sys-cluster/ removed from the overlay.

Kolan Sh 2014-09-24 16:15:34 +04:00
parent 6c80b01a83
commit 33f0c2aa6e
23 changed files with 0 additions and 771 deletions


@ -1 +0,0 @@
DIST neutron-2014.1.1.tar.gz 6404237 SHA256 4723713b124ec7be0ae5f280d30a53b00ab5bec8a27be6165bdc630b8f22c1b5 SHA512 8a586741c035700ed8f33089830278e9eee9745a8fa58ef4ec71638ffecbd7c8689387f1597d948ca18a7f7edbad1ff67aab6d5304b61069556d5418e55738c5 WHIRLPOOL 6b7d139f1265a719edf05dbe2648fb7a056f708984da3e2b7b89f17746694137b5201bc69587e0af1a9729710205538c5841c860180ea9d7e7f5f0a17ece43dc


@ -1,2 +0,0 @@
#Don't touch this unless you know what you are doing
PID_PATH=/run/quantum


@ -1,2 +0,0 @@
#Don't touch this unless you know what you are doing
PID_PATH=/run/neutron


@ -1,2 +0,0 @@
NEUTRON_CONFS=("/etc/neutron/neutron.conf" "/etc/neutron/dhcp_agent.ini")


@ -1,60 +0,0 @@
#!/sbin/runscript
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
depend() {
need net
}
BASENAME=$(echo $SVCNAME | cut -d '-' -f 1)
SERVERNAME=$(echo $SVCNAME | cut -d '-' -f 2)
checkconfig() {
if [ ! -r /etc/conf.d/$BASENAME ]; then
eerror "No quantum conf.d file found: /etc/conf.d/$BASENAME)"
return 1
fi
return 0
}
start() {
checkconfig || return $?
. /etc/conf.d/$BASENAME
ebegin "Starting ${SVCNAME}"
if [ ! -d ${PID_PATH} ]; then
mkdir ${PID_PATH}
fi
start-stop-daemon --start \
--user neutron:neutron \
--quiet \
--pidfile "${PID_PATH}/${SVCNAME}.pid" \
--make-pidfile \
--background \
--exec /usr/bin/${SVCNAME} -- \
--config-file /etc/quantum/quantum.conf \
--config-file /etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini \
--log-file /var/log/quantum/server.log
eend $? "Failed to start ${SVCNAME}"
}
stop() {
checkconfig || return $?
. /etc/conf.d/$BASENAME
ebegin "Stopping ${SVCNAME}"
start-stop-daemon --stop --user neutron --quiet --pidfile "${PID_PATH}/${SVCNAME}.pid" \
--exec /usr/bin/${SVCNAME} -- \
--config-file /etc/quantum/quantum.conf \
--config-file /etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini \
--log-file /var/log/quantum/server.log
eend $? "Failed to stop ${SVCNAME}"
}
#restart() {
#
#}


@ -1,60 +0,0 @@
#!/sbin/runscript
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
depend() {
need net
}
BASENAME=$(echo $SVCNAME | cut -d '-' -f 1)
SERVERNAME=$(echo $SVCNAME | cut -d '-' -f 2)
checkconfig() {
if [ ! -r /etc/conf.d/$BASENAME ]; then
eerror "No neutron conf.d file found: /etc/conf.d/$BASENAME)"
return 1
fi
return 0
}
start() {
checkconfig || return $?
. /etc/conf.d/$BASENAME
ebegin "Starting ${SVCNAME}"
if [ ! -d ${PID_PATH} ]; then
mkdir ${PID_PATH}
fi
start-stop-daemon --start \
--user neutron:neutron \
--quiet \
--pidfile "${PID_PATH}/${SVCNAME}.pid" \
--make-pidfile \
--background \
--exec /usr/bin/${SVCNAME} -- \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini \
--log-file /var/log/neutron/server.log
eend $? "Failed to start ${SVCNAME}"
}
stop() {
checkconfig || return $?
. /etc/conf.d/$BASENAME
ebegin "Stopping ${SVCNAME}"
start-stop-daemon --stop --user neutron --quiet --pidfile "${PID_PATH}/${SVCNAME}.pid" \
--exec /usr/bin/${SVCNAME} -- \
--config-file /etc/neutron/neutron.conf \
--config-file /etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini \
--log-file /var/log/neutron/server.log
eend $? "Failed to stop ${SVCNAME}"
}
#restart() {
#
#}


