Bug#866615: stretch-pu: package ganeti/2.15.2-7+deb9u1

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 866615@bugs.debian.org
Subject: Bug#866615: stretch-pu: package ganeti/2.15.2-7+deb9u1
From: Apollon Oikonomopoulos <apoikos@debian.org>
Date: Sat, 15 Jul 2017 13:30:46 +0300
Message-id: <[🔎] 20170715103046.fuv6nne54iocshlf@marvin.dmesg.gr>
Reply-to: Apollon Oikonomopoulos <apoikos@debian.org>, 866615@bugs.debian.org
In-reply-to: <[🔎] 1500112547.5317.181.camel@adam-barratt.org.uk>
References: <20170630141542.frnl6nxmz4uztyew@marvin.dmesg.gr> <[🔎] 1500112547.5317.181.camel@adam-barratt.org.uk>

Hi Adam,

Thanks for looking into this.

On 10:55 Sat 15 Jul     , Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> On Fri, 2017-06-30 at 17:15 +0300, Apollon Oikonomopoulos wrote:
> > I would like to update ganeti in Stretch to fix some outstanding issues 
> > and to introduce non-DSA SSH key support (see also #863320).
> > 
> > Regarding SSH key support, Ganeti by default manages node SSH keys at 
> > the cluster level. The latest stable releases still rely on DSA keys, 
> > which however are deemed weak and are not supported by our OpenSSH 
> > server version by default. Upstream has already introduced RSA & ECDSA 
> > key support, although it has not been released as part of a stable 
> > release in over a year, due to upstream development slowing down. I have 
> > thoroughly tested these changes on a couple production clusters I 
> > operate myself, as have others and found them to be working in order.
> 
> That's a non-trivial patch, as I'm sure you're aware. :-(

Yes, I am :-(. I realise you only have my word that it's working 
properly, so feel free to reject this part if you feel it's too risky 
for a stable update. OTOH, it's the only way for Ganeti's key management 
to work out-of-the box without having people re-enable DSA key support 
in their OpenSSH setup.

> > Apart from non-DSA key support, the proposed package fixes a number 
> > of issues encountered late in the Stretch freeze phase:
> > 
> >  - gnt-instance move does not work with stretch's socat version, as the 
> >    option specifying the TLS method socat uses has changed format. This 
> >    is fixed by removing the argument and letting socat pick the best TLS 
> >    method available (which is better than hardcoding the outdated TLS 
> >    1.0 anyway).
> >  - Instances using external storage cannot be failed over from dead 
> >    nodes (#864756). This has been fixed upstream, so we are simply 
> >    backporting the relevant commit.
> 
> This doesn't look like it's fixed in unstable yet?

Yes, you're right, I somehow missed that :(. I'll upload the fix to 
unstable ASAP.

Regards,
Apollon

Reply to:

References:
- Bug#866615: stretch-pu: package ganeti/2.15.2-7+deb9u1
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Processed: Re: Bug#868054: stretch-pu: package dwarfutils/20161124-1+deb9u1
Next by Date: Bug#868128: stretch-pu: package python-imaplib2/2.55-1
Previous by thread: Processed: Re: Bug#866615: stretch-pu: package ganeti/2.15.2-7+deb9u1
Next by thread: Bug#863970: jessie-pu: package debian-security-support/2016.06.02~deb8u1
Index(es):
- Date
- Thread