Activity log for bug #1950321

Date Who What changed Old value New value Message
2021-11-09 13:04:10 Andreas Hasenack bug added bug
2021-11-09 16:00:32 Sergio Durigan Junior bug added subscriber Sergio Durigan Junior
2021-11-09 17:49:08 RussianNeuroMancer bug added subscriber RussianNeuroMancer
2021-11-15 04:07:34 Eduard Grigoryan bug added subscriber Eduard Grigoryan
2021-12-09 19:34:23 Andreas Hasenack description
Old value: Placeholder for new MIR attempt for glusterfs. Old MIR is bug #1274247
New value:

Old MIR is bug #1274247

(launchpad will definitely wrap these lines and break the formatting: if you want, I can post this content elsewhere, like a git repo)

[Availability]
The package glusterfs is already in Ubuntu universe.
The package glusterfs builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/glusterfs

[Rationale]
The package glusterfs is required in Ubuntu main for:
- The package glusterfs will generally be useful for a large part of our user base
- Additionally new use-cases enabled by this are:
  - samba clustering support (we carry a packaging delta to disable it in Ubuntu)
  - qemu native glusterfs support (bug #1246924)

[Security]
For the security review, consider the points raised last time this was done, in 2014, when the first MIR was rejected:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1274247/comments/14

cppcheck issues were fixed:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1274247/comments/19
https://bugzilla.redhat.com/show_bug.cgi?id=1086460

There are some strncat warnings during build, like these:

In file included from /usr/include/string.h:519,
                 from ../../../../libglusterfs/src/glusterfs/glusterfs.h:15,
                 from trash.h:13,
                 from trash.c:10:
In function ‘strncat’,
    inlined from ‘trash_truncate_mkdir_cbk’ at trash.c:1730:13:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:135:10: warning: ‘__strncat_chk’ output may be truncated copying between 0 and 4095 bytes from a string of length 4095 [-Wstringop-truncation]
  135 |   return __builtin___strncat_chk (__dest, __src, __len,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  136 |                                   __glibc_objsize (__dest));
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~

and

In file included from /usr/include/string.h:519,
                 from ../../../../libglusterfs/src/glusterfs/glusterfs.h:15,
                 from glusterd-utils.c:23:
In function ‘strncat’,
    inlined from ‘glusterd_add_peers_to_auth_list’ at glusterd-utils.c:14997:27:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:135:10: warning: ‘strncat’ specified bound depends on the length of the source argument [-Wstringop-overflow=]
  135 |   return __builtin___strncat_chk (__dest, __src, __len,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  136 |                                   __glibc_objsize (__dest));
      |                                   ~~~~~~~~~~~~~~~~~~~~~~~~~

- http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=glusterfs
  Plenty of vulnerabilities, but the most recent affected version is 4.1.4. Bionic ships 3.13.2, and focal has 7.2 already. Jammy is on 10.0 (proposed)
- site:www.openwall.com/lists/oss-security glusterfs
  Previously mentioned CVEs
  No hits more recent than 2018. One from 2020, but about kube-controller-manager, which can affect storage volume types and glusterfs is in the list.
- https://ubuntu.com/security/cve?q=glusterfs&package=&priority=&version=&status=
  Plenty of CVEs, but note that from Focal onwards we are not affected
- https://github.com/gluster/glusterdocs/security
  Unclear if this is used. The advisories tab is empty.

In general, it looks like that was a good shift to having a more secure product, when compared to older versions, at least in terms of CVEs and advisories.

- no `suid` or `sgid` binaries
- plenty of executables in `/sbin` and `/usr/sbin`
- Package installs services:
  -rw-r--r-- 1 root root 604 Nov 25 13:38 /lib/systemd/system/glusterd.service
  -rw-r--r-- 1 root root 416 Nov 25 13:38 /lib/systemd/system/glustereventsd.service

  glusterd runs as root and opens port 24007/tcp:
  root 650 0.0 0.8 463484 16948 ? SLsl 13:07 0:00 /usr/sbin/glusterd -p /var/run/glusterd.pid --log-level INFO

  glusterfsd runs as root, and has port 51886/tcp open in the port list further below, but no dedicated service file for it. It must be spawned on demand:
  root 879 0.0 0.9 678344 18976 ? SLsl 13:07 0:00 /usr/sbin/glusterfsd -s j3-gluster --volfile-id gv0.j3-gluster.data-brick1-gv0 -p /var/run/gluster/vols/gv0/j3-gluster-data-brick1-gv0.pid -S /var/run/gluster/151590e8a4cfce4e.socket --brick-name /data/brick1/gv0 -l /var/log/glusterfs/bricks/data-brick1-gv0.log --xlator-option *-posix.glusterd-uuid=039bb0cb-e8ae-4109-80c4-1680c0900046 --process-name brick --brick-port 51886 --xlator-option gv0-server.listen-port=51886

  glusterfs runs as root. On the server:
  root 890 0.0 0.6 597576 13564 ? SLsl 13:07 0:00 /usr/sbin/glusterfs -s localhost --volfile-id shd/gv0 -p /var/run/gluster/shd/gv0/gv0-shd.pid -l /var/log/glusterfs/glustershd.log -S /var/run/gluster/ee6b53133c702918.socket --xlator-option *replicate*.node-uuid=039bb0cb-e8ae-4109-80c4-1680c0900046 --process-name glustershd --client-pid=-6

  On a client with a volume mounted:
  root 47453 0.0 0.9 649100 18400 ? SLsl 12:58 0:00 /usr/sbin/glusterfs --process-name fuse --volfile-server=j1-gluster --volfile-id=/gv0 /mnt

- Package does not open privileged ports (ports < 1024)
  On a server peered with two other servers, and one connected client:

  $ sudo netstat -anp|grep gluster|grep -v ^unix
  tcp 0 0 0.0.0.0:24007 0.0.0.0:* LISTEN 650/glusterd
  tcp 0 0 0.0.0.0:51886 0.0.0.0:* LISTEN 879/glusterfsd
  tcp 0 0 192.168.122.32:49150 192.168.122.156:24007 ESTABLISHED 650/glusterd
  tcp 0 0 192.168.122.32:51886 192.168.122.157:49147 ESTABLISHED 879/glusterfsd
  tcp 0 0 192.168.122.32:49145 192.168.122.156:54119 ESTABLISHED 890/glusterfs
  tcp 0 0 192.168.122.32:24007 192.168.122.211:49147 ESTABLISHED 650/glusterd
  tcp 0 0 127.0.0.1:24007 127.0.0.1:49148 ESTABLISHED 650/glusterd
  tcp 0 0 192.168.122.32:24007 192.168.122.156:49150 ESTABLISHED 650/glusterd
  tcp 0 0 127.0.0.1:49148 127.0.0.1:24007 ESTABLISHED 890/glusterfs
  tcp 0 0 192.168.122.32:24007 192.168.122.32:49149 ESTABLISHED 650/glusterd
  tcp 0 0 192.168.122.32:49148 192.168.122.211:55591 ESTABLISHED 890/glusterfs
  tcp 0 0 192.168.122.32:49142 192.168.122.32:51886 ESTABLISHED 890/glusterfs
  tcp 0 0 192.168.122.32:51886 192.168.122.32:49142 ESTABLISHED 879/glusterfsd
  tcp 0 0 192.168.122.32:49149 192.168.122.32:24007 ESTABLISHED 879/glusterfsd
  tcp 0 0 192.168.122.32:51886 192.168.122.156:49145 ESTABLISHED 879/glusterfsd
  tcp 0 0 192.168.122.32:51886 192.168.122.211:49145 ESTABLISHED 879/glusterfsd
  tcp 0 0 192.168.122.32:49151 192.168.122.211:24007 ESTABLISHED 650/glusterd

  There are no listening ports on a client, just the ones opened by the connection(s) established to the server.

- Package does not contain extensions to security-sensitive software (filters, scanners, plugins, UI skins, ...)
  This is a networked filesystem, I'd say it's security sensitive. There are integration points with other packages, like samba (https://wiki.samba.org/index.php/GlusterFS) and libvirt (https://libvirt.org/storage.html#StorageBackendGluster), and of course qemu itself.

[Quality assurance - function/usage]
- After installing the package it must be possible to make it working with a reasonable effort of configuration and documentation reading.
  The package needs post install configuration or reading of documentation, there isn't a safe default because you need to configure how you want your storage to be used.
  There is an easy quickstart page provided by upstream at https://docs.gluster.org/en/latest/Quick-Start-Guide/Quickstart/ that works very well and is an excellent starting point. The instructions use `yum` to install the package, but it's the same package name in Ubuntu and `apt` can be used interchangeably. Same for the systemd service units.

[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and has not too many and long term critical bugs open

Ubuntu bugs: https://bugs.launchpad.net/ubuntu/+source/glusterfs
- memory leak claims on older versions (3.13.x, 2.20)
- remaining bugs against much older versions of both the package and ubuntu
These bugs should be triaged, and the ones against EOL releases should be closed

Debian bugs: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=glusterfs
Just some that we (Canonical) filed recently, I'm a bit surprised.

Upstream issues: https://github.com/gluster/glusterfs/issues
- very active, and many bugs to improve the code, like replacing of functions or getting rid of warnings
- Many open pull requests: https://github.com/gluster/glusterfs/pulls , many with test failures showing good CI/CD practice

Release cadence:
Good documented release cadence: https://www.gluster.org/release-schedule/

- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
The package does not run a test at build time because who knows. I found remnants of unit test infrastructure, and there is a makefile target "make check-TESTS", but there are zero tests to run. I asked about this in the upstream slack channel: https://gluster.slack.com/archives/CHVRH5D50/p1638906018050000

"""
hi everyone, quick (I hope) question, I'm going over requirements to bring the gluster package into ubuntu main (it's in universe), and one of the questions that I have to answer is if there are build-time tests. I've seen the "make check" target, and it prints some output, but always with a zero test count. It's like the test infrastructure is there, but there are no tests. Is that accurate?

1 reply

Amar Tumballi (kadalu.io) 1 day ago
We don't run any tests when making the build (ie, no make test or make check like infra). All tests are run as part of PR review part, and nightly.
"""

They have a collection of jenkins jobs defined here: https://github.com/gluster/build-jobs
They have system tests, but I didn't get them to run out of the box yet. Maybe once working, these could be used as DEP8 tests, if they prove to be reliable enough.

Other than that, without upstream's help, I don't think we can add build-time tests.

Upstream does have tests that run on each branch before it's merged: https://github.com/gluster/glusterfs/pulls

The package does not run an autopkgtest. It shouldn't be hard to add some simple yet good enough DEP8 tests, as the server and client portions can be on the same machine. Maybe even a container, since it's a FUSE filesystem (TBD).

[Quality assurance - packaging]
debian/watch is present and works

This package does not yield massive lintian Warnings, Errors

$ lintian --pedantic -I 2>&1 | tee ../lintian.log
E: glusterfs changes: bad-distribution-in-changes-file jammy
W: glusterfs source: newer-standards-version 4.6.0 (current is 4.5.1)
I: glusterfs source: unused-override very-long-line-length-in-source-file configure *
I: glusterfs source: unused-override very-long-line-length-in-source-file doc/gluster.8 *
I: glusterfs source: unused-override very-long-line-length-in-source-file extras/glusterfs-mode.el *
I: glusterfs source: unused-override very-long-line-length-in-source-file xlators/features/changelog/lib/src/Makefile.in *
I: glusterfs-common: unused-override library-not-linked-against-libc usr/lib/*/glusterfs/*/xlator/mount/api.so
N: 15 hints overridden (1 warning, 14 info); 5 unused overrides

Debian report: https://lintian.debian.org/sources/glusterfs

Lintian overrides are present. Notable ones are:
- executable-in-usr-lib (https://lintian.debian.org/tags/executable-in-usr-lib?version=2.113.26) for lots of scripts and other executables. The override file has no explanation. d/changelog is full of the generic expression "adjust lintian overrides" in many uploads.
- no-symbols-control-file (https://lintian.debian.org/tags/no-symbols-control-file). My guess is these shared libraries are not used externally, and just by glusterfs itself. That being said, there is no symbol file at all in this package, and we do have external packages using gluster. I checked the rdeps of libglusterd0 and libglusterfs0, and found one external package linking to libglusterfs0: nfs-ganesha-gluster (in Ubuntu: debian might have more).

This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies

The package will not be installed by default

Packaging and build is easy, link to d/rules: https://git.launchpad.net/ubuntu/+source/glusterfs/tree/debian/rules

[UI standards]
The server itself is not necessarily end-user facing, but client tools are. That being said, administrators would use them, and not really an end-user, if I understand this point correctly. In any case, there are no translations for this package.

[Dependencies]
No further depends or recommends dependencies that are not yet in main
Note that firewalld (universe) is a build-dep, and enabled in ./configure, but all that does is install a firewalld xml file defining the glusterfs services. It does NOT pull in firewalld.

[Standards compliance]
This package correctly follows FHS and Debian Policy. Maybe the biggest violation is executables in usr/lib, instead of /usr/libexec, but even that is flagged as "pedantic" by lintian.

The security team might want to know why this one was overridden:
O: glusterfs-common: hardening-no-fortify-functions usr/lib/x86_64-linux-gnu/glusterfs/10.0/xlator/features/cloudsync.so

d/changelog has this entry about it, from 2016:
 * Adjust false positive lintian overrides for hardening-no-fortify-functions.

[Maintenance/Owner]
Owning Team will be ubuntu-server
Team is not yet subscribed, but will subscribe to the package before promotion

This does not use static builds

[Background information]
The Package description explains the package well
Upstream Name is glusterfs
Link to upstream project https://www.gluster.org/ and https://github.com/gluster/glusterfs
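The two build warnings quoted in the [Security] section are worth reading closely: `-Wstringop-overflow=` in glusterd_add_peers_to_auth_list fires because the strncat bound is derived from the source string (strncat(dest, src, strlen(src)) is strcat in disguise, the bound says nothing about how much room dest has), and `-Wstringop-truncation` in trash.c fires because a source-sized bound can silently cut a path short. The block below is an added example written for this review, not glusterd's own code: the real buffer name, its size, the list format and the callers are not on this page, so the 32-byte buffer, the comma-separated layout and the function names are assumptions. It shows the flagged pattern next to a destination-bounded append that refuses rather than truncates, and a small builder that stops at the first peer that does not fit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical destination size, chosen small so truncation is easy to hit.
   glusterd's real buffer is not shown on this page. */
#define AUTH_LIST_SIZE 32

/* The pattern gcc reports as "specified bound depends on the length of the
   source argument". The third argument limits how many bytes of SRC are
   copied; it does not limit writes into DEST, so this overflows exactly when
   strcat() would. Kept only to show the anti-pattern. */
void append_source_bounded(char *dest, const char *src)
{
    strncat(dest, src, strlen(src));
}

/* Derive the bound from the space left in DEST and refuse (leaving DEST
   untouched) instead of truncating: a cut-off peer address in an allow-list
   is a different address, not a shorter spelling of the intended one.
   Entries are comma separated (assumed format). */
bool append_dest_bounded(char *dest, size_t dest_size, const char *src)
{
    const char *end = memchr(dest, '\0', dest_size);
    if (end == NULL)                        /* DEST not NUL-terminated: refuse */
        return false;
    size_t used = (size_t)(end - dest);
    size_t room = dest_size - used - 1;     /* keep one byte for the NUL */
    size_t srclen = strlen(src);
    size_t need = srclen + (used ? 1 : 0);  /* separator unless first entry */
    if (need > room)
        return false;
    if (used)
        dest[used++] = ',';
    memcpy(dest + used, src, srclen + 1);   /* copies the terminator too */
    return true;
}

/* Build the list from an array of peer addresses. Returns how many peers were
   appended and stops at the first that does not fit, so the caller can log
   the failure instead of shipping a partial allow-list. */
size_t build_auth_list(char *dest, size_t dest_size,
                       const char *const *peers, size_t npeers)
{
    size_t n = 0;
    if (dest_size == 0)
        return 0;
    dest[0] = '\0';
    for (; n < npeers; n++) {
        if (!append_dest_bounded(dest, dest_size, peers[n]))
            break;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: the three peer addresses visible in the netstat
       output above. With a 32-byte buffer only two of them fit. */
    const char *const peers[] = {
        "192.168.122.156", "192.168.122.157", "192.168.122.211"
    };
    char list[AUTH_LIST_SIZE];
    size_t n = build_auth_list(list, sizeof list, peers, 3);
    return (n == 2 && strcmp(list, "192.168.122.156,192.168.122.157") == 0) ? 0 : 1;
}
```

Compiling this with `-O2 -D_FORTIFY_SOURCE=2` reproduces the `-Wstringop-overflow=` warning on the strncat line in append_source_bounded, which is a quick way to confirm that a warning of this class is about the bound expression rather than a false positive from the fortified wrapper.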
2021-12-09 19:35:14 Andreas Hasenack glusterfs (Ubuntu): status Triaged New
2021-12-09 19:35:23 Andreas Hasenack bug added subscriber MIR approval team
2021-12-09 19:35:40 Andreas Hasenack glusterfs (Ubuntu): assignee Andreas Hasenack (ahasenack)
2021-12-14 15:52:26 Christian Ehrhardt  glusterfs (Ubuntu): assignee Lukas Märdian (slyon)
2021-12-17 12:10:15 Lukas Märdian glusterfs (Ubuntu): status New Incomplete
2021-12-17 12:10:25 Lukas Märdian glusterfs (Ubuntu): assignee Lukas Märdian (slyon) Ubuntu Security Team (ubuntu-security)
2022-01-04 15:44:56 Christian Ehrhardt  glusterfs (Ubuntu): status Incomplete New
2022-01-05 12:52:26 Andreas Hasenack bug watch added https://github.com/gluster/glusterfs/issues/3097
2022-01-11 06:52:45 Christian Ehrhardt  glusterfs (Ubuntu): milestone ubuntu-22.02
2022-01-11 06:52:47 Christian Ehrhardt  glusterfs (Ubuntu): importance Undecided Critical
2022-01-11 07:17:14 Christian Ehrhardt  glusterfs (Ubuntu): milestone ubuntu-22.02 ubuntu-22.04-feature-freeze
2022-01-14 20:01:44 Andreas Hasenack bug watch added https://github.com/gluster/glusterfs/issues/3145
2022-01-27 13:01:02 Snowman bug added subscriber Snowman
2022-01-27 13:01:27 Launchpad Janitor glusterfs (Ubuntu): status New Confirmed
2022-02-11 11:56:25 Andreas Hasenack bug watch added https://github.com/gluster/glusterfs/issues/2979
2022-02-24 06:28:11 Steve Beattie glusterfs (Ubuntu): assignee Ubuntu Security Team (ubuntu-security) Steve Beattie (sbeattie)
2022-02-24 10:53:52 Steve Beattie bug added subscriber Steve Beattie
2022-04-08 07:29:24 Christian Ehrhardt  glusterfs (Ubuntu): assignee Steve Beattie (sbeattie)
2022-04-08 07:41:13 Christian Ehrhardt  summary [MIR] glusterfs [MIR][FFE] glusterfs
2022-04-08 07:41:26 Christian Ehrhardt  bug added subscriber Ubuntu Release Team
2022-04-11 17:05:36 Launchpad Janitor merge proposal linked https://code.launchpad.net/~canonical-server/+git/team-subscriptions/+merge/419221
2022-04-11 17:06:22 Andreas Hasenack merge proposal unlinked https://code.launchpad.net/~canonical-server/+git/team-subscriptions/+merge/419221
2022-04-11 17:48:30 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ahasenack/ubuntu-seeds/+git/platform/+merge/419225
2022-04-11 20:24:48 david information type Public Public Security
2022-04-11 20:34:18 Andreas Hasenack information type Public Security Public
2022-04-11 21:41:27 Steve Langasek glusterfs (Ubuntu): status Confirmed Fix Released