Bug#941901: buster-pu: package octavia/3.0.0-3
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
Since Buster was frozen, I worked quite a long time on Octavia, and was
able to make the octavia-agent work properly, as well as building an
Octavia base image using Debian-only stuff [1]. It works super well
using the next version of OpenStack, i.e. Stein, while Buster has Rocky.
Though I'd like to be able to provide a working Amphorae image using
only stuff from Buster, if possible. This is what this update is about.
The update contains:
- Fix for the vrrp script template.
- Fix for detecting the OS from within Octavia itself.
- Fix for CVE-2019-17134, where the Amphora didn't enforce cert checking.
- Fix for the octavia-agent package init / systemd scripts.
Debdiff is attached. Please allow me to update the Octavia package in
Buster accordingly. Next up, I hope to be able to provide a Debian image
for Octavia through the official cdimage.debian.org repo. I'll do that
through Testing first.
Cheers,
Thomas Goirand (zigo)
[1] If you don't know what Octavia is, it is HAProxy as a service, with
a base virtual machine image containing HAProxy and the Octavia Agent.
This image is called "Amphorae", and can be used to provide load balancer
as a service. This is quite nice technology!
diff -Nru octavia-3.0.0/debian/changelog octavia-3.0.0/debian/changelog
--- octavia-3.0.0/debian/changelog 2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/changelog 2019-04-30 12:07:21.000000000 +0200
@@ -1,3 +1,14 @@
+octavia (3.0.0-3+deb10u1) buster; urgency=medium
+
+ * Fix octavia-agent binary in init/service file, fix the startup.
+ * Add Fix-osutils.py-to-detect-Debian.patch.
+ * CVE-2019-17134: Client certificates aren't checked properly in the Amphora.
+ Applied upstream patch (Closes: #941897):
+ - Add CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch.
+ * Add Fix_template_that_generates_vrrp_check_script.patch.
+
+ -- Thomas Goirand <zigo@debian.org> Tue, 30 Apr 2019 12:07:21 +0200
+
octavia (3.0.0-3) unstable; urgency=medium
* Add an octavia-agent package.
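Review bot: the changelog entry is stamped Tue, 30 Apr 2019, but the CVE-2019-17134 patch it introduces carries Date: 4 Oct 2019 and Last-Update: 2019-10-07, and the vrrp patch is dated 2019-08-26, so the entry is older than two of the patches it adds. Refresh the date (dch -r) before upload so the changelog and the debdiff file timestamps reflect when the backport was actually assembled.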
diff -Nru octavia-3.0.0/debian/octavia-agent.install octavia-3.0.0/debian/octavia-agent.install
--- octavia-3.0.0/debian/octavia-agent.install 1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent.install 2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,2 @@
+debian/octavia-agent-ramfs-start /sbin
+debian/octavia-agent-ramfs-stop /sbin
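Review bot: nothing in this debdiff invokes the two ramfs scripts: the init.in hunk only sets CONFIG_FILE and DAEMON, so after installation /sbin/octavia-agent-ramfs-start is never run unless something outside the diff calls it. Either wire them into the init script and unit as pre-start and post-stop steps, or state in the changelog how they are meant to be called. As a smaller point, /usr/sbin is the usual home for package-provided daemon helpers; /sbin is reserved for binaries needed before /usr is mounted, which these are not.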
diff -Nru octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in
--- octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in 2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent.octavia-agent.init.in 2019-04-30 12:07:21.000000000 +0200
@@ -17,3 +17,5 @@
NAME=${PROJECT_NAME}-agent
SYSTEM_USER=root
SYSTEM_GROUP=root
+CONFIG_FILE=/etc/octavia/amphora-agent.conf
+DAEMON=/usr/bin/amphora-agent
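Review bot: the changelog describes this as a fix to the "init/service file", but only the init.in template appears in the debdiff; if the systemd unit is generated from this template by the packaging tooling that is fine, otherwise the .service file needs the same ExecStart correction. The values themselves (DAEMON=/usr/bin/amphora-agent, CONFIG_FILE=/etc/octavia/amphora-agent.conf) are what the generic init skeleton expects, so the startup fix looks right.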
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-start octavia-3.0.0/debian/octavia-agent-ramfs-start
--- octavia-3.0.0/debian/octavia-agent-ramfs-start 1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-start 2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+modprobe brd rd_size=1024000 max_part=2 rd_nr=1
+passphrase=$(head /dev/urandom | tr -dc "a-zA-Z0-9" | fold -w 32 | head -n 1)
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print $3}')
+if [ -z "${certs_path}" ] ; then
+ certs_path=/var/lib/octavia/certs
+fi
+mkdir -p "${certs_path}"
+chown octavia:octavia ${certs_path}
+echo -n "${passphrase}" | cryptsetup luksFormat /dev/ram0 -
+echo -n "${passphrase}" | cryptsetup luksOpen /dev/ram0 certfs-ramfs -
+mkfs.ext2 /dev/mapper/certfs-ramfs
+mount /dev/mapper/certfs-ramfs ${certs_path}
+chown octavia:octavia ${certs_path}
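Review bot: `grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{print $3}'` is fragile: it also matches a commented-out `#base_cert_dir = ...` line (common in OpenStack sample configs) and any other key containing that substring, and `$3` assumes `key = value` spacing, so the ramdisk can end up mounted on a path taken from a commented default. Anchor the match, e.g. `grep -E '^base_cert_dir[[:space:]]*=' /etc/octavia/amphora-agent.conf | sed 's/^[^=]*=[[:space:]]*//'`. Two smaller points: `${certs_path}` is quoted in the mkdir line but not in the chown and mount lines, and `cryptsetup luksFormat` should be given `--batch-mode` so it can never block on a confirmation prompt during a non-interactive service start; a guard such as `[ -e /dev/mapper/certfs-ramfs ] && exit 0` would also keep a second invocation from reformatting the ramdisk underneath a mounted filesystem.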
diff -Nru octavia-3.0.0/debian/octavia-agent-ramfs-stop octavia-3.0.0/debian/octavia-agent-ramfs-stop
--- octavia-3.0.0/debian/octavia-agent-ramfs-stop 1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/octavia-agent-ramfs-stop 2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+certs_path=$(grep base_cert_dir /etc/octavia/amphora-agent.conf | awk '{printf $3}')
+umount "${certs_path}"
+cryptsetup luksClose /dev/mapper/certfs-ramfs
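Review bot: the stop script lacks the fallback the start script has: when base_cert_dir is not set, certs_path is empty, `umount ""` fails, and with `set -e` the `luksClose` is never reached, leaving the mapping and the key material on the ramdisk open. Add the same `/var/lib/octavia/certs` default and the same anchored grep as the start script, and use `print` rather than `printf $3`, since printf treats the field as a format string.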
diff -Nru octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
--- octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch 1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch 2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,73 @@
+Description: [PATCH] Fix urgent amphora two-way auth security bug
+ The value of gunicorn's option 'cert_reqs` for client-cert requirement
+ does not take a boolean, but rather `ssl.CERT_REQUIRED` which is `2`.
+ .
+Story: 2006660
+Task: 36916
+Author: Adam Harwell <flux.adam@gmail.com>
+Date: Fri, 4 Oct 2019 01:04:20 -0700
+SecurityImpact: CVE-2019-17134
+Change-Id: I5619f5e40d7c9a2ee7741bf4664c0d2d08963992
+Bug-Debian: https://bugs.debian.org/941897
+Origin: https://review.opendev.org/#/c/686544/
+Last-Update: 2019-10-07
+
+diff --git a/octavia/cmd/agent.py b/octavia/cmd/agent.py
+index 861ad75..759cf4b 100644
+--- a/octavia/cmd/agent.py
++++ b/octavia/cmd/agent.py
+@@ -15,6 +15,7 @@
+ # make sure PYTHONPATH includes the home directory if you didn't install
+
+ import multiprocessing as multiproc
++import ssl
+ import sys
+
+ import gunicorn.app.base
+@@ -74,7 +75,7 @@ def main():
+ 'timeout': CONF.amphora_agent.agent_request_read_timeout,
+ 'certfile': CONF.amphora_agent.agent_server_cert,
+ 'ca_certs': CONF.amphora_agent.agent_server_ca,
+- 'cert_reqs': True,
++ 'cert_reqs': ssl.CERT_REQUIRED,
+ 'preload_app': True,
+ 'accesslog': '/var/log/amphora-agent.log',
+ 'errorlog': '/var/log/amphora-agent.log',
+diff --git a/octavia/tests/unit/cmd/test_agent.py b/octavia/tests/unit/cmd/test_agent.py
+index 551ab56..22ca4ff 100644
+--- a/octavia/tests/unit/cmd/test_agent.py
++++ b/octavia/tests/unit/cmd/test_agent.py
+@@ -9,6 +9,7 @@
+ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ # License for the specific language governing permissions and limitations
+ # under the License.
++import ssl
+
+ import mock
+
+@@ -36,5 +37,11 @@ class TestAmphoraAgentCMD(base.TestCase):
+
+ agent.main()
+
++ # Ensure gunicorn is initialized with the correct cert_reqs option.
++ # This option is what enforces use of a valid client certificate.
++ self.assertEqual(
++ ssl.CERT_REQUIRED,
++ mock_amp.call_args[0][1]['cert_reqs'])
++
+ mock_health_proc.start.assert_called_once_with()
+ mock_amp_instance.run.assert_called_once()
+diff --git a/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
+new file mode 100644
+index 0000000..e348b14
+--- /dev/null
++++ b/releasenotes/notes/correct-amp-client-auth-vulnerability-6803f4bac2508e4c.yaml
+@@ -0,0 +1,5 @@
++---
++security:
++ - |
++ Correctly require two-way certificate authentication to connect to the
++ amphora agent API (CVE-2019-17134).
+--
+2.7.4
+
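Review bot: the Description could spell out the concrete consequence, which makes the severity obvious to a reader of the changelog: `True` is `1`, i.e. `ssl.CERT_OPTIONAL`, so gunicorn validated a client certificate only when one was presented and a TLS client that sent none was still admitted to the amphora agent API; `ssl.CERT_REQUIRED` (`2`) fails the handshake instead. The added unit test asserts on exactly the value handed to gunicorn in `mock_amp.call_args`, which is the right place to pin this. `Origin:` and `Change-Id` both point at the upstream review, so backport traceability is fine.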
diff -Nru octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch
--- octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch 1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/Fix-osutils.py-to-detect-Debian.patch 2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,19 @@
+Description: Fix is_os_name in osutils.py to detect Debian
+ Otherwise, the OCtavia agent just dies...
+Author: Thomas Goirand <zigo@debian.org>
+Forwarded: no
+Last-Update: 2019-04-30
+
+Index: octavia/octavia/amphorae/backends/agent/api_server/osutils.py
+===================================================================
+--- octavia.orig/octavia/amphorae/backends/agent/api_server/osutils.py
++++ octavia/octavia/amphorae/backends/agent/api_server/osutils.py
+@@ -233,7 +233,7 @@ class Ubuntu(BaseOS):
+
+ @classmethod
+ def is_os_name(cls, os_name):
+- return os_name in ['ubuntu']
++ return os_name in ['ubuntu', 'debian']
+
+ def cmd_get_version_of_installed_package(self, package_name):
+ name = self._map_package_name(package_name)
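Review bot: `Forwarded: no` is worth revisiting: accepting `debian` in the Ubuntu class is exactly what upstream needs for a Debian-based amphora image, so this should go upstream rather than remain a permanent Debian delta. The header also has a typo (`OCtavia`) and is thin on rationale; one sentence saying that the Ubuntu class is the right one to extend because Debian shares its package-management helpers (such as the `cmd_get_version_of_installed_package` shown in the context lines) would tell the next maintainer why no separate Debian class was added.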
diff -Nru octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch
--- octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch 1970-01-01 01:00:00.000000000 +0100
+++ octavia-3.0.0/debian/patches/Fix_template_that_generates_vrrp_check_script.patch 2019-04-30 12:07:21.000000000 +0200
@@ -0,0 +1,30 @@
+Author: Rene Luria <rene.luria@infomaniak.com>
+Subject: [PATCH] Fix template that generates vrrp check script
+ Correct the inline comment to not include an empty new line at the start
+ of generated /var/lib/octavia/vrrp/check_script.sh that leads to this
+ kind of error:
+ .
+ > Aug 26 11:49:32 amphora-12184e15-1ec3-4d80-98a7-c7d1ddb6716f
+ > Keepalived_vrrp[15265]: Error exec-ing command
+ > '/var/lib/octavia/vrrp/check_script.sh', error 8: Exec format error
+Date: Mon, 26 Aug 2019 13:50:42 +0200
+Change-Id: Icddd2873abeb56a389a35356995df6dde70872b2
+Origin: upstream, https://review.opendev.org/678525
+Last-Update: 2019-08-26
+
+diff --git a/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2 b/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
+index bb1eceb..e2c85c4 100644
+--- a/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
++++ b/octavia/amphorae/backends/agent/api_server/templates/keepalived_check_script.conf.j2
+@@ -13,7 +13,7 @@
+ # License for the specific language governing permissions and limitations
+ # under the License.
+ #
+-#}
++-#}
+ #!/bin/bash
+
+ # Don't try to run the directory when it is empty
+--
+2.7.4
+
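Review bot: the fix is correct (`-#}` strips the newline after the Jinja comment so `#!/bin/bash` is the first byte of the generated script, which is what keepalived's exec needs), but no test accompanies it; a unit test rendering keepalived_check_script.conf.j2 and asserting that the output starts with `#!` would keep a future template edit from reintroducing the "Exec format error" quoted in the header.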
diff -Nru octavia-3.0.0/debian/patches/series octavia-3.0.0/debian/patches/series
--- octavia-3.0.0/debian/patches/series 2019-01-21 17:28:54.000000000 +0100
+++ octavia-3.0.0/debian/patches/series 2019-04-30 12:07:21.000000000 +0200
@@ -1,2 +1,5 @@
fix-py36-compatibility.patch
install-missing-files.patch
+Fix-osutils.py-to-detect-Debian.patch
+CVE-2019-17134_Fix_urgent_amphora_two-way_auth_security_bug.patch
+Fix_template_that_generates_vrrp_check_script.patch