On Mon, 4 Jan 2016 at 17:11 Helga Velroyen <hel...@google.com> wrote:

> commit 1f87aa036cd887e15240415d73c5ea5fc5b2e18a
> Merge: ceb09b5 625c8ea
> Author: Helga Velroyen <hel...@google.com>
> Date:   Mon Jan 4 17:07:50 2016 +0100
>
>     Merge branch 'stable-2.15' into stable-2.16
>
>     * stable-2.15
>       Add more documentation to testutils_ssh.py
>       renew-crypto: use bulk-removal of SSH keys
>       Use bulk-removal of SSH keys for single keys
>       Bulk-removing SSH keys of diverse set of nodes
>       Bulk-removal of SSH keys of normal nodes
>       Bulk-remove SSH keys of potential master candidates
>       Bulk-removal of SSH keys
>       testutils: add keys to own 'authorized_keys' file
>       Make mock SSH file manager deal with lists
>       Don't deepcopy the config if the old value is not needed
>       Revision bump for 2.15.2
>       Update NEWS file for 2.15.2
>       Compute lock allocation strictly
>
>     * stable-2.14
>       Revision bump for 2.14.2
>       Update NEWS file for 2.14.2
>       Fix lines with more than 80 characters
>       Add more detach/attach sequence tests
>       Allow disk attachment to diskless instances
>       Improve tests for attaching disks
>
>     * stable-2.13
>       Revision bump for 2.13.3
>       Update NEWS file for 2.13.3
>
>     * stable-2.12
>       Bump revision number for 2.12.6
>       Update NEWS file for 2.12.6
>       Restrict showing of DRBD secret using types
>       Calculate correct affected nodes set in InstanceChangeGroup
>
>     * stable-2.11
>       Revision bump for 2.11.8
>       Update NEWS file for 2.11.8
>
>     * stable-2.10
>       Version bump for 2.10.8
>       Update NEWS file for 2.10.8
>
>     * stable-2.9
>       Bump revision number
>       Update NEWS file for 2.9.7 release
>       Improve RAPI section on security
>       QA: Ensure the DRBD secret is not retrievable via RAPI
>       Redact the DRBD secret in instance queries
>       Do not attempt to use the DRBD secret in gnt-instance info
>
>     Conflicts:
>       NEWS
>       configure.ac
>
>     Resolutions:
>       NEWS: merge contents in right order
>       configure.ac: keep version number of 2.16
>
> diff --cc NEWS
> index 898a739,f212ca2..3e8e00a
> --- a/NEWS
> +++ b/NEWS
> @@@ -2,55 -2,87 +2,137 @@@ New
>   ====
>
>
>  +Version 2.16.0 beta2
>  +--------------------
>  +
>  +*(unreleased)*
>  +
>  +Incompatible/important changes
>  +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  +
>  +- The options ``--no-node-setup`` of ``gnt-node add`` is disabled.
>  +  Instead, the cluster configuration parameter ``modify_ssh_setup`` is
>  +  used to determine whether or not to manipulate the SSH setup of a new
>  +  node.
>  +
>  +
>  +Version 2.16.0 beta1
>  +--------------------
>  +
>  +*(Released Tue, 28 Jul 2015)*
>  +
>  +Incompatible/important changes
>  +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>  +
>  +- The IAllocator protocol has been extended by a new
> ``allocate-secondary``
>  +  request type. Currently, this new request type is only used when in
> disk
>  +  conversion to DRBD no secondary node is specified. As long as this new
>  +  feature is not used, a third-party IAllocator not aware of this
> extension can
>  +  be continued to be used.
>  +- ``htools`` now also take into account N+1 redundancy for plain and
> shared
>  +  storage. To obtain the old behavior, add the ``--no-capacity-checks``
> option.
>  +- ``hail`` now tries to keep the overall cluster balanced; in particular
> it
>  +  now prefers more empty groups over groups that are internally more
> balanced.
>  +
>  +New features
>  +~~~~~~~~~~~~
>  +
>  +- ``hbal`` can now be made aware of common causes of failures (for
>  +  nodes). Look at ``hbal`` man page's LOCATION TAGS section for more
> details.
>  +- ``hbal`` can now be made aware of desired location for instances. Look
>  +  at ``hbal`` man page's DESIRED LOCATION TAGS section for more details.
>  +- Secret parameters are now readacted in job files
>  +
>  +New dependencies
>  +~~~~~~~~~~~~~~~~
>  +
>  +- Using the metadata daemon now requires the presence of the 'setcap'
> utility.
>  +  On Debian-based systems, it is available as a part of the 'libcap2-bin'
>  +  package.
>  +
>  +
> + Version 2.15.2
> + --------------
> +
> + *(Released Wed, 16 Dec 2015)*
> +
> + Important changes and security notes
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> + Security release.
> +
> + CVE-2015-7944
> +
> + Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
> + implementation is vulnerable to DoS attacks via client-initiated SSL
> + parameter renegotiation. While the interface is not meant to be exposed
> + publicly, due to the fact that it binds to all interfaces, we believe
> + some users might be exposing it unintentionally and are vulnerable. A
> + DoS attack can consume resources meant for Ganeti daemons and instances
> + running on the master node, making both perform badly.
> +
> + Fixes are not feasible due to the OpenSSL Python library not exposing
> + functionality needed to disable client-side renegotiation. Instead, we
> + offer instructions on how to control RAPI's exposure, along with info
> + on how RAPI can be setup alongside an HTTPS proxy in case users still
> + want or need to expose the RAPI interface. The instructions are
> + outlined in Ganeti's security document: doc/html/security.html
> +
> + CVE-2015-7945
> +
> + Ganeti leaks the DRBD secret through the RAPI interface. Examining job
> + results after an instance information job reveals the secret. With the
> + DRBD secret, access to the local cluster network, and ARP poisoning,
> + an attacker can impersonate a Ganeti node and clone the disks of a
> + DRBD-based instance. While an attacker with access to the cluster
> + network is already capable of accessing any data written as DRBD
> + traffic is unencrypted, having the secret expedites the process and
> + allows access to the entire disk.
> +
> + Fixes contained in this release prevent the secret from being exposed
> + via the RAPI. The DRBD secret can be changed by converting an instance
> + to plain and back to DRBD, generating a new secret, but redundancy will
> + be lost until the process completes.
> + Since attackers with node access are capable of accessing some and
> + potentially all data even without the secret, we do not recommend that
> + the secret be changed for existing instances.
> +
> + Minor changes
> + ~~~~~~~~~~~~~
> +
> + - Allow disk aittachment to diskless instances
> + - Reduce memory footprint: Compute lock allocation strictly
> + - Calculate correct affected nodes set in InstanceChangeGroup
> +   (Issue 1144)
> + - Reduce memory footprint: Don't keep input for error messages
> + - Use bulk-adding of keys in renew-crypto
> + - Reduce memory footprint: Send answers strictly
> + - Reduce memory footprint: Store keys as ByteStrings
> + - Reduce memory footprint: Encode UUIDs as ByteStrings
> + - Do not retry all requests after connection timeouts to prevent
> +   repeated job submission
> + - Fix reason trails of expanding opcodes
> + - Make lockConfig call retryable
> + - Extend timeout for gnt-cluster renew-crypto
> + - Return the correct error code in the post-upgrade script
> + - Make OpenSSL refrain from DH altogether
> + - Fix faulty iallocator type check
> + - Improve cfgupgrade output in case of errors
> + - Fix upgrades of instances with missing creation time
> + - Support force option for deactivate disks on RAPI
> + - Make htools tolerate missing "dtotal" and "dfree" on luxi
> + - Fix default for --default-iallocator-params
> + - Renew-crypto: stop daemons on master node first
> + - Don't warn about broken SSH setup of offline nodes (Issue 1131)
> + - Fix computation in network blocks
> + - At IAlloc backend guess state from admin state
> + - Set node tags in iallocator htools backend
> + - Only search for Python-2 interpreters
> + - Handle Xen 4.3 states better
> + - Improve xl socat migrations
> ++>>>>>>> stable-2.15
>

Consider this line removed :)


> +
> +
>   Version 2.15.1
>   --------------
>
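
Review bot: two typos in the merged NEWS text are worth fixing before this lands: "readacted" in the 2.16.0 beta1 "New features" list should be "redacted", and "aittachment" in the 2.15.2 "Minor changes" list should be "attachment" (the latter comes from stable-2.15, so it may be better fixed there and merged up). In the 2.16.0 beta2 entry, "The options ``--no-node-setup`` ... is disabled" should read "The option". With the `>>>>>>> stable-2.15` line dropped as noted above, also confirm that no matching `<<<<<<<` or `=======` marker remains elsewhere in NEWS.
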
> diff --cc lib/backend.py
> index 6c51df8,520a6e7..a787ed6
> --- a/lib/backend.py
> +++ b/lib/backend.py
> @@@ -2027,9 -2132,10 +2138,11 @@@ def RenewSshKeys(node_uuids, node_names
>         continue
>       master_candidate = node_uuid in master_candidate_uuids
>       potential_master_candidate = node_name in potential_master_candidates
> +     node_list.append((node_uuid, node_name, master_candidate,
> +                       potential_master_candidate))
>
>  -    keys_by_uuid = ssh.QueryPubKeyFile([node_uuid],
> key_file=pub_key_file)
>  +    keys_by_uuid = ssh.QueryPubKeyFile([node_uuid],
>  +                                       key_file=ganeti_pub_keys_file)
>       if not keys_by_uuid:
>         raise errors.SshUpdateError("No public key of node %s (UUID %s)
> found,"
>                                     " not generating a new key."
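
Review bot: at the `ssh.QueryPubKeyFile` call the stable-2.15 side passed `key_file=pub_key_file` and the resolution keeps `key_file=ganeti_pub_keys_file` from stable-2.16. The bulk-removal code coming in from stable-2.15 was written against the old name, so if `pub_key_file` is no longer a parameter or local of `RenewSshKeys` in 2.16, please check the rest of the merged function for remaining uses of it as a variable; a merge applies such lines cleanly and the problem only shows up at runtime.
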
> @@@ -2061,9 -2165,22 +2172,22 @@@
>           logging.debug("Old key of node '%s' is the same as the current
> master"
>                         " key. Not deleting that key on the node.",
> node_name)
>
> +   logging.debug("Removing old SSH keys of all master candidates.")
> +   if node_info_to_remove:
> +     node_errors = RemoveNodeSshKeyBulk(
> +         node_info_to_remove,
> +         master_candidate_uuids,
> +         potential_master_candidates,
> +         master_uuid=master_node_uuid)
> +     if node_errors:
> +       all_node_errors = all_node_errors + node_errors
> +
> +   for (node_uuid, node_name, master_candidate,
> potential_master_candidate) \
> +       in node_list:
> +
>       logging.debug("Generating new SSH key for node '%s'.", node_name)
>  -    _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map,
>  -                        pub_key_file=pub_key_file,
>  +    _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map, new_key_type,
>  +                        new_key_bits, pub_key_file=ganeti_pub_keys_file,
>                           ssconf_store=ssconf_store,
>                           noded_cert_file=noded_cert_file,
>                           run_cmd_fn=run_cmd_fn)
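
Review bot: the new `RemoveNodeSshKeyBulk(...)` call passes only `node_info_to_remove`, `master_candidate_uuids`, `potential_master_candidates` and `master_uuid`, while the `_GenerateNodeSshKey` call below it forwards `pub_key_file=ganeti_pub_keys_file`, `ssconf_store`, `noded_cert_file` and `run_cmd_fn`. If the bulk-removal function accepts the same overrides, forward them here as well; otherwise a caller or test that supplies a non-default key file or command runner gets old keys removed against the defaults and new keys generated against the overrides. Separately, the debug message "Removing old SSH keys of all master candidates." is logged before the `if node_info_to_remove:` check, so it appears even when nothing is removed; moving it inside the branch would keep the log accurate.
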
> --
>
> Helga Velroyen
> Software Engineer
> hel...@google.com
>
> Google Germany GmbH
> Dienerstraße 12
> 80331 München
>
> Managing Directors: Matthew Scott Sucherman, Paul Terence Manicle
> Court of registration and number: Hamburg, HRB 86891
> Registered office: Hamburg
>
> This e-mail is confidential. If you are not the right addressee please do
> not forward it, please inform the sender, and please erase this e-mail
> including any attachments. Thanks.
>
> --
