Comment 17 for bug 1851287

OpenStack Infra (hudson-openstack) wrote : Fix merged to integ (f/centos8)

Reviewed: https://review.opendev.org/698561
Committed: https://git.openstack.org/cgit/starlingx/integ/commit/?id=9035cd1be8aa3138691c6c99219030dfbe77ebaf
Submitter: Zuul
Branch: f/centos8

commit 4aa661ce5666220d6beb2a3a3fac987cba4feb74
Author: Martin, Chen <email address hidden>
Date: Thu Nov 21 10:28:13 2019 +0800

    Build layering
    Rebase tarball for i40e Driver
    Rebase srpm for systemd 219-67.el7
    Rebase srpm for sudo
    Rebase srpm for ntp

    Depends-On: https://review.opendev.org/#/c/695061/
    Depends-On: https://review.opendev.org/#/c/695560/
    Depends-On: https://review.opendev.org/#/c/695637/
    Depends-On: https://review.opendev.org/#/c/695983/

    Story: 2006166
    Task: 37570

    Change-Id: I7f33e0fb1319df3421318c4927d2a5675a490273
    Signed-off-by: Martin, Chen <email address hidden>

commit 5d854355d873702b78ff6aa8c6fddc025c45be2d
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 16:07:17 2019 -0500

    Uprev ntp to version 4.2.6p5-29.el7

    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html

    for more details.

    Here we refresh the meta patches and correct the crime of
    "name of patch file differs from git format-patch". We
    also clean up the commit short logs.

    Change-Id: I263465d85f06096296fdd478a302eb110ab1259c
    Closes-Bug: 1849197
    Depends-On: https://review.opendev.org/#/c/695983
    Signed-off-by: Jim Somerville <email address hidden>

commit 11fd5d9cd48a1539b9c7a4ebc8aaad69ed24ae5b
Author: Dan Voiculeasa <email address hidden>
Date: Thu Nov 21 15:01:36 2019 +0200

    ceph-init-wrapper: Detect stuck peering OSDs and restart them

    OSDs might become stuck peering.
    Recover from such state.

    Closes-bug: 1851287

    Change-Id: I2ef1a0e93d38c3d041ee0c5c1e66a4ac42785a68
    Signed-off-by: Dan Voiculeasa <email address hidden>

commit f30cb74fef4b97721010ca9bc6a6b6dde03c4add
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 11:01:27 2019 +0800

    Update sudo srpm patch for CVE bug

    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    And we have to update some patches according to new srpm.
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

    CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

    Closes-Bug: 1852825
    Depends-On: https://review.opendev.org/#/c/695637/
    Change-Id: Ifc0a3423464fafce06cd504d9b427fc3433fb756
    Signed-off-by: Robin Lu <email address hidden>

commit 0231aba5cdcb96b15106591acfff280159050366
Author: Jim Somerville <email address hidden>
Date: Thu Nov 21 15:54:15 2019 -0500

    Uprev systemd to version 219-67.el7

    This solves:
    systemd: line splitting via fgets() allows for state injection
    during daemon-reexec (CVE-2018-15686)

    along with some other less critical issues. See the security
    announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006149.html

    for more details.

    Here we rebase the patches, and fix the atrocious crime of "name of patch file
    doesn't match what git format-patch generates". We also squash down the
    meta patches which add the patches to the spec file as part of
    good housekeeping.

    Change-Id: I01a3fa329bbad541a063cb604d1756892139967f
    Closes-Bug: 1849200
    Depends-On: https://review.opendev.org/#/c/695560
    Signed-off-by: Jim Somerville <email address hidden>

commit 2718976ddc5c272a97cc60651fe5d63a9a037406
Author: Jim Somerville <email address hidden>
Date: Tue Oct 29 15:39:05 2019 -0400

    i40e Driver Upgrade in support of N3000 on-board NICs

    Uprev i40e to version 2.10.19.30
    i40evf gets replaced by iavf version 3.7.61.20

    The iavf driver supports both fortville and columbiaville,
    so they decided to rename from i40evf to something more generic.

    We get to drop the patch which polls for coming out of
    reset as it was incorporated upstream.

    The Intel FPGA Programmable Acceleration Card N3000 contains
    dual Intel XL710 NICs and an FPGA for acceleration purposes.
    This driver upgrade is required to support those NICs.

    Change-Id: Ifbec94bcc00a8cce9fe97bf0eb41556b8bd3e592
    Story: 2006740
    Task: 37542
    Depends-On: https://review.opendev.org/#/c/695061
    Signed-off-by: Jim Somerville <email address hidden>

commit 8a3722089d821573ce6766e6fa40d78a0fdbaded
Author: Joseph Richard <email address hidden>
Date: Tue Oct 29 10:54:58 2019 -0400

    Drop initscripts patch running ipv6 dhcp as daemon

    This commit rebases initscripts patch set, dropping
    run-dhclient-as-daemon-for-ipv6.patch

    Currently, ifup-eth tries running ipv6 dhclient with the one-shot
    option, and if that fails, then retries indefinitely in the background.
    That has the side-effect of causing the ifup-post script to not be run
    if the first dhclient attempt fails, which will prevent routes on that
    interface from being created. This is especially problematic in the
    case of a DOR, where the compute nodes may come up before dnsmasq is up
    on the controller.
    This is different from upstream centos, which will only try running
    dhclient with the one-shot option for ipv6.
    By reverting the initscripts patch to run as a daemon, ipv6 dhclient now
    runs as one-shot only, and if it fails, ifup-eth script exits without
    getting an address, and then the node fails to come up and reboot.
    While this may result in the compute node having an extra reboot in a DOR,
    that is preferable to the compute coming up incorrectly and requiring a
    lock/unlock to recover.

    Closes-bug: 1844579
    Change-Id: I5b7f6b7c878dc4e4737d986f11fae3301585fb1c
    Signed-off-by: Joseph Richard <email address hidden>

commit 5afd5f90b29f6e097824f7c6f2fe7762597d9ad6
Author: Andy Ning <email address hidden>
Date: Tue Nov 5 00:12:26 2019 -0500

    update Barbican admin secret's user/project IDs during bootstrap

    In a DC system when subcloud is managed, keystone user/project IDs are
    synced with Central Cloud, including admin user and project. But the
    admin's secrets in Barbican still use the original user/project IDs,
    causing docker registry access failure when platform-integ-apps is
    reapplied.

    This change added a patch to keystone puppet manifest, that updates
    keystone admin user/project IDs to be the same as Central Cloud right
    after keystone is bootstrapped during subcloud deployment. This way any
    reference to admin user/project IDs after bootstrap will be using the
    IDs same as Central Cloud, including the ones in Barbican. This will
    solve the problem of retrieving central registry credential failure
    when platform-integ-apps is reapplied.

    Change-Id: I509a06b4b810620a1b3648837726f7f2771162a5
    Closes-Bug: 1851247
    Signed-off-by: Andy Ning <email address hidden>