--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
- From: Thomas Goirand <zigo@debian.org>
- Date: Tue, 21 Nov 2017 00:45:37 +0100
- Message-id: <151122153736.5695.10990433292967715331.reportbug@buzig2.mirantis.com>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi,
I'd like to push for an update of Nova, to fix the nova-placement-api
package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a WSGI
application, that can work for example with libapache-mod-wsgi or others.
As a consequence, the init script for the start of nova-placement-api
simply doesn't work. So I'd like to make use of uwsgi, which is a very
good way to run WSGI applications. I've added a runtime depends on uwsgi,
and modified the startup script to use that. As I've used uwsgi in other
daemons, the modification is just 2 lines in the init template system
of openstack-pkg-tools, as per the attached debdiff.
This update, I'd like to push it in the soon coming security update for
Nova, through a security upload fixing CVE-2017-16239 / #882009. This
update is currently on hold, because the upstream patch adds a DoS hole.
Though the security team (ie: Sebastien Delafond) advised me wisely to
start the discussion with the release team about this new dependency
for nova-placement-api.
So, does the SRM agree to the attached change? (note: I've stripped
out the CVE fix from it)
Cheers,
Thomas Goirand (zigo)
diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog
--- nova-14.0.0/debian/changelog 2017-04-02 10:52:50.000000000 +0000
+++ nova-14.0.0/debian/changelog 2017-11-17 15:41:15.000000000 +0000
@@ -1,3 +1,13 @@
+nova (2:14.0.0-4+deb9u1) stretch-security; urgency=medium
+
+ * Fixed nova-placement-api init to use uwsgi. The old init file was simply
+ not working at all.
+
+ -- Thomas Goirand <zigo@debian.org> Fri, 17 Nov 2017 15:41:15 +0000
+
nova (2:14.0.0-4) unstable; urgency=medium
[ David Rabel ]
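Review bot: The new 2:14.0.0-4+deb9u1 entry records only the init script change and says nothing about the runtime dependency on uwsgi-plugin-python that this same debdiff adds in debian/control. For a stable upload, add a changelog line naming the new dependency so the change is visible to anyone reviewing the update from the changelog alone.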
diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control
--- nova-14.0.0/debian/control 2017-04-02 10:52:50.000000000 +0000
+++ nova-14.0.0/debian/control 2017-11-17 15:41:15.000000000 +0000
@@ -653,6 +653,7 @@
Architecture: all
Depends: debconf,
nova-common (= ${binary:Version}),
+ uwsgi-plugin-python,
${misc:Depends},
${ostack-lsb-base},
${python:Depends},
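Review bot: The added "uwsgi-plugin-python" entry in Depends is unversioned, while the init script in this debdiff hard-codes DAEMON=/usr/bin/uwsgi_python. Please confirm that the uwsgi-plugin-python package in stretch ships that exact path, so that the dependency by itself guarantees the daemon binary is present after upgrade.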
diff -Nru nova-14.0.0/debian/nova-placement-api.init.in nova-14.0.0/debian/nova-placement-api.init.in
--- nova-14.0.0/debian/nova-placement-api.init.in 2017-04-02 10:52:50.000000000 +0000
+++ nova-14.0.0/debian/nova-placement-api.init.in 2017-11-17 15:41:15.000000000 +0000
@@ -14,3 +14,5 @@
DESC="OpenStack Compute Placement API"
PROJECT_NAME=nova
NAME=${PROJECT_NAME}-placement-api
+DAEMON=/usr/bin/uwsgi_python
+DAEMON_ARGS="--master --die-on-term --logto /var/log/nova/nova-placement-api.log --http-socket :8778 --wsgi-file /usr/bin/nova-placement-api"
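Review bot: In DAEMON_ARGS, "--http-socket :8778" names no address, so the placement API will listen on every interface, and both the port and the log path are fixed in the init script rather than in a variable the administrator can override. Consider taking the bind address from configuration, with a narrower default where the deployment allows it. DAEMON_ARGS also carries no uid/gid option, so please confirm that the openstack-pkg-tools init template starts uwsgi as the nova user and not as root, and that this user can write /var/log/nova/nova-placement-api.log.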
--- End Message ---
--- Begin Message ---
- To: 882274-done@bugs.debian.org
- Cc: Thomas Goirand <zigo@debian.org>
- Subject: Re: Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Fri, 08 Dec 2017 08:29:16 +0000
- Message-id: <6677586ccb4c79c4bd09f871dc4597d1@mail.adam-barratt.org.uk>
- In-reply-to: <1512067262.2278.7.camel@adam-barratt.org.uk>
- References: <151122153736.5695.10990433292967715331.reportbug@buzig2.mirantis.com> <151122153736.5695.10990433292967715331.reportbug@buzig2.mirantis.com> <1512067262.2278.7.camel@adam-barratt.org.uk>
On 2017-11-30 18:41, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
> > I'd like to push for an update of Nova, to fix the nova-placement-api
> > package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a
> > WSGI application, that can work for example with libapache-mod-wsgi
> > or others.
> [...]
> > This update, I'd like to push it in the soon coming security update
> > for Nova, through a security upload fixing CVE-2017-16239 / #882009.
> > This update is currently on hold, because the upstream patch adds a
> > DoS hole.
> > Though the security team (ie: Sebastien Delafond) advised me wisely
> > to start the discussion with the release team about this new
> > dependency for nova-placement-api.
>
> Dependency changes in stable updates always make me uneasy, but this
> sounds like a reasonable way of fixing the issue.
>
> Please close this bug once the security update has been released.
It was - as DSA 4056-1 - and the bug is still open, so closing.
Regards,
Adam
--- End Message ---