Bug#901331: stretch-pu: package ganeti/2.15.2-7+deb9u2
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear SRMs,
I would like to update ganeti in Stretch to resolve #895599, whereby
ganeti fails to "export" (aka dump) VMs because of an SSL verification
error. The bug is fixed by cherry-picking an upstream commit, already
included in 2.16 which is in unstable.
Full source debdiff attached.
Regards,
Apollon
diff -Nru ganeti-2.15.2/debian/changelog ganeti-2.15.2/debian/changelog
--- ganeti-2.15.2/debian/changelog 2017-10-03 17:31:05.000000000 +0300
+++ ganeti-2.15.2/debian/changelog 2018-06-11 17:42:10.000000000 +0300
@@ -1,3 +1,9 @@
+ganeti (2.15.2-7+deb9u2) stretch; urgency=medium
+
+ * Properly verify SSL certificates during VM export (Closes: #895599)
+
+ -- Apollon Oikonomopoulos <apoikos@debian.org> Mon, 11 Jun 2018 17:42:10 +0300
+
ganeti (2.15.2-7+deb9u1) stretch; urgency=medium
* Depend on lsb-base (>= 3.0.6) for init-functions.
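Review bot: the changelog entry could name the upstream commit being cherry-picked (7bb03511f6b13f83cc7cbc5fe6a30bd46105b0bd, per the patch header below) alongside the bug number, so the stable update stays traceable to its origin; e.g. "* Properly verify SSL certificates during VM export; cherry-pick upstream commit 7bb03511 (Closes: #895599)".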
diff -Nru ganeti-2.15.2/debian/patches/impexpd-fix-certificate-verification-with-new-socat.patch ganeti-2.15.2/debian/patches/impexpd-fix-certificate-verification-with-new-socat.patch
--- ganeti-2.15.2/debian/patches/impexpd-fix-certificate-verification-with-new-socat.patch 1970-01-01 02:00:00.000000000 +0200
+++ ganeti-2.15.2/debian/patches/impexpd-fix-certificate-verification-with-new-socat.patch 2018-06-11 17:42:10.000000000 +0300
@@ -0,0 +1,55 @@
+From 7bb03511f6b13f83cc7cbc5fe6a30bd46105b0bd Mon Sep 17 00:00:00 2001
+From: Apollon Oikonomopoulos <apoikos@debian.org>
+Date: Wed, 20 Dec 2017 12:57:12 +0200
+Subject: [PATCH] impexpd: fix certificate verification with new socat versions
+
+Socat versions after 1.7.3 verify the server certificate's subject
+against either the hostname, or the openssl-commonname option. Since
+ganeti uses 'ganeti.example.com' for all self-signed certs, certificate
+verification will fail, as socat will be told to connect to the node
+using its proper name.
+
+Fix this by passing the openssl-commonname option. Since this option is
+only available on newer socat versions and older socat versions will
+break when passed the unknown option, we need to parse `socat -V` output
+to check if we need to specify the option or not.
+
+This fixes #1226.
+
+Signed-off-by: Apollon Oikonomopoulos <apoikos@debian.org>
+---
+ lib/impexpd/__init__.py | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/lib/impexpd/__init__.py b/lib/impexpd/__init__.py
+index 97a9716cc..850bdb987 100644
+--- a/lib/impexpd/__init__.py
++++ b/lib/impexpd/__init__.py
+@@ -197,6 +197,24 @@ class CommandBuilder(object):
+ "intervall=1",
+ ] + common_addr_opts
+
++ # For socat versions >= 1.7.3, we need to also specify
++ # openssl-commonname, otherwise server certificate verification will
++ # fail.
++ socat = utils.RunCmd([SOCAT_PATH, "-V"])
++ # No need to check for errors here. If -V is not there, socat is really
++ # old. Any other failure will be handled when running the actual socat
++ # command.
++ for line in socat.output.splitlines():
++ match = re.match(r"socat version ((\d+\.)*(\d+))", line)
++ if match:
++ try:
++ version = tuple(int(x) for x in m.group(1).split('.'))
++ if version >= (1, 7, 3):
++ addr2 += ["openssl-commonname=%s" % constants.X509_CERT_CN]
++ except TypeError:
++ pass
++ break
++
+ else:
+ raise errors.GenericError("Invalid mode '%s'" % self._mode)
+
+--
+2.17.1
+
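Review bot: in the nested hunk for lib/impexpd/__init__.py the match object is bound as `match = re.match(r"socat version ((\d+\.)*(\d+))", line)` but read back as `m.group(1)`, so the new branch raises NameError on every socat that prints a version line, which is exactly the >= 1.7.3 case the patch exists for; it should read `version = tuple(int(x) for x in match.group(1).split('.'))`. The surrounding `except TypeError: pass` does not cover that failure. A second point worth a sentence in the commit message: once `openssl-commonname=%s` is pinned to the constant X509_CERT_CN that every node's certificate carries, the subject check no longer ties the connection to a particular node, so the assurance the export side gets comes from the certificate check itself rather than the name match.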
diff -Nru ganeti-2.15.2/debian/patches/series ganeti-2.15.2/debian/patches/series
--- ganeti-2.15.2/debian/patches/series 2017-10-03 14:09:55.000000000 +0300
+++ ganeti-2.15.2/debian/patches/series 2018-06-11 17:42:10.000000000 +0300
@@ -16,3 +16,4 @@
use-hv-class-to-check-for-migration.patch
do-not-specify-socat-ssl-method.patch
fix-failover-from-dead-node.patch
+impexpd-fix-certificate-verification-with-new-socat.patch