@ -1,2 +0,0 @@
NEUTRON_CONFS=("/etc/neutron/neutron.conf" "/etc/neutron/l3_agent.ini")


@ -1 +0,0 @@
NEUTRON_CONFS=("/etc/neutron/neutron.conf" "/etc/neutron/plugins/linuxbridge/linuxbridge_conf.ini")


@ -1,2 +0,0 @@
NEUTRON_CONFS=("/etc/neutron/neutron.conf" "/etc/neutron/metadata_agent.ini")


@ -1 +0,0 @@
NEUTRON_CONFS=("/etc/neutron/neutron.conf" "/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini")


@ -1 +0,0 @@
NEUTRON_CONFS=("/etc/neutron/neutron.conf" "/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini")


@ -1 +0,0 @@
NEUTRON_CONFS=("/etc/neutron/neutron.conf" "/etc/neutron/plugin.ini")


@ -1,4 +0,0 @@
Defaults:neutron !requiretty
neutron ALL = (root) NOPASSWD: /usr/bin/quantum-rootwrap


@ -1,21 +0,0 @@
#!/sbin/runscript
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/files/neutron.initd,v 1.1 2014/05/11 13:03:17 vadimk Exp $
description="Starts ${SVCNAME} service for OpenStack"
command=/usr/bin/"${SVCNAME}"
command_background=yes
pidfile=/var/run/neutron/"${SVCNAME}".pid
required_files=(${NEUTRON_CONFS[@]:-/etc/neutron/neutron.conf})
command_args="${required_files[@]/#/--config-file } --log-file /var/log/neutron/${SVCNAME#*-}.log"
start_stop_daemon_args="--quiet --user ${NEUTRON_USER:-neutron}"
depend() {
need net
}
start_pre() {
checkpath --directory --owner "${NEUTRON_USER:-neutron}":"${NEUTRON_GROUP:-neutron}" --mode 0755 "${NEUTRON_RUN:-/var/run/neutron}"
}


@ -1,4 +0,0 @@
Defaults:neutron !requiretty
neutron ALL = (root) NOPASSWD: /usr/bin/neutron-rootwrap /etc/neutron/rootwrap.conf *


