[MIR] python-octavia-lib, ovn-octavia-provider

Bug #1864666 reported by Corey Bryant
Affects                        Status        Importance  Assigned to  Milestone
ovn-octavia-provider (Ubuntu)  Fix Released  Medium      Unassigned
python-octavia-lib (Ubuntu)    Fix Released  Medium      Unassigned

Bug Description

[MIR] ovn-octavia-provider

[Availability]
Currently in universe.

[Rationale]
This package provides integration of OpenStack Octavia with OVN.

[Security]
No security history.

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

[Dependencies]
All are in main except python3-octavia-lib.

[Standards Compliance]
FHS and Debian Policy compliant.

[Maintenance]
Simple python package that the OpenStack Team will take care of.

[Background]
OVN provides virtual networking for Open vSwitch and is a component of the Open vSwitch project. This package provides the Python 3 module for the integration between Octavia and OVN.

--------------------------------------------------------------------------

[MIR] python-octavia-lib

[Availability]
Currently in universe.

[Rationale]
This package provides python library support for OpenStack Octavia provider drivers.

[Security]
No security history.

[Quality Assurance]
Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

[Dependencies]
All are in main.

[Standards Compliance]
FHS and Debian Policy compliant.

[Maintenance]
Python package that the OpenStack Team will take care of.

[Background]
Octavia provides the Load Balancer as a Service for OpenStack clouds.

description: updated
description: updated
Changed in ovn-octavia-provider (Ubuntu):
assignee: nobody → James Page (james-page)
Changed in python-octavia-lib (Ubuntu):
assignee: nobody → James Page (james-page)
James Page (james-page) wrote :

As Octavia is still in Universe there seems little point in reviewing these packages by themselves.

Changed in ovn-octavia-provider (Ubuntu):
status: New → Incomplete
Changed in python-octavia-lib (Ubuntu):
status: New → Incomplete
Changed in ovn-octavia-provider (Ubuntu):
importance: Undecided → Medium
Changed in python-octavia-lib (Ubuntu):
importance: Undecided → Medium
Changed in octavia (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
milestone: none → later
Changed in ovn-octavia-provider (Ubuntu):
milestone: none → later
Changed in python-octavia-lib (Ubuntu):
milestone: none → later
James Page (james-page) wrote :

Deferring to 20.10 cycle as we're too late to include Octavia for 20.04 main.

Changed in octavia (Ubuntu):
assignee: nobody → Corey Bryant (corey.bryant)
Corey Bryant (corey.bryant) wrote :

The octavia MIR is being tracked at LP: #1888309

Changed in ovn-octavia-provider (Ubuntu):
status: Incomplete → New
Changed in python-octavia-lib (Ubuntu):
status: Incomplete → New
no longer affects: octavia (Ubuntu)
James Page (james-page) wrote :

[Summary]
python-octavia-lib provides a python library for developers of Octavia provider drivers, allowing alternative LB solutions to be integrated into Octavia.

https://docs.openstack.org/octavia/latest/contributor/guides/providers.html

This does need a security review, so assigning to ubuntu-security.

MIR team ack for main inclusion (pending security team review).

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
 - no other Dependencies to MIR due to this
 - no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
 - no embedded source present
 - no static linking

TODO: Problems:

[Security]
OK:
 - history of CVEs does not look concerning
   No security history
   https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=octavia-lib

 - does not run a daemon as root
 - does not use webkit1,2
 - does not use lib*v8 directly
 - does not parse data formats
   JSON is used as the on-the-wire format for communication
   between drivers and Octavia (using oslo_serialization which
   is already in main).

 - does not open a port
 - does not process arbitrary web content
 - does not use centralized online accounts
 - does not integrate arbitrary javascript into the desktop
 - does not deal with system authentication (e.g. pam, etc.)

