Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package aws-efs-utils for openSUSE:Factory checked in at 2023-01-25 17:44:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/aws-efs-utils (Old) and /work/SRC/openSUSE:Factory/.aws-efs-utils.new.32243 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aws-efs-utils" Wed Jan 25 17:44:37 2023 rev:14 rq:1060937 version:1.34.5 Changes: -------- --- /work/SRC/openSUSE:Factory/aws-efs-utils/aws-efs-utils.changes 2023-01-03 15:06:37.454950713 +0100 +++ /work/SRC/openSUSE:Factory/.aws-efs-utils.new.32243/aws-efs-utils.changes 2023-01-25 18:03:46.774767587 +0100 @@ -1,0 +2,7 @@ +Wed Jan 25 10:50:15 UTC 2023 - John Paul Adrian Glaubitz <adrian.glaub...@suse.com> + +- Update to version 1.34.5 + * Handle invalid entries in /proc/mounts + * Detect invalid private key + +------------------------------------------------------------------- @@ -6 +13 @@ - state file as tlsport lock file + state file as tlsport lock file (bsc#1206737, CVE-2022-46174) Old: ---- efs-utils-1.34.4.tar.gz New: ---- efs-utils-1.34.5.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ aws-efs-utils.spec ++++++ --- /var/tmp/diff_new_pack.s6osQf/_old 2023-01-25 18:03:47.214769946 +0100 +++ /var/tmp/diff_new_pack.s6osQf/_new 2023-01-25 18:03:47.218769968 +0100 @@ -17,7 +17,7 @@ Name: aws-efs-utils -Version: 1.34.4 +Version: 1.34.5 Release: 0 Summary: Utilities for using the EFS file systems License: MIT ++++++ efs-utils-1.34.4.tar.gz -> efs-utils-1.34.5.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/amazon-efs-utils.spec new/efs-utils-1.34.5/amazon-efs-utils.spec --- old/efs-utils-1.34.4/amazon-efs-utils.spec 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/amazon-efs-utils.spec 2023-01-06 20:49:31.000000000 +0100 @@ -35,7 +35,7 @@ %endif Name : amazon-efs-utils -Version : 1.34.4 +Version : 1.34.5 Release : 1%{platform} Summary : This package provides utilities for simplifying the use of EFS file systems 
@@ -137,6 +137,12 @@ %clean %changelog +* Wed Jan 1 2023 Ryan Stankiewicz <rjst...@amazon.com> - 1.34.5 +- Watchdog detect empty private key and regenerate +- Update man page +- Avoid redundant get_target_region call +- Handle invalid mount point name + * Tue Dec 13 2022 Ryan Stankiewicz <rjst...@amazon.com> - 1.34.4 - Fix potential tlsport selection collision by using state file as tlsport lock file. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/build-deb.sh new/efs-utils-1.34.5/build-deb.sh --- old/efs-utils-1.34.4/build-deb.sh 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/build-deb.sh 2023-01-06 20:49:31.000000000 +0100 @@ -11,7 +11,7 @@ BASE_DIR=$(pwd) BUILD_ROOT=${BASE_DIR}/build/debbuild -VERSION=1.34.4 +VERSION=1.34.5 RELEASE=1 DEB_SYSTEM_RELEASE_PATH=/etc/os-release diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/config.ini new/efs-utils-1.34.5/config.ini --- old/efs-utils-1.34.4/config.ini 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/config.ini 2023-01-06 20:49:31.000000000 +0100 @@ -7,5 +7,5 @@ # [global] -version=1.34.4 +version=1.34.5 release=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/dist/amazon-efs-utils.control new/efs-utils-1.34.5/dist/amazon-efs-utils.control --- old/efs-utils-1.34.4/dist/amazon-efs-utils.control 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/dist/amazon-efs-utils.control 2023-01-06 20:49:31.000000000 +0100 
@@ -1,6 +1,6 @@ Package: amazon-efs-utils Architecture: all -Version: 1.34.4 +Version: 1.34.5 Section: utils Depends: python3, nfs-common, stunnel4 (>= 4.56), openssl (>= 1.0.2), util-linux Priority: optional diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/man/mount.efs.8 new/efs-utils-1.34.5/man/mount.efs.8 --- old/efs-utils-1.34.4/man/mount.efs.8 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/man/mount.efs.8 2023-01-06 20:49:31.000000000 +0100 @@ -21,7 +21,8 @@ .IP \(bu A domain name that has a resolvable DNS-CNAME record, \ which in turn points to a fully-qualified EFS DNS name \ -in the form of "fs\-abcd1234\&.efs\&.us-east-1\&.amazonaws\&.com"\&. +in the form of "fs\-abcd1234\&.efs\&.us-east-1\&.amazonaws\&.com" \ +or "us\-east\-1a\&.fs\-abcd1234\&.efs\&.us-east-1\&.amazonaws\&.com"\&. .P \fImount-point\fR is the local directory \ on which the file system will be mounted\&. @@ -46,8 +47,8 @@ .\} .sp By default, when using the Amazon EFS mount helper with Transport \ -Layer Security (TLS), the mount helper enforces the use of Online \ -Certificate Status Protocol (OCSP) and certificate hostname checking\&. \ +Layer Security (TLS), the mount helper enforces the certificate hostname \ +checking and disables the use of Online Certificate Status Protocol (OCSP). \ These options can be configured in the config file located at \ \fI/etc/amazon/efs/efs\-utils\&.conf\&\fR. .sp 
@@ -69,14 +70,16 @@ .\} .TP \fBtls\fR -Mounts the EFS file system over TLS\&. +Mounts the EFS file system over TLS\&. For EC2 instances using Mac distributions, \ +this option is by default passed and the EFS file system is mounted over TLS\&. .TP \fBnotls\fR -Mounts the EFS file system without TLS. For EC2 instances using Mac distributions, \ -the default mount command mounts the EFS file system over TLS.\&. +Mounts the EFS file system without TLS, applies for Mac distributions only\&. .TP \fBtlsport=\fR\fIn\fR -Configure the TLS relay to listen on the specified port\&. +Configure the TLS relay to listen on the specified port\&. By default, the \ +tlsport is choosing randomly from port range defined in the config file located \ +at \fI/etc/amazon/efs/efs\-utils\&.conf\&\fR. .TP \fBverify=\fR\fIn\fR Verify TLS certificates using the specified stunnel verify level\&. For \ 
@@ -84,15 +87,16 @@ .TP \fBocsp / noocsp\fR Selects whether to perform OCSP validation on TLS certificates\&, \ -overriding /etc/amazon/efs/efs-utils.conf. \ +overriding /etc/amazon/efs/efs-utils.conf. By default OCSP is disabled. \ For more information, see \fBstunnel(8)\fR\&. .TP \fBiam\fR Use the system's IAM identity to authenticate with EFS. The mount helper will try \ -to retrieve the required IAM credentials from the following locations: the EC2 instance \ -profile, the AWS CLI credentials file (~/.aws/credentials), and the AWS CLI config \ -file (~/.aws/config). The first location that has credentials will be used. \ -This option requires the \fBtls\fR option\&. +to retrieve the required IAM credentials from the following locations: the aws credentials \ +URI passed by mount option, the AWS CLI credentials file (~/.aws/credentials), and the +AWS CLI config file (~/.aws/config), the AWS_CONTAINER_CREDENTIALS_RELATIVE_URI +environment variable, the AssumeRoleWithWebIdentity, the EC2 instance profile\&. +The first location that has credentials will be used. This option requires the \fBtls\fR option\&. .TP \fBaccesspoint\fR Mount the EFS file system using the specified access point. This option requires the \ @@ -109,7 +113,7 @@ Use the relative uri to lookup IAM credentials from ecs task metadata endpoint\&. .TP \fBcafile\fR -Use the cafile as the stunnel certificate authority file.\&. +Use the cafile as the stunnel certificate authority file\&. .TP \fBnetns\fR Mount the EFS file system to the specified network namespace\&. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/src/mount_efs/__init__.py new/efs-utils-1.34.5/src/mount_efs/__init__.py --- old/efs-utils-1.34.4/src/mount_efs/__init__.py 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/src/mount_efs/__init__.py 2023-01-06 20:49:31.000000000 +0100 
@@ -85,7 +85,7 @@ BOTOCORE_PRESENT = False -VERSION = "1.34.4" +VERSION = "1.34.5" SERVICE = "elasticfilesystem" AMAZON_LINUX_2_RELEASE_ID = "Amazon Linux release 2 (Karoo)" @@ -1390,22 +1390,18 @@ def check_network_target(fs_id): with open(os.devnull, "w") as devnull: - if not check_if_platform_is_mac(): - rc = subprocess.call( - ["systemctl", "is-active", "network.target"], - stdout=devnull, - stderr=devnull, - close_fds=True, - ) - else: - rc = subprocess.call( - ["sudo", "ifconfig", "en0"], - stdout=devnull, - stderr=devnull, - close_fds=True, - ) + rc = subprocess.call( + ["systemctl", "is-active", "network.target"], + stdout=devnull, + stderr=devnull, + close_fds=True, + ) if rc != 0: + # For fstab mount, the exit code 0 below is to avoid non-zero exit status causing instance to fail the + # local-fs.target boot up and then fail the network setup failure can result in the instance being unresponsive. + # https://docs.amazonaws.cn/en_us/efs/latest/ug/troubleshooting-efs-mounting.html#automount-fails + # fatal_error( 'Failed to mount %s because the network was not yet available, add "_netdev" to your mount options' % fs_id, @@ -1413,6 +1409,15 @@ ) +# This network status check is necessary for the fstab automount use case and should not be removed. +# efs-utils relies on the network to retrieve the instance metadata and get information e.g. region, to further parse +# the DNS name of file system to mount target IP address, we need a way to inform users to add `_netdev` option to fstab +# entry if they haven't do so. +# +# However, network.target status itself cannot accurately reflect the status of network reachability. +# We will replace this check with other accurate way such that even network.target is turned off while network is +# reachable, the mount can still proceed. +# def check_network_status(fs_id, init_system): if init_system != "systemd": logging.debug("Not testing network on non-systemd init systems") 
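Review bot: The new comment above `fatal_error(` in check_network_target is hard to parse ("fail the network setup failure can result in the instance being unresponsive") and refers to an "exit code 0 below" that is not visible here, because the remaining arguments of the `fatal_error` call lie outside the hunk, so a reader cannot confirm from this change that the call really exits with status 0. Suggested wording: `# fstab mounts must exit 0 here: a non-zero status fails local-fs.target at boot and can leave the instance unresponsive, see https://docs.amazonaws.cn/en_us/efs/latest/ug/troubleshooting-efs-mounting.html#automount-fails`. Dropping the macOS `ifconfig` branch is only safe because check_network_status returns early for non-systemd init systems (the sibling test hunk adds a `launchd` case for this), which deserves a one-line comment on check_network_target saying it is reached on systemd only. The explanatory comment added above check_network_status in the next hunk announces a planned replacement of the `network.target` check; consider prefixing that sentence with `# TODO:` so it is tracked rather than buried in prose.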
@@ -1562,7 +1567,6 @@ ) # common name for certificate signing request is max 64 characters cert_details["commonName"] = socket.gethostname()[0:64] - region = get_target_region(config) cert_details["region"] = region cert_details["certificateCreationTime"] = create_certificate( config, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/src/watchdog/__init__.py new/efs-utils-1.34.5/src/watchdog/__init__.py --- old/efs-utils-1.34.4/src/watchdog/__init__.py 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/src/watchdog/__init__.py 2023-01-06 20:49:31.000000000 +0100 @@ -56,7 +56,7 @@ AMAZON_LINUX_2_RELEASE_ID, AMAZON_LINUX_2_PRETTY_NAME, ] -VERSION = "1.34.4" +VERSION = "1.34.5" SERVICE = "elasticfilesystem" CONFIG_FILE = "/etc/amazon/efs/efs-utils.conf" @@ -658,7 +658,18 @@ if not check_if_running_on_macos(): with open(mount_file) as f: for mount in f: - mounts.append(Mount._make(mount.strip().split())) + try: + mounts.append(Mount._make(mount.strip().split())) + except Exception as e: + # Make sure nfs mounts being skipped are made apparent + if " nfs4 " in mount: + logging.warning( + 'Watchdog ignoring malformed nfs4 mount "%s": %s', mount, e + ) + else: + logging.debug( + 'Watchdog ignoring malformed mount "%s": %s', mount, e + ) else: # stat command on MacOS does not have '--file-system' option to verify the filesystem type of a mount point, # traverse all the mounts, and find if current mount point is already mounted 
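Review bot: After `region = get_target_region(config)` is removed, the following line `cert_details["region"] = region` depends on `region` being bound earlier in the enclosing function, which starts and ends outside this hunk; please confirm it is a parameter or an earlier assignment, since otherwise the failure is a `NameError` at certificate-creation time, not at import. A short comment such as `# region is resolved once by the caller and reused here` would make the dependency explicit for the next reader.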
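Review bot: `except Exception` in get_current_local_nfs_mounts is broader than the failure it handles: `Mount._make` raises `TypeError` when the field count is wrong, and catching everything turns unrelated bugs in the loop body into "malformed mount" debug messages. The logged `mount` is the raw line with its trailing newline, so every warning spans two log lines; suggested change: `except TypeError as e:` and `'Watchdog ignoring malformed nfs4 mount "%s": %s', mount.rstrip(), e` (same for the debug branch). The `" nfs4 " in mount` test is a reasonable heuristic because the kernel escapes whitespace in /proc/mounts paths, but it deserves a comment saying that only nfs4 lines are warned about because watchdog tracks only those. The enclosing function continues outside the hunk.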
@@ -1582,7 +1593,11 @@ def generate_key(): if os.path.isfile(key): - return + if os.path.getsize(key) == 0: + logging.info("Purging empty private key file") + os.remove(key) + else: + return cmd = ( "openssl genpkey -algorithm RSA -out %s -pkeyopt rsa_keygen_bits:3072" % key diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/test/mount_efs_test/test_check_network_status.py new/efs-utils-1.34.5/test/mount_efs_test/test_check_network_status.py --- old/efs-utils-1.34.4/test/mount_efs_test/test_check_network_status.py 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/test/mount_efs_test/test_check_network_status.py 2023-01-06 20:49:31.000000000 +0100 @@ -20,13 +20,21 @@ return mocker.patch("subprocess.call", side_effect=call_mock) -def test_non_systemd(mocker): +def test_non_systemd_init(mocker): call_mock = _mock_subprocess_call(mocker) mount_efs.check_network_status(FS_ID, "init") utils.assert_not_called(call_mock) + +def test_non_systemd_launchd(mocker): + call_mock = _mock_subprocess_call(mocker) + + mount_efs.check_network_status(FS_ID, "launchd") + + utils.assert_not_called(call_mock) + def test_systemd_network_up(mocker): call_mock = _mock_subprocess_call(mocker) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/test/mount_efs_test/test_main.py new/efs-utils-1.34.5/test/mount_efs_test/test_main.py --- old/efs-utils-1.34.4/test/mount_efs_test/test_main.py 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/test/mount_efs_test/test_main.py 2023-01-06 20:49:31.000000000 +0100 @@ -5,7 +5,7 @@ # the License. from contextlib import contextmanager -from unittest.mock import MagicMock, patch +from unittest.mock import MagicMock import pytest 
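Review bot: The new check in generate_key treats only a zero-byte key file as invalid; a truncated or otherwise corrupt non-empty private key still passes `os.path.isfile(key)` and is reused, although the changelog entry "Detect invalid private key" reads as if that case were covered too. A cheap parse check before returning, for example `openssl pkey -in <key> -noout` with a non-zero exit taking the same purge-and-regenerate path, would make the recovery robust for both cases (assuming `subprocess` is already imported in watchdog, as the `openssl genpkey` invocation below presumably needs it). There is also a small window between `os.path.getsize` and `os.remove` in which another process could have removed the file, so the removal should tolerate `FileNotFoundError`. The rest of generate_key lies outside the hunk.
```python
def generate_key():
    if os.path.isfile(key):
        # A zero-byte or unparsable key is purged so it is regenerated below.
        unparsable = subprocess.call(
            ["openssl", "pkey", "-in", key, "-noout"],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
        ) != 0
        if os.path.getsize(key) == 0 or unparsable:
            logging.info("Purging invalid private key file")
            try:
                os.remove(key)
            except FileNotFoundError:
                pass  # already removed by a concurrent run; regenerate anyway
        else:
            return
    # … unchanged: cmd = openssl genpkey … and the remainder of generate_key …
```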
@@ -72,6 +72,7 @@ mocker.patch("os.geteuid", return_value=100) bootstrap_logging_mock = mocker.patch("mount_efs.bootstrap_logging") + network_status_check_mock = mocker.patch("mount_efs.check_network_status") get_dns_mock = mocker.patch( "mount_efs.get_dns_name_and_fallback_mount_target_ip_address", return_value=("fs-deadbeef.efs.us-west-1.amazonaws.com", None), @@ -90,6 +91,7 @@ mount_efs.main() utils.assert_called_once(bootstrap_logging_mock) + utils.assert_called_once(network_status_check_mock) utils.assert_called_once(get_dns_mock) utils.assert_called_once(parse_arguments_mock) utils.assert_called_once(mount_mock) @@ -110,13 +112,31 @@ assert expected_err in err -@patch("mount_efs.check_network_target") -def test_main_tls(check_network, mocker): +def _test_main_macos(mocker, is_supported_macos_version, **kwargs): + mocker.patch("mount_efs.check_if_platform_is_mac", return_value=True) + mocker.patch( + "mount_efs.check_if_mac_version_is_supported", + return_value=is_supported_macos_version, + ) + _test_main(mocker, **kwargs) + + +def _test_main_macos_assert_error( + mocker, capsys, expected_err, is_supported_macos_version, **kwargs +): + mocker.patch("mount_efs.check_if_platform_is_mac", return_value=True) + mocker.patch( + "mount_efs.check_if_mac_version_is_supported", + return_value=is_supported_macos_version, + ) + _test_main_assert_error(mocker, capsys, expected_err, **kwargs) + + +def test_main_tls(mocker): _test_main(mocker, tls=True, tlsport=TLS_PORT) -@patch("mount_efs.check_network_target") -def test_main_no_tls(check_network, mocker): +def test_main_no_tls(mocker): _test_main(mocker, tls=False) 
@@ -278,24 +298,21 @@ def test_main_unsupported_macos(mocker, capsys): - mocker.patch("mount_efs.check_if_platform_is_mac", return_value=True) # Test for Catalina Client - mocker.patch("mount_efs.check_if_mac_version_is_supported", return_value=False) - expected_err = "We do not support EFS on MacOS" - _test_main_assert_error(mocker, capsys, expected_err, root=True) + _test_main_macos_assert_error( + mocker, capsys, expected_err, root=True, is_supported_macos_version=False + ) def test_main_supported_macos(mocker): - mocker.patch("mount_efs.check_if_platform_is_mac", return_value=True) - mocker.patch("mount_efs.check_if_mac_version_is_supported", return_value=True) - _test_main(mocker, tls=True, tlsport=TLS_PORT) + _test_main_macos( + mocker, is_supported_macos_version=True, tls=True, tlsport=TLS_PORT + ) -def test_main_tls_notls_option(mocker): - mocker.patch("mount_efs.check_if_platform_is_mac", return_value=True) - mocker.patch("mount_efs.check_if_mac_version_is_supported", return_value=True) - _test_main(mocker, notls=True) +def test_main_tls_notls_option_macos(mocker): + _test_main_macos(mocker, is_supported_macos_version=True, notls=True) def test_main_tls_ocsp_and_noocsp_option(mocker, capsys): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/efs-utils-1.34.4/test/watchdog_test/test_get_current_local_nfs_mounts.py new/efs-utils-1.34.5/test/watchdog_test/test_get_current_local_nfs_mounts.py --- old/efs-utils-1.34.4/test/watchdog_test/test_get_current_local_nfs_mounts.py 2022-12-14 07:13:07.000000000 +0100 +++ new/efs-utils-1.34.5/test/watchdog_test/test_get_current_local_nfs_mounts.py 2023-01-06 20:49:31.000000000 +0100 @@ -6,6 +6,8 @@ # the License. # +import logging + import watchdog MOUNT_FMT_LINE = "{address}:/ {mountpoint} {fs_type} {options} 0 0" 
@@ -62,6 +64,57 @@ assert {} == mounts +def test_invalid_mount_with_nfs(tmpdir, caplog): + mount_file = _create_mount_file( + tmpdir, + [ + MOUNT_FMT_LINE.format( + address="127.0.0.1", + mountpoint="/ mnt", + fs_type="nfs4", + options=DEFAULT_OPTS, + ) + ], + ) + with caplog.at_level(logging.WARNING): + mounts = watchdog.get_current_local_nfs_mounts(mount_file) + assert "Watchdog ignoring malformed nfs4 mount" in caplog.text + + +def test_invalid_mount_without_nfs(tmpdir, caplog): + mount_file = _create_mount_file( + tmpdir, + [ + MOUNT_FMT_LINE.format( + address="127.0.0.1", + mountpoint="/ mnt", + fs_type="overlay", + options=DEFAULT_OPTS, + ) + ], + ) + with caplog.at_level(logging.DEBUG): + mounts = watchdog.get_current_local_nfs_mounts(mount_file) + assert "Watchdog ignoring malformed mount" in caplog.text + + +def test_invalid_mount_arguments_without_nfs(tmpdir, caplog): + mount_file = _create_mount_file( + tmpdir, + [ + MOUNT_FMT_LINE.format( + address="127.0.0.1", + mountpoint="/ mnt", + fs_type="overlay", + options="rw,port= 12345", + ) + ], + ) + with caplog.at_level(logging.DEBUG): + mounts = watchdog.get_current_local_nfs_mounts(mount_file) + assert "Watchdog ignoring malformed mount" in caplog.text + + def test_local_nfs_mount(tmpdir): mount_file = _create_mount_file( tmpdir,
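Review bot: In the three new tests `mounts` is assigned but never checked; only the log text is asserted. Since the point of the change is that a malformed /proc/mounts line is skipped rather than aborting the parser, each test should also assert the returned mapping, mirroring the existing test immediately above the hunk: `assert {} == mounts`. Without it, a regression that logs the warning but still returns a partial or wrong mapping would pass.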