commit 1f87aa036cd887e15240415d73c5ea5fc5b2e18a
Merge: ceb09b5 625c8ea
Author: Helga Velroyen <hel...@google.com>
Date: Mon Jan 4 17:07:50 2016 +0100
Merge branch 'stable-2.15' into stable-2.16 * stable-2.15 Add more documentation to testutils_ssh.py renew-crypto: use bulk-removal of SSH keys Use bulk-removal of SSH keys for single keys Bulk-removing SSH keys of diverse set of nodes Bulk-removal of SSH keys of normal nodes Bulk-remove SSH keys of potential master candidates Bulk-removal of SSH keys testutils: add keys to own 'authorized_keys' file Make mock SSH file manager deal with lists Don't deepcopy the config if the old value is not needed Revision bump for 2.15.2 Update NEWS file for 2.15.2 Compute lock allocation strictly * stable-2.14 Revision bump for 2.14.2 Update NEWS file for 2.14.2 Fix lines with more than 80 characters Add more detach/attach sequence tests Allow disk attachment to diskless instances Improve tests for attaching disks * stable-2.13 Revision bump for 2.13.3 Update NEWS file for 2.13.3 * stable-2.12 Bump revision number for 2.12.6 Update NEWS file for 2.12.6 Restrict showing of DRBD secret using types Calculate correct affected nodes set in InstanceChangeGroup * stable-2.11 Revision bump for 2.11.8 Update NEWS file for 2.11.8 * stable-2.10 Version bump for 2.10.8 Update NEWS file for 2.10.8 * stable-2.9 Bump revision number Update NEWS file for 2.9.7 release Improve RAPI section on security QA: Ensure the DRBD secret is not retrievable via RAPI Redact the DRBD secret in instance queries Do not attempt to use the DRBD secret in gnt-instance info Conflicts: NEWS configure.ac Resolutions: NEWS: merge contents in right order configure.ac: keep version number of 2.16 diff --cc NEWS index 898a739,f212ca2..3e8e00a --- a/NEWS +++ b/NEWS @@@ -2,55 -2,87 +2,137 @@@ New ==== +Version 2.16.0 beta2 +-------------------- + +*(unreleased)* + +Incompatible/important changes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- The options ``--no-node-setup`` of ``gnt-node add`` is disabled. 
+ Instead, the cluster configuration parameter ``modify_ssh_setup`` is + used to determine whether or not to manipulate the SSH setup of a new + node. + + +Version 2.16.0 beta1 +-------------------- + +*(Released Tue, 28 Jul 2015)* + +Incompatible/important changes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- The IAllocator protocol has been extended by a new ``allocate-secondary`` + request type. Currently, this new request type is only used when in disk + conversion to DRBD no secondary node is specified. As long as this new + feature is not used, a third-party IAllocator not aware of this extension can + be continued to be used. +- ``htools`` now also take into account N+1 redundancy for plain and shared + storage. To obtain the old behavior, add the ``--no-capacity-checks`` option. +- ``hail`` now tries to keep the overall cluster balanced; in particular it + now prefers more empty groups over groups that are internally more balanced. + +New features +~~~~~~~~~~~~ + +- ``hbal`` can now be made aware of common causes of failures (for + nodes). Look at ``hbal`` man page's LOCATION TAGS section for more details. +- ``hbal`` can now be made aware of desired location for instances. Look + at ``hbal`` man page's DESIRED LOCATION TAGS section for more details. +- Secret parameters are now readacted in job files + +New dependencies +~~~~~~~~~~~~~~~~ + +- Using the metadata daemon now requires the presence of the 'setcap' utility. + On Debian-based systems, it is available as a part of the 'libcap2-bin' + package. + + + Version 2.15.2 + -------------- + + *(Released Wed, 16 Dec 2015)* + + Important changes and security notes + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Security release. + + CVE-2015-7944 + + Ganeti provides a RESTful control interface called the RAPI. Its HTTPS + implementation is vulnerable to DoS attacks via client-initiated SSL + parameter renegotiation. 
While the interface is not meant to be exposed + publicly, due to the fact that it binds to all interfaces, we believe + some users might be exposing it unintentionally and are vulnerable. A + DoS attack can consume resources meant for Ganeti daemons and instances + running on the master node, making both perform badly. + + Fixes are not feasible due to the OpenSSL Python library not exposing + functionality needed to disable client-side renegotiation. Instead, we + offer instructions on how to control RAPI's exposure, along with info + on how RAPI can be setup alongside an HTTPS proxy in case users still + want or need to expose the RAPI interface. The instructions are + outlined in Ganeti's security document: doc/html/security.html + + CVE-2015-7945 + + Ganeti leaks the DRBD secret through the RAPI interface. Examining job + results after an instance information job reveals the secret. With the + DRBD secret, access to the local cluster network, and ARP poisoning, + an attacker can impersonate a Ganeti node and clone the disks of a + DRBD-based instance. While an attacker with access to the cluster + network is already capable of accessing any data written as DRBD + traffic is unencrypted, having the secret expedites the process and + allows access to the entire disk. + + Fixes contained in this release prevent the secret from being exposed + via the RAPI. The DRBD secret can be changed by converting an instance + to plain and back to DRBD, generating a new secret, but redundancy will + be lost until the process completes. + Since attackers with node access are capable of accessing some and + potentially all data even without the secret, we do not recommend that + the secret be changed for existing instances. 
+ + Minor changes + ~~~~~~~~~~~~~ + + - Allow disk aittachment to diskless instances + - Reduce memory footprint: Compute lock allocation strictly + - Calculate correct affected nodes set in InstanceChangeGroup + (Issue 1144) + - Reduce memory footprint: Don't keep input for error messages + - Use bulk-adding of keys in renew-crypto + - Reduce memory footprint: Send answers strictly + - Reduce memory footprint: Store keys as ByteStrings + - Reduce memory footprint: Encode UUIDs as ByteStrings + - Do not retry all requests after connection timeouts to prevent + repeated job submission + - Fix reason trails of expanding opcodes + - Make lockConfig call retryable + - Extend timeout for gnt-cluster renew-crypto + - Return the correct error code in the post-upgrade script + - Make OpenSSL refrain from DH altogether + - Fix faulty iallocator type check + - Improve cfgupgrade output in case of errors + - Fix upgrades of instances with missing creation time + - Support force option for deactivate disks on RAPI + - Make htools tolerate missing "dtotal" and "dfree" on luxi + - Fix default for --default-iallocator-params + - Renew-crypto: stop daemons on master node first + - Don't warn about broken SSH setup of offline nodes (Issue 1131) + - Fix computation in network blocks + - At IAlloc backend guess state from admin state + - Set node tags in iallocator htools backend + - Only search for Python-2 interpreters + - Handle Xen 4.3 states better + - Improve xl socat migrations ++>>>>>>> stable-2.15 + + Version 2.15.1 -------------- diff --cc lib/backend.py index 6c51df8,520a6e7..a787ed6 --- a/lib/backend.py +++ b/lib/backend.py @@@ -2027,9 -2132,10 +2138,11 @@@ def RenewSshKeys(node_uuids, node_names continue master_candidate = node_uuid in master_candidate_uuids potential_master_candidate = node_name in potential_master_candidates + node_list.append((node_uuid, node_name, master_candidate, + potential_master_candidate)) - keys_by_uuid = ssh.QueryPubKeyFile([node_uuid], 
key_file=pub_key_file) + keys_by_uuid = ssh.QueryPubKeyFile([node_uuid], + key_file=ganeti_pub_keys_file) if not keys_by_uuid: raise errors.SshUpdateError("No public key of node %s (UUID %s) found," " not generating a new key." @@@ -2061,9 -2165,22 +2172,22 @@@ logging.debug("Old key of node '%s' is the same as the current master" " key. Not deleting that key on the node.", node_name) + logging.debug("Removing old SSH keys of all master candidates.") + if node_info_to_remove: + node_errors = RemoveNodeSshKeyBulk( + node_info_to_remove, + master_candidate_uuids, + potential_master_candidates, + master_uuid=master_node_uuid) + if node_errors: + all_node_errors = all_node_errors + node_errors + + for (node_uuid, node_name, master_candidate, potential_master_candidate) \ + in node_list: + logging.debug("Generating new SSH key for node '%s'.", node_name) - _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map, - pub_key_file=pub_key_file, + _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map, new_key_type, + new_key_bits, pub_key_file=ganeti_pub_keys_file, ssconf_store=ssconf_store, noded_cert_file=noded_cert_file, run_cmd_fn=run_cmd_fn) -- Helga Velroyen Software Engineer hel...@google.com
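Review bot: The NEWS hunk commits a leftover merge-conflict marker: the line `++>>>>>>> stable-2.15` after "Improve xl socat migrations" at the end of the 2.15.2 section becomes part of the merged NEWS file, although the commit message says NEWS was resolved by merging contents in the right order. Drop that line from the resolution. Two typos in the same hunk are worth fixing while the file is open: "aittachment" in the 2.15.2 minor changes and "readacted" in the 2.16.0 beta1 new features.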
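Review bot: In the first lib/backend.py hunk (RenewSshKeys), `ssh.QueryPubKeyFile([node_uuid], key_file=ganeti_pub_keys_file)` is still called with a one-element list, and the `continue` just above it suggests this happens once per node, while the rest of this merge moves key removal to bulk operations. Since the call already takes a list of UUIDs, consider querying the public key file once for all nodes before the loop and looking each node up in the result. If the per-node lookup is intentional, a short comment saying why would help the next reader.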
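Review bot: In the second lib/backend.py hunk, errors returned by `RemoveNodeSshKeyBulk(...)` are only appended to `all_node_errors`, and the `for ... in node_list:` loop that follows still calls `_GenerateNodeSshKey` for every node, as far as the flattened indentation shows. For a key renewal that means a node whose old key could not be removed ends up with both the old and the new key authorized, and nothing in the visible lines logs that above debug level. Consider logging the failed removals at warning level at this point and documenting, in the function's docstring, that a non-empty error list means the rotation is incomplete for those nodes. Two smaller points in the same hunk: the debug message "Removing old SSH keys of all master candidates." is emitted before the `if node_info_to_remove:` check, so it appears even when there is nothing to remove, and `master_candidate` and `potential_master_candidate` are unpacked in the loop header but not used in the lines shown.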