Comment 18 for bug 1844579

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (f/centos8)

Submitter: Zuul
Branch: f/centos8

commit 4aa661ce5666220d6beb2a3a3fac987cba4feb74
Author: Martin, Chen <email address hidden>
Date: Thu Nov 21 10:28:13 2019 +0800

    Build layering
    Rebase tarball for i40e Driver
    Rebase srpm for systemd 219-67.el7
    Rebase srpm for sudo
    Rebase srpm for ntp


    Story: 2006166
    Task: 37570

    Change-Id: I7f33e0fb1319df3421318c4927d2a5675a490273
    Signed-off-by: Martin, Chen <email address hidden>

commit 5d854355d873702b78ff6aa8c6fddc025c45be2d
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 16:07:17 2019 -0500

    Uprev ntp to version 4.2.6p5-29.el7

    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)

    See the announcement link:

    for more details.

    Here we refresh the meta patches and correct the crime of
    "name of patch file differs from git format-patch". We
    also clean up the commit short logs.

    Change-Id: I263465d85f06096296fdd478a302eb110ab1259c
    Closes-Bug: 1849197
    Signed-off-by: Jim Somerville <email address hidden>

commit 11fd5d9cd48a1539b9c7a4ebc8aaad69ed24ae5b
Author: Dan Voiculeasa <email address hidden>
Date: Thu Nov 21 15:01:36 2019 +0200

    ceph-init-wrapper: Detect stuck peering OSDs and restart them

    OSDs might become stuck peering.
    Recover from such state.

    Closes-bug: 1851287

    Change-Id: I2ef1a0e93d38c3d041ee0c5c1e66a4ac42785a68
    Signed-off-by: Dan Voiculeasa <email address hidden>

commit f30cb74fef4b97721010ca9bc6a6b6dde03c4add
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 11:01:27 2019 +0800

    Update sudo srpm patch for CVE bug

    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    And we have to update some patches according to new srpm.

    CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

    Closes-Bug: 1852825
    Change-Id: Ifc0a3423464fafce06cd504d9b427fc3433fb756
    Signed-off-by: Robin Lu <email address hidden>

commit 0231aba5cdcb96b15106591acfff280159050366
Author: Jim Somerville <email address hidden>
Date: Thu Nov 21 15:54:15 2019 -0500

    Uprev systemd to version 219-67.el7

    This solves:
    systemd: line splitting via fgets() allows for state injection
    during daemon-reexec (CVE-2018-15686)

    along with some other less critical issues. See the security
    announcement link:

    for more details.

    Here we rebase the patches, and fix the atrocious crime of "name of patch file
    doesn't match what git format-patch generates". We also squash down the
    meta patches which add the patches to the spec file as part of
    good housekeeping.

    Change-Id: I01a3fa329bbad541a063cb604d1756892139967f
    Closes-Bug: 1849200
    Signed-off-by: Jim Somerville <email address hidden>

commit 2718976ddc5c272a97cc60651fe5d63a9a037406
Author: Jim Somerville <email address hidden>
Date: Tue Oct 29 15:39:05 2019 -0400

    i40e Driver Upgrade in support of N3000 on-board NICs

    Uprev i40e to version
    i40evf gets replaced by iavf version

    The iavf driver supports both fortville and columbiaville,
    so they decided to rename from i40evf to something more generic.

    We get to drop the patch which polls for coming out of
    reset as it was incorporated upstream.

    The Intel FPGA Programmable Acceleration Card N3000 contains
    dual Intel XL710 NICs and an FPGA for acceleration purposes.
    This driver upgrade is required to support those NICs.

    Change-Id: Ifbec94bcc00a8cce9fe97bf0eb41556b8bd3e592
    Story: 2006740
    Task: 37542
    Signed-off-by: Jim Somerville <email address hidden>

commit 8a3722089d821573ce6766e6fa40d78a0fdbaded
Author: Joseph Richard <email address hidden>
Date: Tue Oct 29 10:54:58 2019 -0400

    Drop initscripts patch running ipv6 dhcp as daemon

    This commit rebases initscripts patch set, dropping

    Currently, ifup-eth tries running ipv6 dhclient with the one-shot
    option, and if that fails, then retries indefinitely in the background.
    That has the side-effect of causing the ifup-post script to not be run
    if the first dhclient attempt fails, which will prevent routes on that
    interface from being created. This is especially problematic in the
    case of a DOR, where the compute nodes may come up before dnsmasq is up
    on the controller.
    This is different from upstream centos, which will only try running
    dhclient with the one-shot option for ipv6.
    By reverting the initscripts patch to run as a daemon, ipv6 dhclient now
    runs as one-shot only, and if it fails, ifup-eth script exits without
    getting an address, and then the node fails to come up and reboot.
    While this may result in the compute node having an extra reboot in a DOR,
    that is preferable to the compute coming up incorrectly and requiring a
    lock/unlock to recover.

    Closes-bug: 1844579
    Change-Id: I5b7f6b7c878dc4e4737d986f11fae3301585fb1c
    Signed-off-by: Joseph Richard <email address hidden>

commit 5afd5f90b29f6e097824f7c6f2fe7762597d9ad6
Author: Andy Ning <email address hidden>
Date: Tue Nov 5 00:12:26 2019 -0500

    update Barbican admin secret's user/project IDs during bootstrap

    In a DC system when subcloud is managed, keystone user/project IDs are
    synced with Central Cloud, including admin user and project. But the
    admin's secrets in Barbian still use the original user/project IDs,
    causing docker registry access failure when platform-integ-apps is

    This change added a patch to keystone puppet manifest, that updates
    keystone admin user/project IDs to be the same as Central Cloud right
    after keystone is bootstrapped during subcloud deployment. This way any
    referece to admin user/project IDs after bootstrap will be using the
    IDs same as Central Cloud, including the ones in Barbican. This will
    solve the problem of retrieving central registry credential failure
    when platform-integ-apps is reapplied.

    Change-Id: I509a06b4b810620a1b3648837726f7f2771162a5
    Closes-Bug: 1851247
    Signed-off-by: Andy Ning <email address hidden>