Activity log for bug #1969096

Date Who What changed Old value New value Message
2022-04-14 10:20:44 Mark Goddard bug added bug
2022-04-14 10:21:08 Mark Goddard description

Old value:

Images that have a source with type=git are currently failing to build. By default, this includes the gnocchi-base image.

INFO:kolla.common.utils.gnocchi-base:Step 6/9 : RUN ln -s gnocchi-base-source/* gnocchi && SETUPTOOLS_USE_DISTUTILS=stdlib python3 -m pip --no-cache-dir install --upgrade -c /requirements/upper-constraints.txt gnocchiclient /gnocchi[keystone,mysql,file,ceph,s3] && mkdir -p /etc/gnocchi && chown -R gnocchi: /etc/gnocchi
INFO:kolla.common.utils.gnocchi-base: ---> Running in d6b2a86e3d65
INFO:kolla.common.utils.gnocchi-base:Looking in indexes: http://mirror.iad3.inmotion.opendev.org:8080/pypi/simple, https://mirror.iad3.inmotion.opendev.org/wheel/ubuntu-20.04-x86_64
INFO:kolla.common.utils.gnocchi-base:Processing /gnocchi
INFO:kolla.common.utils.gnocchi-base: Preparing metadata (setup.py): started
INFO:kolla.common.utils.gnocchi-base: Preparing metadata (setup.py): finished with status 'error'
INFO:kolla.common.utils.gnocchi-base: error: subprocess-exited-with-error
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: × python setup.py egg_info did not run successfully.
INFO:kolla.common.utils.gnocchi-base: │ exit code: 1
INFO:kolla.common.utils.gnocchi-base: ╰─> [30 lines of output]
INFO:kolla.common.utils.gnocchi-base: /var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/installer.py:27: SetuptoolsDeprecationWarning: setuptools.installer is deprecated. Requirements should be satisfied by a PEP 517 installer.
INFO:kolla.common.utils.gnocchi-base: warnings.warn(
INFO:kolla.common.utils.gnocchi-base: Traceback (most recent call last):
INFO:kolla.common.utils.gnocchi-base: File "<string>", line 2, in <module>
INFO:kolla.common.utils.gnocchi-base: File "<pip-setuptools-caller>", line 34, in <module>
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi/setup.py", line 34, in <module>
INFO:kolla.common.utils.gnocchi-base: setuptools.setup(
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/__init__.py", line 155, in setup
INFO:kolla.common.utils.gnocchi-base: return distutils.core.setup(**attrs)
INFO:kolla.common.utils.gnocchi-base: File "/usr/lib/python3.8/distutils/core.py", line 108, in setup
INFO:kolla.common.utils.gnocchi-base: _setup_distribution = dist = klass(attrs)
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 458, in __init__
INFO:kolla.common.utils.gnocchi-base: _Distribution.__init__(
INFO:kolla.common.utils.gnocchi-base: File "/usr/lib/python3.8/distutils/dist.py", line 292, in __init__
INFO:kolla.common.utils.gnocchi-base: self.finalize_options()
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 851, in finalize_options
INFO:kolla.common.utils.gnocchi-base: ep(self)
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 872, in _finalize_setup_keywords
INFO:kolla.common.utils.gnocchi-base: ep.load()(self, ep.name, value)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/integration.py", line 75, in version_keyword
INFO:kolla.common.utils.gnocchi-base: _assign_version(dist, config)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/integration.py", line 51, in _assign_version
INFO:kolla.common.utils.gnocchi-base: _version_missing(config)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/__init__.py", line 106, in _version_missing
INFO:kolla.common.utils.gnocchi-base: raise LookupError(
INFO:kolla.common.utils.gnocchi-base: LookupError: setuptools-scm was unable to detect version for /gnocchi-base-source/gnocchi-base-archive-4.4.1.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: Make sure you're either building from a fully intact git repository or PyPI tarballs. Most other sources (such as GitHub's tarballs, a git checkout without the .git folder) don't contain the necessary metadata and will not work.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: For example, if you're using pip, instead of https://github.com/user/proj/archive/master.zip use git+https://github.com/user/proj.git#egg=proj
INFO:kolla.common.utils.gnocchi-base: [end of output]
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: note: This error originates from a subprocess, and is likely not a problem with pip.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base:error: metadata-generation-failed
INFO:kolla.common.utils.gnocchi-base:× Encountered error while generating package metadata.
INFO:kolla.common.utils.gnocchi-base:╰─> See above for output.
INFO:kolla.common.utils.gnocchi-base:note: This is an issue with the package mentioned above, not pip.
INFO:kolla.common.utils.gnocchi-base:hint: See above for details.

This is currently affecting Ubuntu builds, which presumably include a backport of the git fix for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

This happens because kolla clones the git repository, then creates a tarball from it, preserving the ownership of the user running kolla-build on the files in the tarball. When we ADD this tarball into the image, Docker extracts it and preserves ownership of the files. The build runs as the root user, which typically is different than the user running kolla-build. Hence we hit CVE-2022-24765.

New value:

Images that have a source with type=git are currently failing to build. By default, this includes the gnocchi-base image.

INFO:kolla.common.utils.gnocchi-base:Step 6/9 : RUN ln -s gnocchi-base-source/* gnocchi && SETUPTOOLS_USE_DISTUTILS=stdlib python3 -m pip --no-cache-dir install --upgrade -c /requirements/upper-constraints.txt gnocchiclient /gnocchi[keystone,mysql,file,ceph,s3] && mkdir -p /etc/gnocchi && chown -R gnocchi: /etc/gnocchi
INFO:kolla.common.utils.gnocchi-base: ---> Running in d6b2a86e3d65
INFO:kolla.common.utils.gnocchi-base:Looking in indexes: http://mirror.iad3.inmotion.opendev.org:8080/pypi/simple, https://mirror.iad3.inmotion.opendev.org/wheel/ubuntu-20.04-x86_64
INFO:kolla.common.utils.gnocchi-base:Processing /gnocchi
INFO:kolla.common.utils.gnocchi-base: Preparing metadata (setup.py): started
INFO:kolla.common.utils.gnocchi-base: Preparing metadata (setup.py): finished with status 'error'
INFO:kolla.common.utils.gnocchi-base: error: subprocess-exited-with-error
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: × python setup.py egg_info did not run successfully.
INFO:kolla.common.utils.gnocchi-base: │ exit code: 1
INFO:kolla.common.utils.gnocchi-base: ╰─> [30 lines of output]
INFO:kolla.common.utils.gnocchi-base: /var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/installer.py:27: SetuptoolsDeprecationWarning: setuptools.installer is deprecated. Requirements should be satisfied by a PEP 517 installer.
INFO:kolla.common.utils.gnocchi-base: warnings.warn(
INFO:kolla.common.utils.gnocchi-base: Traceback (most recent call last):
INFO:kolla.common.utils.gnocchi-base: File "<string>", line 2, in <module>
INFO:kolla.common.utils.gnocchi-base: File "<pip-setuptools-caller>", line 34, in <module>
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi/setup.py", line 34, in <module>
INFO:kolla.common.utils.gnocchi-base: setuptools.setup(
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/__init__.py", line 155, in setup
INFO:kolla.common.utils.gnocchi-base: return distutils.core.setup(**attrs)
INFO:kolla.common.utils.gnocchi-base: File "/usr/lib/python3.8/distutils/core.py", line 108, in setup
INFO:kolla.common.utils.gnocchi-base: _setup_distribution = dist = klass(attrs)
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 458, in __init__
INFO:kolla.common.utils.gnocchi-base: _Distribution.__init__(
INFO:kolla.common.utils.gnocchi-base: File "/usr/lib/python3.8/distutils/dist.py", line 292, in __init__
INFO:kolla.common.utils.gnocchi-base: self.finalize_options()
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 851, in finalize_options
INFO:kolla.common.utils.gnocchi-base: ep(self)
INFO:kolla.common.utils.gnocchi-base: File "/var/lib/kolla/venv/lib/python3.8/site-packages/setuptools/dist.py", line 872, in _finalize_setup_keywords
INFO:kolla.common.utils.gnocchi-base: ep.load()(self, ep.name, value)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/integration.py", line 75, in version_keyword
INFO:kolla.common.utils.gnocchi-base: _assign_version(dist, config)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/integration.py", line 51, in _assign_version
INFO:kolla.common.utils.gnocchi-base: _version_missing(config)
INFO:kolla.common.utils.gnocchi-base: File "/gnocchi-base-source/gnocchi-base-archive-4.4.1/.eggs/setuptools_scm-6.4.2-py3.8.egg/setuptools_scm/__init__.py", line 106, in _version_missing
INFO:kolla.common.utils.gnocchi-base: raise LookupError(
INFO:kolla.common.utils.gnocchi-base: LookupError: setuptools-scm was unable to detect version for /gnocchi-base-source/gnocchi-base-archive-4.4.1.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: Make sure you're either building from a fully intact git repository or PyPI tarballs. Most other sources (such as GitHub's tarballs, a git checkout without the .git folder) don't contain the necessary metadata and will not work.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: For example, if you're using pip, instead of https://github.com/user/proj/archive/master.zip use git+https://github.com/user/proj.git#egg=proj
INFO:kolla.common.utils.gnocchi-base: [end of output]
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base: note: This error originates from a subprocess, and is likely not a problem with pip.
INFO:kolla.common.utils.gnocchi-base:
INFO:kolla.common.utils.gnocchi-base:error: metadata-generation-failed
INFO:kolla.common.utils.gnocchi-base:× Encountered error while generating package metadata.
INFO:kolla.common.utils.gnocchi-base:╰─> See above for output.
INFO:kolla.common.utils.gnocchi-base:note: This is an issue with the package mentioned above, not pip.
INFO:kolla.common.utils.gnocchi-base:hint: See above for details.

This is currently affecting Ubuntu builds, which presumably include a backport of the git fix for https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765.

This happens because kolla clones the git repository, then creates a tarball from it, preserving the ownership of the user running kolla-build on the files in the tarball. When we ADD this tarball into the image, Docker extracts it and preserves ownership of the files. The build runs as the root user, which typically is different than the user running kolla-build. Hence we hit CVE-2022-24765.

Related PBR bug: https://bugs.launchpad.net/pbr/+bug/1968877

2022-04-14 10:21:12 Mark Goddard kolla: importance Undecided Critical
2022-04-14 10:21:18 Mark Goddard kolla: status New Triaged
2022-04-14 10:33:26 OpenStack Infra kolla: status Triaged In Progress
2022-04-14 15:44:37 OpenStack Infra kolla: status In Progress Fix Released
2022-04-14 15:44:42 OpenStack Infra cve linked 2022-24765
2022-04-14 18:32:54 OpenStack Infra tags in-stable-wallaby
2022-04-14 18:45:48 OpenStack Infra tags in-stable-wallaby in-stable-wallaby in-stable-xena
2022-04-14 18:55:50 OpenStack Infra tags in-stable-wallaby in-stable-xena in-stable-wallaby in-stable-xena in-stable-yoga
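
The ownership mismatch described in the bug, modelled as an added example (this is not kolla's code and not the fix that was released): a source tree is packed once with the builder's uid recorded on every member and once with the owner reset to the build user, then each archive is checked for `.git` directories the root build user would not own. The uid 1000, the sample tree and the helper names `stamp_owner`, `pack` and `foreign_owned_repos` are assumptions made for the illustration.

```python
import io
import os
import tarfile
import tempfile

BUILD_UID = 0  # the image build runs as root, per the bug description


def stamp_owner(uid):
    """Return a tarfile filter that records every member as owned by `uid`."""
    def _filter(info):
        info.uid = info.gid = uid
        info.uname = info.gname = ""  # drop names so only the numeric id is recorded
        return info
    return _filter


def pack(src_dir, owner_filter):
    """Tar up src_dir in memory, passing each member through owner_filter."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(src_dir, arcname=os.path.basename(src_dir), filter=owner_filter)
    return buf.getvalue()


def foreign_owned_repos(archive, build_uid=BUILD_UID):
    """List repository roots whose .git directory is recorded with a uid other
    than build_uid: a model of the ownership mismatch the bug describes."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return sorted(
            os.path.dirname(m.name)
            for m in tar
            if m.isdir() and os.path.basename(m.name) == ".git" and m.uid != build_uid
        )


def demo():
    """Constructed sample tree; uid 1000 stands in for the kolla-build user."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "gnocchi-base-archive-4.4.1")
        os.makedirs(os.path.join(repo, ".git"))
        with open(os.path.join(repo, ".git", "HEAD"), "w") as fh:
            fh.write("ref: refs/heads/master\n")
        preserved = pack(repo, stamp_owner(1000))        # ownership kept, as in the bug
        normalised = pack(repo, stamp_owner(BUILD_UID))  # owner reset at pack time
    return foreign_owned_repos(preserved), foreign_owned_repos(normalised)


if __name__ == "__main__":
    print(demo())
```

Running the same check over a real source tarball before it is added to an image shows whether git inside the build will see a repository owned by another user.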