@ -1,164 +0,0 @@
https://review.openstack.org/gitweb?p=openstack%2Fneutron.git;a=commitdiff;h=a52ef6ecf19b8b015465ddda2a3ca087f0e12122
index 04dbfef..77f233a 100755 (executable)
--- a/neutron/plugins/nicira/vshield/tasks/tasks.py
+++ b/neutron/plugins/nicira/vshield/tasks/tasks.py
@@ -15,8 +15,6 @@
# License for the specific language governing permissions and limitations
# under the License.
-from __future__ import print_function
-
import collections
import uuid
@@ -167,6 +165,9 @@ class TaskManager():
# A dict to store resource -> resource's tasks
self._tasks = {}
+ # Current task being executed in main thread
+ self._main_thread_exec_task = None
+
# New request event
self._req = event.Event()
@@ -311,8 +312,10 @@ class TaskManager():
continue
try:
+ self._main_thread_exec_task = task
self._execute(task)
finally:
+ self._main_thread_exec_task = None
if task.status is None:
# The thread is killed during _execute(). To guarantee
# the task been aborted correctly, put it to the queue.
@@ -348,20 +351,19 @@ class TaskManager():
self._thread = None
def has_pending_task(self):
- if self._tasks_queue:
- return True
-
- if self._tasks:
+ if self._tasks_queue or self._tasks or self._main_thread_exec_task:
return True
-
- return False
+ else:
+ return False
def show_pending_tasks(self):
for task in self._tasks_queue:
- print(str(task))
+ LOG.info(str(task))
for resource, tasks in self._tasks.iteritems():
for task in tasks:
- print(str(task))
+ LOG.info(str(task))
+ if self._main_thread_exec_task:
+ LOG.info(str(self._main_thread_exec_task))
def count(self):
count = 0
diff --git a/neutron/tests/unit/nicira/test_edge_router.py b/neutron/tests/unit/nicira/test_edge_router.py
index 41efeed..a360b71 100644 (file)
--- a/neutron/tests/unit/nicira/test_edge_router.py
+++ b/neutron/tests/unit/nicira/test_edge_router.py
@@ -135,7 +135,8 @@ class ServiceRouterTest(test_nicira_plugin.NiciraL3NatTest,
def tearDown(self):
plugin = NeutronManager.get_plugin()
manager = plugin.vcns_driver.task_manager
- for i in range(20):
+ # wait max ~10 seconds for all tasks to be finished
+ for i in range(100):
if not manager.has_pending_task():
break
greenthread.sleep(0.1)
@@ -183,8 +184,8 @@ class ServiceRouterTestCase(ServiceRouterTest, NvpRouterTestCase):
for k, v in expected_value_1:
self.assertEqual(router['router'][k], v)
- # wait ~1 seconds for router status update
- for i in range(2):
+ # wait max ~10 seconds for router status update
+ for i in range(20):
greenthread.sleep(0.5)
res = self._show('routers', router['router']['id'])
if res['router']['status'] == 'ACTIVE':
diff --git a/neutron/tests/unit/nicira/test_vcns_driver.py b/neutron/tests/unit/nicira/test_vcns_driver.py
index b0d69a4..ddc0c33 100644 (file)
--- a/neutron/tests/unit/nicira/test_vcns_driver.py
+++ b/neutron/tests/unit/nicira/test_vcns_driver.py
@@ -253,6 +253,31 @@ class VcnsDriverTaskManagerTestCase(base.BaseTestCase):
def test_task_manager_stop_4(self):
self._test_task_manager_stop(False, False, 1)
+ def test_task_pending_task(self):
+ def _exec(task):
+ task.userdata['executing'] = True
+ while not task.userdata['tested']:
+ greenthread.sleep(0)
+ task.userdata['executing'] = False
+ return TaskStatus.COMPLETED
+
+ userdata = {
+ 'executing': False,
+ 'tested': False
+ }
+ manager = ts.TaskManager().start(100)
+ task = ts.Task('name', 'res', _exec, userdata=userdata)
+ manager.add(task)
+
+ while not userdata['executing']:
+ greenthread.sleep(0)
+ self.assertTrue(manager.has_pending_task())
+
+ userdata['tested'] = True
+ while userdata['executing']:
+ greenthread.sleep(0)
+ self.assertFalse(manager.has_pending_task())
+
class VcnsDriverTestCase(base.BaseTestCase):
@@ -298,6 +323,10 @@ class VcnsDriverTestCase(base.BaseTestCase):
self.edge_id = None
self.result = None
+ def tearDown(self):
+ self.vcns_driver.task_manager.stop()
+ super(VcnsDriverTestCase, self).tearDown()
+
def _deploy_edge(self):
task = self.vcns_driver.deploy_edge(
'router-id', 'myedge', 'internal-network', {}, wait_for_exec=True)
@@ -355,12 +384,13 @@ class VcnsDriverTestCase(base.BaseTestCase):
self.assertTrue(jobdata.get('edge_deploy_result'))
def test_deploy_edge_fail(self):
- self.vcns_driver.deploy_edge(
+ task1 = self.vcns_driver.deploy_edge(
'router-1', 'myedge', 'internal-network', {}, wait_for_exec=True)
- task = self.vcns_driver.deploy_edge(
+ task2 = self.vcns_driver.deploy_edge(
'router-2', 'myedge', 'internal-network', {}, wait_for_exec=True)
- task.wait(TaskState.RESULT)
- self.assertEqual(task.status, TaskStatus.ERROR)
+ task1.wait(TaskState.RESULT)
+ task2.wait(TaskState.RESULT)
+ self.assertEqual(task2.status, TaskStatus.ERROR)
def test_get_edge_status(self):
self._deploy_edge()