[Common blockers]
OK:
 - does not FTBFS currently
 - does have a test suite that runs at build time
   - a test suite failure will fail the build.
 - does have a test suite that runs as autopkgtest
   No - but covered by autopkgtests in octavia

 - The package has a team bug subscriber
   ubuntu-openstack

 - no translation present, but none needed for this case
 - no new python2 dependency
 - Python package that is using dh_python

[Packaging red flags]
OK:
 - Ubuntu does carry a delta, but it is reasonable and maintenance under control
   OpenStack ahead of Debian in terms of versions

 - symbols tracking not applicable for this kind of code.
 - d/watch is present and looks ok
 - Upstream update history is good
 - Debian/Ubuntu update history is good but diverged
 - the current release is packaged
 - promoting this does not seem to cause issues for MOTUs that so far
   maintained the package
 - no massive Lintian warnings
 - d/rules is rather clean
 - Does not have Built-Using

[Upstream red flags]
OK:
 - no Errors/warnings during the build
 - no incautious use of malloc/sprintf (as far as I can check it)
 - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
 - no use of user nobody
 - no use of setuid
 - no important open bugs (crashers, etc) in Debian or Ubuntu
 - no dependency on webkit, qtwebkit, seed or libgoa-*
 - no embedded source copies
 - not part of the UI for extra checks

Changed in python-octavia-lib (Ubuntu):
assignee: James Page (james-page) → Ubuntu Security Team (ubuntu-security)
milestone: later → ubuntu-20.10
Changed in ovn-octavia-provider (Ubuntu):
milestone: later → ubuntu-20.10
James Page (james-page) wrote :

[Summary]
ovn-octavia-provider provides integration between OpenStack Octavia and OVN, supporting provisioning of load balancers as part of the SDN function of the cloud (vs use of instances for Load Balancers).

MIR team ack for inclusion in Ubuntu main.

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
 - no other Dependencies to MIR due to this
   (other than those already on this bug report)
 - no -dev/-debug/-doc packages that need exclusion

[Embedded sources and static linking]
OK:
 - no embedded source present
 - no static linking

[Security]
OK:
 - history of CVEs does not look concerning
   no security history
   https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ovn-octavia-provider

 - does not run a daemon as root
 - does not use webkit1,2
 - does not use lib*v8 directly
 - does not parse data formats
   Uses JSON for communication between the driver manager and Octavia
   (using oslo_serialization which is already in main).

 - does not open a port
 - does not process arbitrary web content
 - does not use centralized online accounts
 - does not integrate arbitrary javascript into the desktop
 - does not deal with system authentication (e.g. pam, etc.)

[Common blockers]
OK:
 - does not FTBFS currently
 - does have a test suite that runs at build time
   - a test suite failure will fail the build.
 - does have a test suite that runs as autopkgtest
   autopkgtest-pkg-python

 - The package has a team bug subscriber
   ubuntu-openstack

 - no translation present, but none needed for this case
 - no new python2 dependency
 - Python package that is using dh_python

[Packaging red flags]
OK:
 - Ubuntu does carry a delta, but it is reasonable and maintenance under control
   OpenStack ahead of Debian in Ubuntu.
 - symbols tracking not applicable for this kind of code.
 - d/watch is present and looks ok
 - Upstream update history is good
 - Debian/Ubuntu update history is good but diverged
 - the current release is packaged
 - promoting this does not seem to cause issues for MOTUs that so far
   maintained the package
 - no massive Lintian warnings
 - d/rules is rather clean
 - not using Built-Using

[Upstream red flags]
OK:
 - no Errors/warnings during the build
 - no incautious use of malloc/sprintf (as far as I can check it)
 - no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
 - no use of user nobody
 - no use of setuid
 - no important open bugs (crashers, etc) in Debian or Ubuntu
 - no dependency on webkit, qtwebkit, seed or libgoa-*
 - no embedded source copies
 - not part of the UI for extra checks

Changed in ovn-octavia-provider (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

James, I see ovn-octavia-provider is marked 'confirmed' but still assigned to you; does this package need security review or is it ready for promotion if the other packages are approved?

Thanks

James Page (james-page) wrote :

Hi Seth

Apologies - I forgot to un-assign myself.

I acked ovn-octavia-provider - only python-octavia-lib required security review.

