Bug#696424: Possible patch
Hi Salvatore
Hi David
On Thu, Jan 10, 2013 at 10:16:35AM +, David Weber wrote:
Hi David
On Mon, Jan 07, 2013 at 09:06:53AM +, David Weber wrote:
Attached is the debdiff contianing these three refreshed for the
version in unstable and testing. But I'm not yet ready to propose a
NMU. Testing of the resulting package is welcome!
Thanks for the debdiff!
It works as expected: It creates the files with the right
permissions without breaking functionality.
A problem could be that the files aren't freshly created by a simple
restart of the daemon. Should something be done about that?
Some options could be:
- Notify the user to stop libvirtd and sanlock and run
rm /var/run/sanlock/sanlock.sock; rm /var/log/sanlock.log
- Change the file permissions through the package update
- Do nothing because most likely nobody uses sanlock on Debain atm.
I have not a final answer here, but it might be easy to implement like
libvirt-bin does in postint, mabye only conditionally checking (so
doing it during package update from a 'broken' version):
[...]
if ! dpkg-statoverride --list /var/log/sanlock.log /dev/null 21;
then
# fix permissions
fi
[...]
and the same for /var/run/sanlock/sanlock.sock.
Great hint. I modified the patch in that way and also added the
fix for #689696
Btw, after thinking about further on it: As both /var/log/sanlock.log
and /var/run/sanlock/sanlock.sock are not files installed by the
package, I think the check with dpkg-statoverride is in this case
wrong! Sorry about the wrong suggestion.
So I think it's best to remove this again.
Ops, thats right. I now check the permissions and change
them in case they are wrong
Regarding the second: I suggest to include in this upload only fixes
compliant with the freeze policy:
[1]: http://release.debian.org/wheezy/freeze_policy.html
(but I have not looked if #689696 can be considered RC).
Since it is a build fix, I guess it classifys
+sanlock (2.2-1.1) unstable; urgency=low
+
+ * Fix CVE-2012-5638 sanlock world writable /var/log/sanlock.log. Thanks to
Salvatore Bonaccorso (Closes: #696424)
would wrap this line
+ Add patches cherry-picked from git repository:
+ - 0001-sanlock-remove-umask-0.patch
+ - 0001-sanlock-use-lockfile-mode-644.patch
+ - 0001-wdmd-use-lockfile-mode-644.patch
+ * Replace restrict field name (Closes: #689696)
+ Add patche cherry.picked from git repository:
^ s{patche}{patch} and s{cherry.picked}{cherry picked}
Ops, fixed
Again thanks for your work!
Thank you too!
Regards,
Salvatore
Cheers,
David
To: car...@debian.org
696...@bugs.debian.org
Cc: martin.quin...@loria.fr
j...@inutil.org
a...@sigxcpu.org
sanlock_cve2.debdiff
Description: Binary data
Bug#696424: Possible patch
Hi David On Mon, Jan 07, 2013 at 09:06:53AM +, David Weber wrote: Attached is the debdiff contianing these three refreshed for the version in unstable and testing. But I'm not yet ready to propose a NMU. Testing of the resulting package is welcome! Thanks for the debdiff! It works as expected: It creates the files with the right permissions without breaking functionality. A problem could be that the files aren't freshly created by a simple restart of the daemon. Should something be done about that? Some options could be: - Notify the user to stop libvirtd and sanlock and run rm /var/run/sanlock/sanlock.sock; rm /var/log/sanlock.log - Change the file permissions through the package update - Do nothing because most likely nobody uses sanlock on Debain atm. I have not a final answer here, but it might be easy to implement like libvirt-bin does in postint, mabye only conditionally checking (so doing it during package update from a 'broken' version): [...] if ! dpkg-statoverride --list /var/log/sanlock.log /dev/null 21; then # fix permissions fi [...] and the same for /var/run/sanlock/sanlock.sock. Great hint. I modified the patch in that way and also added the fix for #689696 Guido, can you pull that debdiff directly or should I send you an updated debian.tar.gz? Regards, Salvatore To: car...@debian.org Cc: martin.quin...@loria.fr 696...@bugs.debian.org j...@inutil.org a...@sigxcpu.org sanlock_cve.debdiff Description: Binary data
Bug#696424: Possible patch
