packages/ceph
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!105 升级master版本为ceph16.2.7

Browse Source 
From: @wangzengliang1 
Reviewed-by: @liuqinfei 
Signed-off-by: @liuzhiqiang26
This commit is contained in:
openeuler-ci-bot 2022-05-19 06:32:54 +00:00 committed by Gitee
commit 070aa3ad0d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
15 changed files with 18611 additions and 1164 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
0001-CVE-2020-27781-1.patch
View File

@ -1,48 +0,0 @@
From 5dbc6bf0a67183bff7d7ca48ccd90ebbce492408 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90=E1=BA=B7ng=20Minh=20D=C5=A9ng?= <dungdm93@live.com>
Date: Sun, 10 May 2020 11:37:23 +0700
Subject: [PATCH 1/5] pybind/ceph_volume_client: Fix PEP-8 SyntaxWarning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Đặng Minh Dũng <dungdm93@live.com>
(cherry picked from commit 3ce9a89a5a1a2d7fa3d57c597b781a6aece7cbb5)
---
src/pybind/ceph_volume_client.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/pybind/ceph_volume_client.py b/src/pybind/ceph_volume_client.py
index 7d7e5b49e40..25cd6b91ae2 100644
--- a/src/pybind/ceph_volume_client.py
+++ b/src/pybind/ceph_volume_client.py
@@ -355,7 +355,7 @@ class CephFSVolumeClient(object):
continue
(group_id, volume_id) = volume.split('/')
- group_id = group_id if group_id is not 'None' else None
+ group_id = group_id if group_id != 'None' else None
volume_path = VolumePath(group_id, volume_id)
access_level = volume_data['access_level']
@@ -378,7 +378,7 @@ class CephFSVolumeClient(object):
if vol_meta['auths'][auth_id] == want_auth:
continue
- readonly = True if access_level is 'r' else False
+ readonly = access_level == 'r'
self._authorize_volume(volume_path, auth_id, readonly)
# Recovered from partial auth updates for the auth ID's access
@@ -1120,7 +1120,7 @@ class CephFSVolumeClient(object):
# Construct auth caps that if present might conflict with the desired
# auth caps.
- unwanted_access_level = 'r' if want_access_level is 'rw' else 'rw'
+ unwanted_access_level = 'r' if want_access_level == 'rw' else 'rw'
unwanted_mds_cap = 'allow {0} path={1}'.format(unwanted_access_level, path)
if namespace:
unwanted_osd_cap = 'allow {0} pool={1} namespace={2}'.format(
--
2.23.0

73
0001-cmake-detect-and-use-sigdescr_np-if-available.patch
View File

@ -1,73 +0,0 @@
From 9b34ba1777972808ba2af0073c967dece6c70626 Mon Sep 17 00:00:00 2001
From: David Disseldorp <ddiss@suse.de>
Date: Tue, 1 Sep 2020 13:49:21 +0200
Subject: [PATCH] cmake: detect and use sigdescr_np() if available
sys_siglist is deprecated with glibc 2.32. A new thread-safe and
async-signal safe sigdescr_np() function is provided, so use it if
available.
Fixes: https://tracker.ceph.com/issues/47187
Signed-off-by: David Disseldorp <ddiss@suse.de>
(cherry picked from commit b9b6faf66ae67648626470cb4fc3f0850ac4d842)
Conflicts:
CMakeLists.txt
cmake/modules/CephChecks.cmake
- CephChecks.cmake file does not exist in nautilus; manually cherry-picked the
change in that file to top-level CMakeLists.txt
---
CMakeLists.txt | 1 +
src/global/signal_handler.h | 8 +++++---
src/include/config-h.in.cmake | 3 +++
3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5b7a67bec60..bdeea6f9c7d 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -105,6 +105,7 @@ CHECK_FUNCTION_EXISTS(strerror_r HAVE_Strerror_R)
CHECK_FUNCTION_EXISTS(name_to_handle_at HAVE_NAME_TO_HANDLE_AT)
CHECK_FUNCTION_EXISTS(pipe2 HAVE_PIPE2)
CHECK_FUNCTION_EXISTS(accept4 HAVE_ACCEPT4)
+CHECK_FUNCTION_EXISTS(sigdescr_np HAVE_SIGDESCR_NP)
include(CMakePushCheckState)
cmake_push_check_state(RESET)
diff --git a/src/global/signal_handler.h b/src/global/signal_handler.h
index 476724201aa..c101b2e2873 100644
--- a/src/global/signal_handler.h
+++ b/src/global/signal_handler.h
@@ -20,10 +20,12 @@
typedef void (*signal_handler_t)(int);
-#ifndef HAVE_REENTRANT_STRSIGNAL
-# define sig_str(signum) sys_siglist[signum]
-#else
+#ifdef HAVE_SIGDESCR_NP
+# define sig_str(signum) sigdescr_np(signum)
+#elif HAVE_REENTRANT_STRSIGNAL
# define sig_str(signum) strsignal(signum)
+#else
+# define sig_str(signum) sys_siglist[signum]
#endif
void install_sighandler(int signum, signal_handler_t handler, int flags);
diff --git a/src/include/config-h.in.cmake b/src/include/config-h.in.cmake
index ccce8fe0017..acced696e36 100644
--- a/src/include/config-h.in.cmake
+++ b/src/include/config-h.in.cmake
@@ -235,6 +235,9 @@
/* Define to 1 if you have sched.h. */
#cmakedefine HAVE_SCHED 1
+/* Define to 1 if you have sigdescr_np. */
+#cmakedefine HAVE_SIGDESCR_NP 1
+
/* Support SSE (Streaming SIMD Extensions) instructions */
#cmakedefine HAVE_SSE
--
2.23.0

