Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
On Dec/09, Adam D. Barratt wrote:
> For the record, reviewing the diff of the -security upload, I notice
> that the change actually adds *two* runtime dependencies - the second,
> which was not mentioned in this pre-approval request, nor included in
> the proposed diff, being python-pastescript.

I figured python-pastescript had also been approved; I should have verified this myself instead of assuming so...

Cheers,

--Seb
Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
> As a consequence, the init script for the start of nova-placement-api
> simply doesn't work. So I'd like to make use of uwsgi, which is a
> very good way to run WSGI applications. I've added a runtime depends
> on uwsgi, and modified the startup script to use that.
[...]
> Though the security team (ie: Sebastien Delafond) advised me wisely
> to start the discussion with the release team about this new
> dependency for nova-placement-api.

For the record, reviewing the diff of the -security upload, I notice that the change actually adds *two* runtime dependencies - the second, which was not mentioned in this pre-approval request, nor included in the proposed diff, being python-pastescript.

Regards,

Adam
Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
Control: tags -1 + confirmed

On Tue, 2017-11-21 at 00:45 +0100, Thomas Goirand wrote:
> I'd like to push for an update of Nova, to fix the nova-placement-api
> package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a
> WSGI application, that can work for example with libapache-mod-wsgi
> or others.
[...]
> This update, I'd like to push it in the soon coming security update
> for Nova, through a security upload fixing CVE-2017-16239 / #882009.
> This update is currently on hold, because the upstream patch adds a
> DoS hole.
> Though the security team (ie: Sebastien Delafond) advised me wisely
> to start the discussion with the release team about this new
> dependency for nova-placement-api.

Dependency changes in stable updates always make me uneasy, but this sounds like a reasonable way of fixing the issue.

Please close this bug once the security update has been released.

Regards,

Adam
Processed: Re: Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
Processing control commands:

> tags -1 + confirmed
Bug #882274 [release.debian.org] stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
Added tag(s) confirmed.

--
882274: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882274
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#882274: stretch-pu: package nova/2:14.0.0-4 - using uwsgi-plugin-python for nova-placement-api
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to push for an update of Nova, to fix the nova-placement-api package. Indeed, /usr/bin/nova-placement-api is *not* a Daemon, but a WSGI application, that can work for example with libapache-mod-wsgi or others.

As a consequence, the init script for the start of nova-placement-api simply doesn't work. So I'd like to make use of uwsgi, which is a very good way to run WSGI applications. I've added a runtime depends on uwsgi, and modified the startup script to use that. As I've used uwsgi in other daemons, the modification is just 2 lines in the init template system of openstack-pkg-tools, as per the attached debdiff.

This update, I'd like to push it in the soon coming security update for Nova, through a security upload fixing CVE-2017-16239 / #882009. This update is currently on hold, because the upstream patch adds a DoS hole.

Though the security team (ie: Sebastien Delafond) advised me wisely to start the discussion with the release team about this new dependency for nova-placement-api.

So, does the SRM agree to the attached change? (note: I've stripped out the CVE fix from it)

Cheers,

Thomas Goirand (zigo)

diff -Nru nova-14.0.0/debian/changelog nova-14.0.0/debian/changelog --- nova-14.0.0/debian/changelog2017-04-02 10:52:50.0 + +++ nova-14.0.0/debian/changelog2017-11-17 15:41:15.0 + @@ -1,3 +1,13 @@ +nova (2:14.0.0-4+deb9u1) stretch-security; urgency=medium + + * Fixed nova-placement-api init to use uwsgi. The old init file was simply +not working at all. + + -- Thomas GoirandFri, 17 Nov 2017 15:41:15 + + nova (2:14.0.0-4) unstable; urgency=medium [ David Rabel ] diff -Nru nova-14.0.0/debian/control nova-14.0.0/debian/control --- nova-14.0.0/debian/control 2017-04-02 10:52:50.0 + +++ nova-14.0.0/debian/control 2017-11-17 15:41:15.0 + 
@@ -653,6 +653,7 @@ Architecture: all Depends: debconf, nova-common (= ${binary:Version}), + uwsgi-plugin-python, ${misc:Depends}, ${ostack-lsb-base}, ${python:Depends}, diff -Nru nova-14.0.0/debian/nova-placement-api.init.in nova-14.0.0/debian/nova-placement-api.init.in --- nova-14.0.0/debian/nova-placement-api.init.in 2017-04-02 10:52:50.0 + +++ nova-14.0.0/debian/nova-placement-api.init.in 2017-11-17 15:41:15.0 + @@ -14,3 +14,5 @@ DESC="OpenStack Compute Placement API" PROJECT_NAME=nova NAME=${PROJECT_NAME}-placement-api +DAEMON=/usr/bin/uwsgi_python +DAEMON_ARGS="--master --die-on-term --logto /var/log/nova/nova-placement-api.log --http-socket :8778 --wsgi-file /usr/bin/nova-placement-api"
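
Review bot: the new 2:14.0.0-4+deb9u1 entry in debian/changelog records only the init script fix and does not mention the runtime dependency that debian/control gains in the same change. Add a changelog line stating that uwsgi-plugin-python was added to Depends, so that anyone auditing the stable update can see the dependency change without reading the diff.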
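
Review bot: in the debian/control hunk at line 653, uwsgi-plugin-python is the only Depends entry added, while the review of the -security upload quoted in this thread reports that python-pastescript was added as well. The diff submitted for pre-approval should list every new runtime dependency; if the uploaded package needs python-pastescript, add it here with its justification so the release team approves the dependency set that actually ships.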
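
Review bot: in DAEMON_ARGS in debian/nova-placement-api.init.in, --http-socket :8778 names no address, so uwsgi listens on every interface, and the port and log path are fixed in the script. Consider taking the bind address from a variable the administrator can override. Also confirm that the init template starts uwsgi as an unprivileged user that can write to /var/log/nova, since no --uid or --gid appears in these arguments.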