28 Commits

Author SHA1 Message Date
Jim Somerville
582fc6874f CentOS: tzdata: upversion to 2022a
We need to upversion as the leapseconds files
have expired.  We also pick up any changes to
timezones, such as when DST occurs.

Verification:
- tzdata package builds ok
- check built package to ensure it contains the
  leap-seconds.list file
- build-iso and make sure it contains the new rpm
- boot the iso and ensure nothing weird observed
  regarding the date
- run "export TZ=/usr/share/zoneinfo/EST5EDT" followed
  by the date command and ensure that it displays the
  correct time for that timezone

Partial-Bug: 1981368

Change-Id: Ic12eb4a3a1eb3d545a4ae5d24dc01f83aeed08a0
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
2022-07-12 14:01:21 -04:00
Steven Webster
5d51ff6dd7 Enable puppet-firewall parsing of --random-fully rules
A problem may occur if puppet attempts to inject a firewall rule
while the underlying iptables/ip6tables has existing rules which
use the --random-fully flag in the NAT table.

The issue occurs because puppet-firewall first makes a call to
iptables-save/ip6tables-save to parse the existing rules
(to determine if the rule already exists).  If it finds a rule
with --random-fully, it will immediately bail out.

The current version(s) of puppet-firewall in StarlingX are old
enough that they don't have parsing logic for the --random-fully
flag that was initially supported in iptables version 1.6.2+.

Now that StarlingX uses iptables 1.8.4, we must account for the
possibility that various components (i.e. kubernetes) will make
use of --random-fully rules.

This feature has been implemented upstream in the following commits:

https://github.com/puppetlabs/puppetlabs-firewall/commits/

9a4bc6a81cf0cd4a56ba458fadac830a2c4df529
0ea2b74c0b4a451a37bae8c2ff105b72481ab485

The above commits have been ported back to:

CentOS: puppet-firewall-1.8.2
Debian: puppetlabs-firewall-1.12.0

Since StarlingX does not currently build its own version
of puppet-firewall in either CentOS or Debian, this commit
also contains the infrastructure to do so.

Testing:

Note: Since the issue is intermittent on unlock, the functional
tests were performed with a custom runtime manifest that installed
a dummy iptables/ip6tables rule when an interface was modified.
At this time, it was guaranteed that there were rules with
the --random-fully flag present.

CentOS:

Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS

Debian:

Package build: PASS
Present in iso: PASS
IPv4 functional test (iptables): PASS
IPv6 functional test (ip6tables): PASS

Closes-Bug: #1971900

Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: I7dbb9e1b99d95df0aa5a7db7aa22c3c314253788
2022-05-10 11:17:08 -04:00
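The idempotency check described in the commit above, as an added example (not StarlingX or puppetlabs-firewall code): it parses `iptables-save` output the way a firewall manager must before injecting a rule, and shows why a parser whose option table predates iptables 1.6.2 rejects the whole NAT dump as soon as one MASQUERADE rule carries `--random-fully`. The sample dump and the option tables are constructed for the example; a real parser carries the full iptables option table.

```python
"""Parse iptables-save output and recognise the --random-fully flag.

Added example, not StarlingX or puppetlabs-firewall code.  It models the
idempotency check puppet-firewall performs (parse `iptables-save` output
and ask whether the rule to be injected is already there) and shows why a
parser whose option table predates iptables 1.6.2 rejects the whole dump
as soon as one MASQUERADE rule carries --random-fully.
"""
import shlex

# Constructed sample of `iptables-save -t nat` output (not captured from a
# real host).  The KUBE-POSTROUTING rule uses --random-fully, as kube-proxy
# emits on iptables >= 1.6.2.
SAMPLE_NAT_TABLE = """\
# Generated by iptables-save v1.8.4 (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:KUBE-POSTROUTING - [0:0]
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 10.0.0.0/8 ! -o docker0 -j MASQUERADE
-A KUBE-POSTROUTING -m mark --mark 0x4000/0x4000 -j MASQUERADE --random-fully
COMMIT
"""

# Options that take no argument.  The old table has no 'random-fully'.
OLD_FLAG_OPTS = frozenset({"random", "persistent"})
NEW_FLAG_OPTS = OLD_FLAG_OPTS | {"random-fully"}

# Options that take exactly one argument (enough for the sample; a real
# parser carries the full iptables option table).
VALUE_OPTS = frozenset({"A", "s", "d", "i", "o", "p", "j", "m",
                        "comment", "mark", "dport", "sport", "to-source"})


def parse_rule(line, flag_opts):
    """Turn one '-A CHAIN ...' line into {option: [value, ...]}.

    A negated match ('! -o docker0') is stored as ('!', value).  An option
    missing from both tables raises ValueError, which is the 'bail out'
    behaviour of a parser that does not know --random-fully.
    """
    tokens = shlex.split(line)
    rule = {}
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        opt = tok.lstrip("-")
        if opt in flag_opts:
            value, i = True, i + 1
        elif opt in VALUE_OPTS:
            if i + 1 >= len(tokens):
                raise ValueError(f"option {tok} is missing its argument")
            value, i = tokens[i + 1], i + 2
        else:
            raise ValueError(f"unknown option {tok!r} in {line!r}")
        rule.setdefault(opt, []).append(("!", value) if negate else value)
        negate = False
    return rule


def parse_table(text, flag_opts):
    """Return {chain: [rule, ...]} for one iptables-save table dump."""
    chains = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue
        rule = parse_rule(line, flag_opts)
        chains.setdefault(rule["A"][0], []).append(rule)
    return chains


def rule_exists(text, wanted, flag_opts=NEW_FLAG_OPTS):
    """Idempotency check: is the '-A ...' line `wanted` already in the dump?"""
    wanted_rule = parse_rule(wanted, flag_opts)
    chain = wanted_rule["A"][0]
    return wanted_rule in parse_table(text, flag_opts).get(chain, [])


def old_parser_bails(text):
    """True when a parser without --random-fully support rejects the dump."""
    try:
        parse_table(text, OLD_FLAG_OPTS)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("old parser bails:", old_parser_bails(SAMPLE_NAT_TABLE))
    print("rule present:", rule_exists(
        SAMPLE_NAT_TABLE,
        "-A KUBE-POSTROUTING -m mark --mark 0x4000/0x4000 -j MASQUERADE --random-fully"))
```

Note that the comparison is on the parsed rule, not the raw line, so a rule that differs only in negation (`! -o docker0` versus `-o docker0`) or only in the presence of `--random-fully` is correctly reported as absent; a manager that compared raw strings would either miss duplicates or re-add rules on every run.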
Jim Somerville
2b7072eb11 tzdata: upversion to 2021e and start building
We need to install the leap-seconds.list file as
the prebuilts don't.  This file is needed for
later versions of ptp.

Verification:
- tzdata package now builds
- check built package to ensure it contains the
  leap-seconds.list file
- build-iso and make sure it contains the new rpm
- boot the iso and ensure nothing weird observed
  regarding the date
- run "export TZ=/usr/share/zoneinfo/EST5EDT" followed
  by the date command and ensure that it displays the
  correct time for that timezone

Story: 2009130
Task: 44276
Change-Id: I57ce64d49cbf3f6a1de95aa7df462f7ae9daa1ad
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
2022-01-12 17:32:24 -05:00
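The two tzdata commits above (582fc6874f and 2b7072eb11) install leap-seconds.list because later versions of ptp need it, and upversion again because the shipped file had expired. As an added example (not tzdata, linuxptp or StarlingX code), the parser below reads the file's own expiry stamp and TAI-UTC table so a node can tell whether the copy it carries is still authoritative on a given date. The file contents are a constructed, abbreviated sample in the real format; the values are chosen for the example and not copied from a tzdata release.

```python
"""Check a tzdata leap-seconds.list file for expiry and consistency.

Added example, not tzdata, linuxptp or StarlingX code.  leap-seconds.list
carries its own expiry stamp; a node whose copy has expired no longer has
an authoritative TAI-UTC offset, which is what a PTP daemon that reads the
file needs.  This parser extracts the stamps and the offset table.
"""
from datetime import datetime, timedelta, timezone

# Timestamps in leap-seconds.list count seconds since 1900-01-01 (NTP epoch).
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Constructed, abbreviated file in the real format (values chosen for the
# example, not copied from a tzdata release): "#$" is the last-update
# stamp, "#@" the expiry stamp, data lines are <NTP seconds> <TAI-UTC>.
SAMPLE_LEAP_FILE = """\
#	Leap-seconds file (constructed sample)
#$	3676924800
#@	3896899200
2272060800	10	# 1 Jan 1972
2287785600	11	# 1 Jul 1972
2303683200	12	# 1 Jan 1973
3644697600	36	# 1 Jul 2015
3692217600	37	# 1 Jan 2017
"""


def ntp_to_datetime(ntp_seconds):
    """Convert an NTP timestamp (seconds since 1900) to an aware UTC datetime."""
    return NTP_EPOCH + timedelta(seconds=int(ntp_seconds))


def parse_leap_file(text):
    """Return (updated, expires, table); table is [(effective_utc, tai_minus_utc)].

    Raises ValueError when the expiry line is missing or the table is not
    strictly increasing, so a truncated or hand-edited file is not trusted.
    """
    updated = expires = None
    table = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#$"):
            updated = ntp_to_datetime(line[2:].split()[0])
        elif line.startswith("#@"):
            expires = ntp_to_datetime(line[2:].split()[0])
        elif line.startswith("#"):
            continue
        else:
            fields = line.split()
            table.append((ntp_to_datetime(fields[0]), int(fields[1])))
    if expires is None:
        raise ValueError("no '#@' expiry line: not a leap-seconds.list file")
    # The sample is abbreviated, so only require that each entry is later
    # in time and changes the offset; a full file steps by exactly one.
    for (t0, o0), (t1, o1) in zip(table, table[1:]):
        if t1 <= t0 or o1 == o0:
            raise ValueError(f"table not strictly increasing at {t1:%Y-%m-%d}")
    return updated, expires, table


def leap_file_status(text, now_iso):
    """Classify the file on the date `now_iso` (YYYY-MM-DD, treated as UTC).

    Returns (status, tai_minus_utc, expiry_date) where status is 'valid'
    or 'expired' and tai_minus_utc is the offset in force on that date.
    """
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    _, expires, table = parse_leap_file(text)
    offset = None
    for effective, tai_utc in table:
        if effective <= now:
            offset = tai_utc
    status = "valid" if now < expires else "expired"
    return status, offset, expires.strftime("%Y-%m-%d")


if __name__ == "__main__":
    for day in ("2022-07-12", "2023-07-01"):
        print(day, leap_file_status(SAMPLE_LEAP_FILE, day))
```

On a host, pass the contents of the installed file (assumed here to be /usr/share/zoneinfo/leap-seconds.list, alongside the zoneinfo files the commit's TZ check uses) and today's date; an `expired` result is the condition the 2022a upversion exists to clear, and is worth alerting on rather than discovering after PTP stops applying the offset.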
Kyle MacLeod
e2ab5cc2c8 Patch watch.py in python-kubernetes package
Patch the python2-kubernetes-8.0.0-8.el7.noarch.rpm with recent
bug fix commits required for proper kubernetes watch functionality.

Patches watch.py up to commit 10ae476 in the 'base' repo
(kubernetes-client/python-base).

Commits are taken from the cloned github repo, saved in patch format,
and applied as a patch to the source RPM.

Reference:
https://github.com/kubernetes-client/python-base/commits/master/watch/watch.py

This patch includes commits beginning with d56fdbc, up to and including 10ae476

Testing:
- Built and tested on a local distributed cloud system
- Similar testing to this patch, but based on a locally modified package,
  has been done on a 1000 subcloud system
- Examine/compare contents of installed package vs. expected
- Generating events which trigger the watch conditions
- Monitor watches for proper behaviour on expiry

Story: 2008960
Task: 43053

Signed-off-by: Kyle MacLeod <kyle.macleod@windriver.com>
Change-Id: I7ad78957b6ef61e7204c45f482f201d5c281385b
2021-08-25 17:05:03 -04:00
Cole Walker
1f4538df28 Add collection of linuxptp patches
This commit applies several patches to the linuxptp srpm in order to
address an issue syncing multiple interfaces on a ptp node. The srpm
used is linuxptp-2.0-2.el7.src.rpm.

Patch descriptions:
base/linuxptp/centos/meta_patches:
0001 updates the srpm spec file to apply the patches during build
0002 updates the package versioning to comply with the STX format

base/linuxptp/centos/patches:
Patches 0001-0005 combine to correct a fault present when a ptp node is
configured with multiple clocks in jbod mode, which results in the client
port getting stuck in the UNCALIBRATED state and unable to lock to the
Grandmaster clock. The root of the issue lies in the sanity check, where
checking timestamps received on multiple ports results in the
sanity_freq_limit threshold constantly being reached and the servo for
that port being repeatedly reset, preventing it from ever syncing.

The changes in patches 0001-0005 have been written by Miroslav Lichvar
on the linuxptp-devel mailing list. They are currently under review and
testing by the upstream linuxptp maintainers prior to merging. I was
able to apply them as-is to linuxptp v2.0. I have chosen to keep them as
individual patches, as that is how they will appear upstream.

Patch 0006 is my work and serves to address an issue in phc2sys
where the local ptp clocks are not synced together properly if the local
time is far behind the reference time. This issue occurs when phc2sys
starts and there is no client port currently synced to a grandmaster. In
the original behaviour, phc2sys selects the first configured port and
proceeds to sync all of the other clocks to it by performing the
first_step operation.

Then ptp4l will eventually lock to the Grandmaster clock, and that
single port will have its time updated to the correct value, but
phc2sys has already performed the first_step operation and will not
step the other clocks again.

My solution is to provide an option to disable the selection of a
default port by phc2sys. When no default port is selected, phc2sys waits
for ptp4l to sync to the Grandmaster before bringing the other clocks
into sync with the first_step operation.

This option is configured via the default_sync
parameter or the -D flag. The default_sync parameter is set to on by
default in order to keep the behaviour the same as upstream linuxptp,
but can be configured by users via
system service-parameter-add ptp global default_sync=0

Closes-Bug: 1930607

Signed-off-by: Cole Walker <cole.walker@windriver.com>
Change-Id: I2f660787c6753dcd4fc4c51da7b08ab9e6f197f4
2021-06-28 14:15:22 -04:00
Li Zhou
4850ab86da systemd: Upgrade to version 219-78.el7_9.3
This fixes the issue of systemd sending tons of useless
PropertiesChanged messages when a mount happens as described in:
https://bugzilla.redhat.com/show_bug.cgi?id=1793527

Depends-On: https://review.opendev.org/c/starlingx/tools/+/786601
Partial-Bug: #1924691
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I3596303d77211a135e8559a05806395328725cde
2021-04-27 02:09:27 +00:00
Li Zhou
9d60767e32 ntp: fix CVE-2020-13817
Update ntp source package to:
ntp-4.2.6p5-29.el7.centos.2.src.rpm
In fact it is version ntp-4.2.6p5-29.el7_8.2.
(Refer to https://git.centos.org/rpms/ntp/c/
e9ba41e9edf8efad8f090aad24845b8f4db0668d?branch=c7)

Story: 2008532
Task: 41691
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: If5db6b15b9c01a20a614bb160bba575c6b578d3e
2021-04-01 02:10:52 -04:00
Zuul
3d8ffbc2e8 Merge "dhcp: fix CVE-2019-6470" 2021-03-12 04:52:27 +00:00
Zhixiong Chi
cb85cff32b dhcp: fix CVE-2019-6470
Upgrade dhcp pkg to dhcp-4.2.5-82.el7.centos.src.rpm

Adjust the patch context so that it applies to the new version.
Since the new version depends on the bind-export packages, we also
add the dependency packages in the tools repo:
 bind-export-libs-9.11.4-26.P2.el7.x86_64.rpm
 bind-export-devel-9.11.4-26.P2.el7.x86_64.rpm

In addition, the patch dhcp-dhclient_ipv6_prefix.patch sets the
default prefixlen to 128, which is usually what the specifications call
for a host address, and it doesn't include any on-link information.
By contrast, 64 indicates a subnet, and this value is used
frequently. So we still use the previous value 64.
As a result we no longer need to modify every place in the
application code where it would be needed for compatibility.

Depends-On: https://review.opendev.org/c/starlingx/tools/+/772241

Story: 2008532
Task: 41638
Change-Id: I0305711790d8e3fb1adfa69e1077468456b65d84
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2021-03-04 01:46:50 +00:00
Joe Slater
7d7fe3dc61 sudo: fix CVE-2021-3156
Advance to sudo-1.8.23-10.el7_9.1.src.rpm.

Closes-Bug: 1916946
Change-Id: Ibb90439c77d6f5b1badcadb37080ff9e330787d5
Signed-off-by: Joe Slater <joe.slater@windriver.com>
2021-03-01 13:20:16 -05:00
Zuul
ad02943bb5 Merge "grub2: fix CVE-2020-15707" 2021-02-18 17:31:17 +00:00
Zhixiong Chi
7b5b3aeabf Revert "dhcp: fix CVE-2019-6470"
This reverts commit 613fbf258f72042f912a1fde5608168b1068db36.

Since this upversioned package updates the prefixlen to 128, it
causes all hosts to go offline after booting off controller-0.
At the same time this issue will block the use of recent loads for
both development and test activities. So we revert the patch first,
investigate deeply, and then send a new review and request for the
upgraded patch with the appropriate fix for the offline issue.

Closes-Bug: #1915050

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I02ecaa1bda463efb38d9c32a47f2221d0de7f99d
2021-02-10 21:18:09 -05:00
Zuul
29b856ad0d Merge "openssh: fix CVE-2018-15473 from source build" 2021-02-04 16:37:24 +00:00
Li Zhou
29dd2fd42a openssh: fix CVE-2018-15473 from source build
Upgrade to openssh-7.4p1-21 for fixing CVE.

Story: 2008532
Task: 41668
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ic3e10b3455587bba16585fe8e235c4c0655f1e3e
2021-01-26 07:50:09 +00:00
Li Zhou
d053c67554 sudo: fix CVE-2019-18634
Upgrade to sudo-1.8.23-10 for fixing CVE.

Story: 2008532
Task: 41689
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I863e66ee887de40d75db7951f4ba408ad022c131
2021-01-26 07:21:41 +00:00
Zhixiong Chi
a0b2acecaa grub2: fix CVE-2020-15707
Avoid the heap-based buffer overflow.

Upgrade to the below package to fix the CVE issue:
 grub2-2.02-0.86.el7.centos.src.rpm

At the same time adjust the context and drop
0004-grub2-remove-32b-requirements.patch since it already had been
included in the new version.

Story: 2008532
Task: 41664
Change-Id: I7943127323ee28457ffe0a4ece54764633f86d9f
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2021-01-25 04:15:59 -05:00
Zuul
28e1919265 Merge "dhcp: fix CVE-2019-6470" 2021-01-22 16:58:03 +00:00
Zhixiong Chi
613fbf258f dhcp: fix CVE-2019-6470
Upgrade dhcp pkg to dhcp-4.2.5-82.el7.centos.src.rpm

Since the new version depends on the bind-export package, we also
add the dependency package in the tools repo.

Depends-On: https://review.opendev.org/c/starlingx/tools/+/771744

Story: 2008532
Task: 41638
Change-Id: Ic25b4404475a6f914e5a524db7d60d7e9dcffc85
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2021-01-21 20:52:27 -05:00
Nicolas Alvarez
d815cfe2f2 Uninstall SNMP RPM Host-Based from STX.
Uninstall SNMP RPM Host-Based from starlingx/integ repo because it
will be containerized.
Also disable snmp from networking/lldpd/centos/lldpd.spec file.

Story: 2008132
Task: 41322
Depends-On: https://review.opendev.org/761792
Signed-off-by: Nicolas Alvarez <nicolas.alvarez@windriver.com>

Change-Id: Ifda06a5eb3bd0ec9683823b643e6d9cc0e7c97e2
2020-12-14 11:45:30 -03:00
Ran An
fc125a7a24 Revert "Add python3-daemon required by logmgmt"
This reverts commit 97cd7ea5c1037dd22488793ea9271462fedc4c7a.

Change-Id: I3f09054c1546252493f8eb29dc70806829324a52
2020-05-14 11:41:50 +00:00
SidneyAn
97cd7ea5c1 Add python3-daemon required by logmgmt
The logmgmt package, upgraded to python3, requires the python3 module
"daemon", and no package in the CentOS 7 official repo provides it.

This patch refers to the python3-daemon package built by RDO
for CentOS 8: python-daemon-2.2.3-7.el8.src.rpm

Disable the rpm check part, which is not required in stx, to
reduce python3 dependencies that are not supported by CentOS 7.

Depends-on: https://review.opendev.org/#/c/727657/
Depends-on: https://review.opendev.org/#/c/727662/
Change-Id: Ie08ea9c7adf830ad4e8e924fa69352fb2a923a6f
Story: 2007106
Task: 39291
Signed-off-by: SidneyAn <ran1.an@intel.com>
2020-05-13 21:14:03 +08:00
Scott Little
838bdd44b6 fix mellanox lst file entries
Build broken by commit 5056c8458696acb429279a3c07f12971f0b386df,
which changed the version of the libibverbs and rdma-core packages
without a matching change to the lst files.

This update brings the lst file into line with the new version.

Story: 2007308
Task: 38805
Task: 38806
Change-Id: I0a305804e0a4cf7c1dd06c3a6ec1af5724dcdfc5
Signed-off-by: Scott Little <scott.little@windriver.com>
2020-05-04 15:03:54 -04:00
Davlet Panech
bceb6c148c Subdirectory kernel relocated to new repo starlingx/kernel
* Moved subdirectories from kernel/ into a new repo
* Removed references to kernel from this repo's file lists

Change-Id: I386418f51169dd9b8c977bae328060077ac44b93
Depends on: I4b171accd8b489c92f6d2c69cb7aa5c63e75f336
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
2020-04-11 13:08:18 -04:00
Robin Lu
38c184f1b4 Update kernel-std patches for kernel upgrade to version 1062.1.2
This upgrade fixes the CVEs listed below. We refresh the patches
against the new kernel source.
Patch 15 is now included in the new version, so I drop it
from the new patch set.

CVE bug: CVE-2019-11810:kernel: a NULL pointer dereference in
drivers/scsi/megaraid/megaraid_sas_base.c leading to DoS
CVE bug: CVE-2019-11811: kernel: use-after-free in IPMI Edit
CVE bug: CVE-2019-14835: kernel: vhost-net: guest to host kernel
escape during migration

Closes-Bug: 1849206
Closes-Bug: 1849209
Closes-Bug: 1847817

Change-Id: I217cf8684e31dacea627c33462e5e4b6e089c38f
Depends-On: https://review.opendev.org/#/c/695355/
Signed-off-by: Robin Lu <bin1.lu@intel.com>
2020-01-02 06:27:12 +00:00
Bart Wensley
bcfade61de Remove obsolete patches for eventlet and requests
We are currently carrying patches for python-eventlet and
python-requests that are over three years old and were
created to "fix" a nova issue. Now that nova is in a
container, it no longer uses our eventlet or requests so
these patches do not have any effect.

The patches need to be removed to allow eventlet to be
upversioned, which is being done in another commit.

Change-Id: I730ba86d8f6ec8b88b060ada324cfd268af24b35
Story: 2006781
Task: 37583
Depends-On: https://review.opendev.org/#/c/700071/
Depends-On: https://review.opendev.org/#/c/700054/
Signed-off-by: Bart Wensley <barton.wensley@windriver.com>
2019-12-20 10:25:33 -06:00
Martin, Chen
4aa661ce56 Build layering
Rebase tarball for i40e Driver
Rebase srpm for systemd 219-67.el7
Rebase srpm for sudo
Rebase srpm for ntp

Depends-On: https://review.opendev.org/#/c/695061/
Depends-On: https://review.opendev.org/#/c/695560/
Depends-On: https://review.opendev.org/#/c/695637/
Depends-On: https://review.opendev.org/#/c/695983/

Story: 2006166
Task: 37570

Change-Id: I7f33e0fb1319df3421318c4927d2a5675a490273
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
2019-11-29 14:14:13 +08:00
Robin Lu
f30cb74fef Update sudo srpm patch for CVE bug
To fix the CVE below, we will use sudo-1.8.23-4.el7_7.1.src.rpm,
and we have to update some patches according to the new srpm.
https://lists.centos.org/pipermail/centos-announce/2019-October/023499.html

CVE bug: CVE-2019-14287: sudo: can bypass certain policy blacklists

Closes-Bug: 1852825
Depends-On: https://review.opendev.org/#/c/695637/
Change-Id: Ifc0a3423464fafce06cd504d9b427fc3433fb756
Signed-off-by: Robin Lu <bin1.lu@intel.com>
2019-11-25 09:43:16 +08:00
Scott Little
9a02692850 Build layering, add layer build config file and srpm and tarball lst
Story: 2006166
Task: 37113

Change-Id: I11b2a3f635d7a1f50d0d21c4b4bad88de96d5292
Signed-off-by: Scott Little <scott.little@windriver.com>
2019-10-21 09:24:22 +08:00