24
0001-fix-error-transform-is-not-a-member-of-std.patch Normal file
View File

@ -0,0 +1,24 @@
From f22ee023ad92b34697c743936451731c0ad4dbb6 Mon Sep 17 00:00:00 2001
From: liuqinfei <18138800392@163.com>
Date: Thu, 30 Dec 2021 09:46:33 +0800
Subject: [PATCH] fix error: 'transform' is not a member of 'std'
---
src/common/Formatter.cc | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/common/Formatter.cc b/src/common/Formatter.cc
index 362deffb5ab..4e9838e3a36 100644
--- a/src/common/Formatter.cc
+++ b/src/common/Formatter.cc
@@ -18,6 +18,7 @@
#include "common/escape.h"
#include "include/buffer.h"
+#include <algorithm>
#include <fmt/format.h>
#include <algorithm>
#include <set>
--
2.30.0

172
0002-CVE-2020-27781-2.patch
View File

@ -1,172 +0,0 @@
From ab18393db0b34506c3fd11346b6d0f1b781b9d99 Mon Sep 17 00:00:00 2001
From: Ramana Raja <rraja@redhat.com>
Date: Wed, 25 Nov 2020 16:44:35 +0530
Subject: [PATCH 2/5] pybind/ceph_volume_client: Disallow authorize auth_id
This patch disallow the ceph_volume_client to authorize the auth_id
which is not created by ceph_volume_client. Those auth_ids could be
created by other means for other use cases which should not be modified
by ceph_volume_client.
Fixes: https://tracker.ceph.com/issues/48555
Signed-off-by: Ramana Raja <rraja@redhat.com>
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 3a85d2d04028a323952a31d18cdbefb710be2e2b)
---
src/pybind/ceph_volume_client.py | 63 ++++++++++++++++++++------------
1 file changed, 39 insertions(+), 24 deletions(-)
diff --git a/src/pybind/ceph_volume_client.py b/src/pybind/ceph_volume_client.py
index 25cd6b91ae2..e2ab64ee226 100644
--- a/src/pybind/ceph_volume_client.py
+++ b/src/pybind/ceph_volume_client.py
@@ -215,6 +215,7 @@ CEPHFSVOLUMECLIENT_VERSION_HISTORY = """
* 2 - Added get_object, put_object, delete_object methods to CephFSVolumeClient
* 3 - Allow volumes to be created without RADOS namespace isolation
* 4 - Added get_object_and_version, put_object_versioned method to CephFSVolumeClient
+ * 5 - Disallow authorize API for users not created by CephFSVolumeClient
"""
@@ -238,7 +239,7 @@ class CephFSVolumeClient(object):
"""
# Current version
- version = 4
+ version = 5
# Where shall we create our volumes?
POOL_PREFIX = "fsvolume_"
@@ -379,7 +380,18 @@ class CephFSVolumeClient(object):
continue
readonly = access_level == 'r'
- self._authorize_volume(volume_path, auth_id, readonly)
+ client_entity = "client.{0}".format(auth_id)
+ try:
+ existing_caps = self._rados_command(
+ 'auth get',
+ {
+ 'entity': client_entity
+ }
+ )
+ # FIXME: rados raising Error instead of ObjectNotFound in auth get failure
+ except rados.Error:
+ existing_caps = None
+ self._authorize_volume(volume_path, auth_id, readonly, existing_caps)
# Recovered from partial auth updates for the auth ID's access
# to a volume.
@@ -975,6 +987,18 @@ class CephFSVolumeClient(object):
"""
with self._auth_lock(auth_id):
+ client_entity = "client.{0}".format(auth_id)
+ try:
+ existing_caps = self._rados_command(
+ 'auth get',
+ {
+ 'entity': client_entity
+ }
+ )
+ # FIXME: rados raising Error instead of ObjectNotFound in auth get failure
+ except rados.Error:
+ existing_caps = None
+
# Existing meta, or None, to be updated
auth_meta = self._auth_metadata_get(auth_id)
@@ -988,7 +1012,14 @@ class CephFSVolumeClient(object):
'dirty': True,
}
}
+
if auth_meta is None:
+ if existing_caps is not None:
+ msg = "auth ID: {0} exists and not created by ceph_volume_client. Not allowed to modify".format(auth_id)
+ log.error(msg)
+ raise CephFSVolumeClientError(msg)
+
+ # non-existent auth IDs
sys.stderr.write("Creating meta for ID {0} with tenant {1}\n".format(
auth_id, tenant_id
))
@@ -998,14 +1029,6 @@ class CephFSVolumeClient(object):
'tenant_id': tenant_id.__str__() if tenant_id else None,
'volumes': volume
}
-
- # Note: this is *not* guaranteeing that the key doesn't already
- # exist in Ceph: we are allowing VolumeClient tenants to
- # 'claim' existing Ceph keys. In order to prevent VolumeClient
- # tenants from reading e.g. client.admin keys, you need to
- # have configured your VolumeClient user (e.g. Manila) to
- # have mon auth caps that prevent it from accessing those keys
- # (e.g. limit it to only access keys with a manila.* prefix)
else:
# Disallow tenants to share auth IDs
if auth_meta['tenant_id'].__str__() != tenant_id.__str__():
@@ -1025,7 +1048,7 @@ class CephFSVolumeClient(object):
self._auth_metadata_set(auth_id, auth_meta)
with self._volume_lock(volume_path):
- key = self._authorize_volume(volume_path, auth_id, readonly)
+ key = self._authorize_volume(volume_path, auth_id, readonly, existing_caps)
auth_meta['dirty'] = False
auth_meta['volumes'][volume_path_str]['dirty'] = False
@@ -1042,7 +1065,7 @@ class CephFSVolumeClient(object):
'auth_key': None
}
- def _authorize_volume(self, volume_path, auth_id, readonly):
+ def _authorize_volume(self, volume_path, auth_id, readonly, existing_caps):
vol_meta = self._volume_metadata_get(volume_path)
access_level = 'r' if readonly else 'rw'
@@ -1061,14 +1084,14 @@ class CephFSVolumeClient(object):
vol_meta['auths'].update(auth)
self._volume_metadata_set(volume_path, vol_meta)
- key = self._authorize_ceph(volume_path, auth_id, readonly)
+ key = self._authorize_ceph(volume_path, auth_id, readonly, existing_caps)
vol_meta['auths'][auth_id]['dirty'] = False
self._volume_metadata_set(volume_path, vol_meta)
return key
- def _authorize_ceph(self, volume_path, auth_id, readonly):
+ def _authorize_ceph(self, volume_path, auth_id, readonly, existing_caps):
path = self._get_path(volume_path)
log.debug("Authorizing Ceph id '{0}' for path '{1}'".format(
auth_id, path
@@ -1096,15 +1119,7 @@ class CephFSVolumeClient(object):
want_osd_cap = 'allow {0} pool={1}'.format(want_access_level,
pool_name)
- try:
- existing = self._rados_command(
- 'auth get',
- {
- 'entity': client_entity
- }
- )
- # FIXME: rados raising Error instead of ObjectNotFound in auth get failure
- except rados.Error:
+ if existing_caps is None:
caps = self._rados_command(
'auth get-or-create',
{
@@ -1116,7 +1131,7 @@ class CephFSVolumeClient(object):
})
else:
# entity exists, update it
- cap = existing[0]
+ cap = existing_caps[0]
# Construct auth caps that if present might conflict with the desired
# auth caps.
--
2.23.0

