Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked in at 2021-07-22 22:42:44

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Thu Jul 22 22:42:44 2021 rev:3 rq:907680 version:6.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2021-07-17 23:36:24.702074732 +0200 +++ /work/SRC/openSUSE:Factory/.keylime.new.1899/keylime.changes 2021-07-22 22:43:06.943218942 +0200 @@ -1,0 +2,11 @@ +Wed Jul 21 14:17:10 UTC 2021 - Alberto Planas Dominguez <apla...@suse.com> + +- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command + +------------------------------------------------------------------- +Mon Jul 19 14:57:45 UTC 2021 - Alberto Planas Dominguez <apla...@suse.com> + +- Adjust the default revocation notifier binding IP +- Default to CFSSL in keylime.conf + +------------------------------------------------------------------- New: ---- tenant-do_cvdelete-wait-until-404.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.8YsX1v/_old 2021-07-22 22:43:07.875217727 +0200 +++ /var/tmp/diff_new_pack.8YsX1v/_new 2021-07-22 22:43:07.875217727 +0200 @@ -37,6 +37,8 @@ Patch4: webapp-fix-tls-certs-paths.patch # PATCH-FIX-UPSTREAM check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch gh#keylime/keylime!695 Patch5: check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch +# PATCH-FIX-UPSTREAM tenant-do_cvdelete-wait-until-404.patch gh#keylime/keylime!711 +Patch6: tenant-do_cvdelete-wait-until-404.patch BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: firewall-macros ++++++ keylime.conf.diff ++++++ --- /var/tmp/diff_new_pack.8YsX1v/_old 2021-07-22 22:43:07.927217659 +0200 +++ /var/tmp/diff_new_pack.8YsX1v/_new 2021-07-22 22:43:07.927217659 +0200 
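Review bot: the keylime.changes entries "Adjust the default revocation notifier binding IP" and "Default to CFSSL in keylime.conf" (Mon Jul 19) should name the old and new values, because both change runtime behaviour for existing deployments: revocation_notifier_ip moves from 127.0.0.1 to 0.0.0.0, which makes the verifier's revocation service reachable on every interface instead of loopback only (presumably so that agents on other hosts can receive revocation events), and ca_implementation = cfssl makes keylime_ca depend on an external go binary. A one-line note per entry, e.g. "- Bind revocation notifier to 0.0.0.0 (was 127.0.0.1)", lets an administrator reviewing the update spot the exposure change without reading keylime.conf.diff.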
@@ -2,7 +2,13 @@ =================================================================== --- keylime-6.1.0.orig/keylime.conf +++ keylime-6.1.0/keylime.conf -@@ -16,7 +16,8 @@ ca_implementation = openssl +@@ -12,11 +12,13 @@ tls_check_hostnames = False + # Valid values are "cfssl" or "openssl". For cfssl to work, you must have the + # go binary installed in your path or in /usr/local/. + # Note: Revocation list generation is only supported by "cfssl". +-ca_implementation = openssl ++# ca_implementation = openssl ++ca_implementation = cfssl # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive # revocation events from the verifier. @@ -12,7 +18,7 @@ receive_revocation_port = 8992 #============================================================================= -@@ -24,11 +25,13 @@ receive_revocation_port = 8992 +@@ -24,11 +26,13 @@ receive_revocation_port = 8992 #============================================================================= # The binding address and port for the agent server @@ -28,7 +34,7 @@ registrar_port = 8890 # The name of the RSA key that Keylime should use for protecting shares of U/V. -@@ -68,7 +71,8 @@ extract_payload_zip = True +@@ -68,7 +72,8 @@ extract_payload_zip = True # 'dmidecode -s system-uuid'. # If you set this to "hostname", Keylime will use the full qualified domain # name of current host as the agent id. @@ -38,7 +44,7 @@ # Whether to listen for revocation notifications from the verifier or not. listen_notfications = True -@@ -129,7 +133,8 @@ ek_handle = generate +@@ -129,7 +134,8 @@ ek_handle = generate #============================================================================= # The IP address and port of verifier server binds to 
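Review bot: in the ca_implementation hunk, the comment two lines above the change states that cfssl only works if the go binary is installed in the path or under /usr/local/, but nothing in this request adds a matching runtime dependency (the keylime.spec hunk touches only Patch6 and BuildRequires lines). Either add a Requires or Recommends on the go toolchain next to Patch6, or say in the changelog that keylime_ca will fail with the packaged default until the administrator installs it; the gain is revocation-list generation, which the same comment says only cfssl supports.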
@@ -48,7 +54,17 @@ cloudverifier_port = 8881 # The address and port of registrar server that verifier communicates with -@@ -380,7 +385,8 @@ max_retries = 10 +@@ -241,7 +247,8 @@ revocation_notifier = True + # The revocation notifier IP address and port used to start the revocation service. + # If the 'revocation_notifier' option is set to "true", then the verifier + # automatically starts the revocation service. +-revocation_notifier_ip = 127.0.0.1 ++# revocation_notifier_ip = 127.0.0.1 ++revocation_notifier_ip = 0.0.0.0 + revocation_notifier_port = 8992 + + # The verifier limits the size of upload payloads (allowlists) which defaults to +@@ -380,7 +387,8 @@ max_retries = 10 # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. @@ -58,7 +74,7 @@ # Optional script to execute to check the EK and/or EK certificate against a # allowlist or any other additional EK processing you want to do. Runs in -@@ -406,7 +412,8 @@ ek_check_script= +@@ -406,7 +414,8 @@ ek_check_script= # The registrar's IP address and port used to communicate with other services # as well as the bind address for the registrar server. ++++++ tenant-do_cvdelete-wait-until-404.patch ++++++ >From 4773bae9c755dd50b3f7a38f4a9d4dacf3948809 Mon Sep 17 00:00:00 2001 From: Alberto Planas <apla...@suse.com> Date: Wed, 21 Jul 2021 16:06:51 +0200 Subject: [PATCH] tenant: do_cvdelete wait until 404 do_cvdelete sends a delete request and, if it receives a 202 response (accepted), actively iterates until the next get receives a 200 or 404. The issue is that a get of 200 implies that the object is still available, which causes the "update" operation to fail a bit later (update is a delete followed by an add, and this last action will fail if the object is still present). This patch changes the active polling to consider the agent deleted only when a 404 is received. Fix #711 
Signed-off-by: Alberto Planas <apla...@suse.com> --- keylime/tenant.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keylime/tenant.py b/keylime/tenant.py index 052674f8..7f9e1bb7 100755 --- a/keylime/tenant.py +++ b/keylime/tenant.py @@ -705,7 +705,7 @@ def do_cvdelete(self, verifier_check): verify=False ) - if response.status_code in (200, 404): + if response.status_code == 404: deleted = True break time.sleep(.4)
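Review bot: the revocation_notifier_ip hunk in keylime.conf.diff changes the verifier's default from 127.0.0.1 to 0.0.0.0, so the revocation service on port 8992 (revocation_notifier_port, the context line right below) now listens on all interfaces by default whenever revocation_notifier = True. Check that the firewalld service definition shipped with the package (the spec's firewall-macros BuildRequires suggests one exists) covers 8992, and state in the changelog that deployments which relied on the loopback default now have an additional externally reachable listener; leaving the old value as a commented line, as the hunk does, is good, but the comment should say why the default moved.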
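Review bot: with `if response.status_code == 404:` as the only exit, the polling loop in do_cvdelete no longer stops on any other status, and the visible context (`time.sleep(.4)` followed by another iteration) shows no iteration cap, so a verifier that keeps answering 200, or starts answering 500, would keep the tenant spinning. If the enclosing loop is already bounded (for example by the retries setting that the conf context shows as max_retries = 10), say so in the commit message; if not, add a ceiling that fails the delete with a clear error, and log any status other than 200 or 404 so an operator can tell a slow asynchronous delete from a broken verifier.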