Attached is the debdiff contianing these three refreshed for the version in unstable and testing. But I'm not yet ready to propose a NMU. Testing of the resulting package is welcome! Thanks for the debdiff! It works as expected: It creates the files with the right permissions without breaking functionality. A problem could be that the files aren't freshly created by a simple restart of the daemon. Should something be done about that? Some options could be: - Notify the user to stop libvirtd and sanlock and run rm /var/run/sanlock/sanlock.sock; rm /var/log/sanlock.log - Change the file permissions through the package update - Do nothing because most likely nobody uses sanlock on Debain atm. Cheers, David sanlock_2.2-1.1.debdiff Description: Binary data
Bug#695859: Now available on mentors
Sorry for the long wait! Version 2.6 is now available on mentors: https://mentors.debian.net/package/sanlock Tested with libvirt 1.0.1-3 It already includes the fixes for #696424 and #689696 Can you pull it from there or should I send it to you a different way? Cheers, David -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#689696: restrict is a keyword in C99
Package: sanlock Version: 2.2-1 src/sanlock_internal.h, line 495, uses restrict as a field name in a struct. This collides with the fact that in C99 restrict is a keyword. Compilers that default to C99-mode, or gcc -std=c99, fail to compile this code. Best, Michael I sent a patch upstream. https://fedorahosted.org/pipermail/sanlock-devel/ (is down ATM) This should be backported to wheezy, right? I will do that after it got applied. I will also try to package the latest release soon. Thanks for reporting! Cheers, David To: m...@debian.org b...@debian.org -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#676345: Re-2: Bug#676345: libvirt: [Patch] Enable sanlock
Hi David,
On Wed, Jun 06, 2012 at 12:17:15PM +0200, David Weber wrote:
Package: libvirt0
Version: 0.9.12-1.1
Severity: wishlist
File: libvirt
Hi,
please apply the attached patch to enable sanlock in libvirt
Thanks for the patch some quick questions:
+ libsanlock-dev,
+ libsanlock-client1,
Shouldn't libsanlock-dev pull in libsanlock-client1?
You're right, the line can be dropped.
# For make check
dwarves,
libxml2-utils,
-95,6 +97,18 Description: library for interfacing with different
virtualization systems
.
This package contains the debugging symbols.
+Package: libvirt-sanlock
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libvirt0 (= ${binary:Version})
, augeas-tools
What is augeas-tools needed for?
It is needed for the cleanup cronjob, it uses augeas-tools to read the config
files. See /usr/sbin/virt-sanlock-cleanup
[..snip..]
usr/share/man/man8/*
diff --git a/debian/libvirt-sanlock.cron.weekly b/debian/libvirt-sanlock.
cron.weekly
new file mode 100644
index 000..170d91b
--- /dev/null
+++ b/debian/libvirt-sanlock.cron.weekly
-0,0 +1,10
+#!/bin/sh
+
+#Disabled by default, uncomment to enable
+exit 0
Why would we disable this by default?
I experienced some problems like crashing the sanlock deamon when running
the script. It was with a bit older version so it maybe works better
now but I wouldn't recommend it. I hope I can re-test it soon.
Fedora btw. also doesn't enable it as far as I can see.
+
+
+/usr/sbin/virt-sanlock-cleanup -q 2/dev/null
Why would we discard stderr here?
Fixed.
Updated patch attached.
Cheers,
-- Guido
To: a...@sigxcpu.org
676...@bugs.debian.org
libvirt_enable_sanlock.diff
Description: Binary data
Bug#676345: libvirt: [Patch] Enable sanlock
Package: libvirt0
Version: 0.9.12-1.1
Severity: wishlist
File: libvirt
Hi,
please apply the attached patch to enable sanlock in libvirt
Thanks!
Cheers,
David
commit 778f9c0232b916f99174ce4a2a6139090a1495e1
Author: David Weber w...@munzinger.de
Date: Mon Jun 4 17:18:39 2012 +0200
Enable sanlock
diff --git a/debian/changelog b/debian/changelog
index 7d3c5bb..9bbea9e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libvirt (0.9.12-1.1) UNRELEASED; urgency=low
+
+ * Non-maintainer upload.
+ * Enable Sanlock
+
+ -- David Weber w...@munzinger.de Mon, 04 Jun 2012 16:12:04 +0200
+
libvirt (0.9.12-1) experimental; urgency=low
* [75e280b] New upstream version 0.9.12
diff --git a/debian/control b/debian/control
index 6092f86..5d5997a 100644
--- a/debian/control
+++ b/debian/control
@@ -33,6 +33,8 @@ Build-Depends: cdbs (= 0.4.90~),
libnuma-dev [amd64 i386 ia64 mips mipsel powerpc],
radvd [linux-any],
libnetcf-dev [linux-any],
+ libsanlock-dev,
+ libsanlock-client1,
# For make check
dwarves,
libxml2-utils,
@@ -95,6 +97,18 @@ Description: library for interfacing with different virtualization systems
.
