ichavero pushed to openstack-puppet-modules (f22). "Updated patches from f22-patches"
notifications at fedoraproject.org
notifications at fedoraproject.org
Sat Mar 28 21:58:05 UTC 2015
>From 07f30981d2147201078fa92d30de6e9db168f744 Mon Sep 17 00:00:00 2001
From: Ivan Chavero <ichavero at redhat.com>
Date: Sat, 28 Mar 2015 14:46:23 -0700
Subject: Updated patches from f22-patches
diff --git a/0019-move-setting-of-novncproxy_base_url-into-nova-class.patch b/0019-move-setting-of-novncproxy_base_url-into-nova-class.patch
new file mode 100644
index 0000000..b3ade3a
--- /dev/null
+++ b/0019-move-setting-of-novncproxy_base_url-into-nova-class.patch
@@ -0,0 +1,179 @@
+From 4338537f87872db50d44e9b4cf82d8a4d0bcfeeb Mon Sep 17 00:00:00 2001
+From: Lars Kellogg-Stedman <lars at redhat.com>
+Date: Fri, 27 Mar 2015 22:44:57 -0400
+Subject: [PATCH] move setting of novncproxy_base_url into nova class
+
+The fixes introduced in order to resolve
+https://bugs.launchpad.net/nova/+bug/1409142 (CVE-2015-0259) make
+novncproxy_base_url relevant on hosts running the nova-novncproxy
+service, whereas previously it was only used by nova-compute to
+construct VNC console urls.
+
+This change moves the setting of the novncproxy_base_url option out of
+compute.pp and into init.pp so that it can be set correctly on any hosts
+running nova services.
+
+This change has been validated in both single- and multi-node packstack
+installs (using https://review.openstack.org/#/c/168547/).
+
+Resolves: rhbz#1204482
+Closes-bug: 1436969
+Change-Id: I7af4cf8257f2bdbc7d3cc57930fd6371571db531
+
+Conflicts:
+ nova/manifests/compute.pp
+ nova/manifests/init.pp
+---
+ nova/manifests/compute.pp | 66 ++++++++++++++---------------------------------
+ nova/manifests/init.pp | 33 ++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+), 46 deletions(-)
+
+diff --git a/nova/manifests/compute.pp b/nova/manifests/compute.pp
+index d4eb0f6..1084f09 100644
+--- a/nova/manifests/compute.pp
++++ b/nova/manifests/compute.pp
+@@ -24,22 +24,6 @@
+ # (optional) The IP address of the server running the VNC proxy client
+ # Defaults to '127.0.0.1'
+ #
+-# [*vncproxy_host*]
+-# (optional) The host of the VNC proxy server
+-# Defaults to false
+-#
+-# [*vncproxy_protocol*]
+-# (optional) The protocol to communicate with the VNC proxy server
+-# Defaults to 'http'
+-#
+-# [*vncproxy_port*]
+-# (optional) The port to communicate with the VNC proxy server
+-# Defaults to '6080'
+-#
+-# [*vncproxy_path*]
+-# (optional) The path at the end of the uri for communication with the VNC proxy server
+-# Defaults to './vnc_auto.html'
+-#
+ # [*vnc_keymap*]
+ # (optional) The keymap to use with VNC (ls -alh /usr/share/qemu/keymaps to list available keymaps)
+ # Defaults to 'en-us'
+@@ -91,26 +75,26 @@
+ # { 'vendor_id':'4321','product_id':'8765','physical_network':'default' } ] "
+ #
+ class nova::compute (
+- $enabled = false,
+- $manage_service = true,
+- $ensure_package = 'present',
+- $vnc_enabled = true,
+- $vncserver_proxyclient_address = '127.0.0.1',
+- $vncproxy_host = false,
+- $vncproxy_protocol = 'http',
+- $vncproxy_port = '6080',
+- $vncproxy_path = '/vnc_auto.html',
+- $vnc_keymap = 'en-us',
+- $force_config_drive = false,
+- $virtio_nic = false,
+- $neutron_enabled = true,
+- $network_device_mtu = undef,
+- $instance_usage_audit = false,
+- $instance_usage_audit_period = 'month',
+- $force_raw_images = true,
+- $reserved_host_memory = '512',
+- $compute_manager = 'nova.compute.manager.ComputeManager',
+- $pci_passthrough = undef,
++ $enabled = false,
++ $manage_service = true,
++ $ensure_package = 'present',
++ $vnc_enabled = true,
++ $vncserver_proxyclient_address = '127.0.0.1',
++ $vnc_keymap = 'en-us',
++ $force_config_drive = false,
++ $virtio_nic = false,
++ $neutron_enabled = true,
++ $network_device_mtu = undef,
++ $instance_usage_audit = false,
++ $instance_usage_audit_period = 'month',
++ $force_raw_images = true,
++ $reserved_host_memory = '512',
++ $compute_manager = 'nova.compute.manager.ComputeManager',
++ $default_availability_zone = 'nova',
++ $default_schedule_zone = undef,
++ $internal_service_availability_zone = 'internal',
++ $heal_instance_info_cache_interval = '60',
++ $pci_passthrough = undef,
+ ) {
+
+ include nova::params
+@@ -120,16 +104,6 @@ class nova::compute (
+ 'DEFAULT/compute_manager': value => $compute_manager;
+ }
+
+- if ($vnc_enabled) {
+- if ($vncproxy_host) {
+- $vncproxy_base_url = "${vncproxy_protocol}://${vncproxy_host}:${vncproxy_port}${vncproxy_path}"
+- # config for vnc proxy
+- nova_config {
+- 'DEFAULT/novncproxy_base_url': value => $vncproxy_base_url;
+- }
+- }
+- }
+-
+ nova_config {
+ 'DEFAULT/vnc_enabled': value => $vnc_enabled;
+ 'DEFAULT/vncserver_proxyclient_address': value => $vncserver_proxyclient_address;
+diff --git a/nova/manifests/init.pp b/nova/manifests/init.pp
+index 40c8c79..f9c31b4 100644
+--- a/nova/manifests/init.pp
++++ b/nova/manifests/init.pp
+@@ -265,6 +265,23 @@
+ # and you have multiple endpoints, you will get AmbiguousEndpoint
+ # exceptions in the nova API service.
+ # Defaults to undef
++#
++# [*vncproxy_host*]
++# (optional) The host of the VNC proxy server
++# Defaults to false
++#
++# [*vncproxy_protocol*]
++# (optional) The protocol to communicate with the VNC proxy server
++# Defaults to 'http'
++#
++# [*vncproxy_port*]
++# (optional) The port to communicate with the VNC proxy server
++# Defaults to '6080'
++#
++# [*vncproxy_path*]
++# (optional) The path at the end of the uri for communication with the VNC proxy server
++# Defaults to './vnc_auto.html'
++#
+ class nova(
+ $ensure_package = 'present',
+ $database_connection = false,
+@@ -326,6 +343,10 @@ class nova(
+ $notification_topics = 'notifications',
+ $notify_api_faults = false,
+ $notify_on_state_change = undef,
++ $vncproxy_host = false,
++ $vncproxy_protocol = 'http',
++ $vncproxy_port = '6080',
++ $vncproxy_path = '/vnc_auto.html',
+ # DEPRECATED PARAMETERS
+ $mysql_module = undef,
+ # this is how to query all resources from our clutser
+@@ -708,6 +729,18 @@ class nova(
+ }
+ }
+
++ # This is here rather than in compute.pp because of the fixes introduced
++ # for https://bugs.launchpad.net/nova/+bug/1409142, which require
++ # novncproxy_base_url to be set on hosts run nova-novncproxy as well as
++ # hosts running nova-compute.
++ if ($vncproxy_host) {
++ $vncproxy_base_url = "${vncproxy_protocol}://${vncproxy_host}:${vncproxy_port}${vncproxy_path}"
++ # config for vnc proxy
++ nova_config {
++ 'DEFAULT/novncproxy_base_url': value => $vncproxy_base_url;
++ }
++ }
++
+ exec { 'post-nova_config':
+ command => '/bin/echo "Nova config has changed"',
+ refreshonly => true,
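Review bot: The `if ($vncproxy_host)` block added to init.pp builds `novncproxy_base_url` from four unvalidated parameters and keeps `'http'` as the protocol default, even though the commit message says the CVE-2015-0259 fix makes this value relevant on nova-novncproxy hosts. If the proxy checks the browser's origin against this URL (inferred from the commit message, not visible here), a scheme or host that differs from what users actually open would break consoles, and an `http` URL carries the console token in clear text. I would add `validate_re($vncproxy_protocol, '^https?$')` ahead of the block, assuming stdlib is available to this module, and note in the `[*vncproxy_protocol*]` doc that it must match the URL browsers use. The new doc block also says `Defaults to './vnc_auto.html'` while the parameter default is `'/vnc_auto.html'`. In compute.pp the `vncproxy_*` parameters are removed from `nova::compute` with no deprecation shim, so manifests still passing them will presumably fail to compile; both class bodies run beyond the hunks shown.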
diff --git a/openstack-puppet-modules.spec b/openstack-puppet-modules.spec
index 91795f0..cc5fe61 100644
--- a/openstack-puppet-modules.spec
+++ b/openstack-puppet-modules.spec
@@ -27,6 +27,7 @@ Patch0015: 0015-Adding-portdb-and-fastpath_flood-to-n1kv.conf.patch
Patch0016: 0016-Changing-the-default-value-of-fastpath_flood-to-enab.patch
Patch0017: 0017-Make-cisco-plugin-symlink-coherent.patch
Patch0018: 0018-Add-serialproxy-configuration.patch
+Patch0019: 0019-move-setting-of-novncproxy_base_url-into-nova-class.patch
BuildArch: noarch
Requires: rubygem-json
@@ -57,6 +58,7 @@ OpenStack via installers using Puppet configuration tool.
%patch0016 -p1
%patch0017 -p1
%patch0018 -p1
+%patch0019 -p1
find %{_builddir}/%{name}-%{version}/ -type f -name ".*" -exec rm {} +
find %{_builddir}/%{name}-%{version}/ -size 0 -exec rm {} +
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/openstack-puppet-modules.git/commit/?h=f22&id=07f30981d2147201078fa92d30de6e9db168f744