25
0002-enable-install-deps-in-openEuler.patch Normal file
View File

@ -0,0 +1,25 @@
From 73d7c0e9c106d6a6aeda0491a426e8f458e0cb13 Mon Sep 17 00:00:00 2001
From: liuqinfei <18138800392@163.com>
Date: Thu, 30 Dec 2021 11:48:33 +0800
Subject: [PATCH 2/2] enable install deps in openEuler
---
install-deps.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install-deps.sh b/install-deps.sh
index 3ba5e47ff58..b35013607e4 100755
--- a/install-deps.sh
+++ b/install-deps.sh
@@ -337,7 +337,7 @@ else
$SUDO env DEBIAN_FRONTEND=noninteractive apt-get -y remove ceph-build-deps
if [ "$control" != "debian/control" ] ; then rm $control; fi
;;
- centos|fedora|rhel|ol|virtuozzo)
+ centos|fedora|rhel|ol|virtuozzo|openEuler)
builddepcmd="dnf -y builddep --allowerasing"
echo "Using dnf to install dependencies"
case "$ID" in
--
2.30.0

113
0003-CVE-2020-27781-3.patch
View File

@ -1,113 +0,0 @@
From 621fea6fda4f06876295f67d4767914332ff82d3 Mon Sep 17 00:00:00 2001
From: Kotresh HR <khiremat@redhat.com>
Date: Thu, 26 Nov 2020 14:48:16 +0530
Subject: [PATCH 3/5] pybind/ceph_volume_client: Preserve existing caps while
authorize/deauthorize auth-id
Authorize/Deauthorize used to overwrite the caps of auth-id which would
end up deleting existing caps. This patch fixes the same by retaining
the existing caps by appending or deleting the new caps as needed.
Fixes: https://tracker.ceph.com/issues/48555
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 47100e528ef77e7e82dc9877424243dc6a7e7533)
---
src/pybind/ceph_volume_client.py | 43 ++++++++++++++++++++++----------
1 file changed, 30 insertions(+), 13 deletions(-)
diff --git a/src/pybind/ceph_volume_client.py b/src/pybind/ceph_volume_client.py
index e2ab64ee226..ca1f361d03c 100644
--- a/src/pybind/ceph_volume_client.py
+++ b/src/pybind/ceph_volume_client.py
@@ -973,6 +973,26 @@ class CephFSVolumeClient(object):
data['version'] = self.version
return self._metadata_set(self._volume_metadata_path(volume_path), data)
+ def _prepare_updated_caps_list(self, existing_caps, mds_cap_str, osd_cap_str, authorize=True):
+ caps_list = []
+ for k, v in existing_caps['caps'].items():
+ if k == 'mds' or k == 'osd':
+ continue
+ elif k == 'mon':
+ if not authorize and v == 'allow r':
+ continue
+ caps_list.extend((k,v))
+
+ if mds_cap_str:
+ caps_list.extend(('mds', mds_cap_str))
+ if osd_cap_str:
+ caps_list.extend(('osd', osd_cap_str))
+
+ if authorize and 'mon' not in caps_list:
+ caps_list.extend(('mon', 'allow r'))
+
+ return caps_list
+
def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None):
"""
Get-or-create a Ceph auth identity for `auth_id` and grant them access
@@ -1151,8 +1171,8 @@ class CephFSVolumeClient(object):
if not orig_mds_caps:
return want_mds_cap, want_osd_cap
- mds_cap_tokens = orig_mds_caps.split(",")
- osd_cap_tokens = orig_osd_caps.split(",")
+ mds_cap_tokens = [x.strip() for x in orig_mds_caps.split(",")]
+ osd_cap_tokens = [x.strip() for x in orig_osd_caps.split(",")]
if want_mds_cap in mds_cap_tokens:
return orig_mds_caps, orig_osd_caps
@@ -1173,15 +1193,14 @@ class CephFSVolumeClient(object):
orig_mds_caps, orig_osd_caps, want_mds_cap, want_osd_cap,
unwanted_mds_cap, unwanted_osd_cap)
+ caps_list = self._prepare_updated_caps_list(cap, mds_cap_str, osd_cap_str)
caps = self._rados_command(
'auth caps',
{
'entity': client_entity,
- 'caps': [
- 'mds', mds_cap_str,
- 'osd', osd_cap_str,
- 'mon', cap['caps'].get('mon', 'allow r')]
+ 'caps': caps_list
})
+
caps = self._rados_command(
'auth get',
{
@@ -1306,8 +1325,8 @@ class CephFSVolumeClient(object):
)
def cap_remove(orig_mds_caps, orig_osd_caps, want_mds_caps, want_osd_caps):
- mds_cap_tokens = orig_mds_caps.split(",")
- osd_cap_tokens = orig_osd_caps.split(",")
+ mds_cap_tokens = [x.strip() for x in orig_mds_caps.split(",")]
+ osd_cap_tokens = [x.strip() for x in orig_osd_caps.split(",")]
for want_mds_cap, want_osd_cap in zip(want_mds_caps, want_osd_caps):
if want_mds_cap in mds_cap_tokens:
@@ -1323,17 +1342,15 @@ class CephFSVolumeClient(object):
mds_cap_str, osd_cap_str = cap_remove(orig_mds_caps, orig_osd_caps,
want_mds_caps, want_osd_caps)
- if not mds_cap_str:
+ caps_list = self._prepare_updated_caps_list(cap, mds_cap_str, osd_cap_str, authorize=False)
+ if not caps_list:
self._rados_command('auth del', {'entity': client_entity}, decode=False)
else:
self._rados_command(
'auth caps',
{
'entity': client_entity,
- 'caps': [
- 'mds', mds_cap_str,
- 'osd', osd_cap_str,
- 'mon', cap['caps'].get('mon', 'allow r')]
+ 'caps': caps_list
})
# FIXME: rados raising Error instead of ObjectNotFound in auth get failure
--
2.23.0