This package contains the debugging symbols.
+Package: libvirt-sanlock
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libvirt0 (= ${binary:Version}), augeas-tools
+Priority: extra
+Description: library for interfacing with different virtualization systems
+ Libvirt is a C toolkit to interact with the virtualization capabilities
+ of recent versions of Linux (and other OSes). The library aims at providing
+ a long term stable C API for different virtualization mechanisms. It currently
+ supports QEMU, KVM, XEN, OpenVZ, LXC, and VirtualBox.
+ .
+ This package contains the sanlock plugin.
+
Package: libvirt-doc
Architecture: all
Section: doc
diff --git a/debian/libvirt-bin.install b/debian/libvirt-bin.install
index dd9b344..72f23a4 100644
--- a/debian/libvirt-bin.install
+++ b/debian/libvirt-bin.install
@@ -3,7 +3,8 @@ usr/sbin/*
etc/libvirt/*
etc/sasl2/*
usr/share/polkit-1
-usr/lib/libvirt/*
+usr/lib/libvirt/libvirt*
+usr/lib/libvirt/connection-driver
usr/share/augeas/*
usr/share/libvirt/*
usr/share/man/man8/*
diff --git a/debian/libvirt-sanlock.cron.weekly b/debian/libvirt-sanlock.cron.weekly
new file mode 100644
index 000..170d91b
--- /dev/null
+++ b/debian/libvirt-sanlock.cron.weekly
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+#Disabled by default, uncomment to enable
+exit 0
+
+
+/usr/sbin/virt-sanlock-cleanup -q 2/dev/null
+exit 0
+
+
diff --git a/debian/libvirt-sanlock.install b/debian/libvirt-sanlock.install
new file mode 100644
index 000..d8a7348
--- /dev/null
+++ b/debian/libvirt-sanlock.install
@@ -0,0 +1 @@
+usr/lib/libvirt/lock-driver/sanlock.so
diff --git a/debian/patches/add_ignore_param_to_sanlock.patch b/debian/patches/add_ignore_param_to_sanlock.patch
new file mode 100644
index 000..159129e
--- /dev/null
+++ b/debian/patches/add_ignore_param_to_sanlock.patch
@@ -0,0 +1,106 @@
+From b8012ce9312f00947c5ca7250a7a96534c85835f Mon Sep 17 00:00:00 2001
+From: David Weber w...@munzinger.de
+Date: Mon, 14 May 2012 09:53:02 +
+Subject: [PATCH 1/1] sanlock: fix locking for readonly devices
+
+Add ignore param for readonly and shared disk in sanlock
+---
+ AUTHORS |1 +
+ src/locking/libvirt_sanlock.aug |1 +
+ src/locking/lock_driver_sanlock.c| 13 -
+ src/locking/sanlock.conf |7 +++
+ src/locking/test_libvirt_sanlock.aug |2 ++
+ 5 files changed, 23 insertions(+), 1 deletions(-)
+
+diff --git a/src/locking/libvirt_sanlock.aug b/src/locking/libvirt_sanlock.aug
+index 5f5f8a1..d65b002 100644
+--- a/src/locking/libvirt_sanlock.aug
b/src/locking/libvirt_sanlock.aug
+@@ -21,6 +21,7 @@ module Libvirt_sanlock =
+ | bool_entry auto_disk_leases
+ | int_entry host_id
+ | bool_entry require_lease_for_disks
++ | bool_entry ignore_readonly_and_shared_disks
+let comment = [ label #comment . del /#[ \t]*/ # . store /([^ \t\n][^\n]*)?/ . del /\n/ \n ]
+let empty = [ label #empty . eol ]
+
+diff --git a/src/locking/lock_driver_sanlock.c b/src/locking/lock_driver_sanlock.c
+index d344d6a..146aefd 100644
+--- a/src/locking/lock_driver_sanlock.c
b/src/locking/lock_driver_sanlock.c
+@@ -1,7 +1,7 @@
+ /*
+ * lock_driver_sanlock.c: A lock driver for Sanlock
+ *
+- * Copyright (C) 2010-2011 Red Hat, Inc.
