Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
From: Thomas Goirand <zigo@debian.org>
Date: Tue, 21 Nov 2017 00:45:37 +0100
Message-id: <[🔎] 151122153736.5695.10990433292967715331.reportbug@buzig2.mirantis.com>
Reply-to: Thomas Goirand <zigo@debian.org>, 882274@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'd like to push for an update of Nova, to fix the nova-placement-api
package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a WSGI
application, that can work for example with libapache-mod-wsgi or others.

As a consequence, the init script for the start of nova-placement-api
simply doesn't work. So I'd like to make use of uwsgi, which is a very
good way to run WSGI applications. I've added a runtime depends on uwsgi,
and modified the startup script to use that. As I've used uwsgi in other
daemons, the modification is just 2 lines in the init template system
of openstack-pkg-tools, as per the attached debdiff.

This update, I'd like to push it in the soon comming security update for
Nova, through a security upload fixing CVE-2017-16239 / #882009. This
update is currently on hold, because the upstream patch adds a DoS hole.
Though the security team (ie: Sebastien Delafond) advised me wisely to
start the discussion with the release team about this new dependency
for nova-placement-api.

So, does the SRM agree to the attached change? (note: I've stripped
out the CVE fix from it)

Cheers,

Thomas Goirand (zigo)

diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog
--- nova-14.0.0/debian/changelog	2017-04-02 10:52:50.000000000 +0000
+++ nova-14.0.0/debian/changelog	2017-11-17 15:41:15.000000000 +0000
@@ -1,3 +1,13 @@
+nova (2:14.0.0-4+deb9u1) stretch-security; urgency=medium
+
+  * Fixed nova-placement-api init to use uwsgi. The old init file was simply
+    not working at all.
+
+ -- Thomas Goirand <zigo@debian.org>  Fri, 17 Nov 2017 15:41:15 +0000
+
 nova (2:14.0.0-4) unstable; urgency=medium
 
   [ David Rabel ]
diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control
--- nova-14.0.0/debian/control	2017-04-02 10:52:50.000000000 +0000
+++ nova-14.0.0/debian/control	2017-11-17 15:41:15.000000000 +0000
@@ -653,6 +653,7 @@
 Architecture: all
 Depends: debconf,
          nova-common (= ${binary:Version}),
+         uwsgi-plugin-python,
          ${misc:Depends},
          ${ostack-lsb-base},
          ${python:Depends},
diff -Nru nova-14.0.0/debian/nova-placement-api.init.in nova-14.0.0/debian/nova-placement-api.init.in
--- nova-14.0.0/debian/nova-placement-api.init.in	2017-04-02 10:52:50.000000000 +0000
+++ nova-14.0.0/debian/nova-placement-api.init.in	2017-11-17 15:41:15.000000000 +0000
@@ -14,3 +14,5 @@
 DESC="OpenStack Compute Placement API"
 PROJECT_NAME=nova
 NAME=${PROJECT_NAME}-placement-api
+DAEMON=/usr/bin/uwsgi_python
+DAEMON_ARGS="--master --die-on-term --logto /var/log/nova/nova-placement-api.log --http-socket :8778 --wsgi-file /usr/bin/nova-placement-api"

Reply to:

Follow-Ups:
- Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Processed: Re: Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#881900: stretch-pu: package libofx/1:0.9.10-2+deb9u1
Next by Date: Bug#882200: transition: sox
Previous by thread: Processed: Re: Bug#882242: jessie-pu: package tor/0.2.5.15-1
Next by thread: Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
Index(es):
- Date
- Thread