17749
0003-isa-l-update.patch Normal file
View File

File diff suppressed because it is too large Load Diff

52
0004-CVE-2020-27781-4.patch
View File

@ -1,52 +0,0 @@
From 6410f3dd63890f251414377de93cd51bfc372230 Mon Sep 17 00:00:00 2001
From: Kotresh HR <khiremat@redhat.com>
Date: Sun, 6 Dec 2020 12:40:20 +0530
Subject: [PATCH 4/5] pybind/ceph_volume_client: Optionally authorize existing
auth-ids
Optionally allow authorizing auth-ids not created by ceph_volume_client
via the option 'allow_existing_id'. This can help existing deployers
of manila to disallow/allow authorization of pre-created auth IDs
via a manila driver config that sets 'allow_existing_id' to False/True.
Fixes: https://tracker.ceph.com/issues/48555
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 77b42496e25cbd4af2e80a064ddf26221b53733f)
---
src/pybind/ceph_volume_client.py | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/pybind/ceph_volume_client.py b/src/pybind/ceph_volume_client.py
index ca1f361d03c..feeb495de00 100644
--- a/src/pybind/ceph_volume_client.py
+++ b/src/pybind/ceph_volume_client.py
@@ -993,7 +993,7 @@ class CephFSVolumeClient(object):
return caps_list
- def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None):
+ def authorize(self, volume_path, auth_id, readonly=False, tenant_id=None, allow_existing_id=False):
"""
Get-or-create a Ceph auth identity for `auth_id` and grant them access
to
@@ -1003,6 +1003,8 @@ class CephFSVolumeClient(object):
:param tenant_id: Optionally provide a stringizable object to
restrict any created cephx IDs to other callers
passing the same tenant ID.
+ :allow_existing_id: Optionally authorize existing auth-ids not
+ created by ceph_volume_client
:return:
"""
@@ -1034,7 +1036,7 @@ class CephFSVolumeClient(object):
}
if auth_meta is None:
- if existing_caps is not None:
+ if not allow_existing_id and existing_caps is not None:
msg = "auth ID: {0} exists and not created by ceph_volume_client. Not allowed to modify".format(auth_id)
log.error(msg)
raise CephFSVolumeClientError(msg)
--
2.23.0

57
0004-cmake-add-support-python-3.10.patch Normal file
View File

@ -0,0 +1,57 @@
From a13d33c47c0e713429f7cfbd6106a497838f6396 Mon Sep 17 00:00:00 2001
From: wangzengliang <wangzengliang1@huawei.com>
Date: Fri, 8 Apr 2022 11:35:38 +0800
Subject: [PATCH] cmake: add support python 3.10
---
cmake/modules/BuildBoost.cmake | 2 +-
cmake/modules/FindPython/Support.cmake | 2 +-
src/boost/libs/python/src/exec.cpp | 4 ++--
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/cmake/modules/BuildBoost.cmake b/cmake/modules/BuildBoost.cmake
index 468ae419c..320c2dcd5 100644
--- a/cmake/modules/BuildBoost.cmake
+++ b/cmake/modules/BuildBoost.cmake
@@ -70,7 +70,7 @@ function(do_build_boost version)
if(c MATCHES "^python([0-9])\$")
set(with_python_version "${CMAKE_MATCH_1}")
list(APPEND boost_with_libs "python")
- elseif(c MATCHES "^python([0-9])\\.?([0-9])\$")
+ elseif(c MATCHES "^python([0-9])\\.?([0-9]+)\$")
set(with_python_version "${CMAKE_MATCH_1}.${CMAKE_MATCH_2}")
list(APPEND boost_with_libs "python")
else()
diff --git a/cmake/modules/FindPython/Support.cmake b/cmake/modules/FindPython/Support.cmake
index c05bbe330..fb362bfe2 100644
--- a/cmake/modules/FindPython/Support.cmake
+++ b/cmake/modules/FindPython/Support.cmake
@@ -17,7 +17,7 @@ if (NOT DEFINED _${_PYTHON_PREFIX}_REQUIRED_VERSION_MAJOR)
message (FATAL_ERROR "FindPython: INTERNAL ERROR")
endif()
if (_${_PYTHON_PREFIX}_REQUIRED_VERSION_MAJOR EQUAL 3)
- set(_${_PYTHON_PREFIX}_VERSIONS 3.9 3.8 3.7 3.6 3.5 3.4 3.3 3.2 3.1 3.0)
+ set(_${_PYTHON_PREFIX}_VERSIONS 3.10 3.9 3.8 3.7 3.6 3.5 3.4 3.3 3.2 3.1 3.0)
elseif (_${_PYTHON_PREFIX}_REQUIRED_VERSION_MAJOR EQUAL 2)
set(_${_PYTHON_PREFIX}_VERSIONS 2.7 2.6 2.5 2.4 2.3 2.2 2.1 2.0)
else()
diff --git a/src/boost/libs/python/src/exec.cpp b/src/boost/libs/python/src/exec.cpp
index 171c6f418..caa7d0864 100644
--- a/src/boost/libs/python/src/exec.cpp
+++ b/src/boost/libs/python/src/exec.cpp
@@ -106,10 +106,10 @@ object BOOST_PYTHON_DECL exec_file(char const *filename, object global, object l
char *f = const_cast<char *>(filename);
// Let python open the file to avoid potential binary incompatibilities.
#if PY_VERSION_HEX >= 0x03040000
- FILE *fs = _Py_fopen(f, "r");
+ FILE *fs = fopen(f, "r");
#elif PY_VERSION_HEX >= 0x03000000
PyObject *fo = Py_BuildValue("s", f);
- FILE *fs = _Py_fopen(fo, "r");
+ FILE *fs = fopen(fo, "r");
Py_DECREF(fo);
#else
PyObject *pyfile = PyFile_FromString(f, const_cast<char*>("r"));
--
2.30.0

