StarlingX

Unable to access aws ecr through proxy

Bug #1853024 reported by Angie Wang
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
StarlingX
Fix Released
Medium
Angie Wang

Bug Description

Brief Description
-----------------
If the system OAM network is behind a proxy, aws client must to be configured with the same proxy in order to request the aws ecr credentials.

Severity
--------
Medium

The proxy used to initialize aws client should be the same as the one configured during bootstrap
by specifying:
docker_http_proxy
docker_https_proxy

System Configuration
--------------------
Any system with aws ecr and proxy configured

See original description
Angie Wang (angiewang)
Changed in starlingx:
assignee: nobody → Angie Wang (angiewang)
description: updated
Angie Wang (angiewang)
Changed in starlingx:
status: New → In Progress
Revision history for this message
Ghada Khalil (gkhalil) wrote :

stx.3.0 / medium priority - related to the authenticated registry support which was added in stx.3.0

tags: added: stx.3.0 stx.containers
Changed in starlingx:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/695062

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/695063

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/695064

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/695063
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=084f86fe063d0c880df6ac2ca4f1f399c10a4088
Submitter: Zuul
Branch: master

commit 084f86fe063d0c880df6ac2ca4f1f399c10a4088
Author: Angie Wang <email address hidden>
Date: Mon Nov 18 16:01:33 2019 -0500

    Initialize aws client with proxies

    For the system configured with aws ecr, if its OAM network is
    behind a proxy, aws client should be configured with the same
    proxy in order to request the registry credentials.

    Change-Id: I49158a476c94c2b44561432d433b283ac76a423d
    Partial-Bug: 1853024
    Signed-off-by: Angie Wang <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/695062
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=e47f347e9fd9be6707ed35b812f45f2138bb622b
Submitter: Zuul
Branch: master

commit e47f347e9fd9be6707ed35b812f45f2138bb622b
Author: Angie Wang <email address hidden>
Date: Tue Nov 19 13:46:43 2019 -0500

    Upgrade botocore package

    Upgrade botocore package from 1.6.0 to 1.12.75.
    The new version fixed the ipv6 proxy management issue.

    Change-Id: Ib82df18ed9ea72fcff9f029289dac2491fe80e81
    Partial-Bug: 1853024
    Signed-off-by: Angie Wang <email address hidden>

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/695064
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=e2cba0a431ed1790582e970be9abc56acd1c8fc9
Submitter: Zuul
Branch: master

commit e2cba0a431ed1790582e970be9abc56acd1c8fc9
Author: Angie Wang <email address hidden>
Date: Mon Nov 18 16:53:18 2019 -0500

    Initialize aws client with proxies

    For the system configured with aws ecr, if its OAM network is
    behind a proxy, aws client should be configured with the same
    proxy in order to request the registry credentials.

    Change-Id: I91d2e7e5a69c594cbcdbcaf286686eb081fa0496
    Depends-On: https://review.opendev.org/#/c/695062/
    Closes-Bug: 1853024
    Signed-off-by: Angie Wang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/698553

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (f/centos8)
Download full text (8.7 KiB)

Reviewed: https://review.opendev.org/698553
Committed: https://git.openstack.org/cgit/starlingx/tools/commit/?id=202776a187184e536adce99b3b0f0ce1ce04fdee
Submitter: Zuul
Branch: f/centos8

commit 063e29fe2e12a306be51755e994d8eb10b2d3614
Author: VictorRodriguez <email address hidden>
Date: Wed Nov 27 17:39:51 2019 -0600

    Add feature to check if a CVE has an open launchpad

    This change enables the capability to track if a CVE to be fixed already
    has an open launchpad in starlingx: https://bugs.launchpad.net/starlingx/

    This will help the security team to focus on the CVEs that do not
    have a launchpad already open, reducing the overhead of analysis of CVEs
    already presented to the development team.

    Story:2006971

    Change-Id: I494f0221cb52a4bf7ace20d75e067b17c719d749
    Signed-off-by: VictorRodriguez <email address hidden>

commit 1d33f5ae60201a6d1baba026a6503ea43843b3ab
Author: Robin Lu <email address hidden>
Date: Mon Nov 11 16:47:49 2019 +0800

    Update OVMF rpm, due to CVE bug.

    CVE bug: CVE-2019-0160
    The updated rpm is selected from the below link.
    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006035.html

    Tests:
    simplex, duplex, multi-node

    Closes-Bug: 1849205

    Change-Id: Ifdbbd82de912488af201f028a65c679acc204ed9
    Signed-off-by: Robin Lu <email address hidden>

commit d964e258beb0c75b5a23ec7db1b523f263db7c9f
Author: Jim Somerville <email address hidden>
Date: Mon Nov 25 15:51:29 2019 -0500

    Uprev ntp to version 4.2.6p5-29.el7

    This solves:
    ntp: Stack-based buffer overflow in ntpq and ntpdc allows
    denial of service or code execution (CVE-2018-12327)

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006016.html

    for more details.

    Change-Id: Ic92fd6af30bf05c6f40cb6a6c60e0bc3811ff22a
    Partial-Bug: 1849197
    Signed-off-by: Jim Somerville <email address hidden>

commit c75164899fb0d242022338d67144c06be7c5b32f
Author: Robin Lu <email address hidden>
Date: Fri Nov 22 16:08:13 2019 +0800

    Update sudo srpm for CVE bug

    To fix below CVE, we will use sudo-1.8.23-4.el7_7.1.src.rpm
    https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

    CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

    Closes-Bug: 1852825

    Change-Id: Iaafc053fe6e3b58468b5fa7c47dbc0f61a2d3c44
    Signed-off-by: Robin Lu <email address hidden>

commit ea25ae6f265f6a9531dd72a8576462a71c3074dc
Author: Jim Somerville <email address hidden>
Date: Fri Nov 22 16:35:45 2019 -0500

    Uprev ruby and associated gems to subminor ver 36

    All affected packages are moved forward to their -36 version.

    This solves:
    ruby: Unintentional directory traversal by poisoned NULL byte
    in Dir (CVE-2018-8780)
    rubygems: Improper verification of signatures in tarball
    allows to install mis-signed gem (CVE-2018-1000076)

    along with numerous other issues.

    See the announcement link:

    https://lists.centos.org/pipermail/centos-cr-announce/2019-Augu...

Read more...

tags: added: in-f-centos8
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.