
Bug#882274: marked as done (stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api)



Your message dated Fri, 08 Dec 2017 08:29:16 +0000
with message-id <6677586ccb4c79c4bd09f871dc4597d1@mail.adam-barratt.org.uk>
and subject line Re: Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
has caused the Debian Bug report #882274,
regarding stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
882274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882274
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'd like to push for an update of Nova, to fix the nova-placement-api
package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a WSGI
application, that can work for example with libapache-mod-wsgi or others.

As a consequence, the init script for the start of nova-placement-api
simply doesn't work. So I'd like to make use of uwsgi, which is a very
good way to run WSGI applications. I've added a runtime depends on uwsgi,
and modified the startup script to use that. As I've used uwsgi in other
daemons, the modification is just 2 lines in the init template system
of openstack-pkg-tools, as per the attached debdiff.

This update, I'd like to push it in the soon coming security update for
Nova, through a security upload fixing CVE-2017-16239 / #882009. This
update is currently on hold, because the upstream patch adds a DoS hole.
Though the security team (ie: Sebastien Delafond) advised me wisely to
start the discussion with the release team about this new dependency
for nova-placement-api.

So, does the SRM agree to the attached change? (note: I've stripped
out the CVE fix from it)

Cheers,

Thomas Goirand (zigo)
diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog
--- nova-14.0.0/debian/changelog	2017-04-02 10:52:50.000000000 +0000
+++ nova-14.0.0/debian/changelog	2017-11-17 15:41:15.000000000 +0000
@@ -1,3 +1,13 @@
+nova (2:14.0.0-4+deb9u1) stretch-security; urgency=medium
+
+  * Fixed nova-placement-api init to use uwsgi. The old init file was simply
+    not working at all.
+
+ -- Thomas Goirand <zigo@debian.org>  Fri, 17 Nov 2017 15:41:15 +0000
+
 nova (2:14.0.0-4) unstable; urgency=medium
 
   [ David Rabel ]
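Review bot: the new 2:14.0.0-4+deb9u1 entry at the top of this hunk describes the init change but not the new runtime dependency on uwsgi-plugin-python that the same upload adds in debian/control. A dependency change in a stretch-security upload is the first thing a reviewer looks for, so give it its own bullet. The entry also has no bug reference; add one if a report tracks the broken init script.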
diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control
--- nova-14.0.0/debian/control	2017-04-02 10:52:50.000000000 +0000
+++ nova-14.0.0/debian/control	2017-11-17 15:41:15.000000000 +0000
@@ -653,6 +653,7 @@
 Architecture: all
 Depends: debconf,
          nova-common (= ${binary:Version}),
+         uwsgi-plugin-python,
          ${misc:Depends},
          ${ostack-lsb-base},
          ${python:Depends},
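Review bot: the added "uwsgi-plugin-python," line in Depends is unversioned, and the Package: field of the stanza lies outside the hunk context, so the diff does not show which binary package gains the dependency. Confirm that it is only the nova-placement-api stanza, and that uwsgi-plugin-python in stretch is the package that provides /usr/bin/uwsgi_python, which the init script change relies on.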
diff -Nru nova-14.0.0/debian/nova-placement-api.init.in nova-14.0.0/debian/nova-placement-api.init.in
--- nova-14.0.0/debian/nova-placement-api.init.in	2017-04-02 10:52:50.000000000 +0000
+++ nova-14.0.0/debian/nova-placement-api.init.in	2017-11-17 15:41:15.000000000 +0000
@@ -14,3 +14,5 @@
 DESC="OpenStack Compute Placement API"
 PROJECT_NAME=nova
 NAME=${PROJECT_NAME}-placement-api
+DAEMON=/usr/bin/uwsgi_python
+DAEMON_ARGS="--master --die-on-term --logto /var/log/nova/nova-placement-api.log --http-socket :8778 --wsgi-file /usr/bin/nova-placement-api"
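Review bot: "--http-socket :8778" in DAEMON_ARGS gives no address, so uwsgi listens on every interface and serves the placement API over plain HTTP. Consider binding to a specific address or making the listen address configurable, and note that TLS has to be terminated in front of it. DAEMON_ARGS also sets no --uid/--gid, so check that the init template drops privileges before starting DAEMON; otherwise uwsgi and the WSGI application run as root. With the port and log path hard-coded here, an administrator can only change them by editing the init script.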

--- End Message ---
--- Begin Message ---
On 2017-11-30 18:41, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
>> I'd like to push for an update of Nova, to fix the nova-placement-api
>> package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a
>> WSGI application, that can work for example with libapache-mod-wsgi
>> or others.
> [...]
>> This update, I'd like to push it in the soon coming security update
>> for Nova, through a security upload fixing CVE-2017-16239 / #882009.
>> This update is currently on hold, because the upstream patch adds a
>> DoS hole.
>> Though the security team (ie: Sebastien Delafond) advised me wisely
>> to start the discussion with the release team about this new
>> dependency for nova-placement-api.
>
> Dependency changes in stable updates always make me uneasy, but this
> sounds like a reasonable way of fixing the issue.
>
> Please close this bug once the security update has been released.

It was - as DSA 4056-1 - and the bug is still open, so closing.

Regards,

Adam

--- End Message ---