275
0005-CVE-2020-27781-5.patch
View File

@ -1,275 +0,0 @@
From a18b92d39f5d4714e9a79c3c4a55049daec65290 Mon Sep 17 00:00:00 2001
From: Kotresh HR <khiremat@redhat.com>
Date: Tue, 1 Dec 2020 16:14:17 +0530
Subject: [PATCH 5/5] tasks/cephfs/test_volume_client: Add tests for
authorize/deauthorize
1. Add testcase for authorizing auth_id which is not added by
ceph_volume_client
2. Add testcase to test 'allow_existing_id' option
3. Add testcase for deauthorizing auth_id which has got it's caps
updated out of band
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit aa4beb3d993649a696af95cf27150cc460baaf70)
Conflicts:
qa/tasks/cephfs/test_volume_client.py
---
qa/tasks/cephfs/test_volume_client.py | 213 +++++++++++++++++++++++++-
1 file changed, 209 insertions(+), 4 deletions(-)
diff --git a/qa/tasks/cephfs/test_volume_client.py b/qa/tasks/cephfs/test_volume_client.py
index 0f205ecec6e..1c37b37a0b0 100644
--- a/qa/tasks/cephfs/test_volume_client.py
+++ b/qa/tasks/cephfs/test_volume_client.py
@@ -58,7 +58,7 @@ vc.disconnect()
def _configure_guest_auth(self, volumeclient_mount, guest_mount,
guest_entity, mount_path,
namespace_prefix=None, readonly=False,
- tenant_id=None):
+ tenant_id=None, allow_existing_id=False):
"""
Set up auth credentials for the guest client to mount a volume.
@@ -83,14 +83,16 @@ vc.disconnect()
key = self._volume_client_python(volumeclient_mount, dedent("""
vp = VolumePath("{group_id}", "{volume_id}")
auth_result = vc.authorize(vp, "{guest_entity}", readonly={readonly},
- tenant_id="{tenant_id}")
+ tenant_id="{tenant_id}",
+ allow_existing_id="{allow_existing_id}")
print(auth_result['auth_key'])
""".format(
group_id=group_id,
volume_id=volume_id,
guest_entity=guest_entity,
readonly=readonly,
- tenant_id=tenant_id)), volume_prefix, namespace_prefix
+ tenant_id=tenant_id,
+ allow_existing_id=allow_existing_id)), volume_prefix, namespace_prefix
)
# CephFSVolumeClient's authorize() does not return the secret
@@ -858,6 +860,209 @@ vc.disconnect()
)))
self.assertNotIn(vol_metadata_filename, self.mounts[0].ls("volumes"))
+ def test_authorize_auth_id_not_created_by_ceph_volume_client(self):
+ """
+ If the auth_id already exists and is not created by
+ ceph_volume_client, it's not allowed to authorize
+ the auth-id by default.
+ """
+ volumeclient_mount = self.mounts[1]
+ volumeclient_mount.umount_wait()
+
+ # Configure volumeclient_mount as the handle for driving volumeclient.
+ self._configure_vc_auth(volumeclient_mount, "manila")
+
+ group_id = "groupid"
+ volume_id = "volumeid"
+
+ # Create auth_id
+ out = self.fs.mon_manager.raw_cluster_cmd(
+ "auth", "get-or-create", "client.guest1",
+ "mds", "allow *",
+ "osd", "allow rw",
+ "mon", "allow *"
+ )
+
+ auth_id = "guest1"
+ guestclient_1 = {
+ "auth_id": auth_id,
+ "tenant_id": "tenant1",
+ }
+
+ # Create a volume.
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.create_volume(vp, 1024*1024*10)
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ )))
+
+ # Cannot authorize 'guestclient_1' to access the volume.
+ # It uses auth ID 'guest1', which already exists and not
+ # created by ceph_volume_client
+ with self.assertRaises(CommandFailedError):
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.authorize(vp, "{auth_id}", tenant_id="{tenant_id}")
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ auth_id=guestclient_1["auth_id"],
+ tenant_id=guestclient_1["tenant_id"]
+ )))
+
+ # Delete volume
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.delete_volume(vp)
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ )))
+
+ def test_authorize_allow_existing_id_option(self):
+ """
+ If the auth_id already exists and is not created by
+ ceph_volume_client, it's not allowed to authorize
+ the auth-id by default but is allowed with option
+ allow_existing_id.
+ """
+ volumeclient_mount = self.mounts[1]
+ volumeclient_mount.umount_wait()
+
+ # Configure volumeclient_mount as the handle for driving volumeclient.
+ self._configure_vc_auth(volumeclient_mount, "manila")
