[gentoo-commits] repo/gentoo:master commit in: sys-cluster/heat/files/, sys-cluster/heat/
commit: 9502763aafd263d8b2fba40cbfc5e4a96673e750 Author: Matthew Thode gentoo org> AuthorDate: Mon Feb 27 06:41:09 2017 + Commit: Matt Thode gentoo org> CommitDate: Mon Feb 27 06:43:07 2017 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9502763a sys-cluster/heat: OCATA Package-Manager: Portage-2.3.3, Repoman-2.3.1 RepoMan-Options: --force sys-cluster/heat/Manifest |1 + sys-cluster/heat/files/ocata-heat.conf.sample | 2635 + sys-cluster/heat/heat-2017.1..ebuild | 149 ++ sys-cluster/heat/heat-8.0.0.ebuild| 148 ++ 4 files changed, 2933 insertions(+)
diff --git a/sys-cluster/heat/Manifest b/sys-cluster/heat/Manifest
index 562f0f2be0..31d8b385c4 100644
--- a/sys-cluster/heat/Manifest
+++ b/sys-cluster/heat/Manifest
@@ -1 +1,2 @@
 DIST heat-7.0.2.tar.gz 2257003 SHA256 5fb78bdb8859e3f037ffe11180b9a526830e8ce56a294bbb2dc79b638b7c99da SHA512 0655b8e264bbfa227405759d28d74c9f71eefb8d2abce3f75d3a72fd0d927c114a5bb4658e73c553302632a086af34faa1e37f5bbef1b84f3564ca3fbac624e7 WHIRLPOOL d1e3806534ad5d2930cd7b135ee78200b1d43f937cfcc3c3864263c6da8d0271476450f86b0ea2b84461a05ee794a3a1f3ed08086db9f0c1d1ed9d4f05a37db3
+DIST heat-8.0.0.tar.gz 2311784 SHA256 edccf56b31a9c4cc01ba47c66f7b7197e3056f66c333c0c3f29b4ee44000f583 SHA512 bbc4d19b254069e46f2bda554336f4fd0bc5eeb96974e1c997efca94304e32668ca6584671b5121af07004925829c770345356ebb0b113a4c1ff5dc2a949bcd7 WHIRLPOOL 7787008629aba8ad4e369822e2fd555df2d95a127246bd080de5d7b728bcc3ab049cd8097cc9618ce29e10e1f66af9335b58fa45cb604ca1b01208219cf3bc3c
diff --git a/sys-cluster/heat/files/ocata-heat.conf.sample b/sys-cluster/heat/files/ocata-heat.conf.sample
new file mode 100644
index 00..200ae61940
--- /dev/null
+++ b/sys-cluster/heat/files/ocata-heat.conf.sample
@@ -0,0 +1,2635 @@
+[DEFAULT]
+
+#
+# From heat.api.middleware.ssl
+#
+
+# The HTTP Header that will be used to determine what the original request
+# protocol scheme was, even if it was removed by an SSL terminator proxy.
+# (string value)
+# Deprecated group/name - [DEFAULT]/secure_proxy_ssl_header
+#secure_proxy_ssl_header = X-Forwarded-Proto
+
+#
+# From heat.common.config
+#
+
+# Name of the engine node. This can be an opaque identifier. It is not
+# necessarily a hostname, FQDN, or IP address. (string value)
+#host = slaanesh
+
+# List of directories to search for plug-ins. (list value)
+#plugin_dirs = /usr/lib64/heat,/usr/lib/heat,/usr/local/lib/heat,/usr/local/lib64/heat
+
+# The directory to search for environment files. (string value)
+#environment_dir = /etc/heat/environment.d
+
+# The directory to search for template files. (string value)
+#template_dir = /etc/heat/templates
+
+# Select deferred auth method, stored password or trusts. (string value)
+# Allowed values: password, trusts
+#deferred_auth_method = trusts
+
+# Allow reauthentication on token expiry, such that long-running tasks may
+# complete. Note this defeats the expiry of any provided user tokens. (string
+# value)
+# Allowed values: '', trusts
+#reauthentication_auth_method =
+
+# Gap, in seconds, to determine whether the given token is about to expire.
+# (integer value)
+#stale_token_duration = 30
+
+# Subset of trustor roles to be delegated to heat. If left unset, all roles of
+# a user will be delegated to heat when creating a stack. (list value)
+#trusts_delegated_roles =
+
+# Maximum resources allowed per top-level stack. -1 stands for unlimited.
+# (integer value)
+#max_resources_per_stack = 1000
+
+# Maximum number of stacks any one tenant may have active at one time. (integer
+# value)
+#max_stacks_per_tenant = 100
+
+# Number of times to retry to bring a resource to a non-error state. Set to 0
+# to disable retries.
(integer value)
+#action_retry_limit = 5
+
+# Number of times to retry when a client encounters an expected intermittent
+# error. Set to 0 to disable retries. (integer value)
+#client_retry_limit = 2
+
+# Maximum length of a server name to be used in nova. (integer value)
+# Maximum value: 53
+#max_server_name_length = 53
+
+# Number of times to check whether an interface has been attached or detached.
+# (integer value)
+# Minimum value: 1
+#max_interface_check_attempts = 10
+
+# Controls how many events will be pruned whenever a stack's events are purged.
+# Set this lower to keep more events at the expense of more frequent purges.
+# (integer value)
+# Minimum value: 1
+#event_purge_batch_size = 200
+
+# Rough number of maximum events that will be available per stack. Actual
+# number of events can be a bit higher since purge checks take place randomly
+# 200/event_purge_batch_size percent of the time. Older events are deleted when
+# events are purged. Set to 0 for unlimited events per stack. (integer value)
+#max_events_per_stack = 1000
+
+# Timeout in seconds for stack action (ie. create or update). (integer value)
+#stack_action_timeout = 3600
+
+# The amount of time in seconds after an
[gentoo-commits] repo/gentoo:master commit in: sys-cluster/heat/files/, sys-cluster/heat/
commit: 3930fb660c9d11c546f1959d4a2bdf66dd8f67e2 Author: Matthew Thode gentoo org> AuthorDate: Fri Nov 4 14:48:04 2016 + Commit: Matt Thode gentoo org> CommitDate: Fri Nov 4 14:48:04 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3930fb66 sys-cluster/heat: fix CVE-2016-9185 bug 598940 Package-Manager: portage-2.3.0 sys-cluster/heat/files/CVE-2016-9185.patch | 53 ++ .../{heat-7.0.0.ebuild => heat-7.0.0-r1.ebuild}| 5 +- 2 files changed, 56 insertions(+), 2 deletions(-)
diff --git a/sys-cluster/heat/files/CVE-2016-9185.patch b/sys-cluster/heat/files/CVE-2016-9185.patch
new file mode 100644
index ..7b6bd86
--- /dev/null
+++ b/sys-cluster/heat/files/CVE-2016-9185.patch
@@ -0,0 +1,53 @@
+From 02dfb1a64f8a545a6dfed15245ac54c8ea835b81 Mon Sep 17 00:00:00 2001
+From: Daniel Gonzalez
+Date: Mon, 17 Oct 2016 10:22:42 +0200
+Subject: Prevent template validate from scanning ports
+
+The template validation method in the heat API allows to specify the
+template to validate using a URL with the 'template_url' parameter.
+
+By entering invalid http URLs, like 'http://localhost:22' it is
+possible to scan ports by evaluating the error message of the request.
+
+For example, the request
+
+curl -H "Content-Type: application/json" -H "X-Auth-Token: " \
+-X POST -d '{"template_url": "http://localhost:22"}' \
+http://127.0.0.1:8004/v1//validate
+
+causes the following error message to be returned to the user:
+
+"Could not retrieve template: Failed to retrieve template:
+('Connection aborted.',
+BadStatusLine('SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1\\r\\n',))"
+
+This could be misused by tenants to gain knowledge about the internal
+network the heat API runs in.
+
+To prevent this information leak, this patch alters the error message
+to not include such details when the url scheme is not 'file'.
+
+SecurityImpact
+
+Closes-Bug: #1606500
+
+Change-Id: Id1f86f41c1e6c028d889eca7ccbb9cde67631950
+(cherry picked from commit eab9a33ce760c55695a5beb2e541487588b08c98)
+---
+ heat/common/urlfetch.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/heat/common/urlfetch.py b/heat/common/urlfetch.py
+index 7efd968..8a7deae 100644
+--- a/heat/common/urlfetch.py b/heat/common/urlfetch.py
+@@ -75,4 +75,5 @@ def get(url, allowed_schemes=('http', 'https')):
+ return result
+ 
+ except exceptions.RequestException as ex:
+-raise URLFetchError(_('Failed to retrieve template: %s') % ex)
++LOG.info(_LI('Failed to retrieve template: %s') % ex)
++raise URLFetchError(_('Failed to retrieve template from %s') % url)
+-- 
+cgit v0.12
+
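Review bot: The new `except exceptions.RequestException` branch at the end of the inner hunk only withholds the exception text from the caller; Heat still opens the outbound connection to the tenant-supplied `template_url`, so the latency of `validate` (connection refused versus timeout) can plausibly still distinguish open from closed ports, and the request itself still reaches whatever internal service listens there. Restricting the destinations `urlfetch.get()` may contact (an allow/deny list, or egress filtering on the API node) is the complete mitigation; this patch does not claim to provide it, and a `# NOTE: error detail is hidden, but the fetch is still attempted -- restrict destinations separately` comment above the `raise` would keep that visible to the next maintainer. The full exception, including any banner read from the remote host, now goes to the operator log at INFO through `_LI`, which the hunk assumes is already imported in urlfetch.py (the import block is not shown). The commit message says details are hidden "when the url scheme is not 'file'", but the visible change is unconditional inside the `requests` handler, which is equivalent only because file URLs never raise `RequestException`; the enclosing `get()` starts before the inner hunk.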
diff --git a/sys-cluster/heat/heat-7.0.0.ebuild b/sys-cluster/heat/heat-7.0.0-r1.ebuild similarity index 99% rename from sys-cluster/heat/heat-7.0.0.ebuild rename to sys-cluster/heat/heat-7.0.0-r1.ebuild index 9477a14..37461d9 100644 --- a/sys-cluster/heat/heat-7.0.0.ebuild +++ b/sys-cluster/heat/heat-7.0.0-r1.ebuild @@ -113,8 +113,9 @@ RDEPEND=" >=dev-python/webob-1.2.3-r1[${PYTHON_USEDEP}] >=dev-python/yaql-1.1.0[${PYTHON_USEDEP}]" -#PATCHES=( -#) +PATCHES=( + "${FILESDIR}/CVE-2016-9185.patch" +) pkg_setup() { enewgroup heat
[gentoo-commits] repo/gentoo:master commit in: sys-cluster/heat/files/, sys-cluster/heat/
commit: 1e60fdfa463928bd5340fb6933c3455dec69d370 Author: Matthew Thode gentoo org> AuthorDate: Mon Oct 3 20:24:39 2016 + Commit: Matt Thode gentoo org> CommitDate: Mon Oct 3 20:36:13 2016 + URL:https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e60fdfa sys-cluster/heat: adding heat :D Package-Manager: portage-2.3.0 sys-cluster/heat/files/heat.initd | 53 + sys-cluster/heat/files/newton-heat.conf.sample | 1225 sys-cluster/heat/heat-2016.2..ebuild | 152 +++ sys-cluster/heat/metadata.xml | 19 + 4 files changed, 1449 insertions(+)
diff --git a/sys-cluster/heat/files/heat.initd b/sys-cluster/heat/files/heat.initd
new file mode 100644
index ..a3fa50e
--- /dev/null
+++ b/sys-cluster/heat/files/heat.initd
@@ -0,0 +1,53 @@
+#!/sbin/openrc-run
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+BASENAME=$(echo $SVCNAME | cut -d '-' -f 1)
+SERVERNAME=$(echo $SVCNAME | cut -d '-' -f 2)
+
+depend() {
+need net
+}
+
+checkconfig() {
+if [ ! -r /etc/conf.d/$BASENAME ]; then
+eerror "No heat conf.d file found: /etc/conf.d/$BASENAME)"
+return 1
+else
+. /etc/conf.d/$BASENAME
+fi
+}
+
+start() {
+checkconfig || return $?
+
+ebegin "Starting ${SVCNAME}"
+if [ ! -d ${PID_PATH} ]; then
+mkdir ${PID_PATH}
+chown heat:root ${PID_PATH}
+fi
+
+start-stop-daemon --start \
+ --quiet \
+ --user heat \
+ --pidfile "${PID_PATH}/${SVCNAME}.pid" \
+ --make-pidfile \
+ --background \
+ --exec /usr/bin/heat-${SERVERNAME} -- --config-file /etc/heat/heat.conf --log-file /var/log/heat/heat-${SERVERNAME}
+
+eend $? "Failed to start ${SVCNAME}"
+}
+
+stop() {
+checkconfig || return $?
+
+ebegin "Stopping ${SVCNAME}"
+
+start-stop-daemon --stop \
+ --quiet \
+ --user heat \
+ --pidfile "${PID_PATH}/${SVCNAME}.pid" \
+ --exec /usr/bin/heat-${SERVERNAME} -- --config-file /etc/heat/heat.conf
+
+eend $? "Failed to stop ${SVCNAME}"
+}
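Review bot: `SERVERNAME=$(echo $SVCNAME | cut -d '-' -f 2)` keeps only the second dash-separated field, so if this script is symlinked under a multi-part name such as `heat-api-cfn` it computes `SERVERNAME=api` and `start-stop-daemon --exec /usr/bin/heat-api` starts the wrong daemon under the `heat-api-cfn` pidfile; `cut -d '-' -f 2-` keeps the remainder of the name. `start()` also runs `mkdir ${PID_PATH}` and `chown heat:root ${PID_PATH}` without verifying that `/etc/conf.d/$BASENAME` actually set `PID_PATH`, so an unset value makes `mkdir` fail and the pidfile land at `/${SVCNAME}.pid`; adding `[ -n "${PID_PATH}" ] || { eerror "PID_PATH not set in /etc/conf.d/$BASENAME"; return 1; }` to `checkconfig` and quoting `"${PID_PATH}"` on those lines closes that. Since the directory is created as root before the daemon drops to `heat`, give it an explicit mode (e.g. `mkdir -m 0755`) rather than inheriting the service umask. The `eerror` message also carries a stray `)` after `$BASENAME`.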
diff --git a/sys-cluster/heat/files/newton-heat.conf.sample b/sys-cluster/heat/files/newton-heat.conf.sample new file mode 100644 index ..433b8ba --- /dev/null +++ b/sys-cluster/heat/files/newton-heat.conf.sample 
@@ -0,0 +1,1225 @@
+[DEFAULT]
+
+#
+# From oslo.log
+#
+
+# If set to true, the logging level will be set to DEBUG instead of the default
+# INFO level. (boolean value)
+# Note: This option can be changed without restarting.
+#debug = false
+
+# DEPRECATED: If set to false, the logging level will be set to WARNING instead
+# of the default INFO level. (boolean value)
+# This option is deprecated for removal.
+# Its value may be silently ignored in the future.
+#verbose = true
+
+# The name of a logging configuration file. This file is appended to any
+# existing logging configuration files. For details about logging configuration
+# files, see the Python logging module documentation. Note that when logging
+# configuration files are used then all logging configuration is set in the
+# configuration file and other logging configuration options are ignored (for
+# example, logging_context_format_string). (string value)
+# Note: This option can be changed without restarting.
+# Deprecated group/name - [DEFAULT]/log_config
+#log_config_append =
+
+# Defines the format string for %%(asctime)s in log records. Default:
+# %(default)s . This option is ignored if log_config_append is set. (string
+# value)
+#log_date_format = %Y-%m-%d %H:%M:%S
+
+# (Optional) Name of log file to send logging output to. If no default is set,
+# logging will go to stderr as defined by use_stderr. This option is ignored if
+# log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logfile
+#log_file =
+
+# (Optional) The base directory used for relative log_file paths. This option
+# is ignored if log_config_append is set. (string value)
+# Deprecated group/name - [DEFAULT]/logdir
+#log_dir =
+
+# Uses logging handler designed to watch file system. When log file is moved or
+# removed this handler will open a new log file with specified path
+# instantaneously. It makes sense only if log_file option is specified and
+# Linux platform is used.
This option is ignored if log_config_append is set.
+# (boolean value)
+#watch_log_file = false
+
+# Use syslog for logging. Existing syslog format is DEPRECATED and will be
+# changed later to honor RFC5424. This option is ignored if log_config_append
+# is set. (boolean value)
+#use_syslog = false
+
+# Syslog facility to receive log lines. This option is ignored if
+# log_config_append is set. (string value)
+#syslog_log_facility = LOG_USER
+
+# Log output to standard error. This option is ignored if log_config_append is
+# s