Thanks, will send a separate patch for the nit.

On Mon, 4 Jan 2016 at 17:34 Hrvoje Ribicic <r...@google.com> wrote:

> LGTM - the nit might be better removed in a separate patch though.
>
> On Mon, Jan 4, 2016 at 5:11 PM, 'Helga Velroyen' via ganeti-devel <
> ganeti-devel@googlegroups.com> wrote:
>
>> commit 1f87aa036cd887e15240415d73c5ea5fc5b2e18a
>> Merge: ceb09b5 625c8ea
>> Author: Helga Velroyen <hel...@google.com>
>> Date:   Mon Jan 4 17:07:50 2016 +0100
>>
>>     Merge branch 'stable-2.15' into stable-2.16
>>
>>     * stable-2.15
>>       Add more documentation to testutils_ssh.py
>>       renew-crypto: use bulk-removal of SSH keys
>>       Use bulk-removal of SSH keys for single keys
>>       Bulk-removing SSH keys of diverse set of nodes
>>       Bulk-removal of SSH keys of normal nodes
>>       Bulk-remove SSH keys of potential master candidates
>>       Bulk-removal of SSH keys
>>       testutils: add keys to own 'authorized_keys' file
>>       Make mock SSH file manager deal with lists
>>       Don't deepcopy the config if the old value is not needed
>>       Revision bump for 2.15.2
>>       Update NEWS file for 2.15.2
>>       Compute lock allocation strictly
>>
>>     * stable-2.14
>>       Revision bump for 2.14.2
>>       Update NEWS file for 2.14.2
>>       Fix lines with more than 80 characters
>>       Add more detach/attach sequence tests
>>       Allow disk attachment to diskless instances
>>       Improve tests for attaching disks
>>
>>     * stable-2.13
>>       Revision bump for 2.13.3
>>       Update NEWS file for 2.13.3
>>
>>     * stable-2.12
>>       Bump revision number for 2.12.6
>>       Update NEWS file for 2.12.6
>>       Restrict showing of DRBD secret using types
>>       Calculate correct affected nodes set in InstanceChangeGroup
>>
>>     * stable-2.11
>>       Revision bump for 2.11.8
>>       Update NEWS file for 2.11.8
>>
>>     * stable-2.10
>>       Version bump for 2.10.8
>>       Update NEWS file for 2.10.8
>>
>>     * stable-2.9
>>       Bump revision number
>>       Update NEWS file for 2.9.7 release
>>       Improve RAPI section on security
>>       QA: Ensure the DRBD secret is not retrievable via RAPI
>>       Redact the DRBD secret in instance queries
>>       Do not attempt to use the DRBD secret in gnt-instance info
>>
>>     Conflicts:
>>       NEWS
>>       configure.ac
>>
>>     Resolutions:
>>       NEWS: merge contents in right order
>>       configure.ac: keep version number of 2.16
>>
>> diff --cc NEWS
>> index 898a739,f212ca2..3e8e00a
>> --- a/NEWS
>> +++ b/NEWS
>> @@@ -2,55 -2,87 +2,137 @@@ New
>>   ====
>>
>>
>>  +Version 2.16.0 beta2
>>  +--------------------
>>  +
>>  +*(unreleased)*
>>  +
>>  +Incompatible/important changes
>>  +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>  +
>>  +- The options ``--no-node-setup`` of ``gnt-node add`` is disabled.
>>
>
> Nit: s/options/option/
>
>
>>  +  Instead, the cluster configuration parameter ``modify_ssh_setup`` is
>>  +  used to determine whether or not to manipulate the SSH setup of a new
>>  +  node.
>>  +
>>  +
>>  +Version 2.16.0 beta1
>>  +--------------------
>>  +
>>  +*(Released Tue, 28 Jul 2015)*
>>  +
>>  +Incompatible/important changes
>>  +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>  +
>>  +- The IAllocator protocol has been extended by a new
>> ``allocate-secondary``
>>  +  request type. Currently, this new request type is only used when in
>> disk
>>  +  conversion to DRBD no secondary node is specified. As long as this new
>>  +  feature is not used, a third-party IAllocator not aware of this
>> extension can
>>  +  be continued to be used.
>>  +- ``htools`` now also take into account N+1 redundancy for plain and
>> shared
>>  +  storage. To obtain the old behavior, add the ``--no-capacity-checks``
>> option.
>>  +- ``hail`` now tries to keep the overall cluster balanced; in
>> particular it
>>  +  now prefers more empty groups over groups that are internally more
>> balanced.
>>  +
>>  +New features
>>  +~~~~~~~~~~~~
>>  +
>>  +- ``hbal`` can now be made aware of common causes of failures (for
>>  +  nodes). Look at ``hbal`` man page's LOCATION TAGS section for more
>> details.
>>  +- ``hbal`` can now be made aware of desired location for instances. Look
>>  +  at ``hbal`` man page's DESIRED LOCATION TAGS section for more details.
>>  +- Secret parameters are now readacted in job files
>>  +
>>  +New dependencies
>>  +~~~~~~~~~~~~~~~~
>>  +
>>  +- Using the metadata daemon now requires the presence of the 'setcap'
>> utility.
>>  +  On Debian-based systems, it is available as a part of the
>> 'libcap2-bin'
>>  +  package.
>>  +
>>  +
>> + Version 2.15.2
>> + --------------
>> +
>> + *(Released Wed, 16 Dec 2015)*
>> +
>> + Important changes and security notes
>> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> +
>> + Security release.
>> +
>> + CVE-2015-7944
>> +
>> + Ganeti provides a RESTful control interface called the RAPI. Its HTTPS
>> + implementation is vulnerable to DoS attacks via client-initiated SSL
>> + parameter renegotiation. While the interface is not meant to be exposed
>> + publicly, due to the fact that it binds to all interfaces, we believe
>> + some users might be exposing it unintentionally and are vulnerable. A
>> + DoS attack can consume resources meant for Ganeti daemons and instances
>> + running on the master node, making both perform badly.
>> +
>> + Fixes are not feasible due to the OpenSSL Python library not exposing
>> + functionality needed to disable client-side renegotiation. Instead, we
>> + offer instructions on how to control RAPI's exposure, along with info
>> + on how RAPI can be setup alongside an HTTPS proxy in case users still
>> + want or need to expose the RAPI interface. The instructions are
>> + outlined in Ganeti's security document: doc/html/security.html
>> +
>> + CVE-2015-7945
>> +
>> + Ganeti leaks the DRBD secret through the RAPI interface. Examining job
>> + results after an instance information job reveals the secret. With the
>> + DRBD secret, access to the local cluster network, and ARP poisoning,
>> + an attacker can impersonate a Ganeti node and clone the disks of a
>> + DRBD-based instance. While an attacker with access to the cluster
>> + network is already capable of accessing any data written as DRBD
>> + traffic is unencrypted, having the secret expedites the process and
>> + allows access to the entire disk.
>> +
>> + Fixes contained in this release prevent the secret from being exposed
>> + via the RAPI. The DRBD secret can be changed by converting an instance
>> + to plain and back to DRBD, generating a new secret, but redundancy will
>> + be lost until the process completes.
>> + Since attackers with node access are capable of accessing some and
>> + potentially all data even without the secret, we do not recommend that
>> + the secret be changed for existing instances.
>> +
>> + Minor changes
>> + ~~~~~~~~~~~~~
>> +
>> + - Allow disk aittachment to diskless instances
>> + - Reduce memory footprint: Compute lock allocation strictly
>> + - Calculate correct affected nodes set in InstanceChangeGroup
>> +   (Issue 1144)
>> + - Reduce memory footprint: Don't keep input for error messages
>> + - Use bulk-adding of keys in renew-crypto
>> + - Reduce memory footprint: Send answers strictly
>> + - Reduce memory footprint: Store keys as ByteStrings
>> + - Reduce memory footprint: Encode UUIDs as ByteStrings
>> + - Do not retry all requests after connection timeouts to prevent
>> +   repeated job submission
>> + - Fix reason trails of expanding opcodes
>> + - Make lockConfig call retryable
>> + - Extend timeout for gnt-cluster renew-crypto
>> + - Return the correct error code in the post-upgrade script
>> + - Make OpenSSL refrain from DH altogether
>> + - Fix faulty iallocator type check
>> + - Improve cfgupgrade output in case of errors
>> + - Fix upgrades of instances with missing creation time
>> + - Support force option for deactivate disks on RAPI
>> + - Make htools tolerate missing "dtotal" and "dfree" on luxi
>> + - Fix default for --default-iallocator-params
>> + - Renew-crypto: stop daemons on master node first
>> + - Don't warn about broken SSH setup of offline nodes (Issue 1131)
>> + - Fix computation in network blocks
>> + - At IAlloc backend guess state from admin state
>> + - Set node tags in iallocator htools backend
>> + - Only search for Python-2 interpreters
>> + - Handle Xen 4.3 states better
>> + - Improve xl socat migrations
>> ++>>>>>>> stable-2.15
>> +
>> +
>>   Version 2.15.1
>>   --------------
>>
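
Review bot: the resolved NEWS still carries a conflict marker. The `++>>>>>>> stable-2.15` line after "Improve xl socat migrations", at the end of the 2.15.2 entry, is introduced by the merge resolution itself and would land in the committed file, so it should be dropped before pushing. Two typos in the merged text could go into the same follow-up as the nit above: "readacted" (2.16.0 beta1, New features) and "aittachment" (2.15.2, Minor changes).
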
>> diff --cc lib/backend.py
>> index 6c51df8,520a6e7..a787ed6
>> --- a/lib/backend.py
>> +++ b/lib/backend.py
>> @@@ -2027,9 -2132,10 +2138,11 @@@ def RenewSshKeys(node_uuids, node_names
>>         continue
>>       master_candidate = node_uuid in master_candidate_uuids
>>       potential_master_candidate = node_name in
>> potential_master_candidates
>> +     node_list.append((node_uuid, node_name, master_candidate,
>> +                       potential_master_candidate))
>>
>>  -    keys_by_uuid = ssh.QueryPubKeyFile([node_uuid],
>> key_file=pub_key_file)
>>  +    keys_by_uuid = ssh.QueryPubKeyFile([node_uuid],
>>  +                                       key_file=ganeti_pub_keys_file)
>>       if not keys_by_uuid:
>>         raise errors.SshUpdateError("No public key of node %s (UUID %s)
>> found,"
>>                                     " not generating a new key."
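
Review bot: the layout of the tuples appended to `node_list` is undocumented here and is only implied by the unpacking in the later `for (node_uuid, node_name, master_candidate, potential_master_candidate) in node_list` loop. A one-line comment at the `node_list.append(...)` call naming the four fields would keep the two loops in step if either is changed later.
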
>> @@@ -2061,9 -2165,22 +2172,22 @@@
>>           logging.debug("Old key of node '%s' is the same as the current
>> master"
>>                         " key. Not deleting that key on the node.",
>> node_name)
>>
>> +   logging.debug("Removing old SSH keys of all master candidates.")
>> +   if node_info_to_remove:
>> +     node_errors = RemoveNodeSshKeyBulk(
>> +         node_info_to_remove,
>> +         master_candidate_uuids,
>> +         potential_master_candidates,
>> +         master_uuid=master_node_uuid)
>> +     if node_errors:
>> +       all_node_errors = all_node_errors + node_errors
>> +
>> +   for (node_uuid, node_name, master_candidate,
>> potential_master_candidate) \
>> +       in node_list:
>> +
>>       logging.debug("Generating new SSH key for node '%s'.", node_name)
>>  -    _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map,
>>  -                        pub_key_file=pub_key_file,
>>  +    _GenerateNodeSshKey(node_uuid, node_name, ssh_port_map,
>> new_key_type,
>>  +                        new_key_bits, pub_key_file=ganeti_pub_keys_file,
>>                           ssconf_store=ssconf_store,
>>                           noded_cert_file=noded_cert_file,
>>                           run_cmd_fn=run_cmd_fn)
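
Review bot: the new `RemoveNodeSshKeyBulk(...)` call is not given `pub_key_file`, `ssconf_store`, `noded_cert_file` or `run_cmd_fn`, while the `_GenerateNodeSshKey(...)` call just below passes all four, with `pub_key_file=ganeti_pub_keys_file` after this merge. If the bulk helper accepts these parameters, they should be passed through so that key removal and key generation work on the same public key file and command runner instead of the helper's defaults. Smaller point in the same block: "Removing old SSH keys of all master candidates." is logged before the `if node_info_to_remove:` check, so it appears even when nothing is removed; moving the `logging.debug` call inside the `if` would keep the log accurate.
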
>> --
>>
>> Helga Velroyen
>> Software Engineer
>> hel...@google.com
>>
>> Google Germany GmbH
>> Dienerstraße 12
>> 80331 München
>>
>> Managing directors: Matthew Scott Sucherman, Paul Terence Manicle
>> Court of registration and number: Hamburg, HRB 86891
>> Registered office: Hamburg
>>
>> This e-mail is confidential. If you are not the right addressee please do
>> not forward it, please inform the sender, and please erase this e-mail
>> including any attachments. Thanks.
>>
>>
> Hrvoje Ribicic
> Ganeti Engineering
> Google Germany GmbH
> Dienerstr. 12, 80331, München
>
> --

Helga Velroyen
Software Engineer
hel...@google.com