Changed in ovn-octavia-provider (Ubuntu):
assignee: James Page (james-page) → nobody
status: Confirmed → Fix Committed
Steve Langasek (vorlon) wrote :

Override component to main
ovn-octavia-provider 0.2.1~git2020073017.fac554d-0ubuntu1 in groovy: universe/net -> main
python3-ovn-octavia-provider 0.2.1~git2020073017.fac554d-0ubuntu1 in groovy amd64: universe/python/optional/100% -> main
python3-ovn-octavia-provider 0.2.1~git2020073017.fac554d-0ubuntu1 in groovy arm64: universe/python/optional/100% -> main
python3-ovn-octavia-provider 0.2.1~git2020073017.fac554d-0ubuntu1 in groovy armhf: universe/python/optional/100% -> main
python3-ovn-octavia-provider 0.2.1~git2020073017.fac554d-0ubuntu1 in groovy i386: universe/python/optional/100% -> main
python3-ovn-octavia-provider 0.2.1~git2020073017.fac554d-0ubuntu1 in groovy ppc64el: universe/python/optional/100% -> main
python3-ovn-octavia-provider 0.2.1~git2020073017.fac554d-0ubuntu1 in groovy riscv64: universe/python/optional/100% -> main
python3-ovn-octavia-provider 0.2.1~git2020073017.fac554d-0ubuntu1 in groovy s390x: universe/python/optional/100% -> main
8 publications overridden.

Changed in ovn-octavia-provider (Ubuntu):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote :

I reviewed python-octavia-lib 2.2.0-0ubuntu1 as checked into groovy. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

python-octavia-lib is a python3 library for developers writing Octavia
load balancer provider drivers.

- No CVE history.
- No concerning build or runtime depends.
- Only autogenerated maintainer scripts for removing python compiled
  bytecode.
- No init scripts.
- No systemd units.
- No dbus services.
- No setuid binaries.
- No binaries in PATH.
- No sudo fragments.
- No polkit files.
- No udev rules.
- Some unit tests, run at build time. No autopkgtests.
- No cron jobs.
- Build log is okay, no lintian warnings or errors.

- No apparent processes spawned.
- Limited file IO. Uses AF_UNIX sockets to communicate with driver
  agents.
- No apparent logging.
- No apparent environment variable usage.
- No use of privileged functions.
- Cryptography: allows use of SSLv3 for pools and listeners.
- No apparent use of temp files.
- No use of WebKit.
- No use of PolicyKit.

- No Coverity findings.
- No significant bandit results.

Security team ACK for promoting python-octavia-lib to main.

tags: added: security-review-done
Changed in python-octavia-lib (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Christian Ehrhardt  (paelzer) wrote :

python-octavia-lib: python3-octavia-lib
MIR: #1864666 (New)
[Reverse-Depends: python3-octavia]

This is ready and shows in mismatches, setting python3-octavia-lib to Fix Committed

Changed in python-octavia-lib (Ubuntu):
status: New → Fix Committed
Iain Lane (laney) wrote :

laney@dev> ./change-override --suite groovy --component main python3-octavia-lib ~/dev/canonical/release/ubuntu-archive-tools
Override component to main
python3-octavia-lib 2.2.0-0ubuntu1 in groovy amd64: universe/python/optional/100% -> main
python3-octavia-lib 2.2.0-0ubuntu1 in groovy arm64: universe/python/optional/100% -> main
python3-octavia-lib 2.2.0-0ubuntu1 in groovy armhf: universe/python/optional/100% -> main
python3-octavia-lib 2.2.0-0ubuntu1 in groovy i386: universe/python/optional/100% -> main
python3-octavia-lib 2.2.0-0ubuntu1 in groovy ppc64el: universe/python/optional/100% -> main
python3-octavia-lib 2.2.0-0ubuntu1 in groovy riscv64: universe/python/optional/100% -> main
python3-octavia-lib 2.2.0-0ubuntu1 in groovy s390x: universe/python/optional/100% -> main
Override [y|N]? y
7 publications overridden.

Changed in python-octavia-lib (Ubuntu):
status: Fix Committed → Fix Released