Hello community,
here is the log from the commit of package python-oslo.privsep for
openSUSE:Factory checked in at 2020-02-18 10:41:33
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-oslo.privsep (Old)
and /work/SRC/openSUSE:Factory/.python-oslo.privsep.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-oslo.privsep"
Tue Feb 18 10:41:33 2020 rev:11 rq:774918 version:1.33.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-oslo.privsep/python-oslo.privsep.changes
2019-05-03 22:42:36.503264433 +0200
+++
/work/SRC/openSUSE:Factory/.python-oslo.privsep.new.26092/python-oslo.privsep.changes
2020-02-18 10:41:47.109113413 +0100
@@ -1,0 +2,17 @@
+Wed Oct 9 12:28:01 UTC 2019 - [email protected]
+
+- update to version 1.33.3
+ - Pass correct arguments to six.reraise
+ - Cap Bandit below 1.6.0 and update Sphinx requirement
+ - OpenDev Migration Patch
+ - Convert dict keys received in _ClientChannel from byte to str
+ - Move doc related modules to doc/requirements.txt
+ - Replace git.openstack.org URLs with opendev.org URLs
+ - Add more usage documentation
+ - Self-resetting PrivContext
+ - Add sample_default for thread_pool_size Opt
+ - Update master for stable/stein
+ - Add Python 3 Train unit tests
+ - Reno for SIGHUP fix
+
+-------------------------------------------------------------------
Old:
----
oslo.privsep-1.32.1.tar.gz
New:
----
oslo.privsep-1.33.3.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-oslo.privsep.spec ++++++
--- /var/tmp/diff_new_pack.LgbhEe/_old 2020-02-18 10:41:47.645114506 +0100
+++ /var/tmp/diff_new_pack.LgbhEe/_new 2020-02-18 10:41:47.649114515 +0100
@@ -17,21 +17,19 @@
Name: python-oslo.privsep
-Version: 1.32.1
+Version: 1.33.3
Release: 0
Summary: OpenStack library for privilege separation
License: Apache-2.0
Group: Development/Languages/Python
URL: https://launchpad.net/oslo.privsep
-Source0:
https://files.pythonhosted.org/packages/source/o/oslo.privsep/oslo.privsep-1.32.1.tar.gz
+Source0:
https://files.pythonhosted.org/packages/source/o/oslo.privsep/oslo.privsep-1.33.3.tar.gz
BuildRequires: openstack-macros
-BuildRequires: python2-Sphinx
BuildRequires: python2-cffi >= 1.7.0
BuildRequires: python2-eventlet >= 0.18.2
BuildRequires: python2-greenlet >= 0.4.10
BuildRequires: python2-mock
BuildRequires: python2-msgpack >= 0.5.0
-BuildRequires: python2-openstackdocstheme
BuildRequires: python2-oslo.config >= 5.2.0
BuildRequires: python2-oslo.i18n >= 3.15.3
BuildRequires: python2-oslo.log >= 3.36.0
@@ -40,13 +38,11 @@
BuildRequires: python2-pbr
BuildRequires: python2-setuptools
BuildRequires: python2-stestr
-BuildRequires: python3-Sphinx
BuildRequires: python3-cffi >= 1.7.0
BuildRequires: python3-eventlet >= 0.18.2
BuildRequires: python3-greenlet >= 0.4.10
BuildRequires: python3-mock
BuildRequires: python3-msgpack >= 0.5.0
-BuildRequires: python3-openstackdocstheme
BuildRequires: python3-oslo.config >= 5.2.0
BuildRequires: python3-oslo.i18n >= 3.15.3
BuildRequires: python3-oslo.log >= 3.36.0
@@ -86,19 +82,21 @@
%package -n python-oslo.privsep-doc
Summary: oslo.privsep documentation
Group: Development/Languages/Python
-Requires: %{name} = %{version}
+BuildRequires: python3-Sphinx
+BuildRequires: python3-openstackdocstheme
+BuildRequires: python3-sphinxcontrib-apidoc
%description -n python-oslo.privsep-doc
Documentation for oslo.privsep
%prep
-%autosetup -p1 -n oslo.privsep-1.32.1
+%autosetup -p1 -n oslo.privsep-1.33.3
%py_req_cleanup
%build
%python_build
# generate html docs
-%{__python2} setup.py build_sphinx
+PBR_VERSION=%{version} %sphinx_build -b html doc/source doc/build/html
# remove the sphinx-build leftovers
rm -rf doc/build/html/.{doctrees,buildinfo}
++++++ _service ++++++
--- /var/tmp/diff_new_pack.LgbhEe/_old 2020-02-18 10:41:47.673114564 +0100
+++ /var/tmp/diff_new_pack.LgbhEe/_new 2020-02-18 10:41:47.677114572 +0100
@@ -1,8 +1,8 @@
<services>
<service mode="disabled" name="renderspec">
- <param
name="input-template">https://raw.githubusercontent.com/openstack/rpm-packaging/stable/stein/openstack/oslo.privsep/oslo.privsep.spec.j2</param>
+ <param
name="input-template">https://raw.githubusercontent.com/openstack/rpm-packaging/stable/train/openstack/oslo.privsep/oslo.privsep.spec.j2</param>
<param name="output-name">python-oslo.privsep.spec</param>
- <param
name="requirements">https://raw.githubusercontent.com/openstack/oslo.privsep/stable/stein/requirements.txt</param>
+ <param
name="requirements">https://raw.githubusercontent.com/openstack/oslo.privsep/stable/train/requirements.txt</param>
<param name="changelog-email">[email protected]</param>
<param name="changelog-provider">gh,openstack,oslo.privsep</param>
</service>
++++++ oslo.privsep-1.32.1.tar.gz -> oslo.privsep-1.33.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/.zuul.yaml
new/oslo.privsep-1.33.3/.zuul.yaml
--- old/oslo.privsep-1.32.1/.zuul.yaml 2019-02-28 19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/.zuul.yaml 2019-09-12 18:38:03.000000000 +0200
@@ -5,9 +5,7 @@
- lib-forward-testing-python3
- openstack-lower-constraints-jobs
- openstack-python-jobs
- - openstack-python35-jobs
- - openstack-python36-jobs
- - openstack-python37-jobs
+ - openstack-python3-train-jobs
- periodic-stable-jobs
- publish-openstack-docs-pti
- release-notes-jobs-python3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/AUTHORS
new/oslo.privsep-1.33.3/AUTHORS
--- old/oslo.privsep-1.32.1/AUTHORS 2019-02-28 19:05:39.000000000 +0100
+++ new/oslo.privsep-1.33.3/AUTHORS 2019-09-12 18:38:43.000000000 +0200
@@ -6,11 +6,14 @@
ChangBo Guo(gcb) <[email protected]>
Chuck Short <[email protected]>
Claudiu Belu <[email protected]>
+Corey Bryant <[email protected]>
Cédric Jeanneret <[email protected]>
Davanum Srinivas <[email protected]>
Dirk Mueller <[email protected]>
Doug Hellmann <[email protected]>
Eric Brown <[email protected]>
+Eric Fried <[email protected]>
+Eric Harney <[email protected]>
Flavio Percoco <[email protected]>
Hongbin Lu <[email protected]>
Javier Pena <[email protected]>
@@ -20,8 +23,10 @@
Kirill Bespalov <[email protected]>
OpenStack Release Bot <[email protected]>
Pavlo Shchelokovskyy <[email protected]>
+Rodolfo Alonso Hernandez <[email protected]>
Sam Wan <[email protected]>
Swapnil Kulkarni (coolsvap) <[email protected]>
+Thierry Carrez <[email protected]>
TommyLike <[email protected]>
Tony Breeds <[email protected]>
Vieri <[email protected]>
@@ -31,6 +36,8 @@
ZhijunWei <[email protected]>
ZhongShengping <[email protected]>
avnish <[email protected]>
+caoyuan <[email protected]>
+jacky06 <[email protected]>
liangcui <[email protected]>
loooosy <[email protected]>
melissaml <[email protected]>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/ChangeLog
new/oslo.privsep-1.33.3/ChangeLog
--- old/oslo.privsep-1.32.1/ChangeLog 2019-02-28 19:05:39.000000000 +0100
+++ new/oslo.privsep-1.33.3/ChangeLog 2019-09-12 18:38:43.000000000 +0200
@@ -1,6 +1,34 @@
CHANGES
=======
+1.33.3
+------
+
+* Reno for SIGHUP fix
+
+1.33.2
+------
+
+* Self-resetting PrivContext
+* Add Python 3 Train unit tests
+* Move doc related modules to doc/requirements.txt
+
+1.33.1
+------
+
+* Pass correct arguments to six.reraise
+* Cap Bandit below 1.6.0 and update Sphinx requirement
+* Replace git.openstack.org URLs with opendev.org URLs
+
+1.33.0
+------
+
+* OpenDev Migration Patch
+* Add more usage documentation
+* Convert dict keys received in \_ClientChannel from byte to str
+* Update master for stable/stein
+* Add sample\_default for thread\_pool\_size Opt
+
1.32.1
------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/PKG-INFO
new/oslo.privsep-1.33.3/PKG-INFO
--- old/oslo.privsep-1.32.1/PKG-INFO 2019-02-28 19:05:39.000000000 +0100
+++ new/oslo.privsep-1.33.3/PKG-INFO 2019-09-12 18:38:43.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: oslo.privsep
-Version: 1.32.1
+Version: 1.33.3
Summary: OpenStack library for privilege separation
Home-page: https://docs.openstack.org/oslo.privsep/latest/
Author: OpenStack
@@ -33,7 +33,7 @@
* Free software: Apache license
* Documentation: https://docs.openstack.org/oslo.privsep/latest/
- * Source: https://git.openstack.org/cgit/openstack/oslo.privsep
+ * Source: https://opendev.org/openstack/oslo.privsep
* Bugs: https://bugs.launchpad.net/oslo.privsep
* Release Notes: https://docs.openstack.org/releasenotes/oslo.privsep
@@ -53,4 +53,5 @@
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.5
+Classifier: Programming Language :: Python :: 3.6
+Classifier: Programming Language :: Python :: 3.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/README.rst
new/oslo.privsep-1.33.3/README.rst
--- old/oslo.privsep-1.32.1/README.rst 2019-02-28 19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/README.rst 2019-09-12 18:38:03.000000000 +0200
@@ -25,7 +25,7 @@
* Free software: Apache license
* Documentation: https://docs.openstack.org/oslo.privsep/latest/
-* Source: https://git.openstack.org/cgit/openstack/oslo.privsep
+* Source: https://opendev.org/openstack/oslo.privsep
* Bugs: https://bugs.launchpad.net/oslo.privsep
* Release Notes: https://docs.openstack.org/releasenotes/oslo.privsep
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/doc/requirements.txt
new/oslo.privsep-1.33.3/doc/requirements.txt
--- old/oslo.privsep-1.32.1/doc/requirements.txt 1970-01-01
01:00:00.000000000 +0100
+++ new/oslo.privsep-1.33.3/doc/requirements.txt 2019-09-12
18:38:03.000000000 +0200
@@ -0,0 +1,9 @@
+# The order of packages is significant, because pip processes them in the order
+# of appearance. Changing the order has an impact on the overall integration
+# process, which may cause wedges in the gate later.
+
+openstackdocstheme>=1.18.1 # Apache-2.0
+sphinx!=1.6.6,!=1.6.7,>=1.6.2,<2.0.0;python_version=='2.7' # BSD
+sphinx!=1.6.6,!=1.6.7,>=1.6.2;python_version>='3.4' # BSD
+reno>=2.5.0 # Apache-2.0
+sphinxcontrib-apidoc>=0.2.0 # BSD
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/doc/source/conf.py
new/oslo.privsep-1.33.3/doc/source/conf.py
--- old/oslo.privsep-1.32.1/doc/source/conf.py 2019-02-28 19:02:41.000000000
+0100
+++ new/oslo.privsep-1.33.3/doc/source/conf.py 2019-09-12 18:38:03.000000000
+0200
@@ -22,6 +22,7 @@
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
extensions = [
'sphinx.ext.autodoc',
+ 'sphinxcontrib.apidoc',
#'sphinx.ext.intersphinx',
'openstackdocstheme'
]
@@ -79,3 +80,7 @@
# Example configuration for intersphinx: refer to the Python standard library.
#intersphinx_mapping = {'http://docs.python.org/': None}
+
+# -- sphinxcontrib.apidoc configuration --------------------------------------
+apidoc_module_dir = '../../oslo_privsep'
+apidoc_output_dir = 'reference/api'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/doc/source/index.rst
new/oslo.privsep-1.33.3/doc/source/index.rst
--- old/oslo.privsep-1.32.1/doc/source/index.rst 2019-02-28
19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/doc/source/index.rst 2019-09-12
18:38:03.000000000 +0200
@@ -2,7 +2,16 @@
oslo.privsep
==============
-OpenStack library for privilege separation
+oslo.privsep is an OpenStack library for privilege separation.
+
+It helps applications perform actions which require more or less
+privileges than they were started with in a safe, easy to code
+and easy to use manner. For more information on why this is generally
+a good idea please read over the `principle of least privilege`_ and
+the `specification`_ which created this library.
+
+.. _principle of least privilege:
https://en.wikipedia.org/wiki/Principle_of_least_privilege
+.. _specification:
https://specs.openstack.org/openstack/oslo-specs/specs/liberty/privsep.html
Contents
========
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/doc/source/reference/index.rst
new/oslo.privsep-1.33.3/doc/source/reference/index.rst
--- old/oslo.privsep-1.32.1/doc/source/reference/index.rst 2019-02-28
19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/doc/source/reference/index.rst 2019-09-12
18:38:03.000000000 +0200
@@ -5,4 +5,4 @@
.. toctree::
:maxdepth: 2
- api/autoindex
+ api/modules
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/doc/source/user/index.rst
new/oslo.privsep-1.33.3/doc/source/user/index.rst
--- old/oslo.privsep-1.32.1/doc/source/user/index.rst 2019-02-28
19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/doc/source/user/index.rst 2019-09-12
18:38:03.000000000 +0200
@@ -2,14 +2,109 @@
Usage
=======
-To use oslo.privsep in a project::
+oslo.privsep lets you define in your code specific functions that will run
+in predefined privilege contexts. This lets you run functions with more (or
+less) privileges than the rest of the code. Privsep functions live in a
+specific ``privsep`` submodule (for example, ``nova.privsep`` for nova).
- import oslo_privsep
+Defining a context
+==================
-You can read the following blog posts in order to know a bit more:
+Contexts are defined in the ``privsep/__init__.py`` file. For example, this
+defines a sys_admin_pctxt with ``CAP_CHOWN``, ``CAP_DAC_OVERRIDE``,
+``CAP_DAC_READ_SEARCH``, ``CAP_FOWNER``, ``CAP_NET_ADMIN``, and
+``CAP_SYS_ADMIN`` rights (equivalent to ``sudo`` rights)::
+
+ from oslo_privsep import capabilities
+ from oslo_privsep import priv_context
+
+ sys_admin_pctxt = priv_context.PrivContext(
+ 'nova',
+ cfg_section='nova_sys_admin',
+ pypath=__name__ + '.sys_admin_pctxt',
+ capabilities=[capabilities.CAP_CHOWN,
+ capabilities.CAP_DAC_OVERRIDE,
+ capabilities.CAP_DAC_READ_SEARCH,
+ capabilities.CAP_FOWNER,
+ capabilities.CAP_NET_ADMIN,
+ capabilities.CAP_SYS_ADMIN],
+ )
+
+Defining a privileged function
+==============================
+
+Functions are defined in files under the ``privsep/`` subdirectory, for
+example in a ``privsep/motd.py`` file for functions touching the MOTD file.
+They make use of a decorator pointing to the context we defined above::
+
+ import nova.privsep
+
+ @nova.privsep.sys_admin_pctxt.entrypoint
+ def update_motd(message):
+ with open('/etc/motd', 'w') as f:
+ f.write(message)
+
+Privileged functions must be as simple, specialized and narrow as possible,
+so as to prevent further escalation. In this example, ``update_motd(message)``
+is narrow: it only allows the service to overwrite the MOTD file. If a more
+generic ``update_file(filename, content)`` was created, it could be used to
+overwrite any file in the filesystem, allowing easy escalation to root
+rights. That would defeat the whole purpose of oslo.privsep.
+
+
+Using a privileged function
+===========================
+
+To use the privileged function in the regular code, you can just call it::
+
+ import nova.privsep.motd
+ ...
+
+ nova.privsep.motd.update_motd('This node is currently idle')
+
+It is better to import the complete path (``import nova.privsep.motd``) rather
+than the motd name (``from nova.privsep import motd``) so that it is easier to
+spot that the function runs in a different privileged context.
+
+For more details, you can read the following blog post:
* `How to make a privileged call with oslo privsep`_
-* `Adding oslo privsep to a new project, a worked example`_
.. _How to make a privileged call with oslo privsep:
https://www.madebymikal.com/how-to-make-a-privileged-call-with-oslo-privsep/
+
+
+Converting from rootwrap to privsep
+===================================
+
+oslo.rootwrap is a precursor of oslo.privsep to allow code to run commands
+under sudo if they match a predefined filter. For example, you could define
+a filter that would allow you to run chmod as root using the following
+filter::
+
+ chmod: CommandFilter, chmod, root
+
+Beyond the bad performance of calling full commands in order to accomplish
+simple tasks, rootwrap also led to bad security: it was difficult to filter
+commands in a way that would not easily allow privilege escalation.
+
+Replacing rootwrap filters with privsep functions is easy. The chmod filter
+above can be replaced with a function that calls ``os.chmod()``. However a
+straight 1:1 filter:function replacement generally results in functions that
+are still too broad for good security. It is better to replace each chmod
+rootwrap *call* with a narrow privsep function that will limit it to specific
+files.
+
+Sometimes it is necessary to refactor the calling code: the rootwrap design
+discouraged the creation of new filters and therefore often resulted in the
+creation of overly-broad calling functions.
+
+As an example, this `patch series`_ is work-in-progress to transition Nova
+from rootwrap to privsep.
+
+For more details, you can read the following blog post:
+
+* `Adding oslo privsep to a new project, a worked example`_
+
+.. _patch series:
https://review.openstack.org/#/q/project:openstack/nova+branch:master+topic:my-own-personal-alternative-universe
+
.. _Adding oslo privsep to a new project, a worked example:
https://www.madebymikal.com/adding-oslo-privsep-to-a-new-project-a-worked-example/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/oslo.privsep.egg-info/PKG-INFO
new/oslo.privsep-1.33.3/oslo.privsep.egg-info/PKG-INFO
--- old/oslo.privsep-1.32.1/oslo.privsep.egg-info/PKG-INFO 2019-02-28
19:05:39.000000000 +0100
+++ new/oslo.privsep-1.33.3/oslo.privsep.egg-info/PKG-INFO 2019-09-12
18:38:43.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: oslo.privsep
-Version: 1.32.1
+Version: 1.33.3
Summary: OpenStack library for privilege separation
Home-page: https://docs.openstack.org/oslo.privsep/latest/
Author: OpenStack
@@ -33,7 +33,7 @@
* Free software: Apache license
* Documentation: https://docs.openstack.org/oslo.privsep/latest/
- * Source: https://git.openstack.org/cgit/openstack/oslo.privsep
+ * Source: https://opendev.org/openstack/oslo.privsep
* Bugs: https://bugs.launchpad.net/oslo.privsep
* Release Notes: https://docs.openstack.org/releasenotes/oslo.privsep
@@ -53,4 +53,5 @@
Classifier: Programming Language :: Python :: 2
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.5
+Classifier: Programming Language :: Python :: 3.6
+Classifier: Programming Language :: Python :: 3.7
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/oslo.privsep-1.32.1/oslo.privsep.egg-info/SOURCES.txt
new/oslo.privsep-1.33.3/oslo.privsep.egg-info/SOURCES.txt
--- old/oslo.privsep-1.32.1/oslo.privsep.egg-info/SOURCES.txt 2019-02-28
19:05:39.000000000 +0100
+++ new/oslo.privsep-1.33.3/oslo.privsep.egg-info/SOURCES.txt 2019-09-12
18:38:43.000000000 +0200
@@ -15,6 +15,7 @@
setup.py
test-requirements.txt
tox.ini
+doc/requirements.txt
doc/source/conf.py
doc/source/index.rst
doc/source/contributor/contributing.rst
@@ -49,6 +50,7 @@
oslo_privsep/tests/testctx.py
releasenotes/notes/add_reno-3b4ae0789e9c45b4.yaml
releasenotes/notes/add_thread_pool_size-a54e6f27ab019f96.yaml
+releasenotes/notes/auto-restart-client-channel-619545294557bf2b.yaml
releasenotes/source/conf.py
releasenotes/source/index.rst
releasenotes/source/newton.rst
@@ -56,6 +58,7 @@
releasenotes/source/pike.rst
releasenotes/source/queens.rst
releasenotes/source/rocky.rst
+releasenotes/source/stein.rst
releasenotes/source/unreleased.rst
releasenotes/source/_static/.placeholder
releasenotes/source/_templates/.placeholder
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/oslo.privsep.egg-info/pbr.json
new/oslo.privsep-1.33.3/oslo.privsep.egg-info/pbr.json
--- old/oslo.privsep-1.32.1/oslo.privsep.egg-info/pbr.json 2019-02-28
19:05:39.000000000 +0100
+++ new/oslo.privsep-1.33.3/oslo.privsep.egg-info/pbr.json 2019-09-12
18:38:43.000000000 +0200
@@ -1 +1 @@
-{"git_version": "130d715", "is_release": true}
\ No newline at end of file
+{"git_version": "ddde706", "is_release": true}
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/oslo_privsep/comm.py
new/oslo.privsep-1.33.3/oslo_privsep/comm.py
--- old/oslo.privsep-1.32.1/oslo_privsep/comm.py 2019-02-28
19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/oslo_privsep/comm.py 2019-09-12
18:38:03.000000000 +0200
@@ -113,6 +113,7 @@
class ClientChannel(object):
def __init__(self, sock):
+ self.running = False
self.writer = Serializer(sock)
self.lock = threading.Lock()
self.reader_thread = threading.Thread(
@@ -127,6 +128,8 @@
def _reader_main(self, reader):
"""This thread owns and demuxes the read channel"""
+ with self.lock:
+ self.running = True
for msg in reader:
msgid, data = msg
if msgid is None:
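Review bot: `running` is set to True here at the top of `_reader_main` and, in the last comm.py hunk, cleared only after the `for msg in reader` loop ends normally, so an exception escaping the loop body (for instance from `out_of_band`) would leave a dead reader thread with `running` still True. `PrivContext._wrap` uses this flag to decide whether to restart, so that state would never be recovered. Consider wrapping the loop and the EOF handling in `try:` … `finally:`, with `with self.lock: self.running = False` in the `finally` branch. The flag is also False between `__init__` and the moment the reader thread is scheduled; a short comment on the attribute saying that `running` means the reader thread is currently demuxing would make that window explicit. The body of `_reader_main` continues outside this hunk.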
@@ -148,6 +151,7 @@
with self.lock:
for mbox in self.outstanding_msgs.values():
mbox.set_exception(exc)
+ self.running = False
def out_of_band(self, msg):
"""Received OOB message. Subclasses might want to override this."""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/oslo_privsep/daemon.py
new/oslo.privsep-1.33.3/oslo_privsep/daemon.py
--- old/oslo.privsep-1.32.1/oslo_privsep/daemon.py 2019-02-28
19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/oslo_privsep/daemon.py 2019-09-12
18:38:03.000000000 +0200
@@ -59,6 +59,7 @@
import eventlet
from oslo_config import cfg
from oslo_log import log as logging
+from oslo_utils import encodeutils
from oslo_utils import importutils
import six
@@ -207,7 +208,9 @@
def out_of_band(self, msg):
if msg[0] == Message.LOG:
# (LOG, LogRecord __dict__)
- record = pylogging.makeLogRecord(msg[1])
+ message = {encodeutils.safe_decode(k): v
+ for k, v in msg[1].items()}
+ record = pylogging.makeLogRecord(message)
if LOG.isEnabledFor(record.levelno):
LOG.logger.handle(record)
else:
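Review bot: Only the keys of the received record dict are decoded in `out_of_band`; the values go to `makeLogRecord` unchanged, and the new test's `EXPECTED` dict confirms that byte values stay bytes. If the channel can deliver bytes for string fields such as `msg` or `name` (the serializer settings are not visible here), log lines on Python 3 would carry `b'...'` reprs. A one-line comment above the comprehension, e.g. `# keys may arrive as bytes; decode them so LogRecord attributes are reachable by name (values are left as received)`, would record why the conversion exists and that skipping the values is deliberate.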
@@ -501,7 +504,7 @@
if error[1].errno == errno.EPIPE:
# Write stream closed, exit loop
break
- six.reraise(error)
+ six.reraise(*error)
# Submit the command for execution
future = self.thread_pool.submit(self._process_cmd, msgid, *msg)
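Review bot: The corrected `six.reraise(*error)` call has no regression test in this update; the tests added to test_daemon.py cover only `out_of_band`. A unit test that drives a non-EPIPE error through this branch and asserts that the original exception type propagates would have caught the earlier single-argument call. The check `error[1].errno` just above also assumes the exception carries an `errno` attribute; whether other exception types can reach this point is not visible in the hunk.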
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/oslo_privsep/priv_context.py
new/oslo.privsep-1.33.3/oslo_privsep/priv_context.py
--- old/oslo.privsep-1.32.1/oslo_privsep/priv_context.py 2019-02-28
19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/oslo_privsep/priv_context.py 2019-09-12
18:38:03.000000000 +0200
@@ -54,7 +54,8 @@
help=_("The number of threads available for privsep to "
"concurrently run processes. Defaults to the number of "
"CPU cores in the system."),
- default=multiprocessing.cpu_count()),
+ default=multiprocessing.cpu_count(),
+ sample_default='multiprocessing.cpu_count()'),
cfg.StrOpt('helper_command',
help=_('Command to invoke to start the privsep daemon if '
'not using the "fork" method. '
@@ -236,6 +237,9 @@
def _wrap(self, func, *args, **kwargs):
if self.client_mode:
name = '%s.%s' % (func.__module__, func.__name__)
+ if self.channel is not None and not self.channel.running:
+ LOG.warning("RESTARTING PrivContext for %s", name)
+ self.stop()
if self.channel is None:
self.start()
return self.channel.remote_call(name, args, kwargs)
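Review bot: The new liveness check in `_wrap` reads `self.channel.running` without taking the channel lock, then calls `self.stop()` and `self.start()` with nothing visible here to serialize callers, so two threads that hit a dead channel together may both try to restart it. Unless `start()` and `stop()` lock internally (not visible in this hunk), guard the check-and-restart sequence with a lock owned by the context. The release note added in this update says the restart only works for the `ROOTWRAP` method; a comment here such as `# Restart is only possible with the ROOTWRAP method; with FORK privileges are already dropped` would keep that limit next to the code. `_wrap` continues outside the hunk.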
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/oslo.privsep-1.32.1/oslo_privsep/tests/test_daemon.py
new/oslo.privsep-1.33.3/oslo_privsep/tests/test_daemon.py
--- old/oslo.privsep-1.32.1/oslo_privsep/tests/test_daemon.py 2019-02-28
19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/oslo_privsep/tests/test_daemon.py 2019-09-12
18:38:03.000000000 +0200
@@ -23,9 +23,11 @@
from oslo_log import formatters
from oslo_log import log as logging
from oslotest import base
+import six
import testtools
from oslo_privsep import capabilities
+from oslo_privsep import comm
from oslo_privsep import daemon
from oslo_privsep.tests import testctx
@@ -178,3 +180,35 @@
self.assertRaisesRegex(
NameError, 'undecorated not exported',
testctx.context._wrap, undecorated)
+
+
+class ClientChannelTestCase(base.BaseTestCase):
+
+ DICT = {
+ 'string_1': ('tuple_1', six.b('tuple_2')),
+ six.b('byte_1'): ['list_1', 'list_2'],
+ }
+
+ EXPECTED = {
+ 'string_1': ('tuple_1', six.b('tuple_2')),
+ 'byte_1': ['list_1', 'list_2'],
+ }
+
+ def setUp(self):
+ super(ClientChannelTestCase, self).setUp()
+ with mock.patch.object(comm.ClientChannel, '__init__'), \
+ mock.patch.object(daemon._ClientChannel, 'exchange_ping'):
+ self.client_channel = daemon._ClientChannel(mock.ANY)
+
+ def test_out_of_band_log_message(self):
+ message = [daemon.Message.LOG, self.DICT]
+ with mock.patch.object(pylogging, 'makeLogRecord') as mock_make_log, \
+ mock.patch.object(daemon.LOG, 'isEnabledFor',
+ return_value=False):
+ self.client_channel.out_of_band(message)
+ mock_make_log.assert_called_once_with(self.EXPECTED)
+
+ def test_out_of_band_not_log_message(self):
+ with mock.patch.object(daemon.LOG, 'warning') as mock_warning:
+ self.client_channel.out_of_band([daemon.Message.PING])
+ mock_warning.assert_called_once()
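Review bot: `mock_warning.assert_called_once()` in `test_out_of_band_not_log_message` depends on the mock library providing that method; on releases that predate it, the call is an auto-created attribute and the test passes without checking anything. The spec file lists `python2-mock` with no minimum version, so prefer a form that cannot degrade silently, such as `self.assertEqual(1, mock_warning.call_count)`. `test_out_of_band_log_message` forces `isEnabledFor` to return False, so the `LOG.logger.handle(record)` path is not exercised by these tests.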
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/oslo.privsep-1.32.1/releasenotes/notes/auto-restart-client-channel-619545294557bf2b.yaml
new/oslo.privsep-1.33.3/releasenotes/notes/auto-restart-client-channel-619545294557bf2b.yaml
---
old/oslo.privsep-1.32.1/releasenotes/notes/auto-restart-client-channel-619545294557bf2b.yaml
1970-01-01 01:00:00.000000000 +0100
+++
new/oslo.privsep-1.33.3/releasenotes/notes/auto-restart-client-channel-619545294557bf2b.yaml
2019-09-12 18:38:03.000000000 +0200
@@ -0,0 +1,15 @@
+---
+fixes:
+ - |
+ When the privsep helper dies, the client side PrivContext now restarts the
+ client channel and the helper so that privileged commands can continue to
+ be processed. See `bug 1715374`_ for details. In conjunction with the fix
+ for `bug 1794708`_ in oslo.service, the nova-compute service now behaves
+ correctly when it receives ``SIGHUP``.
+
+ .. note:: This only works for the ``ROOTWRAP`` method of starting the
+ daemon. With the ``FORK`` method we've dropped privileges and no
+ longer have the ability to restart the daemon in privileged mode.
+
+ .. _`bug 1715374`: https://bugs.launchpad.net/nova/+bug/1715374
+ .. _`bug 1794708`: https://bugs.launchpad.net/oslo.service/+bug/1794708
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/releasenotes/source/index.rst
new/oslo.privsep-1.33.3/releasenotes/source/index.rst
--- old/oslo.privsep-1.32.1/releasenotes/source/index.rst 2019-02-28
19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/releasenotes/source/index.rst 2019-09-12
18:38:03.000000000 +0200
@@ -6,6 +6,7 @@
:maxdepth: 1
unreleased
+ stein
rocky
queens
pike
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/releasenotes/source/stein.rst
new/oslo.privsep-1.33.3/releasenotes/source/stein.rst
--- old/oslo.privsep-1.32.1/releasenotes/source/stein.rst 1970-01-01
01:00:00.000000000 +0100
+++ new/oslo.privsep-1.33.3/releasenotes/source/stein.rst 2019-09-12
18:38:03.000000000 +0200
@@ -0,0 +1,6 @@
+===================================
+ Stein Series Release Notes
+===================================
+
+.. release-notes::
+ :branch: stable/stein
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/setup.cfg
new/oslo.privsep-1.33.3/setup.cfg
--- old/oslo.privsep-1.32.1/setup.cfg 2019-02-28 19:05:39.000000000 +0100
+++ new/oslo.privsep-1.33.3/setup.cfg 2019-09-12 18:38:43.000000000 +0200
@@ -16,7 +16,8 @@
Programming Language :: Python :: 2
Programming Language :: Python :: 2.7
Programming Language :: Python :: 3
- Programming Language :: Python :: 3.5
+ Programming Language :: Python :: 3.6
+ Programming Language :: Python :: 3.7
[files]
packages =
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/test-requirements.txt
new/oslo.privsep-1.33.3/test-requirements.txt
--- old/oslo.privsep-1.32.1/test-requirements.txt 2019-02-28
19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/test-requirements.txt 2019-09-12
18:38:03.000000000 +0200
@@ -8,10 +8,5 @@
fixtures>=3.0.0 # Apache-2.0/BSD
stestr>=2.0.0 # Apache-2.0
-# These are needed for docs generation
-openstackdocstheme>=1.18.1 # Apache-2.0
-sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD
-reno>=2.5.0 # Apache-2.0
-
# Bandit security code scanner
-bandit>=1.1.0 # Apache-2.0
+bandit>=1.1.0,<1.6.0 # Apache-2.0
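Review bot: The cap `<1.6.0` on bandit holds the security scanner at older releases, and the file records no reason for it. Add a comment above the line, for example `# bandit capped below 1.6.0: <reason or bug link>; lift the cap once resolved`, so the pin is revisited rather than kept indefinitely.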
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/oslo.privsep-1.32.1/tox.ini
new/oslo.privsep-1.33.3/tox.ini
--- old/oslo.privsep-1.32.1/tox.ini 2019-02-28 19:02:41.000000000 +0100
+++ new/oslo.privsep-1.33.3/tox.ini 2019-09-12 18:38:03.000000000 +0200
@@ -1,13 +1,13 @@
[tox]
minversion = 2.0
-envlist = py35,py27,pypy,pep8
+envlist = py27,py37,pypy,pep8
[testenv]
install_command = pip install {opts} {packages}
whitelist_externals =
/bin/sh
deps =
-
-c{env:UPPER_CONSTRAINTS_FILE:https://git.openstack.org/cgit/openstack/requirements/plain/upper-constraints.txt}
+
-c{env:UPPER_CONSTRAINTS_FILE:https://opendev.org/openstack/requirements/raw/branch/master/upper-constraints.txt}
-r{toxinidir}/test-requirements.txt
-r{toxinidir}/requirements.txt
commands = stestr run --slowest {posargs}
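Review bot: The default for `UPPER_CONSTRAINTS_FILE` in `deps` now points at `raw/branch/master/upper-constraints.txt`, a moving branch head, so a tox run from this released tarball resolves whatever versions master holds that day rather than the set the release was tested with. For a tagged release, point the default at the constraints of the matching series, or document that the caller should export `UPPER_CONSTRAINTS_FILE`. The file is fetched over HTTPS with no integrity check beyond TLS, which matters when the result feeds a build environment.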
@@ -30,7 +30,14 @@
[testenv:docs]
basepython = python3
-commands = python setup.py build_sphinx
+whitelist_externals =
+ rm
+deps =
+ {[testenv]deps}
+ -r{toxinidir}/doc/requirements.txt
+commands =
+ rm -rf doc/build
+ sphinx-build -W -b html doc/source doc/build/html
[testenv:cover]
basepython = python3