+
+ group_id = "groupid"
+ volume_id = "volumeid"
+
+ # Create auth_id
+ out = self.fs.mon_manager.raw_cluster_cmd(
+ "auth", "get-or-create", "client.guest1",
+ "mds", "allow *",
+ "osd", "allow rw",
+ "mon", "allow *"
+ )
+
+ auth_id = "guest1"
+ guestclient_1 = {
+ "auth_id": auth_id,
+ "tenant_id": "tenant1",
+ }
+
+ # Create a volume.
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.create_volume(vp, 1024*1024*10)
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ )))
+
+ # Cannot authorize 'guestclient_1' to access the volume
+ # by default, which already exists and not created by
+ # ceph_volume_client but is allowed with option 'allow_existing_id'.
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.authorize(vp, "{auth_id}", tenant_id="{tenant_id}",
+ allow_existing_id="{allow_existing_id}")
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ auth_id=guestclient_1["auth_id"],
+ tenant_id=guestclient_1["tenant_id"],
+ allow_existing_id=True
+ )))
+
+ # Delete volume
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.delete_volume(vp)
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ )))
+
+ def test_deauthorize_auth_id_after_out_of_band_update(self):
+ """
+ If the auth_id authorized by ceph_volume_client is updated
+ out of band, the auth_id should not be deleted after a
+ deauthorize. It should only remove caps associated it.
+ """
+ volumeclient_mount = self.mounts[1]
+ volumeclient_mount.umount_wait()
+
+ # Configure volumeclient_mount as the handle for driving volumeclient.
+ self._configure_vc_auth(volumeclient_mount, "manila")
+
+ group_id = "groupid"
+ volume_id = "volumeid"
+
+
+ auth_id = "guest1"
+ guestclient_1 = {
+ "auth_id": auth_id,
+ "tenant_id": "tenant1",
+ }
+
+ # Create a volume.
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.create_volume(vp, 1024*1024*10)
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ )))
+
+ # Authorize 'guestclient_1' to access the volume.
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.authorize(vp, "{auth_id}", tenant_id="{tenant_id}")
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ auth_id=guestclient_1["auth_id"],
+ tenant_id=guestclient_1["tenant_id"]
+ )))
+
+ # Update caps for guestclient_1 out of band
+ out = self.fs.mon_manager.raw_cluster_cmd(
+ "auth", "caps", "client.guest1",
+ "mds", "allow rw path=/volumes/groupid, allow rw path=/volumes/groupid/volumeid",
+ "osd", "allow rw pool=cephfs_data namespace=fsvolumens_volumeid",
+ "mon", "allow r",
+ "mgr", "allow *"
+ )
+
+ # Deauthorize guestclient_1
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.deauthorize(vp, "{guest_entity}")
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ guest_entity=guestclient_1["auth_id"]
+ )))
+
+ # Validate the caps of guestclient_1 after deauthorize. It should not have deleted
+ # guestclient_1. The mgr and mds caps should be present which was updated out of band.
+ out = json.loads(self.fs.mon_manager.raw_cluster_cmd("auth", "get", "client.guest1", "--format=json-pretty"))
+
+ self.assertEqual("client.guest1", out[0]["entity"])
+ self.assertEqual("allow rw path=/volumes/groupid", out[0]["caps"]["mds"])
+ self.assertEqual("allow *", out[0]["caps"]["mgr"])
+ self.assertNotIn("osd", out[0]["caps"])
+
+ # Delete volume
+ self._volume_client_python(volumeclient_mount, dedent("""
+ vp = VolumePath("{group_id}", "{volume_id}")
+ vc.delete_volume(vp)
+ """.format(
+ group_id=group_id,
+ volume_id=volume_id,
+ )))
+
def test_recover_metadata(self):
"""
That volume client can recover from partial auth updates using
@@ -1078,7 +1283,7 @@ vc.disconnect()
guest_mount.umount_wait()
# Set auth caps for the auth ID using the volumeclient
- self._configure_guest_auth(vc_mount, guest_mount, guest_id, mount_path)
+ self._configure_guest_auth(vc_mount, guest_mount, guest_id, mount_path, allow_existing_id=True)
# Mount the volume in the guest using the auth ID to assert that the
# auth caps are valid
--
2.23.0

