
Bug#719632: pu: package nova/2012.1.1-18



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

Please find attached a series of corrections I want to add to the current
Nova package. It comes from the output of git format-patch of the wheezy
branch of the Nova package, since the global debdiff for the package was
less readable.

In the 0001-CVE-2013-2096-OSSA-2013-012-Check-QCOW2-image-size-d.patch
patch, there's normally a quilt refresh output, which I have removed from
the attached file so that you can read it better.

Please let me know which of these patches is considered acceptable from
the release team's point of view.

Cheers,

Thomas Goirand (zigo)
>From 4f384d61f29b604601bc69f66bfa8b10d440dcac Mon Sep 17 00:00:00 2001
From: Thomas Goirand <thomas@goirand.fr>
Date: Sat, 13 Jul 2013 22:37:23 +0800
Subject: [PATCH 2/6] Do not use file from /usr/share/doc/nova-compute-xen in
 postinst (Closes: #710507)

---
 debian/changelog                 |    2 ++
 debian/nova-compute-xen.postinst |    2 +-
 debian/rules                     |    2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 3c5bf44..6e6eaaf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low
   * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk
     creation (Closes: #710157).
   * Refreshes various patches (removes offsets when applying).
+  * Do not use file from /usr/share/doc/nova-compute-xen in postinst, thanks
+    to Andreas Beckmann for reporting (Closes: #710507).
 
  -- Thomas Goirand <zigo@debian.org>  Sat, 13 Jul 2013 22:26:11 +0800
 
diff --git a/debian/nova-compute-xen.postinst b/debian/nova-compute-xen.postinst
index f74e389..098c2c2 100644
--- a/debian/nova-compute-xen.postinst
+++ b/debian/nova-compute-xen.postinst
@@ -10,7 +10,7 @@ if [ "$1" = "configure" -o "$1" = "reconfigure" ]; then
 		mkdir /etc/nova
 	fi
 	if ! [ -f ${XENAPI_CONFFILE} ] ; then
-		cp /usr/share/doc/nova-compute-xen/nova-compute.conf.dist ${XENAPI_CONFFILE}
+		cp /usr/share/nova-compute-xen/nova-compute.conf.dist ${XENAPI_CONFFILE}
 	fi
 
 	. /usr/share/debconf/confmodule
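
Review bot: the `cp` on the added line still expands `${XENAPI_CONFFILE}` unquoted and leaves the mode of the new file under /etc/nova to whatever the template and the umask give it. Since debian/rules installs the template with `-m 0600`, consider `install -m 0600 /usr/share/nova-compute-xen/nova-compute.conf.dist "${XENAPI_CONFFILE}"` so that the permissions of the live configuration file are stated here rather than inherited.
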
diff --git a/debian/rules b/debian/rules
index 6c91641..6fc41f1 100755
--- a/debian/rules
+++ b/debian/rules
@@ -30,7 +30,7 @@ override_dh_install:
 	for hypervisor in qemu kvm uml lxc; do \
 		install -D -m 0600 $(CURDIR)/debian/nova-compute-$${hypervisor}.conf $(CURDIR)/debian/nova-compute-$${hypervisor}/etc/nova/nova-compute.conf; \
 	done
-	install -D -m 0600 $(CURDIR)/debian/nova-compute-xen.conf.dist $(CURDIR)/debian/nova-compute-xen/usr/share/doc/nova-compute-xen/nova-compute.conf.dist
+	install -D -m 0600 $(CURDIR)/debian/nova-compute-xen.conf.dist $(CURDIR)/debian/nova-compute-xen/usr/share/nova-compute-xen/nova-compute.conf.dist
 
 override_dh_fixperms:
 	dh_fixperms -Xnova_sudoers
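
Review bot: the `-m 0600` on the relocated template may not survive the build, because the `override_dh_fixperms` target in the trailing context excludes only `nova_sudoers` and dh_fixperms normalises the modes of the other files in the package. If the template is meant to stay 0600 (and the postinst copy with it), add a matching `-X` exclusion for nova-compute.conf.dist; otherwise drop the mode here so the rule does not imply a restriction that is not shipped.
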
-- 
1.7.10.4

>From 55f8951757e0923c6919381e280ca4e7a3f7c321 Mon Sep 17 00:00:00 2001
From: Thomas Goirand <thomas@goirand.fr>
Date: Sat, 13 Jul 2013 23:03:05 +0800
Subject: [PATCH 4/6] Fixes log rotation of nova-consoleauth.log and
 nova-xvpvncproxy.log (Closes: #706011)

---
 debian/changelog                  |    5 +++++
 debian/nova-console.logrotate     |    2 +-
 debian/nova-xvpvncproxy.logrotate |    4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 6c73dd9..a873cb7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
 nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low
 
+  [ Thomas Goirand ]
   * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk
     creation (Closes: #710157).
   * Refreshes various patches (removes offsets when applying).
@@ -7,6 +8,10 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low
     to Andreas Beckmann for reporting (Closes: #710507).
   * Updates debian/gbp.conf to use the debian/wheezy branch for building.
 
+  [ Julien Cristau ]
+  * Fixes log rotation of nova-consoleauth.log and nova-xvpvncproxy.log
+    (Closes: #706011).
+
  -- Thomas Goirand <zigo@debian.org>  Sat, 13 Jul 2013 22:26:11 +0800
 
 nova (2012.1.1-18) unstable; urgency=low
diff --git a/debian/nova-console.logrotate b/debian/nova-console.logrotate
index a56813d..1ff85db 100644
--- a/debian/nova-console.logrotate
+++ b/debian/nova-console.logrotate
@@ -1,4 +1,4 @@
-/var/log/nova/nova-console.log {
+/var/log/nova/nova-console.log /var/log/nova/nova-consoleauth.log {
     daily
     copytruncate
     missingok
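
Review bot: nova-consoleauth.log is added to a stanza that rotates with `copytruncate`, so lines written between the copy and the truncate can be lost. That matches how nova-console.log is already handled, but it is worth a word in the changelog if the consoleauth log is relied on as a record of the console auth service.
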
diff --git a/debian/nova-xvpvncproxy.logrotate b/debian/nova-xvpvncproxy.logrotate
index 1526551..c10ec6a 100644
--- a/debian/nova-xvpvncproxy.logrotate
+++ b/debian/nova-xvpvncproxy.logrotate
@@ -1,4 +1,4 @@
-/var/log/nova/nova-vncproxy.log {
+/var/log/nova/nova-xvpvncproxy.log {
     daily
     missingok
-}
\ No newline at end of file
+}
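
Review bot: the renamed stanza for nova-xvpvncproxy.log has only `daily` and `missingok`, with no `copytruncate` (which the nova-console stanza in this same patch uses) and no `postrotate`, so unless the daemon reopens its log on its own it will keep writing to the rotated file. Add `copytruncate` here as well, or a postrotate action, and check whether an existing /var/log/nova/nova-vncproxy.log is left behind unrotated after the rename.
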
-- 
1.7.10.4

>From 6eb5f96ec63bb8033f8a06394c1144211e653971 Mon Sep 17 00:00:00 2001
From: Thomas Goirand <thomas@goirand.fr>
Date: Sat, 13 Jul 2013 23:17:23 +0800
Subject: [PATCH 6/6] Applies https://review.openstack.org/#/c/10168/:
 resolves issue where querying /v1.1/$tenant/os-hosts
 returns an empty list (Closes: #689318).

---
 debian/changelog                                   |    2 +
 ..._os-hosts_does_not_return_a_list_of_hosts.patch |   62 ++++++++++++++++++++
 debian/patches/series                              |    1 +
 3 files changed, 65 insertions(+)
 create mode 100644 debian/patches/api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch

diff --git a/debian/changelog b/debian/changelog
index 97340c6..8fd817d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low
   * Do not use file from /usr/share/doc/nova-compute-xen in postinst, thanks
     to Andreas Beckmann for reporting (Closes: #710507).
   * Updates debian/gbp.conf to use the debian/wheezy branch for building.
+  * Applies https://review.openstack.org/#/c/10168/: resolves issue where
+    querying /v1.1/$tenant/os-hosts returns an empty list (Closes: #689318).
 
   [ Julien Cristau ]
   * Fixes log rotation of nova-consoleauth.log and nova-xvpvncproxy.log
diff --git a/debian/patches/api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch b/debian/patches/api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch
new file mode 100644
index 0000000..d3036cb
--- /dev/null
+++ b/debian/patches/api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch
@@ -0,0 +1,62 @@
+Description: API 'v1.1/{tenant_id}/os-hosts' does not return a list of hosts
+ Backports fix for bug 1014925 to stable/essex, which resolves issue
+ where querying /v1.1/$tenant/os-hosts returns an empty list.
+ .
+ Original fix by Joe Gordon reviewed into Folsom at:
+  https://review.openstack.org/#/c/8682/2
+Author: Adam Gandelman <adamg@canonical.com>
+Origin: https://review.openstack.org/#/c/10168/
+Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1014925
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689318
+Date: Mon, 23 Jul 2012 13:16:46 -0700
+
+diff --git a/nova/api/openstack/compute/contrib/hosts.py b/nova/api/openstack/compute/contrib/hosts.py
+index a93da9e..202c8ca 100644
+--- a/nova/api/openstack/compute/contrib/hosts.py
++++ b/nova/api/openstack/compute/contrib/hosts.py
+@@ -98,7 +97,10 @@ def _list_hosts(req, service=None):
+     by service type.
+     """
+     context = req.environ['nova.context']
+-    hosts = scheduler_api.get_host_list(context)
++    services = db.service_get_all(context, False)
++    hosts = []
++    for host in services:
++        hosts.append({"host_name": host['host'], 'service': host['topic']})
+     if service:
+         hosts = [host for host in hosts
+                 if host["service"] == service]
+diff --git a/nova/tests/api/openstack/compute/contrib/test_hosts.py b/nova/tests/api/openstack/compute/contrib/test_hosts.py
+index 77beeae..0482eb5 100644
+--- a/nova/tests/api/openstack/compute/contrib/test_hosts.py
++++ b/nova/tests/api/openstack/compute/contrib/test_hosts.py
+@@ -36,10 +36,15 @@ HOST_LIST = [
+         {"host_name": "host_c2", "service": "compute"},
+         {"host_name": "host_v1", "service": "volume"},
+         {"host_name": "host_v2", "service": "volume"}]
++SERVICES_LIST = [
++        {"host": "host_c1", "topic": "compute"},
++        {"host": "host_c2", "topic": "compute"},
++        {"host": "host_v1", "topic": "volume"},
++        {"host": "host_v2", "topic": "volume"}]
+ 
+ 
+-def stub_get_host_list(req):
+-    return HOST_LIST
++def stub_service_get_all(self, req):
++    return SERVICES_LIST
+ 
+ 
+ def stub_set_host_enabled(context, host, enabled):
+@@ -104,7 +109,7 @@ class HostTestCase(test.TestCase):
+         super(HostTestCase, self).setUp()
+         self.controller = os_hosts.HostController()
+         self.req = FakeRequest()
+-        self.stubs.Set(scheduler_api, 'get_host_list', stub_get_host_list)
++        self.stubs.Set(db, 'service_get_all', stub_service_get_all)
+         self.stubs.Set(self.controller.api, 'set_host_enabled',
+                        stub_set_host_enabled)
+         self.stubs.Set(self.controller.api, 'set_host_maintenance',
+-- 
+1.7.9.5
+
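
Review bot: the hosts.py hunk of the backported patch calls `db.service_get_all(context, False)`, but the patch carries no hunk that imports `db`, and its header (`-98,7 +97,10`) is offset by one line as if an earlier hunk in that file had been dropped. Please confirm that `db` is already imported in hosts.py and in test_hosts.py (where `self.stubs.Set(db, 'service_get_all', ...)` needs it) in 2012.1.1, or include the import hunk. Minor: `stub_service_get_all(self, req)` is called with `(context, False)`, so its parameter names are misleading.
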
diff --git a/debian/patches/series b/debian/patches/series
index 09870f1..368396f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ CVE-2013-0335_VNC-unit-tests-fixes.patch
 CVE-2013-1838-Nova_DoS_by_allocating_all_Fixed_IPs_essex.patch
 Fixed_broken_vncproxy_flush_tokens.patch
 CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch
+api_v1.1_os-hosts_does_not_return_a_list_of_hosts.patch
-- 
1.7.10.4

>From ee41980298466701db4235eef432e81c4fa28fe2 Mon Sep 17 00:00:00 2001
From: Thomas Goirand <thomas@goirand.fr>
Date: Sat, 13 Jul 2013 22:48:06 +0800
Subject: [PATCH 3/6] Updates debian/gbp.conf to use the debian/wheezy branch
 for building.

---
 debian/changelog |    1 +
 debian/gbp.conf  |    2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 6e6eaaf..6c73dd9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low
   * Refreshes various patches (removes offsets when applying).
   * Do not use file from /usr/share/doc/nova-compute-xen in postinst, thanks
     to Andreas Beckmann for reporting (Closes: #710507).
+  * Updates debian/gbp.conf to use the debian/wheezy branch for building.
 
  -- Thomas Goirand <zigo@debian.org>  Sat, 13 Jul 2013 22:26:11 +0800
 
diff --git a/debian/gbp.conf b/debian/gbp.conf
index ccf8702..91ccdf6 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = master
-debian-branch = debian/unstable
+debian-branch = debian/wheezy
 upstream-tag = %(version)s
 compression = xz
 
-- 
1.7.10.4

>From 3e006e5a949d6f2a57e1a84888d4a44dd1a354ba Mon Sep 17 00:00:00 2001
From: Thomas Goirand <thomas@goirand.fr>
Date: Sat, 13 Jul 2013 22:32:52 +0800
Subject: [PATCH 1/6]   * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image
 size during root disk     creation (Closes: #710157).  
 * Refreshes various patches (removes offsets when
 applying).

---
 debian/changelog                                   |    8 ++
 ...-volume-from-specifying-arbitrary-volumes.patch |   23 +++--
 ...335_VNC-proxy-can-connect-to-the-wrong-VM.patch |   57 ++++++-------
 ...ova_DoS_by_allocating_all_Fixed_IPs_essex.patch |   90 ++++++++++----------
 ...COW2_image_size_during_root_disk_creation.patch |   34 ++++++++
 .../Fixed_broken_vncproxy_flush_tokens.patch       |   36 ++++----
 debian/patches/series                              |    1 +
 7 files changed, 143 insertions(+), 106 deletions(-)
 create mode 100644 debian/patches/CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch

diff --git a/debian/changelog b/debian/changelog
index 4de16bf..3c5bf44 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low
+
+  * CVE-2013-2096: [OSSA 2013-012] Check QCOW2 image size during root disk
+    creation (Closes: #710157).
+  * Refreshes various patches (removes offsets when applying).
+
+ -- Thomas Goirand <zigo@debian.org>  Sat, 13 Jul 2013 22:26:11 +0800
+
 nova (2012.1.1-18) unstable; urgency=low
 
   * nova-common isn't anymore using /usr/share/doc to store configuration files
diff --git a/debian/patches/CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch b/debian/patches/CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch
new file mode 100644
index 0000000..000e0b3
--- /dev/null
+++ b/debian/patches/CVE-2013-2096_Check_QCOW2_image_size_during_root_disk_creation.patch
@@ -0,0 +1,34 @@
+Description: Check QCOW2 image size during root disk creation
+ glance can only tell us the size of the file, not the virtual
+ size of the QCOW2. As such we need to check the virtual size of
+ the image once its cached and ensure it's <= to the flavor's
+ root disk size. Based on I833467284126557eb598b8350a84e10c06292fa9
+Author: Jamie Strandboge <jamie@canonical.com>
+Origin: https://bugs.launchpad.net/nova/+bug/1177830/comments/21
+Bug-Ubuntu: https://launchpad.net/bugs/1177830
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710157
+Last-Update: 2013-07-13
+
+Index: nova/nova/virt/libvirt/connection.py
+===================================================================
+--- nova.orig/nova/virt/libvirt/connection.py	2013-07-13 22:30:01.000000000 +0800
++++ nova/nova/virt/libvirt/connection.py	2013-07-13 22:30:01.000000000 +0800
+@@ -1125,6 +1125,18 @@
+                 if cow:
+                     cow_base = base
+                     if size:
++                        # NOTE(cfb): Having a flavor that sets the root size to
++                        #            0 and having nova effectively ignore that
++                        #            size and use the size of the image is
++                        #            considered a feature at this time, not a
++                        #            bug.
++                        if os.path.exists(cow_base) and \
++                                size < disk.get_image_virtual_size(cow_base):
++                            LOG.error(_("%(base)s virtual size larger than "
++                                        "flavor root disk size %(size)s" %
++                                        {'base': cow_base, 'size': size}))
++                            raise exception.ImageTooLarge()
++
+                         size_gb = size / (1024 * 1024 * 1024)
+                         cow_base += "_%d" % size_gb
+                         if not os.path.exists(cow_base):
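
Review bot: in the added `LOG.error` call the `%` interpolation sits inside `_()`, so the message is formatted before the translation lookup; move it outside, as in `_("... %(size)s") % {'base': cow_base, 'size': size}`. The new check also runs only when `size` is non-zero and `os.path.exists(cow_base)` is true, so a flavor with root size 0 (called a feature in the NOTE) is still not bounded by this fix, which deserves a line in the changelog or NEWS. Since the patch touches only connection.py, please confirm that `disk.get_image_virtual_size` and `exception.ImageTooLarge` already exist in 2012.1.1.
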
diff --git a/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch b/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch
index 1ba22c2..b605564 100644
--- a/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch
+++ b/debian/patches/Fixed_broken_vncproxy_flush_tokens.patch
>From d67817dbf1a5406d43ae2eadec76d4fa291ca9e2 Mon Sep 17 00:00:00 2001
From: Thomas Goirand <thomas@goirand.fr>
Date: Sat, 13 Jul 2013 23:06:28 +0800
Subject: [PATCH 5/6]   * Add optional postgresql dependency to a number of
 init script to ensure     proper startup ordering if
 nova is configured to use a local postgresql    
 backend. (applied patch from jcristau).

---
 debian/changelog                          |    3 +++
 debian/nova-cert.init                     |    2 ++
 debian/nova-console.init                  |    2 ++
 debian/nova-console.nova-consoleauth.init |    2 ++
 debian/nova-scheduler.init                |    2 ++
 debian/nova-volume.init                   |    2 ++
 6 files changed, 13 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a873cb7..97340c6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,9 @@ nova (2012.1.1-18+deb7u1) wheezy-proposed-updates; urgency=low
   [ Julien Cristau ]
   * Fixes log rotation of nova-consoleauth.log and nova-xvpvncproxy.log
     (Closes: #706011).
+  * Add optional postgresql dependency to a number of init script to ensure
+    proper startup ordering if nova is configured to use a local postgresql
+    backend (Closes: #706013).
 
  -- Thomas Goirand <zigo@debian.org>  Sat, 13 Jul 2013 22:26:11 +0800
 
diff --git a/debian/nova-cert.init b/debian/nova-cert.init
index b8d822e..0b7edee 100644
--- a/debian/nova-cert.init
+++ b/debian/nova-cert.init
@@ -3,6 +3,8 @@
 # Provides:          nova-cert
 # Required-Start:    $network $local_fs $remote_fs $syslog
 # Required-Stop:     $remote_fs
+# Should-Start:      postgresql mysql
+# Should-Stop:       postgresql mysql
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Nova Cert server
diff --git a/debian/nova-console.init b/debian/nova-console.init
index 399354e..6a47de2 100644
--- a/debian/nova-console.init
+++ b/debian/nova-console.init
@@ -3,6 +3,8 @@
 # Provides:          nova-console
 # Required-Start:    $network $local_fs $remote_fs $syslog
 # Required-Stop:     $remote_fs
+# Should-Start:      postgresql mysql
+# Should-Stop:       postgresql mysql
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Nova Console for XenServer and XVP
diff --git a/debian/nova-console.nova-consoleauth.init b/debian/nova-console.nova-consoleauth.init
index 1a5f2a5..1103747 100644
--- a/debian/nova-console.nova-consoleauth.init
+++ b/debian/nova-console.nova-consoleauth.init
@@ -3,6 +3,8 @@
 # Provides:          nova-consoleauth
 # Required-Start:    $network $local_fs $remote_fs $syslog
 # Required-Stop:     $remote_fs
+# Should-Start:      postgresql mysql
+# Should-Stop:       postgresql mysql
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Nova Console auth system for XenServer and XVP
diff --git a/debian/nova-scheduler.init b/debian/nova-scheduler.init
index 19337af..de4dff4 100644
--- a/debian/nova-scheduler.init
+++ b/debian/nova-scheduler.init
@@ -3,6 +3,8 @@
 # Provides:          nova-scheduler
 # Required-Start:    $network $local_fs $remote_fs $syslog
 # Required-Stop:     $remote_fs
+# Should-Start:      postgresql mysql
+# Should-Stop:       postgresql mysql
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Nova Scheduler
diff --git a/debian/nova-volume.init b/debian/nova-volume.init
index ab77119..6392839 100644
--- a/debian/nova-volume.init
+++ b/debian/nova-volume.init
@@ -3,6 +3,8 @@
 # Provides:          nova-volume
 # Required-Start:    $network $local_fs $remote_fs $syslog
 # Required-Stop:     $remote_fs
+# Should-Start:      postgresql mysql
+# Should-Stop:       postgresql mysql
 # Default-Start:     2 3 4 5
 # Default-Stop:      0 1 6
 # Short-Description: Nova Volume
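
Review bot: the `Should-Start` and `Should-Stop` lines added to all five init scripts name `mysql` as well as `postgresql`, while the subject and the changelog entry mention only postgresql; please mention mysql in the changelog so the behaviour change for MySQL-backed installs is recorded. The diffstat covers nova-cert, nova-console, nova-consoleauth, nova-scheduler and nova-volume only, so it is also worth confirming that the remaining nova init scripts that need the database at startup already carry the same headers.
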
-- 
1.7.10.4

