On Mon, 4 Jan 2016 at 17:11 Helga Velroyen <hel...@google.com> wrote:
> commit 1f87aa036cd887e15240415d73c5ea5fc5b2e18a > Merge: ceb09b5 625c8ea > Author: Helga Velroyen <hel...@google.com> > Date: Mon Jan 4 17:07:50 2016 +0100 > > Merge branch 'stable-2.15' into stable-2.16 > > * stable-2.15 > Add more documentation to testutils_ssh.py > renew-crypto: use bulk-removal of SSH keys > Use bulk-removal of SSH keys for single keys > Bulk-removing SSH keys of diverse set of nodes > Bulk-removal of SSH keys of normal nodes > Bulk-remove SSH keys of potential master candidates > Bulk-removal of SSH keys > testutils: add keys to own 'authorized_keys' file > Make mock SSH file manager deal with lists > Don't deepcopy the config if the old value is not needed > Revision bump for 2.15.2 > Update NEWS file for 2.15.2 > Compute lock allocation strictly > > * stable-2.14 > Revision bump for 2.14.2 > Update NEWS file for 2.14.2 > Fix lines with more than 80 characters > Add more detach/attach sequence tests > Allow disk attachment to diskless instances > Improve tests for attaching disks > > * stable-2.13 > Revision bump for 2.13.3 > Update NEWS file for 2.13.3 > > * stable-2.12 > Bump revision number for 2.12.6 > Update NEWS file for 2.12.6 > Restrict showing of DRBD secret using types > Calculate correct affected nodes set in InstanceChangeGroup > > * stable-2.11 > Revision bump for 2.11.8 > Update NEWS file for 2.11.8 > > * stable-2.10 > Version bump for 2.10.8 > Update NEWS file for 2.10.8 > > * stable-2.9 > Bump revision number > Update NEWS file for 2.9.7 release > Improve RAPI section on security > QA: Ensure the DRBD secret is not retrievable via RAPI > Redact the DRBD secret in instance queries > Do not attempt to use the DRBD secret in gnt-instance info > > Conflicts: > NEWS > configure.ac > > Resolutions: > NEWS: merge contents in right order > configure.ac: keep version number of 2.16 > > diff --cc NEWS > index 898a739,f212ca2..3e8e00a > --- a/NEWS > +++ b/NEWS > @@@ -2,55 -2,87 +2,137 @@@ New > ==== > > > +Version 2.16.0 beta2 > 
+-------------------- > + > +*(unreleased)* > + > +Incompatible/important changes > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +- The options ``--no-node-setup`` of ``gnt-node add`` is disabled. > + Instead, the cluster configuration parameter ``modify_ssh_setup`` is > + used to determine whether or not to manipulate the SSH setup of a new > + node. > + > + > +Version 2.16.0 beta1 > +-------------------- > + > +*(Released Tue, 28 Jul 2015)* > + > +Incompatible/important changes > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +- The IAllocator protocol has been extended by a new > ``allocate-secondary`` > + request type. Currently, this new request type is only used when in > disk > + conversion to DRBD no secondary node is specified. As long as this new > + feature is not used, a third-party IAllocator not aware of this > extension can > + be continued to be used. > +- ``htools`` now also take into account N+1 redundancy for plain and > shared > + storage. To obtain the old behavior, add the ``--no-capacity-checks`` > option. > +- ``hail`` now tries to keep the overall cluster balanced; in particular > it > + now prefers more empty groups over groups that are internally more > balanced. > + > +New features > +~~~~~~~~~~~~ > + > +- ``hbal`` can now be made aware of common causes of failures (for > + nodes). Look at ``hbal`` man page's LOCATION TAGS section for more > details. > +- ``hbal`` can now be made aware of desired location for instances. Look > + at ``hbal`` man page's DESIRED LOCATION TAGS section for more details. > +- Secret parameters are now readacted in job files > + > +New dependencies > +~~~~~~~~~~~~~~~~ > + > +- Using the metadata daemon now requires the presence of the 'setcap' > utility. > + On Debian-based systems, it is available as a part of the 'libcap2-bin' > + package. 
> + > + > + Version 2.15.2 > + -------------- > + > + *(Released Wed, 16 Dec 2015)* > + > + Important changes and security notes > + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > + Security release. > + > + CVE-2015-7944 > + > + Ganeti provides a RESTful control interface called the RAPI. Its HTTPS > + implementation is vulnerable to DoS attacks via client-initiated SSL > + parameter renegotiation. While the interface is not meant to be exposed > + publicly, due to the fact that it binds to all interfaces, we believe > + some users might be exposing it unintentionally and are vulnerable. A > + DoS attack can consume resources meant for Ganeti daemons and instances > + running on the master node, making both perform badly. > + > + Fixes are not feasible due to the OpenSSL Python library not exposing > + functionality needed to disable client-side renegotiation. Instead, we > + offer instructions on how to control RAPI's exposure, along with info > + on how RAPI can be setup alongside an HTTPS proxy in case users still > + want or need to expose the RAPI interface. The instructions are > + outlined in Ganeti's security document: doc/html/security.html > + > + CVE-2015-7945 > + > + Ganeti leaks the DRBD secret through the RAPI interface. Examining job > + results after an instance information job reveals the secret. With the > + DRBD secret, access to the local cluster network, and ARP poisoning, > + an attacker can impersonate a Ganeti node and clone the disks of a > + DRBD-based instance. While an attacker with access to the cluster > + network is already capable of accessing any data written as DRBD > + traffic is unencrypted, having the secret expedites the process and > + allows access to the entire disk. > + > + Fixes contained in this release prevent the secret from being exposed > + via the RAPI. 
The DRBD secret can be changed by converting an instance > + to plain and back to DRBD, generating a new secret, but redundancy will > + be lost until the process completes. > + Since attackers with node access are capable of accessing some and > + potentially all data even without the secret, we do not recommend that > + the secret be changed for existing instances. > + > + Minor changes > + ~~~~~~~~~~~~~ > + > + - Allow disk aittachment to diskless instances > + - Reduce memory footprint: Compute lock allocation strictly > + - Calculate correct affected nodes set in InstanceChangeGroup > + (Issue 1144) > + - Reduce memory footprint: Don't keep input for error messages > + - Use bulk-adding of keys in renew-crypto > + - Reduce memory footprint: Send answers strictly > + - Reduce memory footprint: Store keys as ByteStrings > + - Reduce memory footprint: Encode UUIDs as ByteStrings > + - Do not retry all requests after connection timeouts to prevent > + repeated job submission > + - Fix reason trails of expanding opcodes > + - Make lockConfig call retryable > + - Extend timeout for gnt-cluster renew-crypto > + - Return the correct error code in the post-upgrade script > + - Make OpenSSL refrain from DH altogether > + - Fix faulty iallocator type check > + - Improve cfgupgrade output in case of errors > + - Fix upgrades of instances with missing creation time > + - Support force option for deactivate disks on RAPI > + - Make htools tolerate missing "dtotal" and "dfree" on luxi > + - Fix default for --default-iallocator-params > + - Renew-crypto: stop daemons on master node first > + - Don't warn about broken SSH setup of offline nodes (Issue 1131) > + - Fix computation in network blocks > + - At IAlloc backend guess state from admin state > + - Set node tags in iallocator htools backend > + - Only search for Python-2 interpreters > + - Handle Xen 4.3 states better > + - Improve xl socat migrations > ++>>>>>>> stable-2.15 > Consider this line removed :) > + > + > 
Version 2.15.1 > -------------- > > diff --cc lib/backend.py > index 6c51df8,520a6e7..a787ed6 > --- a/lib/backend.py > +++ b/lib/backend.py > @@@ -2027,9 -2132,10 +2138,11 @@@ def RenewSshKeys(node_uuids, node_names > continue > master_candidate = node_uuid in master_candidate_uuids > potential_master_candidate = node_name in potential_master_candidates > + node_list.append((node_uuid, node_name, master_candidate, > + potential_master_candidate)) > > - keys_by_uuid = ssh.QueryPubKeyFile([node_uuid], > key_file=pub_key_file) > + keys_by_uuid = ssh.QueryPubKeyFile([node_uuid], > + key_file=ganeti_pub_keys_file) > if not keys_by_uuid: > raise errors.SshUpdateError("No public key of node %s (UUID %s) > found," > " not generating a new key." > @@@ -2061,9 -2165,22 +2172,22 @@@ > logging.debug("Old key of node '%s' is the same as the current > master" > " key. Not deleting that key on the node.", > node_name) > > + logging.debug("Removing old SSH keys of all master candidates.") > + if node_info_to_remove: > + node_errors = RemoveNodeSshKeyBulk( > + node_info_to_remove, > + master_candidate_uuids, > + potential_master_candidates, > + master_uuid=master_node_uuid) > + if node_errors: > + all_node_errors = all_node_errors + node_errors > + > + for (node_uuid, node_name, master_candidate, > potential_master_candidate) \ > + in node_list: > + > logging.debug("Generating new SSH key for node '%s'.", node_name) > - _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map, > - pub_key_file=pub_key_file, > + _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map, new_key_type, > + new_key_bits, pub_key_file=ganeti_pub_keys_file, > ssconf_store=ssconf_store, > noded_cert_file=noded_cert_file, > run_cmd_fn=run_cmd_fn) > -- > > Helga Velroyen > Software Engineer > hel...@google.com > > Google Germany GmbH > Dienerstraße 12 > 80331 München > > Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle > Registergericht und -nummer: Hamburg, HRB 86891 > Sitz der Gesellschaft: 
Hamburg
>
> This e-mail is confidential. If you are not the right addressee please do
> not forward it, please inform the sender, and please erase this e-mail
> including any attachments. Thanks.
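Review bot: the `++>>>>>>> stable-2.15` line closing the 2.15.2 "Minor changes" list in the NEWS hunk is a leftover conflict marker; the `++` in both columns of the combined diff shows the line exists in neither parent and was introduced by the merge resolution itself, so the merge commit should be amended before it is pushed rather than patched in a follow-up. Two typos sit in the same hunk but are pre-existing on their branches, so they are better fixed on the oldest branch that carries them and merged up than edited in the merge commit: "Allow disk aittachment to diskless instances" (attachment) in the 2.15.2 list, which comes in from stable-2.15, and "Secret parameters are now readacted in job files" (redacted) in the 2.16.0 beta1 section already on stable-2.16.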
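Review bot: in the first RenewSshKeys hunk of lib/backend.py (around line 2138), the error raised when `ssh.QueryPubKeyFile` returns nothing still reads "not generating a new key", but in the new two-phase flow this raise sits in the collection loop, before any key has been removed or generated, and it aborts the renewal for every node, not only the one without a public key. The message should say that (for example "aborting key renewal"), and a short comment that this check deliberately runs for all nodes before the destructive phase would document why the later bulk removal is safe to do in one go. Minor: the node is appended to `node_list` before the key lookup; moving the `node_list.append(...)` below the `if not keys_by_uuid` check makes the invariant "every entry in node_list has a public key" obvious to the reader.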
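Review bot: in the second RenewSshKeys hunk (around line 2172), `RemoveNodeSshKeyBulk` removes the old keys of every node in `node_info_to_remove` before the loop that calls `_GenerateNodeSshKey` for each entry of `node_list`. Removal errors are collected into `all_node_errors`, but the generation loop has no equivalent collection in the visible lines, so a failure on one node (an unreachable host, a full disk) raises out of the loop after all old keys have already been removed, leaving the remaining nodes with neither old nor new key distributed. Either collect generation errors per node the way removal errors are, or generate and distribute the new keys first and remove the old ones only once every node has succeeded. Two nits: `all_node_errors = all_node_errors + node_errors` reads more naturally as `all_node_errors.extend(node_errors)`, and the "Removing old SSH keys of all master candidates." debug line is logged even when `node_info_to_remove` is empty; move it inside the `if`.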