36
0006-CVE-2021-3524-1.patch
View File

@ -1,36 +0,0 @@
From 763aebb94678018f89427137ffbc0c5205b1edc1 Mon Sep 17 00:00:00 2001
From: Casey Bodley <cbodley@redhat.com>
Date: Tue, 4 May 2021 08:32:58 -0400
Subject: [PATCH] rgw: sanitize \r in s3 CORSConfiguration's ExposeHeader
follows up on 1524d3c0c5cb11775313ea1e2bb36a93257947f2 to escape \r as
well
Fixes: CVE-2021-3524
Reported-by: Sergey Bobrov <Sergey.Bobrov@kaspersky.com>
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 87806f48e7a1b8891eb90711f1cedd26f1119aac)
---
src/rgw/rgw_cors.cc | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/rgw/rgw_cors.cc b/src/rgw/rgw_cors.cc
index 0b3e4f39455..bfe83d6420e 100644
--- a/src/rgw/rgw_cors.cc
+++ b/src/rgw/rgw_cors.cc
@@ -148,8 +148,9 @@ void RGWCORSRule::format_exp_headers(string& s) {
if (s.length() > 0)
s.append(",");
// these values are sent to clients in a 'Access-Control-Expose-Headers'
- // response header, so we escape '\n' to avoid header injection
- boost::replace_all_copy(std::back_inserter(s), header, "\n", "\\n");
+ // response header, so we escape '\n' and '\r' to avoid header injection
+ std::string tmp = boost::replace_all_copy(header, "\n", "\\n");
+ boost::replace_all_copy(std::back_inserter(s), tmp, "\r", "\\r");
}
}
--
2.23.0

