Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

2017-12-09 Thread Sébastien Delafond
On Dec/09, Adam D. Barratt wrote:
> For the record, reviewing the diff of the -security upload, I notice
> that the change actually adds *two* runtime dependencies - the second,
> which was not mentioned in this pre-approval request, nor included in
> the proposed diff, being python-pastescript.

I figured python-pastescript had also been approved; I should have
verified this myself instead of assuming so...

Cheers,

--Seb



Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

2017-12-09 Thread Adam D. Barratt
On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
> As a consequence, the init script for the start of nova-placement-api
> simply doesn't work. So I'd like to make use of uwsgi, which is a
> very good way to run WSGI applications. I've added a runtime depends
> on uwsgi, and modified the startup script to use that.
[...]
> Though the security team (ie: Sebastien Delafond) advised me wisely
> to start the discussion with the release team about this new
> dependency for nova-placement-api.

For the record, reviewing the diff of the -security upload, I notice
that the change actually adds *two* runtime dependencies - the second,
which was not mentioned in this pre-approval request, nor included in
the proposed diff, being python-pastescript.

Regards,

Adam



Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

2017-11-30 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
> I'd like to push for an update of Nova, to fix the nova-placement-api
> package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a
> WSGI application, that can work for example with libapache-mod-wsgi
> or others.
[...]
> This update, I'd like to push it in the soon coming security update
> for Nova, through a security upload fixing CVE-2017-16239 / #882009.
> This update is currently on hold, because the upstream patch adds a
> DoS hole.
> Though the security team (ie: Sebastien Delafond) advised me wisely
> to start the discussion with the release team about this new
> dependency for nova-placement-api.

Dependency changes in stable updates always make me uneasy, but this
sounds like a reasonable way of fixing the issue.

Please close this bug once the security update has been released.

Regards,

Adam



Processed: Re: Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

2017-11-30 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #882274 [release.debian.org] stretch-pu: package nova/2:14.0.0-4 - using 
uwsgi-plugin-python for nova-placement-api
Added tag(s) confirmed.

-- 
882274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api

2017-11-20 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to push for an update of Nova, to fix the nova-placement-api
package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a WSGI
application, that can work for example with libapache-mod-wsgi or others.

As a consequence, the init script for the start of nova-placement-api
simply doesn't work. So I'd like to make use of uwsgi, which is a very
good way to run WSGI applications. I've added a runtime depends on uwsgi,
and modified the startup script to use that. As I've used uwsgi in other
daemons, the modification is just 2 lines in the init template system
of openstack-pkg-tools, as per the attached debdiff.

This update, I'd like to push it in the soon coming security update for
Nova, through a security upload fixing CVE-2017-16239 / #882009. This
update is currently on hold, because the upstream patch adds a DoS hole.
Though the security team (ie: Sebastien Delafond) advised me wisely to
start the discussion with the release team about this new dependency
for nova-placement-api.

So, does the SRM agree to the attached change? (note: I've stripped
out the CVE fix from it)

Cheers,

Thomas Goirand (zigo)
diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog
--- nova-14.0.0/debian/changelog2017-04-02 10:52:50.0 +
+++ nova-14.0.0/debian/changelog2017-11-17 15:41:15.0 +
@@ -1,3 +1,13 @@
+nova (2:14.0.0-4+deb9u1) stretch-security; urgency=medium
+
+  * Fixed nova-placement-api init to use uwsgi. The old init file was simply
+not working at all.
+
+ -- Thomas Goirand   Fri, 17 Nov 2017 15:41:15 +
+
 nova (2:14.0.0-4) unstable; urgency=medium
 
   [ David Rabel ]
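Review bot: the new changelog entry records only the init fix and says nothing about the added runtime dependency. Since the dependency change is the part that needs stable-release sign-off, add a bullet such as "Add uwsgi-plugin-python to nova-placement-api Depends" so it is visible to anyone reading the changelog. The entry targets stretch-security, so its wording should also match whatever finally ships in that upload.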
diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control
--- nova-14.0.0/debian/control  2017-04-02 10:52:50.0 +
+++ nova-14.0.0/debian/control  2017-11-17 15:41:15.0 +
@@ -653,6 +653,7 @@
 Architecture: all
 Depends: debconf,
  nova-common (= ${binary:Version}),
+ uwsgi-plugin-python,
  ${misc:Depends},
  ${ostack-lsb-base},
  ${python:Depends},
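Review bot: the uwsgi-plugin-python addition is unversioned and is the only dependency change in this diff, while the init change in the same patch hard-codes /usr/bin/uwsgi_python. Confirm that uwsgi-plugin-python in stretch is what provides that path, and make sure every runtime dependency the final upload needs is listed in this stanza so the reviewed diff and the uploaded package agree.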
diff -Nru nova-14.0.0/debian/nova-placement-api.init.in 
nova-14.0.0/debian/nova-placement-api.init.in
--- nova-14.0.0/debian/nova-placement-api.init.in   2017-04-02 
10:52:50.0 +
+++ nova-14.0.0/debian/nova-placement-api.init.in   2017-11-17 
15:41:15.0 +
@@ -14,3 +14,5 @@
 DESC="OpenStack Compute Placement API"
 PROJECT_NAME=nova
 NAME=${PROJECT_NAME}-placement-api
+DAEMON=/usr/bin/uwsgi_python
+DAEMON_ARGS="--master --die-on-term --logto 
/var/log/nova/nova-placement-api.log --http-socket :8778 --wsgi-file 
/usr/bin/nova-placement-api"
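Review bot: in DAEMON_ARGS, "--http-socket :8778" gives no address, so uwsgi binds to all interfaces and serves plain HTTP there. Consider making the bind address overridable from a defaults file, or state that a TLS-terminating proxy is expected in front. The arguments also set no --uid/--gid, so check that the init template (not shown in this hunk) drops privileges before starting uwsgi and that the resulting user can write to /var/log/nova/nova-placement-api.log.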