Now the latest JSON-format result file includes several items
in the set data["scannedCves"][cve_id]["cveContents"]["nvd"], so
the original usage is no longer available to filter CVE info.
So it's time to drop the exception that is raised on the condition
that the length is greater than 1; it would otherwise fail by throwing
the exception. We are going to use the condition 'source=nvd@nist.gov'
to get the accurate CVE information instead.
Another update is to expand the function find_lp_assigned by
adding a new condition to find the CVE ID in the description section
of the LP page. As the length of the title is limited, if one page is
used to track many CVE issues, the length may not be enough to
record all CVE ID items.
Closes-Bug: 2059996
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ia7dfee5db53baaa82a8e6dd9d5dde8a31da5bcc2
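The two behaviours this commit describes, selecting the nvd@nist.gov entry from a list-valued "nvd" set instead of asserting its length, and searching an LP bug's description as well as its title for CVE IDs, as an added Python illustration. This is not the project's own code: the report sample is constructed in the shape named above, every key other than scannedCves/cveContents/nvd/source is an assumption, and lp_bugs_tracking() is a stand-in for the real find_lp_assigned, not a copy of it.

```python
import re

# Constructed sample in the shape the commit describes: cveContents["nvd"] is a
# list and only the entry whose "source" is nvd@nist.gov carries the NVD record.
# Keys other than scannedCves/cveContents/nvd/source are assumptions.
SAMPLE_REPORT = {
    "scannedCves": {
        "CVE-2023-48733": {
            "cveContents": {
                "nvd": [
                    {"source": "nvd@nist.gov", "summary": "constructed NVD summary", "cvss3Score": 6.7},
                    {"source": "cna@example.invalid", "summary": "constructed CNA summary", "cvss3Score": 0.0},
                ]
            }
        }
    }
}

NVD_SOURCE = "nvd@nist.gov"
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def nvd_entries(report, cve_id):
    """Return the NVD entries for cve_id as a list; the old single-dict shape is wrapped."""
    contents = report["scannedCves"][cve_id]["cveContents"].get("nvd", [])
    return [contents] if isinstance(contents, dict) else list(contents)


def nvd_record(report, cve_id, source=NVD_SOURCE):
    """Pick the entry tagged with the wanted source instead of requiring len() == 1."""
    matches = [c for c in nvd_entries(report, cve_id) if c.get("source") == source]
    if not matches:
        raise LookupError(f"{cve_id}: no nvd entry with source={source}")
    if len(matches) > 1:
        raise LookupError(f"{cve_id}: {len(matches)} nvd entries claim source={source}")
    return matches[0]


def lp_cve_ids(title, description):
    """CVE IDs tracked by an LP bug: the description is searched too, since titles are length-limited."""
    return sorted({m.upper() for m in CVE_RE.findall(f"{title}\n{description}")})


def lp_bugs_tracking(cve_id, bugs):
    """Bug numbers whose title or description mentions cve_id; bugs is an iterable of (id, title, description)."""
    wanted = cve_id.upper()
    return [bug_id for bug_id, title, desc in bugs if wanted in lp_cve_ids(title, desc)]


if __name__ == "__main__":
    print(nvd_record(SAMPLE_REPORT, "CVE-2023-48733")["cvss3Score"])
    bugs = [(1, "CVE-2023-48733: ovmf", "also covers cve-2023-45866"), (2, "Unrelated", "nothing here")]
    print(lp_bugs_tracking("CVE-2023-45866", bugs))
```

nvd_record() still fails loudly, but on the condition that actually matters (no entry, or more than one entry, from nvd@nist.gov) rather than on the mere presence of other sources in the list.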
Add the tabulate module; this is required by [1]
Story: 2010676
Task: 49849
[1] https://review.opendev.org/c/starlingx/update/+/914929
Change-Id: Ia388bd2aed6c62a167b05d8e7d6c1d1d6dae948a
Signed-off-by: Bin Qian <bin.qian@windriver.com>
LAT docker file downloads the installer from a hard-coded URL that
points to https://mirror.starlingx.windriver.com. Allow users to
override this location by defining STX_MIRROR_URL in the host
environment. By default, guess the mirror location from stx.conf.
TESTS
==========================
* Rebuild LAT container and make sure it uses the mirror URL from
stx.conf
* Set STX_MIRROR_URL prior to calling stx-init-env and make sure it
gets picked up by the docker file
Story: 2010055
Task: 49883
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: Id8ea88407f74003db934337efd574451658633d8
Remove python3-zmq package from base-bullseye.lst. The python3-zmq
package has been patched and is now built from source.
Test Plan:
PASS: Build pyzmq package
PASS: Build ISO
Related-Bug: 2060867
Depends-On: https://review.opendev.org/c/starlingx/integ/+/915443
Change-Id: I1cec7e65ba36ca74145c3555ed75fed0dbd70a3f
Signed-off-by: Alyson Deives Pereira <alyson.deivespereira@windriver.com>
Upgrade openssl related packages from 1.1.1n-0+deb11u5 to
1.1.1w-0+deb11u1 in order to fix the misleading error message when
loading qatengine.
Refer to:
https://github.com/openssl/openssl/issues/17962
TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: /usr/bin/openssl engine -t -c qatengine
Closes-bug: 2055247
Change-Id: I5dd6b13bd77fa61b6ec560193e6dd93fef6183e6
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
librte 20.11.6-1~deb11u1 is no longer available at the given url.
This update substitutes a valid url for librte 20.11.6-1~deb11u1.
Closes-Bug: 2056062
Change-Id: I6f13747bed5f3d365ae2e22790b067d899c770b6
Signed-off-by: Scott Little <scott.little@windriver.com>
tzdata expires every 6-12 months.
Update to the latest tzdata, valid until Dec 2024
Partial-bug: 2054466
Change-Id: Ie85112c3cd7bfa9fb29f738f88875f82a72e5b15
Signed-off-by: Scott Little <scott.little@windriver.com>
Upgrade package ovmf from 2020.11-2+deb11u1 to 2020.11-2+deb11u2 in
order to fix the CVE issue CVE-2023-48733.
Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2023-48733
https://security-tracker.debian.org/tracker/DSA-5624-1
TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation
Closes-Bug: 2054273
Change-Id: I42937791da7c25b59ae4cf2f945bdd4b6d57ade3
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
Aptly repos are signed with a GPG key embedded in environment
containers. That key expired today (2024-02-23).
Replace key with a new one that does not expire at all.
Partial-Bug: 2054862
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I41a5c7a785a23eb8c9546e99865ecf62faaf506a
Don't use --wait with helm uninstall because it requires helm >= 3.7,
and even in those versions doesn't work correctly.
Story: 2011038
Task: 49549
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I4f3be32bf4ce84e1670e7884fc09c3ddac00b85a
The ndisc6 package has useful diagnostic tools for IPv6 networks. It is
being added to allow for duplicate address and gateway reachability
detection by the scripts from the ifupdown-extra package.
The ifupdown package is being removed from the list because it's being
added via the integ project instead, to allow for patches.
Test Plan
[PASS] downloader
[PASS] build-pkgs --clean --all
[PASS] build-image
[PASS] Run full build, system install, bootstrap and unlock SX system
[PASS] Run command "dpkg --list | grep ndisc6"
[PASS] Run command "ndisc6 --help"
[PASS] Run command "dpkg --list | grep ifupdown"
[PASS] Run command "ifup --help"
Depends-On: https://review.opendev.org/c/starlingx/integ/+/908172
Closes-Bug: #2052534
Change-Id: I9dd38bbd1f89e266e0b55ffde9865f94a641c8ff
Signed-off-by: Lucas Ratusznei Fonseca <lucas.ratuszneifonseca@windriver.com>
Make sure aptly & builder containers catch and handle SIGTERM. Otherwise
"stx stop" sends the signal, 2 out of 6 containers ignore it, then
docker waits for ~15 seconds and SIGKILL's them.
* stx-builder.Dockerfile: change default image command from plain "bash"
to "tini" that starts "sleep infinity". Tini catches and broadcasts
signals to its own children (sleep), enabling graceful shutdown to
work
* aptly: replace the call to "supervisord" with "exec supervisord", to make
sure it runs as PID 1 and actually receives signals from docker.
* stx_control.py: slightly reduce loop sleep time in "stx control stop"
TESTS
==================
* Retest "stx control start --wait"
* Make sure builder's entry point executes "finisSetup.sh" script, as
before this change
* Make sure "stx control stop --wait" exits quickly (~4 seconds on my
machine, down from ~15 seconds)
Story: 2011038
Task: 49577
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I984846fc45349be045c069b84186f12179fe36ad
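The mechanism behind both fixes above (a PID 1 that catches docker's SIGTERM, forwards it to its child and reaps it, with docker's SIGKILL escalation after a grace period) as an added Python illustration. This is not the project's code nor tini's: it is a minimal init that does the same job, and the 5-second grace default and the sleep-based children used in the demo are assumptions chosen to keep the example short.

```python
import os
import signal
import subprocess
import time


def run_as_init(argv, grace=5.0, poll=0.2):
    """Run argv as a child, forward SIGTERM/SIGINT to it, and return its exit status.

    Without this forwarding a signal sent to PID 1 stops here and the child keeps
    running, which is what docker observed with the containers described above.
    If the child has not exited `grace` seconds after the first forwarded signal
    it is SIGKILLed, mirroring what docker does to a container whose PID 1 ignores
    SIGTERM (grace default is an assumption for the demo).
    """
    child = subprocess.Popen(argv)
    state = {"signalled_at": None}

    def forward(signum, _frame):
        if state["signalled_at"] is None:
            state["signalled_at"] = time.monotonic()
        child.send_signal(signum)

    previous = {s: signal.signal(s, forward) for s in (signal.SIGTERM, signal.SIGINT)}
    try:
        while True:
            try:
                # Negative return value means "terminated by that signal".
                return child.wait(timeout=poll)
            except subprocess.TimeoutExpired:
                started = state["signalled_at"]
                if started is not None and time.monotonic() - started >= grace:
                    child.kill()
    finally:
        # Restore the handlers so the demo leaves the interpreter as it found it.
        for signum, handler in previous.items():
            if handler is not None:
                signal.signal(signum, handler)


if __name__ == "__main__":
    import threading

    # Stand-alone demo: send ourselves SIGTERM after 0.5 s; the child goes down with us.
    threading.Timer(0.5, os.kill, (os.getpid(), signal.SIGTERM)).start()
    print("child exit status:", run_as_init(["sleep", "30"]))
```

The same effect is what "exec supervisord" achieves for the aptly container: with exec there is no intermediate shell, so supervisord itself is PID 1 and needs no forwarding at all.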
Avoid "minikube profile list" when checking whether the profile exists.
The list command attempts to connect to each profile and is quite slow.
Use "minikube status -p $MINIKUBENAME" instead.
Story: 2011038
Task: 49570
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: If799840d749de00af907de7867ec68fb9908afa3
* stx script:
- New command "stx control is-started" to complement start/stop
- New option "stx control {start,stop} --wait"
* stx-init-env:
- new option --reset: delete chroots + restart pods
- new option --reset-hard: stop pods, delete local workspaces,
chroots, aptly, docker & minikube profile
- rename option "--nuke" to "--delete-minikube-profile"; old spelling
is still accepted with a warning
- renamed & refactored some functions
* import-stx:
- new env var STX_RM_METHOD: may be optionally set to "docker" for
deleting root-owned files via "docker run", rather than "sudo"
TESTS
=========================
* Misc sanity checks using minikube & k8s
* Manually tested blacklist checks in safe_rm()
* rm via "sudo" vs "docker run"
* Using minikube:
- stx-init-env
- stx-init-env --rebuild
- stx start, build all packages, --reset, build all packages
- stx start, build all packages, --reset-hard, stx-init-env,
build all packages
Story: 2011038
Task: 49549
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: Ife4172ae9fa7b58332ac7ad65beb99525bc2a1a3
This commit fixes a security vulnerability found by a NESSUS Scan
in the sshd configuration. The ssh login as root is allowed in
"/etc/ssh/sshd_config" due to "PermitRootLogin" set to "yes".
It should be disallowed, and the setting of "PermitRootLogin"
should be "no". The fix is to remove the section pertaining to
"Allow root ssh login" in "base_bullseye.yaml", which is a leftover
cleanup from the Debian integration.
Test Plan:
PASS: Verify the stx build installs correctly in an AIO-SX system
configuration.
PASS: Verify the "PermitRootLogin" is set to "no" in
"/etc/ssh/sshd_config" file.
PASS: Verify that remote ssh as user root is not successful.
Closes-Bug: 2051473
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: Iee29cf2d5ade6268dcafcb0f3eb12d5f9afefc88
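A check for the finding above that a practitioner can run against a captured sshd_config, as an added Python example that is not part of this commit. It encodes two sshd rules that a plain grep misses: sshd keeps the first value it reads for a keyword, and directives after a Match block only apply to matching connections; it also inlines Include globs, since Debian's stock sshd_config includes sshd_config.d/*.conf ahead of its own settings. The "prohibit-password" default assumes an OpenSSH 7.0 or later server, and the sample configs in the test are constructed.

```python
import glob
import os
import re

# OpenSSH's built-in default since 7.0; assumes that or a newer sshd is deployed.
DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"


def _directive(raw_line):
    """Split one sshd_config line into (keyword, value); blanks and comments yield (None, '')."""
    line = raw_line.strip()
    if not line or line.startswith("#"):
        return None, ""
    # sshd accepts "Keyword value" as well as "Keyword=value".
    parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
    keyword = parts[0].lower()
    value = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return keyword, value


def directives(text, base_dir="/etc/ssh"):
    """Yield (keyword, value) in sshd's evaluation order, inlining Include globs where they appear."""
    for raw_line in text.splitlines():
        keyword, value = _directive(raw_line)
        if keyword is None:
            continue
        if keyword == "include":
            for pattern in value.split():
                if not os.path.isabs(pattern):
                    pattern = os.path.join(base_dir, pattern)  # relative Includes resolve under /etc/ssh
                for path in sorted(glob.glob(pattern)):
                    with open(path, encoding="utf-8") as fh:
                        yield from directives(fh.read(), base_dir)
            continue
        yield keyword, value


def effective_permit_root_login(text, base_dir="/etc/ssh"):
    """Global PermitRootLogin as sshd would apply it: first value wins, Match blocks are conditional."""
    for keyword, value in directives(text, base_dir):
        if keyword == "match":
            break  # everything after the first Match only applies to matching connections
        if keyword == "permitrootlogin":
            return value.lower()
    return DEFAULT_PERMIT_ROOT_LOGIN


def check_permit_root_login(text, base_dir="/etc/ssh", required="no"):
    """Return (compliant, effective_value) for the scan finding described above."""
    value = effective_permit_root_login(text, base_dir)
    return value == required, value


if __name__ == "__main__":
    with open("/etc/ssh/sshd_config", encoding="utf-8") as fh:
        print(check_permit_root_login(fh.read()))
```

Note that the check reports the global value only; a "PermitRootLogin yes" inside a Match block still opens root login for the connections that block matches and should be reviewed by hand.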
New etcd version 3.4.27 builds using golang version 1.19.10 minimum.
So bumping it up to the closest possible available and working version.
Test Plan:
PASS: Downloader succeeds.
PASS: All packages build succeeds.
PASS: Build Image succeeds.
Story: 2010878
Task: 48961
Change-Id: Ia5fe36f0ed2dba6083a1fd8f8f2c3919b70d5abe
Signed-off-by: Kaustubh Dhokte <kaustubh.dhokte@windriver.com>
Package added:
-> inotifytools 3.14-7
-> libinotifytools0 3.14-7
This package will be used by the luks-fs-mgr service to detect
file changes and creation recursively, so that those files can be rsynced
with the standby controller.
Test Plan:
PASSED: downloader && build-image successful
PASSED: Deployed image successfully on AIO-DX
Both controllers in available and online state
inotifytools package successfully installed on controllers
Able to execute inotifywait command
Story: 2010873
Task: 49371
Change-Id: Ib3fec16671b22107db5b1e8e33a772a765018962
Signed-off-by: Harshad sonde <harshad.sonde@windriver.com>
Upgrade subpackages libbluetooth3 and libbluetooth-dev to
5.55-3.1+deb11u1 to fix the CVE issue CVE-2023-45866.
Add libbluetooth-dev since it's a dependency of python3.9.
Refer to:
https://www.debian.org/security/2023/dsa-5584
https://security-tracker.debian.org/tracker/CVE-2023-45866
TestPlan:
PASS: downloader; build-pkgs -c; build-image
PASS: Jenkins Installation
Closes-Bug: 2047185
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Id4175c0ef5791dbc02fa546a6b0a21a64cfec711
This commit is to copy all USM deployment scripts to ISO
/upgrades/software-deploy/ directory. These scripts will later be
deployed to /usr/sbin/software-deploy/ during 'software upload'
Test Plan:
PASS: ISO built and scripts are in the ISO directory
Task: 48956
Story: 2010676
Change-Id: Ib18c09d66058ae861f3a30e3d41106f3bebd9d92
Signed-off-by: junfeng-li <junfeng.li@windriver.com>
This commit increases the UEFI watchdog timeout utilized by GRUB in
StarlingX from 3 minutes to 20 minutes to prevent undesirable and
arguably premature UEFI watchdog timeout-triggered reboots during the
installation of StarlingX ISO images via BMC/iLO/iDRAC/platform-provided
virtual media redirection features in conjunction with ISO images hosted
on web servers.
In more detail, a user reported that a StarlingX-based distribution's
ISO image would not successfully install with platform-provided ISO
image redirection when the ISO image in question was hosted on a web
server, despite the bandwidth and latency between the platform network
interface and the web server being acceptable. The same user reported
that removing the "efi-watchdog enable ..." line from the GRUB
configuration resolved the issue.
The same issue was later reproduced locally with an HPE DL360g10 server,
where the OAM network interface was able to download an ISO image from a
local server on a different subnet at a rate of about 76 MiB/s. (While
the OAM and the iLO network interfaces are likely not the same, we do
not envision the network conditions to be vastly different when the two
network paths are compared.) In our reproduction of the issue, the
downloading of the kernel and the initramfs images takes approximately
nine minutes and ten seconds, after which the "Linux version" banner is
printed out by the kernel on the serial console, regardless of whether
the "Enhanced Download Performance" setting is enabled in the iLO
settings or not.
Based on these experimental results, this commit changes the UEFI
watchdog timeout from 3 minutes to a duration that is approximately two
times the initial kernel/initramfs load time of 9 minutes and 10 seconds
encountered in our experiments: 20 minutes.
Note that this commit does not affect the GRUB configuration files that
are used after installation. The timeout remains 3 minutes in
"/boot/efi/EFI/BOOT/grub.cfg" on installed systems after this commit,
which is appropriate as the GRUB configuration file in question is
utilized for booting up from local storage (i.e., SSD or HDD).
Verification:
* The reported issue was confirmed by placing a StarlingX-based
distribution's nightly build ISO image on a web server, and the iLO
(out-of-band platform management firmware) of the HPE DL360g10 server
under test was configured to boot up from the ISO image on the web
server via virtual media redirection using an HTTP URL. The 3 minute
UEFI watchdog timeout set by GRUB was observed to be insufficient and
the server was seen to autonomously reboot in the middle of the
loading of the kernel and/or initramfs images.
* A custom ISO image was built with this commit.
* The built ISO image was uploaded to the same web server and the iLO
configuration was modified to boot up from the custom-built ISO image
instead, also via an HTTP URL. The server was observed to load the
kernel/initramfs and transfer the control to the Linux kernel in about
9 minutes and 10 seconds, regardless of the "Enhanced Download
Performance" setting in the iLO.
* The installation was allowed to continue. Without the "Enhanced
Download Performance" setting, the installation finished in ~36 hours,
whereas with the setting in question enabled, the installation
finished in ~2 hours. We also observed that this setting did not
affect the initial loading of the kernel and initramfs images by GRUB.
Closes-Bug: 2046182
Change-Id: Iaadf304fcc1969350e399fcd89a06ce1102df223
Signed-off-by: M. Vefa Bicakci <vefa.bicakci@windriver.com>