@ -1,16 +0,0 @@
diff -ur neutron-2013.2.orig/doc/source/conf.py neutron-2013.2/doc/source/conf.py
--- doc/source/conf.py 2013-10-17 22:01:20.000000000 +0800
+++ doc/source/conf.py 2013-11-15 19:42:42.701213324 +0800
@@ -238,12 +238,3 @@
# If false, no module index is generated.
#latex_use_modindex = True
-
-# Example configuration for intersphinx: refer to the Python standard library.
-intersphinx_mapping = {'python': ('http://docs.python.org/', None),
- 'nova': ('http://nova.openstack.org', None),
- 'swift': ('http://swift.openstack.org', None),
- 'glance': ('http://glance.openstack.org', None),
- 'horizon': ('http://horizon.openstack.org', None),
- 'keystone': ('http://keystone.openstack.org', None),
- }


@ -1,178 +0,0 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-cluster/neutron/neutron-2014.1.1.ebuild,v 1.3 2014/07/13 03:40:50 idella4 Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
inherit distutils-r1 user
DESCRIPTION="A virtual network service for Openstack."
HOMEPAGE="https://launchpad.net/neutron"
SRC_URI="http://launchpad.net/${PN}/icehouse/${PV}/+download/${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~x86"
IUSE="dhcp doc l3 metadata openvswitch linuxbridge server test sqlite mysql postgres"
REQUIRED_USE="|| ( mysql postgres sqlite )"
#the cliff dep is as below because it depends on pyparsing, which only has 2.7 OR 3.2, not both
DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
>=dev-python/pbr-0.6[${PYTHON_USEDEP}]
<dev-python/pbr-1.0[${PYTHON_USEDEP}]
app-admin/sudo
test? ( >=dev-python/hacking-0.8.0[${PYTHON_USEDEP}]
<dev-python/hacking-0.9[${PYTHON_USEDEP}]
>=dev-python/cliff-1.4.3[${PYTHON_USEDEP}]
>=dev-python/coverage-3.6[${PYTHON_USEDEP}]
>=dev-python/fixtures-0.3.14[${PYTHON_USEDEP}]
>=dev-python/mock-1.0[${PYTHON_USEDEP}]
>=dev-python/subunit-0.0.18[${PYTHON_USEDEP}]
>=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
<dev-python/sphinx-1.2[${PYTHON_USEDEP}]
>=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}]
>=dev-python/testtools-0.9.34[${PYTHON_USEDEP}]
>=dev-python/webtest-2.0[${PYTHON_USEDEP}]
dev-python/configobj[${PYTHON_USEDEP}] )"
RDEPEND="dev-python/paste[${PYTHON_USEDEP}]
>=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
>=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
>=dev-python/amqplib-0.6.1-r1[${PYTHON_USEDEP}]
>=dev-python/anyjson-0.3.3[${PYTHON_USEDEP}]
>=dev-python/Babel-1.3[${PYTHON_USEDEP}]
>=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
>=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
>=dev-python/httplib2-0.7.5[${PYTHON_USEDEP}]
>=dev-python/requests-1.1[${PYTHON_USEDEP}]
>=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
dev-python/jsonrpclib[${PYTHON_USEDEP}]
dev-python/jinja[${PYTHON_USEDEP}]
>=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
>=dev-python/netaddr-0.7.6[${PYTHON_USEDEP}]
>=dev-python/python-neutronclient-2.3.4[${PYTHON_USEDEP}]
<=dev-python/python-neutronclient-3.0.0[${PYTHON_USEDEP}]
>=dev-python/sqlalchemy-0.7.8[${PYTHON_USEDEP}]
<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
mysql? ( dev-python/mysql-python[${PYTHON_USEDEP}] )
postgres? ( >=dev-python/psycopg-2[${PYTHON_USEDEP}] )
sqlite? ( dev-db/sqlite )
>=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
>=dev-python/python-keystoneclient-0.7.0[${PYTHON_USEDEP}]
>=dev-python/alembic-0.4.1[${PYTHON_USEDEP}]
>=dev-python/six-1.5.2[${PYTHON_USEDEP}]
>=dev-python/stevedore-0.14[${PYTHON_USEDEP}]