++ * Copyright (C) 2010-2012 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+@@ -65,6 +65,7 @@ struct _virLockManagerSanlockDriver {
+ bool requireLeaseForDisks;
+ int hostID;
+ bool autoDiskLease;
++bool ignoreReadonlyShared;
+ char *autoDiskLeasePath;
+ };
+
+@@ -114,6 +115,10 @@ static int virLockManagerSanlockLoadConfig(const char *configFile)
+ CHECK_TYPE
Bug#674997: Sanlock - Sponsor
Still looking for a sponsor. Anyone interested? Cheers, David -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669366: New ocfs2-tools version
Hi, I pushed ocfs2-tools 1.8.2 into mentors. The merge was quite a mess because of the missing upstream tarballs and I couldn't really test it so far. But perhaps this helps someone. Is there a chance to see this version in wheezy? http://mentors.debian.net/package/ocfs2-tools Cheers, David -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#674997: RFS: sanlock/2.2-4 [ITP]
Package: sponsorship-requests Severity: wishlist Dear mentors, I am looking for a sponsor for my package sanlock * Package name: sanlock Version : 2.2-4 Upstream Author : David Teigland teigl...@redhat.com * URL : https://fedorahosted.org/sanlock/ * License : (LGPLv2+, GPLv2, GPLv2+) Section : libs It builds those binary packages: libsanlock-client1 - client library for sanlock sanlock- shared storage lock manager sanlock-dev - development files for sanlock To access further information about this package, please visit the following URL: http://mentors.debian.net/package/sanlock Alternatively, one can download the package with dget using this command: dget -x http://mentors.debian.net/debian/pool/main/s/sanlock/sanlock_2.2-4.dsc More information about sanlock can be obtained from https://fedorahosted.org/sanlock/ Changes since the last upload: * Add debian/README.Source Regards, David Weber -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#674997: Re-2: Bug#674997: RFS: sanlock/2.2-4 [ITP]
Thanks a lot for your reply! libsanlock-client1 - client library for sanlock sanlock- shared storage lock manager sanlock-dev - development files for sanlock The descriptions for the development and library packages are not very informative. They give no more information then the package names themselves, something like libsanlock-client1 - shared storage lock manager (client library) sanlock-dev - shared storage lock manager (development files) would be better. Done. Also is there a reason why it's sanlock-dev and not libsanlock-dev? I don't know any so I changed it. It might also be a good idea to merge all changelog entries so you only have the Initial release. entry. Right, done. The new version is again uploaded to http://mentors.debian.net/package/sanlock David Ansgar To: ans...@debian.org Cc: 674...@bugs.debian.org -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669102: Sanlock - How to proceed
Hi, thanks for your work on the package. Some more comments below: On Mon, May 14, 2012 at 12:14:12PM +, David Weber wrote: On Mon, May 14, 2012 at 11:31:44AM +, David Weber wrote: I merged the upstream release 2.2 into mentors. The freeze for Wheezy gets closer, so I ask if anybody has further comments or issues. If not, can any developer do the merge by himself or should I ask for a sponsorship on mentors? You upstream tarball isn't clean. It contains a debian dir and shared objects. Could you fix that? I've no idea how this could happen but it's now fixed (2.2-2) This looks wired in debian/copyright: The current Debian maintainer is YOUR NAME your@email.address Are you going to maintain the package? I'm not an official Debian Maintainer so far, so I guess I would first have to apply to become one, right? Or can I maintain a package with an sponsor? I would prefer the second way when possible. The usual practice is to indent debian/control with spaces not tab but both should work. I'll fix that I'd recommend to also post your next versions to debian-ment...@lists.debian.org since there are more reviewers there. (pleae keep me in cc: since I'll try to find the time to have another look too). I'll do that. BTW where did you fetch the orig tarball from? There aren't any official tarballs, so I downloaded it via gitweb, extracted it, renamed the folder and packaged it again. I guess that's rather problematic because the md5 sum most likely changes sometimes for no reason. David To: a...@sigxcpu.org Cc: 669...@bugs.debian.org gdahl...@hotmail.com bren...@zionetrix.net -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669102: Sanlock - How to proceed
I merged the upstream release 2.2 into mentors. The freeze for Wheezy gets closer, so I ask if anybody has further comments or issues. If not, can any developer do the merge by himself or should I ask for a sponsorship on mentors? David -- http://mentors.debian.net/package/sanlock -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669366: Freeze for Whezzy
