIO target. Working with Python objects causes writes to the kernel's /sys/kernel/config/target interface. It also provides an executable to save the live config to a file on service shutdown, and load the config into the running kernel on service start.

- No CVEs in our database; when I reported a low severity problem, a fix was committed 13 hours later.
- Build-Depends?
  - debhelper-compat (= 9), dh-python, openstack-pkg-tools (>= 99~), python3-all, python3-setuptools, python3-six
- pre/post inst/rm scripts?
  - postrm script improperly removes the alternatives entry against policy -- it should be called from prerm instead: https://lintian.debian.org/tags/maintainer-script-should-not-use-update-alternatives-remove.html
  - py3compile command isn't guarded with || true; -- is this correct?
- init scripts?
  - initscript has multiple shellcheck warnings
  - race condition combined with busy-wait "sleep"
- systemd units?
  - Creates directory with ExecStart=mkdir -p rather than ConfigurationDirectory= directive
- No dbus config
- No setuid executables
- new binary targetctl in PATH
- No sudo fragments
- No polkit rules
- No udev rules
- Very small number of tests -- as doctests -- and I can't tell if they run during the build or not
- No cron jobs
- Lintian warnings and errors reported
- Spawns a subprocess to perform module loading -- the subprocess itself looks fine, but the module loading feels out of place. There is probably a better way to do this.
- File IO is used extensively; some small helper functions are written to make it look easy. The tool works extensively in a virtual filesystem meant to configure things.
- Very little logging
- No environment variable use
- While this performs privileged operations, it mostly does so via read and write -- and the "modprobe" Popen.
- No cryptography
- No temp files
- No networking
- No webkit
- No policykit

While reading the code I found a low-severity issue and reported it: https://github.com/open-iscsi/rtslib-fb/issues/161
Upstream checked in a fix in 13 hours.

The systemd unit file uses an explicit mkdir call rather than using a declarative setting.

The postrm/prerm scripts need work.

Security team ACK for promoting python-rtslib-fb to main. I'd like the security fix and the packaging issues fixed before this package is promoted.

Thanks

** Bug watch added: github.com/open-iscsi/rtslib-fb/issues #161
   https://github.com/open-iscsi/rtslib-fb/issues/161

** Changed in: python-rtslib-fb (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Lintian pointed out a mistake in the python-rtslib-fb packaging:

  W: python3-rtslib-fb: binary-without-manpage usr/bin/targetctl
  W: python3-rtslib-fb: maintainer-script-should-not-use-update-alternatives-remove postrm:6

  W: python-rtslib-fb source: debhelper-compat-file-is-missing
  W: python-rtslib-fb source: package-uses-deprecated-debhelper-compat-version 1
  E: python-rtslib-fb source: package-uses-debhelper-but-lacks-build-depends
  E: python-rtslib-fb source: missing-build-dependency debhelper

(As is usual, I'm not entirely sure why the tooling spits out two different sets of issues; some may be related to a lintian from focal rather than devel.)

Thanks
Re: [Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
On 02/04/2020 01:04, Alex Murray wrote:
> Upstream have merged in a fix for the world-writable targetcli-fb daemon
> socket - https://github.com/open-iscsi/targetcli-fb/issues/162 - and
> assigned CVE-2020-10699 for it - but there has been no official release.
> With this fix in place, I would be happy to change the NACK to an ACK
> for targetcli-fb.
>
> ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10699

Alex,

I left the targetcli-fb MIR attempt to be handled at 20.10. I'll continue this shortly and will handle this.

Thanks for the highlight.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Funny, our tooling also collected these lintian messages, in a different spot:

python3-rtslib-fb_2.1.71-0ubuntu1_all.deb:
  W: python3-rtslib-fb: binary-without-manpage usr/bin/targetctl
  W: python3-rtslib-fb: maintainer-script-should-not-use-update-alternatives-remove postrm:6

Thanks
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I'm starting to look at python-rtslib-fb and lintian (from bionic) reported:

Output of lintian:
  W: python-rtslib-fb source: debhelper-compat-file-is-missing
  W: python-rtslib-fb source: package-uses-deprecated-debhelper-compat-version 1
  E: python-rtslib-fb source: package-uses-debhelper-but-lacks-build-depends
  E: python-rtslib-fb source: missing-build-dependency debhelper

Thanks
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Upstream have merged in a fix for the world-writable targetcli-fb daemon socket - https://github.com/open-iscsi/targetcli-fb/issues/162 - and assigned CVE-2020-10699 for it - but there has been no official release. With this fix in place, I would be happy to change the NACK to an ACK for targetcli-fb.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10699
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
See https://github.com/open-iscsi/tcmu-runner/issues/582 for the dbus-policy-without-send-destination lintian warning.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I reviewed tcmu 1.5.2-5build1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

tcmu is the userspace side of the kernel's LIO TCM in userspace backstore, which allows backstores for LIO (the kernel's SCSI target) to live outside of the kernel and to be implemented in userspace. It consists of a daemon (tcmu-runner) which communicates with the kernel side via the TCM-USER generic netlink family. Handlers for SCSI commands are implemented as modules that run inside tcmu-runner - currently built and installed are "File-backed optical", "ZBC emulation", "QCOW image file" and "Ceph RBD" handlers. Handlers process SCSI commands from a ring buffer shared between the kernel and userspace.

- Some limited CVE history - a mixture of DoS and information leaks, all fixed in the current version:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000198
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000199
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000200
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000201
- Upstream is active, and we had a positive interaction with them whilst I was working on this MIR (see https://github.com/open-iscsi/tcmu-runner/issues/613).
- Build-depends all in main (cmake, kmod, glib2.0, libnl3, ceph, pkg-config, zlib)
  - It build-depends on libkmod-dev because it consumes symbols from libkmod2, but what does it need the kmod binaries for at build time?
- tcmu-runner has postinst/prerm/postrm scripts just containing autogenerated snippets from dh_installinit and dh_installsystemd.
  - It appears to be missing cleanup hooks for /etc/tcmu/tcmu.conf though.
- Contains an init script and systemd unit that starts the tcmu-runner daemon, which is started by default as part of the multi-user target.
  - The daemon runs as root.
  - Doesn't listen on any ports.
- Also installs a dbus service to activate the tcmu-runner daemon.
  - It exposes a couple of dbus interfaces:
    - org.kernel.TCMUService1 which provides a single CheckConfig method and is exported for each registered type (with a type specific object path). None of the internal plugins appear to implement check_config, so I'd imagine it just always returns success for these.
    - org.kernel.TCMUService1.HandlerManager1 which allows external handlers for a type to be registered (via the RegisterHandler method). Calls to org.kernel.TCMUService1.CheckConfig are then proxied to the external handler process, which owns a type-specific well-known name on the system bus.
  - The dbus policy allows all users to call org.kernel.TCMUService1.HandlerManager1.RegisterHandler, which doesn't seem desirable. I don't think there is a direct security impact from this, as external handlers need to be privileged in order to own the type-specific well-known name on the system bus, and the call will return an error if called before that name is owned. But I think this should only be callable as the root user.
- No setuid binaries.
- One binary in PATH (/usr/bin/tcmu-runner).
- No sudo fragments.
- No polkit files.
- No udev rules.
- There don't appear to be any unit tests or autopkgtests.
- No cron jobs.
- Build logs appear to be mostly clean.
  - Note, there is a patch that removes -Werror, which appears to be unnecessary.
  - There are some dpkg-shlibdeps warnings because the modules don't link against libtcmu2.
  - tcmu-runner has a "dbus-policy-without-send-destination" lintian warning which should probably be fixed.
- No subprocesses spawned.
- Memory management seems to generally be cautious - it takes care to handle heap allocation failures, and makes use of calloc to avoid arithmetic overflow issues in a lot of places.
- Seems to handle errors when performing file I/O operations. It uses pread and pwrite quite a bit and in most cases checks that the expected number of bytes are read / written.
  - There is a usage of pwritev in qcow_pwritev that checks for an error condition (ret < 0), but doesn't appear to check that the correct number of bytes are written or expose the number of bytes written for callers to handle.
  - It appears to be fairly defensive when reading metadata from files on disk.
- Has some logging helpers, which log to a file and syslog.
  - Writing to the syslog happens on a dedicated thread.
  - There is some locking which allows the logging functions to be used from multiple threads - tcmu-runner has a dedicated thread for each internal device handler, which is why this is necessary.
  - Log levels are set by a config file, and the default is "info (3)". The highest log level (5) logs SCSI command sequences, but only to the dedicated log file rather than syslog. I didn't find any indication that sensitive data might be logged, although perhaps SCSI command sequences could be considered sensitive at the
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
** Changed in: targetcli-fb (Ubuntu)
   Assignee: Alex Murray (alexmurray) => (unassigned)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I reviewed targetcli-fb 1:2.1.51-0ubuntu1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

targetcli-fb is a python package for configuring and managing the LIO (Linux IO) generic SCSI target.

- CVE History:
  - None
- Build-Depends
  - No security sensitive build-depends:
    - debhelper, dh-python, python3-all, python3-configshell-fb, python3-gi, python3-rtslib-fb, python3-setuptools, python3-six
- pre/post inst/rm scripts
  - only auto-generated ones from dh_python3/dh_installsystemd
- No init scripts
- 1 systemd unit for the targetclid daemon
- No dbus services
- No setuid binaries
- binaries in PATH
  - /usr/bin/targetcli
  - /usr/bin/targetclid
- No sudo fragments
- No polkit files
- No udev rules
- No autopkgtests or unit tests
  - This makes it very difficult for the security team to ensure any possible security updates do not introduce regressions
- No cron jobs
- Build logs:
  - No significant errors / warnings
- No processes spawned
- Memory management is python
- File IO
  - /var/run/targetclid.sock is world-writable (0o666) so anyone can connect to it and there is no authentication done on the user who is interacting with targetclid via this socket - as such an unprivileged user can connect to it and send commands to targetclid which will execute them with no privilege checks. This is likely a security vulnerability. The permissions on this socket path should be explicitly set so that this is only writable by owner/group and not others, i.e. 660 rather than the current 666. Since this is generally created by systemd, adding SocketMode=0660 to the targetclid.socket systemd unit should be sufficient. This has been reported upstream at https://github.com/open-iscsi/targetcli-fb/issues/162
  - targetclid uses the hardcoded file-path /tmp/data.txt for handling interaction with clients - this is a potential security vulnerability since if a client creates a symlink at /tmp/data.txt to some root owned file, targetclid would write its own data to that target file
    - I notice this has already been fixed upstream via https://github.com/open-iscsi/targetcli-fb/pull/156 / https://github.com/open-iscsi/targetcli-fb/commit/23877ab4afbf0c2fe4092936261d92d7b7fbff11 and so this should be patched to avoid any possible security issue as a result
  - Also uses hard-coded path to /var/run/targetclid.pid
  - Uses the config file ~/.targetcli
  - saveconfig command allows any resulting filename to be specified so can be used to overwrite arbitrary files on the system - as such there should probably be stricter checks on the target filename OR that targetcli can only ever be run as a regular user (the current location of the )
  - restoreconfig command will read from any specified config file without checking ownership etc so again any client to targetclid should be considered trusted
- Logging
  - Is via ConfigShell (from python-configshell-fb) and looks fine
- Environment variable usage
  - targetclid uses TARGETCLI_HOME to override path of ~/.targetcli and LISTEN_PID to support systemd-based socket activation
    - since the targetcli client first tries to create the lock file when launched, and this is only writable by root hence targetcli must be run as root anyway so this can't really be abused
- No use of privileged functions
- No use of cryptography / random number sources etc
- Use of temp files
  - See above comment about /tmp/data.txt - this should be resolved before being promoted to main
- No use of networking
- No use of WebKit
- No use of PolicyKit
- No significant cppcheck results
- Unknown if any significant Coverity results (waiting on Coverity license renewal)
- No significant shellcheck results
- No significant bandit results

As mentioned above, SocketMode should likely be specified in the systemd socket unit (waiting on upstream to respond to the bug report).

Also the targetcli client checks whether it is running as root and if not potentially disables some commands - this is not sufficient to stop targetclid running privileged commands on behalf of a client - instead, targetclid should check the rights of a client via `SCM_CREDENTIALS` so that it cannot be tricked into performing operations on behalf of an unprivileged user - reported upstream as https://github.com/open-iscsi/targetcli-fb/issues/163

Security team NACK for promoting targetcli-fb to main for now due to these two potential security issues. If at least the socket permissions can be fixed this should mitigate the impact of the second issue (permission check in the client) - however, ideally the daemon would be stricter on checking permissions of clients as well and in that case I would be a bit happier to ACK this.

** Bug watch added: github.com/open-iscsi/targetcli-fb/issues #162
   https://github.com/open-iscsi/targetcli-fb/issues/162

** Bug watch
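The two hardening steps named in the review above (a 0660 socket node and a daemon-side check of the client via `SCM_CREDENTIALS`), as an added Linux-only Python example; it is not targetclid's code or upstream's fix. The function names, the socket path, the sample request and the allowed-UID policy are assumptions made for illustration.

```python
import os
import socket
import stat
import struct
import tempfile

# Linux struct ucred: pid_t pid, uid_t uid, gid_t gid
UCRED = struct.Struct("iII")


def bind_restricted(path, mode=0o660):
    """Listen on a UNIX socket whose filesystem node is created with `mode`.

    The umask is tightened around bind() so the node is never briefly
    world-writable, unlike a bind() followed by a later chmod().
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o777 & ~mode)
    try:
        srv.bind(path)
    except OSError:
        srv.close()
        raise
    finally:
        os.umask(old_umask)
    # Ask the kernel to attach sender credentials to received messages.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    srv.listen(8)
    return srv


def recv_with_creds(conn, bufsize=4096):
    """Return (data, (pid, uid, gid)), or (data, None) without credentials."""
    data, ancdata, _flags, _addr = conn.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return data, UCRED.unpack(cdata[:UCRED.size])
    return data, None


def handle_request(conn, allowed_uids=frozenset({0})):
    """Daemon-side authorization: act only for UIDs the kernel vouches for.

    The credentials are filled in by the kernel, so a client cannot claim
    to be root the way it can bypass a check done in the client program.
    """
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    data, creds = recv_with_creds(conn)
    # Fail closed: a read with no payload (EOF), no credentials, or no valid
    # sender pid is treated as unauthenticated.
    if not data or creds is None or creds[0] <= 0:
        return b"denied\n"
    if creds[1] not in allowed_uids:
        return b"denied\n"
    # A real daemon would dispatch the command here; this example echoes it.
    return b"accepted: " + data


def demo():
    """Bind, connect and serve one constructed request in a single process."""
    with tempfile.TemporaryDirectory() as tmpdir:
        path = os.path.join(tmpdir, "example.sock")  # constructed path
        srv = bind_restricted(path)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        cli.sendall(b"ls /\n")  # constructed sample request
        conn, _addr = srv.accept()
        reply = handle_request(conn, allowed_uids={os.getuid()})
        for sock in (conn, cli, srv):
            sock.close()
        return mode, reply


if __name__ == "__main__":
    mode, reply = demo()
    print(oct(mode), reply)
```

When systemd creates the socket, as the review notes, `SocketMode=0660` in the socket unit takes the place of `bind_restricted`; the credential check in `handle_request` still applies to the accepted connection.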
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
** Changed in: targetcli-fb (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => Alex Murray (alexmurray)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
@Christian: for the record, Chris Coulson is looking at tcmu.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Targetcli got into -proposed:

https://bugs.launchpad.net/ubuntu/+source/targetcli-fb/1:2.1.51-0ubuntu1

Subscribing security for targetcli-fb MIR security analysis.

** Changed in: targetcli-fb (Ubuntu)
   Assignee: Rafael David Tinoco (rafaeldtinoco) => (unassigned)

** Changed in: targetcli-fb (Ubuntu)
   Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Ok, I'm uploading targetcli-fb based on our discussions after you fixed the todos:

https://code.launchpad.net/~rafaeldtinoco/ubuntu/+source/targetcli-fb/+git/targetcli-fb/+merge/379938

And will assign security team to targetcli-fb after uploaded.

Thanks a lot @Christian.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
@Rafael - I fixed the todos on targetcli and am pushing to the branch that I linked in your MP - I've broken the rtslib-fb-targetctl into an extra bug => once you have re-reviewed targetcli and uploaded it we can set that to security as well.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I split the service change for rtslib-fb into https://bugs.launchpad.net/rtslib-fb/+bug/1865037 as the MIR and security review isn't dependent on it.

** Changed in: python-rtslib-fb (Ubuntu)
   Assignee: Rafael David Tinoco (rafaeldtinoco) => Ubuntu Security Team (ubuntu-security)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Updating my small summary of this morning after the MIR reviews.

Targets:
- I: ceph-iscsi
- II: targetcli-fb

Current state:
I: ceph-iscsi - MIR ack, Security in-queue
I/II: python-configshell-fb - MIR ack, Security ack - READY
I/II: python-rtslib-fb - MIR ack, needs Security review (not yet queued)
II: targetcli-fb - MIR conditional-ack, Updates and fixes needed (@Rafael), then security review
I: tcmu - MIR ack, Security in-queue (undefined)
I: urwid - MIR ack, Security ack - READY
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Updating my small summary of this morning after the MIR reviews.

Targets:
- I: ceph-iscsi
- II: targetcli-fb

Current state:
I: ceph-iscsi - MIR ack, Security in-queue
I/II: python-configshell-fb - MIR ack, Security ack - READY
I/II: python-rtslib-fb - MIR ack, fixes needed (@Rafael), then security review
II: targetcli-fb - MIR conditional-ack, Updates and fixes needed (@Rafael), then security review
I: tcmu - MIR ack, Security in-queue (undefined)
I: urwid - MIR ack, Security ack - READY

** Changed in: urwid (Ubuntu)
   Status: Confirmed => In Progress
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Rafael was working on updating targetcli and I was reviewing/helping with that.

TODOs: @Rafael
- install state of rtslib-fb-targetctl.service still is bad in containers
  Unless you find any idea why this would ever make sense in a container (I don't) you can start by adding ConditionVirtualization=!container and upload that to python3-rtslib-fb
- probably targetclid might need the same treatment as it most likely will fail the same way
- fixup targetcli service
  /lib/systemd/system/targetclid.socket:6: ListenStream= references a path below legacy directory /var/run/, updating /var/run/targetclid.sock
- some things are still missing on the sockets/service activation sequence
  The socket fails via
  targetclid.socket: Socket service targetclid.service already active, refusing.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I reviewed urwid 2.0.1-2build3 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

urwid is a console-based display and user interface framework/library for python 2.7 and 3.4+

- CVE History:
  - none found
- Build-Depends?
  - nothing troubling found
- pre/post inst/rm scripts?
  - n/a
- init scripts?
  - n/a
- systemd units?
  - n/a
- dbus services?
  - n/a
- setuid binaries?
  - n/a
- binaries in PATH?
  - n/a
- sudo fragments?
  - n/a
- udev rules?
  - n/a
- unit tests / autopkgtests?
  - there are some tests but no autopackage tests. The tests run fine when I manually run them but I don't see them running during the build.
- cron jobs?
  - n/a
- Build logs:
  - lintian warns about old python versions

- Processes spawned?
  - the default for Terminal is using the value of SHELL env var as the command
  - it execs a command for its virtual terminal class and some for mouse pointer integration
  - it also execs some python for reraising exceptions
- Memory management?
  - n/a
- File IO?
  - paths appear to be constructed safely
  - it's not really getting input from files
  - umask is set to 0 when daemonizing
  - umask not explicitly set for file creation
- Logging?
  - logging isn't used much and looks ok
- Environment variable usage?
  - env is not sanitized
  - this could possibly be misused or produce unanticipated results but that isn't happening as used by python-configshell-fb
- Use of privileged functions?
- Use of cryptography / random number sources etc?
  - n/a
- Use of temp files?
  - pipes located in /tmp by default, this isn't being used for our purposes right now.
- Use of networking?
  - I didn't focus on this very much because urwid as used by python-configshell-fb doesn't use networking
  - input is parsed one character at a time.
- Use of WebKit?
- Use of PolicyKit?
  - n/a

- Any significant cppcheck results?
  - No
- Any significant Coverity results?
  - No

Bandit flagged creation of pipes in /tmp in web_display.py as potentially unsafe. That functionality of the framework is not being used by python-configshell-fb but it could probably be improved.

Security team ACK. My recommendation is that the web_display tmp files be cleaned up to use python's tempfile but I don't think it needs to block inclusion into main at this time because it isn't being used.

** Changed in: urwid (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
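The review's recommendation (pipes under /tmp replaced by something built on python's tempfile) can be illustrated as follows. This is an added example, not urwid's code: the function names, the `app-` file names and the stand-in shared directory are all hypothetical, and it contrasts a guessable FIFO path in a world-writable directory with one created inside a `tempfile.mkdtemp()` directory.

```python
import os
import shutil
import stat
import tempfile


def make_fifo_predictable(base_dir, session_id):
    """Pattern of the kind Bandit flags: a guessable name in a shared directory.

    Any local user who can write to base_dir can create the path first
    (as a FIFO, a file or a symlink), so the caller cannot trust what it opens.
    """
    path = os.path.join(base_dir, "app-%s.in" % session_id)  # hypothetical name
    os.mkfifo(path)  # default mode 0o666, reduced only by the process umask
    return path


def make_fifo_private(prefix="app-"):
    """Create the FIFO inside a fresh directory from tempfile.mkdtemp().

    mkdtemp() picks an unpredictable name and creates the directory with
    mode 0o700, so no other user can pre-create or replace entries in it.
    """
    private_dir = tempfile.mkdtemp(prefix=prefix)
    path = os.path.join(private_dir, "in.fifo")
    os.mkfifo(path, 0o600)
    os.chmod(path, 0o600)  # make the mode exact whatever the umask is
    return private_dir, path


def audit_fifo(path):
    """Return a list of findings for an existing FIFO path (empty means ok)."""
    findings = []
    st = os.lstat(path)  # lstat: do not follow a planted symlink
    if not stat.S_ISFIFO(st.st_mode):
        findings.append("not a FIFO")
    if st.st_uid != os.geteuid():
        findings.append("not owned by current user")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("accessible by group/other")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if stat.S_IMODE(parent.st_mode) & 0o022:
        findings.append("parent directory writable by group/other")
    return findings


def demo():
    """Audit both patterns under umask 0, as the review saw when daemonizing."""
    # Constructed stand-in for /tmp: a world-writable sticky directory.
    shared = tempfile.mkdtemp(prefix="fake-tmp-")
    os.chmod(shared, 0o1777)
    private_dir = None
    old_umask = os.umask(0)
    try:
        weak = make_fifo_predictable(shared, "1234")
        weak_findings = audit_fifo(weak)
        private_dir, strong = make_fifo_private()
        strong_findings = audit_fifo(strong)
    finally:
        os.umask(old_umask)
        shutil.rmtree(shared, ignore_errors=True)
        if private_dir:
            shutil.rmtree(private_dir, ignore_errors=True)
    return weak_findings, strong_findings


if __name__ == "__main__":
    print(demo())
```
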
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
** Changed in: urwid (Ubuntu)
   Assignee: Maria Emilia Torino (emitorino) => Ubuntu Security Team (ubuntu-security)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I also uploaded the requested versions of configshell-fb and rtslib-fb to get things up-to-date for the release feature freeze.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Seeing:
ceph-iscsi | 3.4-0ubuntu1 | focal/universe | source, all

thanks James!

You also said
[12:22] cpaelzer, rafaeldtinoco: rtslib and configshell are straight updates - have those ready for upload

=> That sounds great. I'd almost encourage you to upload it right away. To later catch up I'd ask to open debian MPs as well.

=> That leaves the update of targetcli-fb which at least has this new targetclid daemon that might need to be packaged and tested to work well.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
ceph-iscsi: ubuntu-openstack added as bug subscriber. package updated to 3.4 as requested (thanks for spotting that).
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Re "tcmu 32 bit Werror" - I supplied a patch for the actual error raised on 32 bit archs but the Debian maintainer rejected my change to not disable that compiler feature (-Werror)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Updating my small summary of this morning after the MIR reviews.
I still doubt (even more now) we can make it for 20.04, but let's see how things go and decide to punt to 20.10 when we really missed it.

Targets:
- I: ceph-iscsi
- II: targetcli-fb

Current state:
I: ceph-iscsi - MIR ack, Update to 3.4 recommended, Security review needed
I/II: python-configshell-fb - MIR ack, Security ack - READY
I/II: python-rtslib-fb - MIR ack, Updates and fixes needed (@Rafael), then afterward security review needed
II: targetcli-fb - MIR conditional-ack, Updates and fixes needed (@Rafael), then afterward security review needed
I: tcmu - MIR ack, Security in-queue (undefined)
I: urwid - MIR ack, Security in-queue (emitorino)

TODOs:
- @Rafael/@James: if you could take a look at the "tcmu 32 bit Werror" issues, that would be great.
- @Rafael: please work on todos listed in comment #24 comment #26 and assign these tasks to security after they are done
- @James: please work on todos listed in comment #27
- @Security - as usual please let us know via an update here once these entered your review queue and once people are assigned.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
## ceph-iscsi ##

[Summary]
MIR Team conditional ack.
To be complete I'd recommend an update to v3.4 and I'd request a security review.
The updates are important, but no blocker for the security review therefore I'm assigning the security Team.

TODOs:
@Jamespage - bug subscriber
  I guess openstack will subscribe for this one right?
  Jamespage could you make that happen?
@Jamespage - update to version 3.4 for a bunch of crash fixes
@security - please put this on your review queue.

[Duplication]
This is essentially a ceph/LIO gateway translating between the two.
Such functionality isn't in main, duplication is no issue.

[Dependencies]
- no other Dependencies to MIR due to this (only those listed in this bug already)
- no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not use webkit1,2
- does not process arbitrary web content
- does not use lib*v8 directly
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Problems:
- does run two daemons as root
- does parse data formats (via REST API)
- does open a port (for REST)
=> a security review is needed

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error (Thanks James for enabling these).
- no translation present, but none needed for this case (admin only)?
- no new python2 dependency
- uses dh_python

Problems:
- Does not yet have a team bug subscriber?
- does not have a test suite that runs as autopkgtest (sort of ok for now, if tested e.g. in other openstack context)

[Packaging red flags]
OK:
- Ubuntu does carry a delta, but it is reasonable and maintenance under control
- symbols tracking not applicable for this kind of code.
- d/watch is present and looks ok
- Upstream update history is ok
- Debian/Ubuntu update history is not long enough to have a good insight how frequent they will be
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- not using Built-Using

Problems:
- the current release is not packaged
  => https://github.com/ceph/ceph-iscsi/releases/tag/3.4
  Fixing some crashes
  => https://github.com/ceph/ceph-iscsi/compare/3.3...3.4
  @Jamespage would you mind getting this packaged?

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid (needs very careful design (prefer systemd to set those for services))
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks

Problems:
- The upstream bug tracker has a list of bad bugs, but they seem to be actively worked on so that should be ok.

** Changed in: ceph-iscsi (Ubuntu)
   Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
## python3-rtslib-fb ##

[Summary]
MIR Team conditional-Ack.
Good packaging in general, but we need the steps below to be completed before being really ready for promotion:
(Note: this is Very similar to targetcli-fb)

@rafaeldtinoco - please update python-rtslib-fb
  - update targetcli-fb to 2.1.71
  - fix d/watch to detect the non *fb* versions
  - as usual work with Debian to have it there as well sooner or later
  - not sure but it might even need an epoch :-/
@rafaeldtinoco - please make install-fail graceful (see below for detail)
  Could be just a condition in the service, but that is up to you
@rafaeldtinoco - please get Josh to subscribe to (all) these packages
  - we can drop that later, but that way we
    a) don't miss it later
    b) get a glimpse of the bug influx on these packages
@rafaeldtinoco - tests missing
  Can we get some tests that will exercise targetcli-fb in this or another package of this MIRs context?
@rafaeldtinoco - (optional) targetctl man page
  If it seems easy to do writing and proposing upstream a man page would be great, currently there is nothing but the -h output and that is rather scarce.
@Rafael - once you are done with the above, please assign security to the python-rtslib-fb task
@security - please put it on your review queue, but only process it once we are at version >=2.1.71 which @rafaeldtinoco will work on first.

[Duplication]
This is "object API for managing the Linux LIO kernel target" we don't have that in main yet.
TGT is no full alternative and to be replaced (tgt to be demoted) once we are ready to promote this.

[Dependencies]
OK:
- All dependencies are in main already.
- No -dev/-debug/-doc packages with extra deps that would be auto-included that need exclusion later on promotion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

Problem:
- does run a daemon as root
- does parse data formats

I don't think any of that will be critical it just reads the stored config from disk and restores it on boot. But one could e.g. mess with the config files to break it in unexpected ways.
The executed program targetctl is part of this package, so it isn't reviewed already in another context.
=> security review is requested

[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (admin only)?
- no new python2 dependency
- uses dh_python

Problems:
- no Team subscriber yet, server-team please subscribe
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
  -> could we get some basic tests when working on 2.1.71 to at least cover and detect the most obvious issues)
  It might be ok to get the tests done in one of the packages here that would then use all the packages belonging to this "context".
- doesn't install-fail gracefully
  Error on non-LIO capable systems (e.g. container unable to load modules)
  I know it can't really "work" there, but it should not break install itself.
  This needs to be made graceful (e.g. a systemd condition)

Job for rtslib-fb-targetctl.service failed because the control process exited with error code.
See "systemctl status rtslib-fb-targetctl.service" and "journalctl -xe" for details.
invoke-rc.d: initscript rtslib-fb-targetctl, action "start" failed.
● rtslib-fb-targetctl.service - Restore LIO kernel target configuration
   Loaded: loaded (/lib/systemd/system/rtslib-fb-targetctl.service; disabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-02-25 06:45:06 UTC; 24ms ago
  Process: 1567 ExecStart=/usr/bin/mkdir -p /etc/rtslib-fb-target (code=exited, status=0/SUCCESS)
  Process: 1568 ExecStart=/usr/bin/targetctl restore (code=exited, status=1/FAILURE)
 Main PID: 1568 (code=exited, status=1/FAILURE)

Feb 25 06:45:06 f target[1568]: File "/usr/bin/targetctl", line 47, in restore
Feb 25 06:45:06 f target[1568]: errors = RTSRoot().restore_from_file(restore_file=from_file)
Feb 25 06:45:06 f target[1568]: File "/usr/lib/python3/dist-packages/rtslib_fb/root.py", line 84, in __init__
Feb 25 06:45:06 f target[1568]: modprobe('target_core_mod')
Feb 25 06:45:06 f target[1568]: File "/usr/lib/python3/dist-packages/rtslib_fb/utils.py", line 425, in modprobe
Feb 25 06:45:06 f target[1568]: raise RTSLibError(stderrdata)
Feb 25 06:45:06 f target[1568]: rtslib_fb.utils.RTSLibError: b"modprobe: ERROR: ../libkmod/libkmod.c:611 kmod_search_moddep() could not open moddep file '/lib/modules/5.3.0-40-generic/modules.dep.bin'\nmodprobe: FATAL: Module target_core_mod
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
^^ The above was for targetcli-fb ^^
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
[Summary]
MIR Team conditional-Ack.
Good packaging in general, but we need the steps below to be completed before being really ready for promotion:

@rafaeldtinoco - please update targetcli-fb
  - update targetcli-fb to 2.1.51
  - fix d/watch to detect the non *fb* versions
  - as usual work with Debian to have it there as well sooner or later
  - not sure but it might even need an epoch :-/
    $ dpkg --compare-versions 2.1.fb49 lt-nl 2.1.51
    => NO
    But OTOH:
    UserWarning: The version specified ('2.1.fb49') is an invalid version
@rafaeldtinoco - please get Josh to subscribe to (all) these packages
  - we can drop that later, but that way we
    a) don't miss it later
    b) get a glimpse of the bug influx on these packages
@rafaeldtinoco - tests missing
  Can we get some tests that will exercise targetcli-fb in this or another package of this MIRs context?
@Rafael - once you are done with the above, please assign security to the targetcli-fb task
@security - please put it on your review queue, but only process it once we are at version >=2.1.51 which @rafaeldtinoco will work on first.

[Duplication]
This is "Command shell for managing the Linux LIO kernel target" we don't have that in main yet.
TGT is no full alternative and to be replaced (tgt to be demoted) once we are ready to promote this.

[Dependencies]
OK:
- python3-rtslib-fb and python3-configshell-fb which are part of this MIR bug as well.
- The rest is in main already.
- No -dev/-debug/-doc packages with extra deps that would be auto-included that need exclusion later on promotion

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

=> "viewing, editing, and saving the configuration of the kernel's target subsystem" does not have exploitable elements on their own. The security in this particular case is needed and done on the kernel side.

I think as-is no security review would be needed.
But going to 2.1.51 (see below) will introduce targetclid which then is:

Problem:
- does run a daemon as root
- does parse data formats

I don't think any of that will be critical as it is just parts of the former CLI portion broken out to a daemon, but e.g. exploiting the daemon could get control of LIO controlled credentials.
Therefore looking at what we will eventually have a security review (probably quick) is requested.

[Common blockers]
OK:
- does not FTBFS currently
- no translation present, but none needed for this case (admin only)?
- no new python2 dependency
- uses dh_python

Problems:
- no Team subscriber yet, server-team please subscribe
- does not have a test suite that runs at build time
- does not have a test suite that runs as autopkgtest
  -> could we get some basic tests when working on 2.1.51 to at least cover and detect the most obvious issues)
  It might be ok to get the tests done in one of the packages here that would then use all the packages belonging to this "context".

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking not applicable for this kind of code.
- Upstream update history is good
- promoting this does not seem to cause issues for MOTUs that so far maintained the package
- no massive Lintian warnings
- d/rules is rather clean
- not using Built-Using

Problems:
- Debian/Ubuntu update history is slow
  e.g. 2.1.fb49 was added ~1year after its release
- the current release is not packaged, d/watch doesn't detect the new versions so we miss 1.5y of updates which needs to be fixed.
  => https://github.com/open-iscsi/targetcli-fb/compare/v2.1.fb49...v2.1.51
- d/watch is present but missed non fb prefixed releases
@Rafael - I'd ask you to fix those things up

[Upstream red flags]
OK:
- no Errors/warnings during the build
- no incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid (needs very careful design (prefer systemd to set those for services))
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI for extra checks (If this is a scope for the Unity Dash, does it honor the privacy settings?)

** Changed in: targetcli-fb (Ubuntu)
   Assignee: Christian Ehrhardt (paelzer) => Rafael David Tinoco (rafaeldtinoco)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Thanks for the summary, let's tackle the remaining tasks.
I still doubt we can make it for 20.04, but let's see how things go and decide to punt to 20.10 when we really missed it.

Targets:
- I: ceph-iscsi
- II: targetcli-fb (smaller)

Summary for the current state (I updated bug tasks accordingly)
I: ceph-iscsi - MIR tbd
I/II: python-configshell-fb - MIR ack, Security ack
I/II: python-rtslib-fb - MIR tbd
II: targetcli-fb - MIR tbd
I: tcmu - MIR ack, Security in-queue (undefined)
I: urwid - MIR ack, Security in-queue (emitorino)

@Rafael/@James - if you could take a look at the "tcmu 32 bit Werror" issues, that would be great.

** Changed in: python-rtslib-fb (Ubuntu)
   Assignee: Rafael David Tinoco (rafaeldtinoco) => (unassigned)

** Changed in: ceph-iscsi (Ubuntu)
   Assignee: (unassigned) => Christian Ehrhardt (paelzer)

** Changed in: python-rtslib-fb (Ubuntu)
   Assignee: (unassigned) => Christian Ehrhardt (paelzer)

** Changed in: targetcli-fb (Ubuntu)
   Assignee: (unassigned) => Christian Ehrhardt (paelzer)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
** Changed in: python-configshell-fb (Ubuntu)
   Status: Confirmed => In Progress

** Changed in: python-rtslib-fb (Ubuntu)
   Assignee: Mathieu Trudel-Lapierre (cyphermox) => Rafael David Tinoco (rafaeldtinoco)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
@rafaelftinoco - as the security team, we don't necessarily do a security review for all MIRs - only those which are deemed security relevant - and so we normally wait for the MIR team to do their review first and then if they request a security review, then we add it to our queue. So for now we only have urwid and tcmu on our queue. Please let us know if there is anything else you want us to prioritise.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
##
## SUMMARY (please correct me if I'm wrong)
##

python-rtslib-fb - lib: object API for managing Linux LIO kernel target
python-configshell-fb - lib: framework for building CLI-based apps

MIR #1) ceph-iscsi - LIO gateways for Ceph (logic and CLI tools)
deps:
  python3-configshell-fb - (see below in this summary)
  python3-rtslib-fb - (see below in this summary)
  python3-urwid - lib: curses-based UI lib for python (cli)
  tcmu - userland portion of Linux LIO (ceph, qcow2)

MIR #2) targetcli-fb - Linux LIO kernel target command line interface
deps:
  python3-configshell-fb - (see below in this summary)
  python3-rtslib-fb - (see below in this summary)

## DONE

- urwid should have security review
- emitorino gets to itself urwid review (2020-01-08)
- tcmu is high-impact target (because of Werror disablement)
- comments from jamespage about portability (cyphermox concerns on Werror)
- python3-configshell-fb was reviewed by paelzer (2019-12-05) MIR
- python3-configshell-fb was reviewed by alexmurray (2020-02-21) SECURITY

Note: The next 3 items are orthogonal:

## MISSING (for both MIRs to happen at same time):

- python3-rtslib-fb needs MIR and SECURITY review
- python3-urwid needs MIR and SECURITY review (emitorino to finish ?)
- tcmu needs MIR and SECURITY review
- ceph-iscsi needs MIR and SECURITY review
- targetcli-fb needs MIR and SECURITY review

## MISSING (for ceph-iscsi MIR to happen):

- python3-rtslib-fb needs MIR and SECURITY review
- python3-urwid needs MIR and SECURITY review (emitorino to finish ?)
- tcmu needs MIR and SECURITY review
- ceph-iscsi needs MIR and SECURITY review

## MISSING (for targetcli-fb MIR to happen):

- python3-rtslib-fb needs MIR and SECURITY review
- targetcli-fb needs MIR and SECURITY review

Request: If there is no urgent need for ceph-iscsi to be LIO based on 20.04, would it be possible to prioritize the last MISSING item described above ? This way I would be able to have targetcli-fb in 20.04 and have an interface for LIO.

Observation: Let me know if there is anything on my side I can do to help in accelerating either ceph-iscsi and/or targetcli-fb MIRs.

Thanks a lot!

- rafaeldtinoco
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Thanks a lot Alex. I'll add some DEP8 tests to python-configshell-fb. Already created a card for it.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
I reviewed python-configshell-fb 1.1.fb25-1.1 as checked into focal. This shouldn't be considered a full audit but rather a quick gauge of maintainability. python-configshell-fb provides a python library which is used for building CLI based user-interfaces. Upstream appears healthy and responsive. - CVE History: - None - No security relevant Build-Depends - debhelper, dh-python, python3-all, python3-pyparsing, python3-setuptools, python3-six - pre/post inst/rm scripts - These are fine - just the auto-generated ones by dh_python3 to py3compile on postinst and py3clean on prerm - No init scripts - No systemd units - No dbus services - No setuid binaries - No binaries in PATH - No sudo fragments - No polkit files - No udev rules - No unit tests / autopkgtests - This will make doing any security updates hard to test... - No cron jobs - Clean build log - No processes spawned - File IO - Uses files for preferences and logging but these are all parameters to the library and not hard-coded - Preferences are saved and restored using pickle which could present a security issue since this does little sanity checking on formats etc - however this is done using a file-name provided by the user of the library and relative to the user's home directory so this is likely safe - although there is no use of umask() to ensure this file is not accessible by others so perhaps that at least should be employed - Logging - Uses general python format strings etc - this is safe - No environment variable usage - No Use of privileged functions - No Use of cryptography / random number sources etc - No Use of temp files - No Use of networking - No Use of WebKit - No Use of PolicyKit Static analysis via bandit and Coverity does not show anything significant Security team ACK for promoting python-configshell-fb to main however I would be happier if some unit tests were added so that some testing can be done for any future updates to ensure regressions are not introduced. 
** Changed in: python-configshell-fb (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
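The two file-handling points in the review above (pickle-based preferences and no umask() on the saved file), as an added example that is not code from python-configshell-fb or from the reviewer: one way a library could write a preferences file only its owner can access and refuse pickle data that references any importable object. All function and class names, and the sample preference keys, are hypothetical.

```python
import os
import pickle
import stat
import tempfile


class PrefsUnpickler(pickle.Unpickler):
    """Unpickler for preference files: plain containers and scalars only.

    dict, list, str, int, float, bool and None have their own pickle opcodes,
    so a legitimate prefs file never needs to import anything. Every global
    lookup is therefore refused.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "prefs file references %s.%s; globals are not allowed" % (module, name)
        )


def save_prefs(path, prefs):
    """Atomically write prefs to path with mode 0600, independent of the umask."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file readable and writable by the owner only.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".prefs-")
    try:
        with os.fdopen(fd, "wb") as fh:
            os.fchmod(fh.fileno(), 0o600)  # explicit: owner read/write only
            pickle.dump(prefs, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # the replaced file keeps the 0600 mode
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def load_prefs(path):
    """Load prefs, refusing files that another user could have written."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)
    with os.fdopen(os.open(path, flags), "rb") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("%s is not a regular file" % path)
        if st.st_uid != os.getuid():
            raise PermissionError("%s is not owned by the current user" % path)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("%s is writable by group or others" % path)
        prefs = PrefsUnpickler(fh).load()
    if not isinstance(prefs, dict):
        raise ValueError("prefs file does not contain a dict")
    return prefs


def file_mode(path):
    """Permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run both cases on constructed sample data in a throwaway directory."""
    import collections

    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, "prefs.bin")
        # Constructed sample preferences (hypothetical keys).
        save_prefs(path, {"example_flag": True, "example_depth": 3})
        mode, loaded = file_mode(path), load_prefs(path)
        # Constructed file whose pickle stream names a global
        # (collections.OrderedDict stands in for any importable object).
        with open(path, "wb") as fh:
            pickle.dump(collections.OrderedDict(a=1), fh)
        try:
            load_prefs(path)
            rejected = False
        except pickle.UnpicklingError:
            rejected = True
    return mode, loaded, rejected


if __name__ == "__main__":
    print(demo())
```
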
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
** Description changed: == ceph-iscsi == [Availability] In universe [Rationale] Provides iSCSI gateway to a Ceph cluster, allowing clients which don't understand RBD to use Ceph storage. [Security] No security history found. [Quality assurance] Package runs tests during package build (submitted back to Debian). [Dependencies] All in main or on this MIR [Standards compliance] OK [Maintenance] ubuntu-openstack == tcmu == [Availability] In universe [Rationale] Dependency for ceph-iscsi Handles the userspace side of the LIO TCM-User backstore allowing LIO to use librbd for Ceph backed block devices. [Security] Some security history: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcmu All in older versions. [Quality assurance] No tests in source package for execution during package build. [Dependencies] All in main or on this MIR [Standards compliance] OK [Maintenance] ubuntu-openstack == python-configshell-fb == [Availability] In universe [Rationale] Dependency for ceph-iscsi [Security] No security history [Quality assurance] No tests in source package for execution during package build. [Dependencies] All in main or on this MIR [Standards compliance] OK [Maintenance] ubuntu-openstack == python-rtslib-fb == [Availability] In universe [Rationale] Dependency for ceph-iscsi [Security] No security history [Quality assurance] No tests in source package for execution during package build. [Dependencies] All in main or on this MIR [Standards compliance] OK [Maintenance] ubuntu-openstack == urwid == [Availability] In universe [Rationale] Dependency for python-configshell-fb [Security] No security history [Quality assurance] Tests present and executed during package build. 
[Dependencies] All in main or on this MIR [Standards compliance] OK [Maintenance] ubuntu-openstack + + == targetcli-fb == + + [Availability] + In universe + + [Rationale] + - Only CLI for iSCSI target feature in Linux Kernel + - Replaces with much better performance tgt iSCSI target + - tgt is being deprecated slowly and poorly updated + - LIO fully supports SCSI 3 reservations (for clustering) + + [Security] + No security history + + [Quality assurance] + Tests present and executed during package build. + + [Dependencies] + - python3-configshell-fb (this MIR) + - python3-gi (main) + - python3-rtslib-fb (this MIR) + - python3-six (main) + + [Standards compliance] + OK + + [Maintenance] + ubuntu-server ** Changed in: targetcli-fb (Ubuntu) Status: New => Confirmed
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
James,

It's in my TODO list to take care of iSCSI session in server guide after freeze. So, yep. If you have someone to take care of cinder at your side then I think we're good.

Adding targetcli-fb to the MIR list then...

** Also affects: targetcli-fb (Ubuntu) Importance: Undecided Status: New

** Summary changed: - [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid + [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
cinder-volume will need an update to switch to LIO instead of tgt if we make this switch.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
+1 on the switch from TGT to LIO however -server guide will probably need updates to support this.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
(and let's do that sooner rather than later in the cycle if the general consensus is that's a good idea)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
BTW, if this sounds good, and I hope it does, I'd vote for demoting tgt in favor of having targetcli-fb as the only iSCSI target available in [main] (good comparison tables can be found at: http://www.linux-iscsi.org/wiki/Features, and justifies the request IMO).
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
targetcli-fb depends on python3-rtslib-fb and project is hosted here: https://github.com/open-iscsi/targetcli-fb

It is not a direct need judging original request by James Page BUT it's the CLI for configuring LIO/TCM kernel function. There is no other tool able to configure LIO/TCM kernel iSCSI target.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
targetcli-fb has not been mentioned previously and is not a task on this bug - does it need to be added?
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
Any chances of this landing in 20.04?

I really would like to have:

- python3-configshell-fb
- python3-rtslib-fb
- targetcli-fb

included in 20.04 [main] as the official - including the kernel side - way to provide iSCSI targets (https://www.kernel.org/doc/Documentation/target/tcmu-design.txt) to other hosts.

Especially if we consider HA related software: this is the only iSCSI target project that fully supports SCSI 3 reservations (tgt does not: https://bugs.launchpad.net/ubuntu/+source/tgt/+bug/1863688).

How can I help moving this further?

Thank you!

Rafael
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
** Changed in: urwid (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => Maria Emilia Torino (emitorino)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
@cyphermox (and security team)

Reading the code this is typical mis-use in mixing uint64_t and size_t on the assumption that size_t is 64 bit - so code compiles fine on 64bit but fails on 32bit.

I've fixed numerous issues of this type in other code bases so I'll take a look - the return type of tcmu_lba_to_byte is uint64_t which is the correct approach - size_t usage needs to be switched to match.
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
For python-configshell-fb

[Summary]
- Overall looks ok, MIR Team ack
- @Openstack team: it would be great if you would fix https://bugs.launchpad.net/ubuntu/+source/python-configshell-fb/+bug/1776761
  If you happen to UCA port this to 18.04 that might help anyway (unless you plan to add that package to UCA itself)
- While attack surface seems minimal the value of getting in seems high in this case, so security should have a look (assigning them)

[Duplication]
There is duplication around this project but not in Main.
https://pypi.org/project/configshell-fb/ belongs to https://github.com/open-iscsi/configshell-fb
Those are all forks and a project has to live in either "all -fb or none" world to work. But Debian/Ubuntu run the -fb path of this everywhere, so that is good.

[Embedded sources and static linking]
- no embedded sources
- no static linking (python)
- no golang package

[Security]
- no CVE history
- no daemon as root
- no use of webkit1,2
- no use of lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)

But:
- does parse data formats from caller and coming back from configshell-fb

In general since this deals with setting up storage access to critical data is close. OTOH attack surface is low as you'd need to have control of the application or the storage already. Nevertheless it seems reasonable to ask security to have a look.

[Common blockers]
- builds fine atm
- unfortunately there is no test suite (neither build time nor autopkgtest)
- ubuntu-openstack is already subscribed to bugs of this
- no translations available (none needed for this case)
- dh helpers for python are used
- python2 packages present but not part of the dependency that will pull it into main

[Packaging red flags]
- no Ubuntu delta
- no symbols tracking in python to consider
- watch file is present
- Upstream releases are not rare, but at what seems random intervals
- Debian usually packages those quite well being up to date or one behind
- E.g. the current release isn't packaged but the delta 1.1.25 -> 1.1.27 seems negligible so that is overall ok
- not causing problems for MOTUs
- no massive Lintian warnings
- d/rules is very small and clear
- no Built-Using
- no go package for further considerations

[Upstream red flags]
- no critical Errors/warnings during the build
- no Incautious use of malloc/sprintf (python)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no User nobody
- no use of setuid
- No important bugs (crashers, etc) in Debian or Ubuntu going forward
- https://bugs.launchpad.net/ubuntu/+source/python-configshell-fb/+bug/1776761 would be nice to be SRUed I guess
- no dependency on webkit, qtwebkit, seed or libgoa-*
- no embedded source copies
- not part of the UI

** Changed in: python-configshell-fb (Ubuntu) Assignee: Christian Ehrhardt (paelzer) => Ubuntu Security Team (ubuntu-security)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
** Changed in: python-configshell-fb (Ubuntu) Assignee: (unassigned) => Christian Ehrhardt (paelzer)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: python-configshell-fb (Ubuntu) Status: New => Confirmed
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: python-rtslib-fb (Ubuntu) Status: New => Confirmed
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: ceph-iscsi (Ubuntu) Status: New => Confirmed
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: tcmu (Ubuntu) Status: New => Confirmed
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: urwid (Ubuntu) Status: New => Confirmed
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
tcmu is a high-impact target that will handle storage requests and potentially allow an attacker to intercept data. I'm concerned by the fact the Debian maintainer felt they had to disable -Werror to make things work on 32-bit; even if that's not necessarily our main focus: it points to potential issues in the code, code that is not necessarily very portable or that might be hard to maintain in the future.

I'll let the Security Team give their opinion on it and decide.

** Changed in: tcmu (Ubuntu) Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)
** Changed in: tcmu (Ubuntu) Status: In Progress => New
** Changed in: python-rtslib-fb (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
urwid should have security review. Packaging for it looks fine, but it does handle input, present UI that is used in core places for the OS (such as in the installer, even though that's a snap...)

** Changed in: urwid (Ubuntu) Status: In Progress => New
** Changed in: urwid (Ubuntu) Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)
** Changed in: tcmu (Ubuntu) Status: New => In Progress
** Changed in: tcmu (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid
** Changed in: urwid (Ubuntu) Status: New => In Progress
** Changed in: urwid (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)