>=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
dev-python/oslo-rootwrap[${PYTHON_USEDEP}]
>=dev-python/python-novaclient-2.17.0[${PYTHON_USEDEP}]
dev-python/pyudev[${PYTHON_USEDEP}]
sys-apps/iproute2
openvswitch? ( net-misc/openvswitch )
dhcp? ( net-dns/dnsmasq[dhcp-tools] )"
PATCHES=(
"${FILESDIR}/sphinx_mapping.patch"
)
pkg_setup() {
enewgroup neutron
enewuser neutron -1 -1 /var/lib/neutron neutron
}
pkg_config() {
fperms 0700 /var/log/neutron
fowners neutron:neutron /var/log neutron
}
src_prepare() {
#it's /bin/ip not /sbin/ip
sed -i 's/sbin\/ip\,/bin\/ip\,/g' etc/neutron/rootwrap.d/*
distutils-r1_src_prepare
}
python_compile_all() {
use doc && make -C doc html
}
python_test() {
# https://bugs.launchpad.net/neutron/+bug/1234857
# https://bugs.launchpad.net/swift/+bug/1249727
# https://bugs.launchpad.net/neutron/+bug/1251657
# turn multiprocessing off, testr will use it --parallel
local DISTUTILS_NO_PARALLEL_BUILD=1
# Move tests out that attempt net connection, have failures
mv $(find . -name test_ovs_tunnel.py) . || die
sed -e 's:test_app_using_ipv6_and_ssl:_&:' \
-e 's:test_start_random_port_with_ipv6:_&:' \
-i neutron/tests/unit/test_wsgi.py || die
testr init
testr run --parallel || die "failed testsuite under python2.7"
}
python_install() {
distutils-r1_python_install
if use server; then
newinitd "${FILESDIR}/neutron.initd" "neutron-server"
newconfd "${FILESDIR}/neutron-server.confd" "neutron-server"
dosym /etc/neutron/plugin.ini /etc/neutron/plugins/ml2/ml2_conf.ini
fi
if use dhcp; then
newinitd "${FILESDIR}/neutron.initd" "neutron-dhcp-agent"
newconfd "${FILESDIR}/neutron-dhcp-agent.confd" "neutron-dhcp-agent"
fi
if use l3; then
newinitd "${FILESDIR}/neutron.initd" "neutron-l3-agent"
newconfd "${FILESDIR}/neutron-l3-agent.confd" "neutron-l3-agent"
fi
if use metadata; then
newinitd "${FILESDIR}/neutron.initd" "neutron-metadata-agent"
newconfd "${FILESDIR}/neutron-metadata-agent.confd" "neutron-metadata-agent"
fi
if use openvswitch; then
newinitd "${FILESDIR}/neutron.initd" "neutron-openvswitch-agent"
newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-openvswitch-agent"
newinitd "${FILESDIR}/neutron.initd" "neutron-ovs-cleanup"
newconfd "${FILESDIR}/neutron-openvswitch-agent.confd" "neutron-ovs-cleanup"
fi
if use linuxbridge; then
newinitd "${FILESDIR}/neutron.initd" "neutron-linuxbridge-agent"
newconfd "${FILESDIR}/neutron-linuxbridge-agent.confd" "neutron-linuxbridge-agent"
fi
diropts -m 755 -o neutron -g neutron
dodir /var/log/neutron /var/lib/neutron
keepdir /etc/neutron
insinto /etc/neutron
insopts -m 0640 -o neutron -g neutron
doins "etc/neutron.conf"
doins "etc/api-paste.ini"
doins "etc/dhcp_agent.ini"
doins "etc/fwaas_driver.ini"
doins "etc/l3_agent.ini"
doins "etc/lbaas_agent.ini"
doins "etc/metadata_agent.ini"
doins "etc/metering_agent.ini"
doins "etc/policy.json"
doins "etc/vpn_agent.ini"
doins -r "etc/neutron/plugins"
insopts -m 0640 -o root -g root
doins "etc/rootwrap.conf"
doins -r "etc/neutron/rootwrap.d"
insinto "/usr/lib64/python2.7/site-packages/neutron/db/migration/alembic_migrations/"
doins -r "neutron/db/migration/alembic_migrations/versions"
#add sudoers definitions for user neutron
insinto /etc/sudoers.d/
insopts -m 0440 -o root -g root
newins "${FILESDIR}/neutron.sudoersd" neutron
#remove superfluous stuff
rm -R "${D}/usr/etc/"
}
python_install_all() {
use doc && local HTML_DOCS=( doc/build/html/. )
distutils-r1_python_install_all
}