The freeze for Wheezy gets closer. Is anybody working on this? If not, I can try to do a merge by myself and get a sponsor on mentors for it. David -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669102: Sanlock - How to proceed
On Mon, May 14, 2012 at 11:31:44AM +, David Weber wrote: I merged the upstream release 2.2 into mentors. The freeze for Wheezy gets closer, so I ask if anybody has further comments or issues. If not, can any developer do the merge by himself or should I ask for a sponsorship on mentors? You upstream tarball isn't clean. It contains a debian dir and shared objects. Could you fix that? I've no idea how this could happen but it's now fixed (2.2-2) David To: a...@sigxcpu.org Cc: 669...@bugs.debian.org gdahl...@hotmail.com bren...@zionetrix.net -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669102: Package updated
I've fixed all remaining non-upstream problems, see http://mentors.debian.net/package/sanlock Can somebody please review the package? I will meanwhile do some more testing. David -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669102: ITP: sanlock -- a shared storage lock manager - useful for accessing vm, images
Hi, Hello, Debian support for Libvirt sanlock very insteresting me. I build a sanlock and libvirt-sanlock Debian package from your proposal and I note some problems : * I had a bug about undefined constant SCHED_RESET_ON_FORK building sanlock package. I had to apply this patch : https://build.opensuse.org/package/view_file?file=sanlock-SCHED_RESET_ON_ FORK-undefined.patchpackage=sanlockproject=Virtualizationrev= 4bf0126638bb7c9e02f055b4aa92e543 I've no idea why I havn't hit that but I've added the patch. * In sanlock and wdmd init scripts, I put value of variable DESC in quote to avoid this error during package installation : Setting up sanlock (2.1-1) ... /etc/init.d/sanlock: 17: lock-manager: not found Done * I had augeas-tools dependency to libvirt-bin package because augtool command is required by virt-sanlock-cleanup script. Done Notes : * The Libvirt documentation recommends to weekly run virt-sanlock-cleanup script (see http://libvirt.org/locking.html#sanlockstorage). The corresponding cron could be provide by the Debian package. I've added a weekly cron to libvirt-sanlock which is disabled by default. I personally don't use virt-sanlock-cleanup on my production machines because it crashed sanlock one time. I will investigate that later * I think virt-sanlock-cleanup script should logically provide by libvirt-sanlock debian package. I agree, that would logically be better, but it would increases .install complexity. So I've left it in libvirt-bin for now I've uploaded the updated packages to mentors http://mentors.debian.net/package/sanlock http://mentors.debian.net/package/libvirt There are still a few problems left but I'll try to fix them when I'm back at the office next week. Can somebody give me a hint how to fix the package-name-doesnt-match-sonames error? I can install the libraries to /usr/lib/sanlock but then the sanlock daemon doesn't find it anymore (I don't know much about linking on Linux :) ) Thank's for your work. Thank's for your help! David Benjamin Renard To: bren...@zionetrix.net, 669...@bugs.debian.org -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669102: Libvirt Patch
Patch to enable Sanlock in Libvirt with a libvirt-sanlock package. We could also package the plugin into libvirt-bin. libvirt-sanlock.patch Description: Binary data
Bug#669366: ocfs2-tools: New upstream version 1.8.2
Package: ocfs2-tools Severity: wishlist Hi, new versions of ocfs2-tools are only available via git[1]. They contain a lot of important improvements for fsck.ocfs2. It would be great if somebody could package that Thanks! David [1] http://oss.oracle.com/git/?p=ocfs2-tools.git;a=summary -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#669102: ITP: sanlock -- a shared storage lock manager - useful for accessing vm images on a NAS or SAN
Package: wnpp Severity: wishlist Owner: David Weber w...@munzinger.de * Package name: sanlock Version : 2.1 Upstream Author : David Teigland teigl...@redhat.com * URL : https://fedorahosted.org/sanlock/ * License : (LGPLv2+, GPLv2, GPLv2+) Programming Lang: (C, Python) Description : a shared storage lock manager - useful for accessing vm images on a NAS or SAN Sanlock ensures that single disk cannot be used by more than one running VM at a time, across any host in a network. See http://git.fedorahosted.org/git/?p=sanlock.git;a=blob;f=README.license;h=9bf5cae09fc44d7050c89535f0a8b49f23fcae3d;hb=HEAD for license -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
