Thanks, will send a separate patch for the nit.

On Mon, 4 Jan 2016 at 17:34 Hrvoje Ribicic <r...@google.com> wrote:
> LGTM - the nit might be better removed in a separate patch though.
>
> On Mon, Jan 4, 2016 at 5:11 PM, 'Helga Velroyen' via ganeti-devel <ganeti-devel@googlegroups.com> wrote:
>
>> commit 1f87aa036cd887e15240415d73c5ea5fc5b2e18a
>> Merge: ceb09b5 625c8ea
>> Author: Helga Velroyen <hel...@google.com>
>> Date: Mon Jan 4 17:07:50 2016 +0100
>>
>> Merge branch 'stable-2.15' into stable-2.16
>>
>> * stable-2.15
>>   Add more documentation to testutils_ssh.py
>>   renew-crypto: use bulk-removal of SSH keys
>>   Use bulk-removal of SSH keys for single keys
>>   Bulk-removing SSH keys of diverse set of nodes
>>   Bulk-removal of SSH keys of normal nodes
>>   Bulk-remove SSH keys of potential master candidates
>>   Bulk-removal of SSH keys
>>   testutils: add keys to own 'authorized_keys' file
>>   Make mock SSH file manager deal with lists
>>   Don't deepcopy the config if the old value is not needed
>>   Revision bump for 2.15.2
>>   Update NEWS file for 2.15.2
>>   Compute lock allocation strictly
>>
>> * stable-2.14
>>   Revision bump for 2.14.2
>>   Update NEWS file for 2.14.2
>>   Fix lines with more than 80 characters
>>   Add more detach/attach sequence tests
>>   Allow disk attachment to diskless instances
>>   Improve tests for attaching disks
>>
>> * stable-2.13
>>   Revision bump for 2.13.3
>>   Update NEWS file for 2.13.3
>>
>> * stable-2.12
>>   Bump revision number for 2.12.6
>>   Update NEWS file for 2.12.6
>>   Restrict showing of DRBD secret using types
>>   Calculate correct affected nodes set in InstanceChangeGroup
>>
>> * stable-2.11
>>   Revision bump for 2.11.8
>>   Update NEWS file for 2.11.8
>>
>> * stable-2.10
>>   Version bump for 2.10.8
>>   Update NEWS file for 2.10.8
>>
>> * stable-2.9
>>   Bump revision number
>>   Update NEWS file for 2.9.7 release
>>   Improve RAPI section on security
>>   QA: Ensure the DRBD secret is not retrievable via RAPI
>>   Redact the DRBD secret in instance queries
>>   Do not attempt to use the DRBD secret in gnt-instance info
>>
>> Conflicts:
>>   NEWS
>>   configure.ac
>>
Resolutions: >> NEWS: merge contents in right order >> configure.ac: keep version number of 2.16 >> >> diff --cc NEWS >> index 898a739,f212ca2..3e8e00a >> --- a/NEWS >> +++ b/NEWS >> @@@ -2,55 -2,87 +2,137 @@@ New >> ==== >> >> >> +Version 2.16.0 beta2 >> +-------------------- >> + >> +*(unreleased)* >> + >> +Incompatible/important changes >> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> + >> +- The options ``--no-node-setup`` of ``gnt-node add`` is disabled. >> > > Nit: s/options/option/ > > >> + Instead, the cluster configuration parameter ``modify_ssh_setup`` is >> + used to determine whether or not to manipulate the SSH setup of a new >> + node. >> + >> + >> +Version 2.16.0 beta1 >> +-------------------- >> + >> +*(Released Tue, 28 Jul 2015)* >> + >> +Incompatible/important changes >> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> + >> +- The IAllocator protocol has been extended by a new >> ``allocate-secondary`` >> + request type. Currently, this new request type is only used when in >> disk >> + conversion to DRBD no secondary node is specified. As long as this new >> + feature is not used, a third-party IAllocator not aware of this >> extension can >> + be continued to be used. >> +- ``htools`` now also take into account N+1 redundancy for plain and >> shared >> + storage. To obtain the old behavior, add the ``--no-capacity-checks`` >> option. >> +- ``hail`` now tries to keep the overall cluster balanced; in >> particular it >> + now prefers more empty groups over groups that are internally more >> balanced. >> + >> +New features >> +~~~~~~~~~~~~ >> + >> +- ``hbal`` can now be made aware of common causes of failures (for >> + nodes). Look at ``hbal`` man page's LOCATION TAGS section for more >> details. >> +- ``hbal`` can now be made aware of desired location for instances. Look >> + at ``hbal`` man page's DESIRED LOCATION TAGS section for more details. 
>> +- Secret parameters are now readacted in job files >> + >> +New dependencies >> +~~~~~~~~~~~~~~~~ >> + >> +- Using the metadata daemon now requires the presence of the 'setcap' >> utility. >> + On Debian-based systems, it is available as a part of the >> 'libcap2-bin' >> + package. >> + >> + >> + Version 2.15.2 >> + -------------- >> + >> + *(Released Wed, 16 Dec 2015)* >> + >> + Important changes and security notes >> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> + >> + Security release. >> + >> + CVE-2015-7944 >> + >> + Ganeti provides a RESTful control interface called the RAPI. Its HTTPS >> + implementation is vulnerable to DoS attacks via client-initiated SSL >> + parameter renegotiation. While the interface is not meant to be exposed >> + publicly, due to the fact that it binds to all interfaces, we believe >> + some users might be exposing it unintentionally and are vulnerable. A >> + DoS attack can consume resources meant for Ganeti daemons and instances >> + running on the master node, making both perform badly. >> + >> + Fixes are not feasible due to the OpenSSL Python library not exposing >> + functionality needed to disable client-side renegotiation. Instead, we >> + offer instructions on how to control RAPI's exposure, along with info >> + on how RAPI can be setup alongside an HTTPS proxy in case users still >> + want or need to expose the RAPI interface. The instructions are >> + outlined in Ganeti's security document: doc/html/security.html >> + >> + CVE-2015-7945 >> + >> + Ganeti leaks the DRBD secret through the RAPI interface. Examining job >> + results after an instance information job reveals the secret. With the >> + DRBD secret, access to the local cluster network, and ARP poisoning, >> + an attacker can impersonate a Ganeti node and clone the disks of a >> + DRBD-based instance. 
While an attacker with access to the cluster >> + network is already capable of accessing any data written as DRBD >> + traffic is unencrypted, having the secret expedites the process and >> + allows access to the entire disk. >> + >> + Fixes contained in this release prevent the secret from being exposed >> + via the RAPI. The DRBD secret can be changed by converting an instance >> + to plain and back to DRBD, generating a new secret, but redundancy will >> + be lost until the process completes. >> + Since attackers with node access are capable of accessing some and >> + potentially all data even without the secret, we do not recommend that >> + the secret be changed for existing instances. >> + >> + Minor changes >> + ~~~~~~~~~~~~~ >> + >> + - Allow disk aittachment to diskless instances >> + - Reduce memory footprint: Compute lock allocation strictly >> + - Calculate correct affected nodes set in InstanceChangeGroup >> + (Issue 1144) >> + - Reduce memory footprint: Don't keep input for error messages >> + - Use bulk-adding of keys in renew-crypto >> + - Reduce memory footprint: Send answers strictly >> + - Reduce memory footprint: Store keys as ByteStrings >> + - Reduce memory footprint: Encode UUIDs as ByteStrings >> + - Do not retry all requests after connection timeouts to prevent >> + repeated job submission >> + - Fix reason trails of expanding opcodes >> + - Make lockConfig call retryable >> + - Extend timeout for gnt-cluster renew-crypto >> + - Return the correct error code in the post-upgrade script >> + - Make OpenSSL refrain from DH altogether >> + - Fix faulty iallocator type check >> + - Improve cfgupgrade output in case of errors >> + - Fix upgrades of instances with missing creation time >> + - Support force option for deactivate disks on RAPI >> + - Make htools tolerate missing "dtotal" and "dfree" on luxi >> + - Fix default for --default-iallocator-params >> + - Renew-crypto: stop daemons on master node first >> + - Don't warn about broken SSH 
setup of offline nodes (Issue 1131) >> + - Fix computation in network blocks >> + - At IAlloc backend guess state from admin state >> + - Set node tags in iallocator htools backend >> + - Only search for Python-2 interpreters >> + - Handle Xen 4.3 states better >> + - Improve xl socat migrations >> ++>>>>>>> stable-2.15 >> + >> + >> Version 2.15.1 >> -------------- >> >> diff --cc lib/backend.py >> index 6c51df8,520a6e7..a787ed6 >> --- a/lib/backend.py >> +++ b/lib/backend.py >> @@@ -2027,9 -2132,10 +2138,11 @@@ def RenewSshKeys(node_uuids, node_names >> continue >> master_candidate = node_uuid in master_candidate_uuids >> potential_master_candidate = node_name in >> potential_master_candidates >> + node_list.append((node_uuid, node_name, master_candidate, >> + potential_master_candidate)) >> >> - keys_by_uuid = ssh.QueryPubKeyFile([node_uuid], >> key_file=pub_key_file) >> + keys_by_uuid = ssh.QueryPubKeyFile([node_uuid], >> + key_file=ganeti_pub_keys_file) >> if not keys_by_uuid: >> raise errors.SshUpdateError("No public key of node %s (UUID %s) >> found," >> " not generating a new key." >> @@@ -2061,9 -2165,22 +2172,22 @@@ >> logging.debug("Old key of node '%s' is the same as the current >> master" >> " key. 
Not deleting that key on the node.", >> node_name) >> >> + logging.debug("Removing old SSH keys of all master candidates.") >> + if node_info_to_remove: >> + node_errors = RemoveNodeSshKeyBulk( >> + node_info_to_remove, >> + master_candidate_uuids, >> + potential_master_candidates, >> + master_uuid=master_node_uuid) >> + if node_errors: >> + all_node_errors = all_node_errors + node_errors >> + >> + for (node_uuid, node_name, master_candidate, >> potential_master_candidate) \ >> + in node_list: >> + >> logging.debug("Generating new SSH key for node '%s'.", node_name) >> - _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map, >> - pub_key_file=pub_key_file, >> + _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map, >> new_key_type, >> + new_key_bits, pub_key_file=ganeti_pub_keys_file, >> ssconf_store=ssconf_store, >> noded_cert_file=noded_cert_file, >> run_cmd_fn=run_cmd_fn) >> -- >> >> Helga Velroyen >> Software Engineer >> hel...@google.com >> >> Google Germany GmbH >> Dienerstraße 12 >> 80331 München >> >> Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle >> Registergericht und -nummer: Hamburg, HRB 86891 >> Sitz der Gesellschaft: Hamburg >> >> Diese E-Mail ist vertraulich. Wenn Sie nicht der richtige Adressat sind, >> leiten Sie diese bitte nicht weiter, informieren Sie den Absender und >> löschen Sie die E-Mail und alle Anhänge. Vielen Dank. >> >> This e-mail is confidential. If you are not the right addressee please do >> not forward it, please inform the sender, and please erase this e-mail >> including any attachments. Thanks. >> >> > Hrvoje Ribicic > Ganeti Engineering > Google Germany GmbH > Dienerstr. 12, 80331, München > > > Geschäftsführer: Matthew Scott Sucherman, Paul Terence Manicle > Registergericht und -nummer: Hamburg, HRB 86891 > Sitz der Gesellschaft: Hamburg > > Diese E-Mail ist vertraulich. 
--
Helga Velroyen
Software Engineer
hel...@google.com
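
Review bot: the merged NEWS still carries a conflict marker. The line `++>>>>>>> stable-2.15` directly after "Improve xl socat migrations", at the end of the 2.15.2 "Minor changes" list, is added by the merge itself and should be dropped so the resolution described as "merge contents in right order" leaves no marker behind. The follow-up patch for the "options" nit could also pick up the two misspellings visible in this hunk: "readacted" in the 2.16.0 beta1 "New features" list and "aittachment" in the 2.15.2 "Minor changes" list.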
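
Review bot: in the first lib/backend.py hunk (RenewSshKeys, @@ -2027), `ssh.QueryPubKeyFile([node_uuid], key_file=ganeti_pub_keys_file)` is still called once per node with a one-element list, although this merge moves the rest of the function to bulk handling and now collects every node in `node_list`. Since the call already takes a list, consider reading the public key file once for all UUIDs and looking up each node in the result, or add a comment saying why the per-node query is kept.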
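
Review bot: in the second lib/backend.py hunk (@@ -2061), errors returned by `RemoveNodeSshKeyBulk(...)` are only appended to `all_node_errors`, and the following `for ... in node_list:` loop then calls `_GenerateNodeSshKey` for every node regardless of whether removal of its old key succeeded. Please add a comment stating that this is intended, or skip nodes whose removal failed, so a reader can tell which keys remain authorized after a partial failure. Two smaller points in the same hunk: the debug line "Removing old SSH keys of all master candidates." is logged before the `if node_info_to_remove:` check and so appears even when nothing is removed, and the backslash continuation in the `for` header followed by an empty line would read better as a single unpacking statement inside the loop body.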