@ -1 +0,0 @@
DIST nova-2014.1.1.tar.gz 7979809 SHA256 3cb3b48c72c39e7637d6016039d353ad33de69bcd6ed04dbfdb0db9313eb9a5b SHA512 6f7b449e09e796c483d93399af24c2cd77042776e1c4d36c3bcd34814b42a252151542b684785ba6c1b28bc0b302cc15f5057da7f90884c73ff6b11ec748323e WHIRLPOOL 0d959b4655d6010825b0ef73b6ce983cd6a0679f5aa5d41ebfbddce26e74d402d9d571c65d26f71e60bb627fc9d4d924d1e4622c1d96d73e3b484f1c68502df7


@ -1,100 +0,0 @@
From 3dd2cb0452b63d5de04606d79bbbf41a4e50a42a Mon Sep 17 00:00:00 2001
From: Grant Murphy <gmurphy@redhat.com>
Date: Tue, 8 Jul 2014 03:35:40 +0000
Subject: [PATCH 1/1] Avoid possible timing attack in metadata api
Introduce a constant time comparison function to
nova utils for comparing authentication tokens.
Original code taken from:
https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/memcache_crypt.py#L86
Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de
Closes-bug: #1325128
---
nova/api/metadata/handler.py | 3 ++-
nova/tests/test_utils.py | 7 +++++++
nova/utils.py | 27 +++++++++++++++++++++++++++
3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
index a14db67..be866ef 100644
--- a/nova/api/metadata/handler.py
+++ b/nova/api/metadata/handler.py
@@ -30,6 +30,7 @@ from nova import exception
from nova.openstack.common.gettextutils import _
from nova.openstack.common import log as logging
from nova.openstack.common import memorycache
+from nova import utils
from nova import wsgi
CACHE_EXPIRATION = 15 # in seconds
@@ -169,7 +170,7 @@ class MetadataRequestHandler(wsgi.Application):
instance_id,
hashlib.sha256).hexdigest()
- if expected_signature != signature:
+ if not utils.constant_time_compare(expected_signature, signature):
if instance_id:
LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not '
'match the expected value: %(expected_signature)s '
diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
index 59d08fd..c2969a6 100644
--- a/nova/tests/test_utils.py
+++ b/nova/tests/test_utils.py
@@ -979,3 +979,10 @@ class VersionTestCase(test.NoDBTestCase):
def test_convert_version_to_tuple(self):
self.assertEqual(utils.convert_version_to_tuple('6.7.0'), (6, 7, 0))
+
+
+class ConstantTimeCompareTestCase(test.NoDBTestCase):
+ def test_constant_time_compare(self):
+ self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234"))
+ self.assertFalse(utils.constant_time_compare("abcd1234", "a"))
+ self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234"))
diff --git a/nova/utils.py b/nova/utils.py
index 0c3ee94..7dfa0cc 100644
--- a/nova/utils.py
+++ b/nova/utils.py
@@ -21,6 +21,7 @@ import contextlib
import datetime
import functools
import hashlib
+import hmac
import inspect
import multiprocessing
import os
@@ -1170,3 +1171,29 @@ def cpu_count():
return multiprocessing.cpu_count()
except NotImplementedError:
return 1
+
+
+# NOTE(gm) Constant time comparison taken from keystone. This is a
+# candidate for inclusion in oslo.
+#
+# Original code: master/keystoneclient/middleware/memcache_crypt.py#L86
+if sys.version_info >= (3, 3):
+ constant_time_compare = hmac.compare_digest
+else:
+ def constant_time_compare(first, second):
+ """Returns True if both string inputs are equal, otherwise False.
+
+ This function should take a constant amount of time regardless of
+ how many characters in the strings match.
+
+ """
+ if len(first) != len(second):
+ return False
+ result = 0
+ if six.PY3 and isinstance(first, bytes) and isinstance(second, bytes):
+ for x, y in zip(first, second):
+ result |= x ^ y
+ else:
+ for x, y in zip(first, second):
+ result |= ord(x) ^ ord(y)
+ return result == 0
--
1.9.3


@ -1,3 +0,0 @@
Defaults:nova !requiretty
nova ALL = (root) NOPASSWD: /usr/bin/nova-rootwrap


@ -1,20 +0,0 @@
#!/sbin/runscript
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
description="Starts ${SVCNAME} service for OpenStack"
command=/usr/bin/${SVCNAME}
command_background=yes
pidfile=/var/run/nova/${SVCNAME}.pid
required_files=/etc/nova/nova.conf
start_stop_daemon_args="--quiet --user ${NOVA_USER:-nova}"
depend() {
need net
}
start_pre() {
checkpath --directory --owner ${NOVA_USER:-nova}:${NOVA_GROUP:-nova} --mode 0775 ${NOVA_RUN:-/var/run/nova}
checkpath --directory --owner ${NOVA_USER:-nova}:${NOVA_GROUP:-nova} --mode 0775 ${NOVA_RUN:-/var/lock/nova}
}


@ -1,125 +0,0 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-cluster/nova/nova-2014.1.1-r1.ebuild,v 1.1 2014/07/17 07:06:48 prometheanfire Exp $
EAPI=5
PYTHON_COMPAT=( python2_7 )
inherit distutils-r1 eutils multilib user
DESCRIPTION="A cloud computing fabric controller (main part of an IaaS system) written in Python."
HOMEPAGE="https://launchpad.net/nova"
SRC_URI="http://launchpad.net/${PN}/icehouse/${PV}/+download/${P}.tar.gz"
LICENSE="Apache-2.0"
SLOT="0"
KEYWORDS="~amd64 ~x86"
IUSE="+compute +kvm +network +novncproxy sqlite mysql postgres xen"
REQUIRED_USE="|| ( mysql postgres sqlite )
compute? ( || ( kvm xen ) )"
DEPEND="dev-python/setuptools[${PYTHON_USEDEP}]
>=dev-python/pbr-0.6[${PYTHON_USEDEP}]
<dev-python/pbr-1.0[${PYTHON_USEDEP}]
app-admin/sudo"
RDEPEND="sqlite? ( >=dev-python/sqlalchemy-0.7.8[sqlite,${PYTHON_USEDEP}]
<dev-python/sqlalchemy-0.9.99[sqlite,${PYTHON_USEDEP}] )
mysql? ( >=dev-python/sqlalchemy-0.7.8[${PYTHON_USEDEP}]
<dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}] )
postgres? ( >=dev-python/sqlalchemy-0.7.8[postgres,${PYTHON_USEDEP}]
<dev-python/sqlalchemy-0.9.99[postgres,${PYTHON_USEDEP}] )
>=dev-python/amqplib-0.6.1[${PYTHON_USEDEP}]
>=dev-python/anyjson-0.3.3[${PYTHON_USEDEP}]
>=dev-python/boto-2.12.0[${PYTHON_USEDEP}]
!~dev-python/boto-2.13.0[${PYTHON_USEDEP}]
>=dev-python/eventlet-0.13.0[${PYTHON_USEDEP}]
dev-python/jinja[${PYTHON_USEDEP}]
>=dev-python/kombu-2.4.8[${PYTHON_USEDEP}]
>=dev-python/lxml-2.3[${PYTHON_USEDEP}]
>=dev-python/routes-1.12.3-r1[${PYTHON_USEDEP}]
>=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
>=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
>=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
dev-python/paste[${PYTHON_USEDEP}]
>=dev-python/sqlalchemy-migrate-0.8.2[${PYTHON_USEDEP}]
!~dev-python/sqlalchemy-migrate-0.8.4[${PYTHON_USEDEP}]
>=dev-python/netaddr-0.7.6[${PYTHON_USEDEP}]
>=dev-python/suds-0.4[${PYTHON_USEDEP}]
>=dev-python/paramiko-1.9.0[${PYTHON_USEDEP}]
dev-python/pyasn1[${PYTHON_USEDEP}]
>=dev-python/Babel-1.3[${PYTHON_USEDEP}]
>=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
>=dev-python/python-cinderclient-1.0.6[${PYTHON_USEDEP}]
>=dev-python/python-neutronclient-2.3.4[${PYTHON_USEDEP}]
<=dev-python/python-neutronclient-3.0.0[${PYTHON_USEDEP}]
>=dev-python/python-glanceclient-0.9.0[${PYTHON_USEDEP}]
>=dev-python/python-keystoneclient-0.7.0[${PYTHON_USEDEP}]
>=dev-python/six-1.5.2[${PYTHON_USEDEP}]
>=dev-python/stevedore-0.14[${PYTHON_USEDEP}]
>=dev-python/websockify-0.5.1[${PYTHON_USEDEP}]
<dev-python/websockify-0.6[${PYTHON_USEDEP}]
>=dev-python/oslo-config-1.2.0[${PYTHON_USEDEP}]
dev-python/oslo-rootwrap[${PYTHON_USEDEP}]
>=dev-python/pycadf-0.4.1[${PYTHON_USEDEP}]
>=dev-python/oslo-messaging-1.3.0[${PYTHON_USEDEP}]
dev-python/libvirt-python[${PYTHON_USEDEP}]
novncproxy? ( www-apps/novnc )
sys-apps/iproute2
net-misc/openvswitch
net-misc/rabbitmq-server
sys-fs/sysfsutils
sys-fs/multipath-tools
kvm? ( app-emulation/qemu )
xen? ( app-emulation/xen
app-emulation/xen-tools )"
PATCHES=(
"${FILESDIR}/nova-2014.1.1-CVE-2014-3517.patch"
)
pkg_setup() {
enewgroup nova
enewuser nova -1 -1 /var/lib/nova nova
}
python_compile() {
distutils-r1_python_compile
./tools/config/generate_sample.sh -b ./ -p nova -o etc/nova
}
python_install() {
distutils-r1_python_install
for svc in api cert compute conductor consoleauth network scheduler spicehtml5proxy xvpvncproxy; do
newinitd "${FILESDIR}/nova.initd" "nova-${svc}"
done
use compute && newinitd "${FILESDIR}/nova.initd" "nova-compute"
use novncproxy && newinitd "${FILESDIR}/nova.initd" "nova-novncproxy"
diropts -m 0750 -o nova -g nova
dodir /var/log/nova /var/lib/nova/instances
insinto /etc/nova
insopts -m 0640 -o nova -g nova
newins "etc/nova/nova.conf.sample" "nova.conf"
doins "etc/nova/api-paste.ini"
doins "etc/nova/logging_sample.conf"
doins "etc/nova/policy.json"
doins "etc/nova/rootwrap.conf"
#rootwrap filters
insinto /etc/nova/rootwrap.d
doins "etc/nova/rootwrap.d/api-metadata.filters"
doins "etc/nova/rootwrap.d/compute.filters"
doins "etc/nova/rootwrap.d/network.filters"
#copy migration conf file (not coppied on install via setup.py script)
insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/
doins "nova/db/sqlalchemy/migrate_repo/migrate.cfg"
#copy the CA cert dir (not coppied on install via setup.py script)
cp -R "${S}/nova/CA" "${D}/usr/$(get_libdir)/python2.7/site-packages/nova/" || die "installing CA files failed"
#add sudoers definitions for user nova
insinto /etc/sudoers.d/
insopts -m 0600 -o root -g root
doins "${FILESDIR}/nova-sudoers"
}