29
0007-fix-build-error-PTHREAD_STACK_MIN.patch
View File

@ -1,29 +0,0 @@
From 4655a4fad848d2d844c19e375d34e0bf3a6228dc Mon Sep 17 00:00:00 2001
From: markeryang <yanglongkang@huawei.com>
Date: Fri, 13 Aug 2021 18:33:22 +0800
Subject: [PATCH] fix error PTHREAD_STACK_MIN
Signed-off-by: markeryang <yanglongkang@huawei.com>
Signed-off-by: lxk <lixiaokeng@huawei.com>
---
src/boost/boost/thread/pthread/thread_data.hpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/boost/boost/thread/pthread/thread_data.hpp b/src/boost/boost/thread/pthread/thread_data.hpp
index aefbeb43..9e459b1f 100644
--- a/src/boost/boost/thread/pthread/thread_data.hpp
+++ b/src/boost/boost/thread/pthread/thread_data.hpp
@@ -57,8 +57,9 @@ namespace boost
#else
std::size_t page_size = ::sysconf( _SC_PAGESIZE);
#endif
-#if PTHREAD_STACK_MIN > 0
- if (size<PTHREAD_STACK_MIN) size=PTHREAD_STACK_MIN;
+#ifdef PTHREAD_STACK_MIN
+ if (PTHREAD_STACK_MIN > 0 && size < (std::size_t)PTHREAD_STACK_MIN)
+ size = (std::size_t)PTHREAD_STACK_MIN;
#endif
size = ((size+page_size-1)/page_size)*page_size;
int res = pthread_attr_setstacksize(&val_, size);
--
2.23.0

62
0008-common-crc32c_aarch64-fix-crc32c-unittest-failed-on-.patch
View File

@ -1,62 +0,0 @@
From 06ca2eba72fa5c23602f45dfeb770c62d1f20a76 Mon Sep 17 00:00:00 2001
From: luo rixin <luorixin@huawei.com>
Date: Wed, 19 May 2021 10:27:18 +0800
Subject: [PATCH] common/crc32c_aarch64: fix crc32c unittest failed on aarch64
On centos 8.2 for aarch64 with gcc 8.3, the complier will use
register v0 conflicting with the register v0 be usded in inline
asm code. Adding the related registers into clobber list to inform
complier avoiding the confict.
Fixes: https://tracker.ceph.com/issues/50835
Signed-off-by: luo rixin <luorixin@huawei.com>
---
src/common/crc32c_aarch64.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/common/crc32c_aarch64.c b/src/common/crc32c_aarch64.c
index d15736a0cd..99e5883994 100644
--- a/src/common/crc32c_aarch64.c
+++ b/src/common/crc32c_aarch64.c
@@ -147,7 +147,7 @@ uint32_t ceph_crc32c_aarch64(uint32_t crc, unsigned char const *buffer, unsigned
"mov x16, #0x8014 \n\t"
"movk x16, #0x8f15, lsl 16 \n\t"
"mov v0.2d[0], x16 \n\t"
- :::"x16");
+ :::"x16","v0","v1");
while ((length -= 1024) >= 0) {
PREF1KL2(1024*3);
@@ -178,7 +178,8 @@ uint32_t ceph_crc32c_aarch64(uint32_t crc, unsigned char const *buffer, unsigned
"crc32cx %w[c0], wzr, %x[c0] \n\t"
"eor %w[c], %w[c], %w[c0] \n\t"
:[c1]"+r"(crc1), [c0]"+r"(crc0), [c2]"+r"(crc2), [c]"+r"(crc)
- :[v]"r"(*((const uint64_t *)buffer)));
+ :[v]"r"(*((const uint64_t *)buffer))
+ :"v0","v1","v2","v3");
buffer += sizeof(uint64_t);
}
#endif /* HAVE_ARMV8_CRC_CRYPTO_INTRINSICS */
@@ -229,7 +230,7 @@ uint32_t ceph_crc32c_aarch64(uint32_t crc, unsigned char const *buffer, unsigned
__asm__("mov x16, #0xf38a \n\t"
"movk x16, #0xe417, lsl 16 \n\t"
"mov v1.2d[0], x16 \n\t"
- :::"x16");
+ :::"x16","v1");
while ((length -= 1024) >= 0) {
__asm__("crc32cx %w[c0], %w[c], xzr\n\t"
@@ -247,7 +248,8 @@ uint32_t ceph_crc32c_aarch64(uint32_t crc, unsigned char const *buffer, unsigned
"mov %x[c0], v3.2d[0] \n\t"
"crc32cx %w[c], wzr, %x[c0] \n\t"
:[c]"=r"(crc)
- :[c0]"r"(crc0));
+ :[c0]"r"(crc0)
+ :"v1","v3");
}
#endif /* HAVE_ARMV8_CRC_CRYPTO_INTRINSICS */
--
2.24.4

BIN
ceph-14.2.15.tar.gz → ceph-16.2.7.tar.gz
View File

Binary file not shown.

1060
ceph.spec
View File

File diff suppressed because it is too large Load Diff