[Summary]
Octavia provides Load Balancing as a Service as part of an OpenStack cloud
deployment.

Load balancers are provided as virtual machine appliances which run the
Octavia amphora agent for management control between the Octavia
control plane and the load balancers (typically via a dedicated private
virtual network).

The central control plane consists of an API service and three backend
daemons - health-manager (which monitors amphorae health, recreating an
amphora if an LB fails), housekeeping (manages database housekeeping and
the pool of spare amphorae) and worker (manages the allocation of
load balancers to end users and other operations).

https://docs.openstack.org/octavia/queens/reference/introduction.html

Communication between the amphora agent API and the central control
plane API is secured with TLS using bi-directional (mutual) certificate
authentication.  Setting this up is part of the deployment process for
Octavia rather than part of what the packaging provides.

This does need a security review, so assigning to ubuntu-security.

MIR team ack for inclusion in main (subject to security team review)


[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
 - no other dependencies to MIR due to this
   All identified as part of the MIR review.
 - no -dev/-debug/-doc packages that need exclusion


[Embedded sources and static linking]
OK:
 - no embedded source present
 - no static linking


[Security]
OK:
 - history of CVEs does not look concerning
   Some security history, all affecting older Octavia versions
   than we have in Ubuntu (which is >= 5.0.0)
   https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=octavia

 - does not run a daemon as root
 - does not use webkit1,2
 - does not use lib*v8 directly
 - does not parse data formats
   API is REST based and parses JSON formatted data using the
   standard patterns as used by the majority of OpenStack
   services.

 - does not open a port
   API port (OK)
   Amphorae API port (see summary)

 - does not process arbitrary web content
 - does not use centralized online accounts
 - does not integrate arbitrary javascript into the desktop
 - does not deal with system authentication (e.g. pam, etc.)

[Common blockers]
OK:
 - does not FTBFS currently
 - does have a test suite that runs at build time
   - test suite failures will fail the build
 - does have a test suite that runs as autopkgtest
 - The package has a team bug subscriber
   ubuntu-openstack
 - no translation present, but none needed for this case (user visible)?
   N/A
 - no new python2 dependency
 - Python package that is using dh_python

[Packaging red flags]
OK:
 - Ubuntu does carry a delta, but it is reasonable and maintenance is under control
   OpenStack in Ubuntu is typically ahead in terms of version compared
   to Debian and is managed by the Ubuntu OpenStack team.
 - symbols tracking not applicable for this kind of code.
 - d/watch is present and looks ok
 - Upstream update history is good
 - Debian/Ubuntu update history is good (but diverged)
 - the current release is packaged
 - no massive Lintian warnings
 - d/rules is rather clean
   Some complexity but looks managed

 - not using Built-Using

[Upstream red flags]
OK:
 - no Errors/warnings during the build
 - no incautious use of malloc/sprintf (as far as I can check it)
 - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
 - no use of user nobody
 - no use of setuid
 - no important open bugs (crashers, etc) in Debian or Ubuntu
 - no dependency on webkit, qtwebkit, seed or libgoa-*
 - no embedded source copies
 - not part of the UI for extra checks


** Changed in: octavia (Ubuntu)
     Assignee: James Page (james-page) => Ubuntu Security Team (ubuntu-security)

** Changed in: octavia (Ubuntu)
    Milestone: None => ubuntu-20.10

** Changed in: octavia (Ubuntu)
   Importance: Undecided => High

-- 
https://bugs.launchpad.net/bugs/1888309

Title:
  [MIR] octavia

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs