[MIR] designate

Bug #1543748 reported by David Della Vecchia
Affects             Status        Importance  Assigned to  Milestone
designate (Ubuntu)  Fix Released  High        Unassigned

Bug Description

[Availability]
Currently in universe

[Rationale]
OpenStack Mitaka requires the designate package.

[Security]
No security history

[Quality Assurance]
No prompting during install; all unit tests ran successfully. All current bugs are triaged or in progress.

[Dependencies]
All in main.

[Standards Compliance]
FHS and Debian Policy compliant.

[Maintenance]
Simple python package that the Ubuntu Server Team will take care of.

[Background]
Designate provides DNS as a service.

no longer affects: designate
Michael Terry (mterry) wrote :

Mathieu, got time for this?

Changed in designate (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (mathieu-tl)
Corey Bryant (corey.bryant) wrote :

MIR team, note that we're in the midst of dropping debconf/dbconfig from this package.

Corey Bryant (corey.bryant) wrote :

We've just uploaded a new version of designate that drops the debconf/dbconfig bits.

James Page (james-page)
Changed in designate (Ubuntu):
importance: Undecided → High
Mathieu Trudel-Lapierre (cyphermox) wrote :

Some lintian warnings should be fixed:
I: designate-common: package-contains-empty-directory usr/share/designate/
W: designate-common: binary-without-manpage usr/bin/designate-agent
W: designate-common: binary-without-manpage usr/bin/designate-api
W: designate-common: binary-without-manpage usr/bin/designate-central
W: designate-common: binary-without-manpage usr/bin/designate-manage
W: designate-common: binary-without-manpage usr/bin/designate-mdns
W: designate-common: binary-without-manpage usr/bin/designate-pool-manager
W: designate-common: binary-without-manpage usr/bin/designate-rootwrap
W: designate-common: binary-without-manpage usr/bin/designate-sink
W: designate-common: binary-without-manpage usr/bin/designate-zone-manager
P: designate-common: maintainer-script-without-set-e postinst

Not all Build-Depends are in main:
Checking support status of build dependencies...
 * python-sphinxcontrib-httpdomain binary and source package is in universe

The package is missing a team subscriber for its bugs.

There are also 2 open bugs in LP whose impact should be investigated.

This package (and this applies to barbican too) exists in the same version in Debian experimental. Please see if it would make sense to merge the package, so that we can benefit from fixes in Debian (and so that they can benefit from any fixes we do too).

Please fix the issues identified above (or document why they should not be changed, or why they can't).

This package handles DNS, which is typically a common security target, and furthermore ships a sudoers file to have the service do modifications on the system. I feel this warrants a code review by the security team.

Changed in designate (Ubuntu):
assignee: Mathieu Trudel-Lapierre (mathieu-tl) → Ubuntu Security Team (ubuntu-security)
Corey Bryant (corey.bryant) wrote :

I've added a team bug subscriber for designate.

Also it looks like the MIR for sphinxcontrib-httpdomain was approved a while back but never was promoted: https://bugs.launchpad.net/bugs/1420329

Corey Bryant (corey.bryant) wrote :

I've uploaded a new version of designate with man page stubs created. Upstream doesn't ship them so this gets us ahead a little bit. The Lintian issues should all be settled at this point.

Corey Bryant (corey.bryant) wrote :

> This package (and this applies to barbican too) exists in the same version in Debian experimental.

While we try to stay in sync as much as possible with OpenStack dependencies, we carry our own versions of most of the core OpenStack packages for a few reasons. One reason is that the Debian versions use debconf and we don't do that in Ubuntu. Another reason is that historically we released earlier than Debian.

Corey Bryant (corey.bryant) wrote :

https://bugs.launchpad.net/ubuntu/+source/designate/+bug/1280522
* I marked this as fix released as this was fixed in the 2.0.0.0b3 release.

https://bugs.launchpad.net/ubuntu/+source/designate/+bug/1486335
* I marked this as invalid as it doesn't have anything to do with the package.

Corey Bryant (corey.bryant) wrote :

I believe I've handled all of Mathieu's original comments for this MIR at this point. Thanks for the review Mathieu!

Seth Arnold (seth-arnold) wrote :

I reviewed designate version 1:3.0.0~b2-0ubuntu1 as checked into Ubuntu
Yakkety. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.

- Two CVEs in our UCT database, both related to a tenant publishing
  invalid DNS data that caused other DNS services problems. The OpenStack
  security team handled the issue well.

- designate provides an API to backend storage systems for several DNS
  servers so OpenStack tenants can publish DNS data using designate's API.
  It has extremely complicated interfaces:
  - It provides a REST API for clients to use
  - It directly interacts with backend databases for a variety of DNS servers
  - It interacts with DNS servers to trigger AXFR/IXFR transfers and
    verify that updates completed as anticipated
  - It supports both synchronous and asynchronous modes of operation which
    introduce complicated native threading and green threading interfaces
    internally.

- Build-Depends: debhelper, dh-python, dh-systemd, openstack-pkg-tools,
  python-all, python-setuptools, python-sphinx, python-babel, python-coverage,
  python-debtcollector, python-designateclient, python-dnspython,
  python-eventlet, python-fixtures, python-flask, python-greenlet,
  python-hacking, python-jinja2, python-jsonschema, python-keystonemiddleware,
  python-memcache, python-migrate, python-mock, python-netaddr,
  python-neutronclient, python-oslo.concurrency, python-oslo.config,
  python-oslo.context, python-oslo.db, python-oslo.i18n, python-oslo.log,
  python-oslo.messaging, python-oslo.middleware, python-oslo.policy,
  python-oslo.reports, python-oslo.rootwrap, python-oslo.serialization,
  python-oslo.service, python-oslo.utils, python-oslosphinx, python-oslotest,
  python-paste, python-pastedeploy, python-pbr, python-pecan,
  python-pkg-resources, python-requests, python-requests-mock, python-routes,
  python-six, python-sphinxcontrib-httpdomain, python-sqlalchemy,
  python-stevedore, python-suds, python-tempest-lib, python-testscenarios,
  python-testtools, python-tooz, python-webob, python-webtest, python-werkzeug,
  python-keystoneauth1, python-zake, subunit, testrepository,
- Usual oslo_service openstack service startup
- pre/post inst/rm look to be entirely automatically added boilerplates
- init scripts look like usual boilerplate
- No dbus service
- No setuid executables
- A handful of new binaries in the PATH:
  - designate-agent
  - designate-api
  - designate-central
  - designate-manage
  - designate-mdns
  - designate-pool-manager
  - designate-rootwrap
  - designate-sink
  - designate-zone-manager
- Includes sudo configuration:
  Defaults:designate !requiretty
  designate ALL = (root) NOPASSWD: /usr/sbin/rndc
  designate ALL = (root) NOPASSWD: /usr/bin/designate-rootwrap /etc/designate/rootwrap.conf *
  Note that the Ubuntu security team does not consider rootwrap to be a
  root-hard boundary layer. rndc is also unlikely to be programmed to be
  root-hard. designate should be considered equivalent to root.
- No udev rules
- No cronjobs
- Large test suite run during build

- Processes are spawned, all using array mechanisms in real code; test
  code used strings
- Environmen...

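The sudoers fragment and the conclusion drawn from it in the review above can be checked mechanically. The following is an added example, not code from the designate package, the MIR, or the Ubuntu security team: a small auditor that parses the three quoted sudoers lines and flags the properties the review relies on, namely that requiretty is disabled, that both rules run as root without a password, that neither rule constrains arguments (in sudoers, a command listed with no arguments accepts any arguments, and the trailing `*` on the rootwrap rule has the same effect), and that rndc and rootwrap are not root-hard boundaries. The NOT_ROOT_HARD list and the wording of the findings are this example's own assumptions.

```python
"""Flag sudoers rules that make a service account effectively root-equivalent.

Added example for this review thread; it is not part of the designate package
or of the Ubuntu security team's tooling. SUDOERS_FRAGMENT is the designate
sudoers content quoted in the review. The heuristics (what counts as
"unconstrained arguments", which helpers are not root-hard boundaries) are
this example's own assumptions, chosen to follow the reviewer's reasoning.
"""
import re
from dataclasses import dataclass, field

# The three lines quoted in the security review.
SUDOERS_FRAGMENT = """\
Defaults:designate !requiretty
designate ALL = (root) NOPASSWD: /usr/sbin/rndc
designate ALL = (root) NOPASSWD: /usr/bin/designate-rootwrap /etc/designate/rootwrap.conf *
"""

# Assumption: helpers the review says should not be treated as root-hard boundaries.
NOT_ROOT_HARD = ("rootwrap", "rndc")

# user host = (runas) TAG: TAG: command [args...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmd>.+)$"
)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def audit_sudoers(text):
    """Return one Finding per line that weakens the sudo boundary."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Defaults"):
            if "!requiretty" in line:
                findings.append(Finding(line, [
                    "requiretty disabled: rules are usable from a non-interactive service"]))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        reasons = []
        runas = (m.group("runas") or "root").strip()
        tags = m.group("tags") or ""
        argv = m.group("cmd").split()
        if runas in ("root", "ALL"):
            reasons.append("runs as root")
        if "NOPASSWD" in tags:
            reasons.append("no password required")
        # sudoers semantics: a command listed with no arguments accepts ANY
        # arguments; an explicit '*' wildcard does the same for that position.
        if len(argv) == 1 or any("*" in tok for tok in argv[1:]):
            reasons.append("unconstrained arguments")
        if any(helper in argv[0] for helper in NOT_ROOT_HARD):
            reasons.append("target is not a root-hard boundary (%s)" % argv[0])
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def is_root_equivalent(text):
    """True if any rule grants root with no password and no argument constraint."""
    for f in audit_sudoers(text):
        if {"runs as root", "no password required",
                "unconstrained arguments"} <= set(f.reasons):
            return True
    return False


if __name__ == "__main__":
    for f in audit_sudoers(SUDOERS_FRAGMENT):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
    print("root-equivalent:", is_root_equivalent(SUDOERS_FRAGMENT))
```

Run against the quoted fragment, every line produces a finding and the account is reported as root-equivalent; a rule that pins the arguments (for example `/usr/sbin/rndc reload` with nothing else) loses the "unconstrained arguments" finding, which is the kind of tightening a packager could apply if the service only ever needs one rndc subcommand.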

Changed in designate (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
James Page (james-page) wrote :

Hi - please could a member of the MIR team review again based on the security team's review - I'd like to get this into main this week if possible.

Michael Terry (mterry) wrote :

Yeah, this looks fine. Sorry for delayed response.

It would be nice if we built a python3 version to be ready for the transition on the server there. But not a blocker.

We also might want to consider merging with Debian experimental. They have 3.0.0 now.

Changed in designate (Ubuntu):
status: New → Fix Committed
James Page (james-page) wrote :

designate added to the misc-servers seed.

Matthias Klose (doko) wrote :

Override component to main
designate 1:3.0.0~b3-0ubuntu1 in yakkety: universe/misc -> main
designate 1:3.0.0~b3-0ubuntu1 in yakkety amd64: universe/net/extra/100% -> main
designate 1:3.0.0~b3-0ubuntu1 in yakkety arm64: universe/net/extra/100% -> main
designate 1:3.0.0~b3-0ubuntu1 in yakkety armhf: universe/net/extra/100% -> main
designate 1:3.0.0~b3-0ubuntu1 in yakkety i386: universe/net/extra/100% -> main
designate 1:3.0.0~b3-0ubuntu1 in yakkety powerpc: universe/net/extra/100% -> main
designate 1:3.0.0~b3-0ubuntu1 in yakkety ppc64el: universe/net/extra/100% -> main
designate 1:3.0.0~b3-0ubuntu1 in yakkety s390x: universe/net/extra/100% -> main
designate-agent 1:3.0.0~b3-0ubuntu1 in yakkety amd64: universe/net/extra/100% -> main
designate-agent 1:3.0.0~b3-0ubuntu1 in yakkety arm64: universe/net/extra/100% -> main
designate-agent 1:3.0.0~b3-0ubuntu1 in yakkety armhf: universe/net/extra/100% -> main
designate-agent 1:3.0.0~b3-0ubuntu1 in yakkety i386: universe/net/extra/100% -> main
designate-agent 1:3.0.0~b3-0ubuntu1 in yakkety powerpc: universe/net/extra/100% -> main
designate-agent 1:3.0.0~b3-0ubuntu1 in yakkety ppc64el: universe/net/extra/100% -> main
designate-agent 1:3.0.0~b3-0ubuntu1 in yakkety s390x: universe/net/extra/100% -> main
designate-api 1:3.0.0~b3-0ubuntu1 in yakkety amd64: universe/net/extra/100% -> main
designate-api 1:3.0.0~b3-0ubuntu1 in yakkety arm64: universe/net/extra/100% -> main
designate-api 1:3.0.0~b3-0ubuntu1 in yakkety armhf: universe/net/extra/100% -> main
designate-api 1:3.0.0~b3-0ubuntu1 in yakkety i386: universe/net/extra/100% -> main
designate-api 1:3.0.0~b3-0ubuntu1 in yakkety powerpc: universe/net/extra/100% -> main
designate-api 1:3.0.0~b3-0ubuntu1 in yakkety ppc64el: universe/net/extra/100% -> main
designate-api 1:3.0.0~b3-0ubuntu1 in yakkety s390x: universe/net/extra/100% -> main
designate-central 1:3.0.0~b3-0ubuntu1 in yakkety amd64: universe/net/extra/100% -> main
designate-central 1:3.0.0~b3-0ubuntu1 in yakkety arm64: universe/net/extra/100% -> main
designate-central 1:3.0.0~b3-0ubuntu1 in yakkety armhf: universe/net/extra/100% -> main
designate-central 1:3.0.0~b3-0ubuntu1 in yakkety i386: universe/net/extra/100% -> main
designate-central 1:3.0.0~b3-0ubuntu1 in yakkety powerpc: universe/net/extra/100% -> main
designate-central 1:3.0.0~b3-0ubuntu1 in yakkety ppc64el: universe/net/extra/100% -> main
designate-central 1:3.0.0~b3-0ubuntu1 in yakkety s390x: universe/net/extra/100% -> main
designate-common 1:3.0.0~b3-0ubuntu1 in yakkety amd64: universe/net/extra/100% -> main
designate-common 1:3.0.0~b3-0ubuntu1 in yakkety arm64: universe/net/extra/100% -> main
designate-common 1:3.0.0~b3-0ubuntu1 in yakkety armhf: universe/net/extra/100% -> main
designate-common 1:3.0.0~b3-0ubuntu1 in yakkety i386: universe/net/extra/100% -> main
designate-common 1:3.0.0~b3-0ubuntu1 in yakkety powerpc: universe/net/extra/100% -> main
designate-common 1:3.0.0~b3-0ubuntu1 in yakkety ppc64el: universe/net/extra/100% -> main
designate-common 1:3.0.0~b3-0ubuntu1 in yakkety s390x: universe/net/extra/100% -> main
designate-doc 1:3.0.0~b3-0ubuntu1 in yakkety amd64: universe/doc/extra/100% -> mai...


Changed in designate (Ubuntu):
status: Fix Committed → Fix Released