From db4b7573c3267a8b0b279e143cfa350af3ff81c6 Mon Sep 17 00:00:00 2001
From: Vladimir Khlyunev
Date: Tue, 2 Aug 2022 13:57:12 +0400
Subject: [PATCH 1/4] Adjust check for ceph global id reclaim CVE
PROD-36942
Change-Id: I318ac7945ddd680eef1fe8b3ab973ad4473517fd
---
 src/com/mirantis/mcp/UpgradeChecks.groovy | 37 ++++++++++++++++++-----
 1 file changed, 29 insertions(+), 8 deletions(-)
diff --git a/src/com/mirantis/mcp/UpgradeChecks.groovy b/src/com/mirantis/mcp/UpgradeChecks.groovy
index c9b0192a..009dccdc 100644
--- a/src/com/mirantis/mcp/UpgradeChecks.groovy
+++ b/src/com/mirantis/mcp/UpgradeChecks.groovy
@@ -138,18 +138,39 @@ For additional information please see https://docs.mirantis.com/mcp/q4-18/mcp-re
 }
 def check_36461_2 (salt, venvPepper, String cluster_name, Boolean raise_exc) {
- def cephMonPillar = salt.getPillar(venvPepper, 'I@ceph:mon', 'ceph:common:config:mon:auth_allow_insecure_global_id_reclaim').get("return")[0].values()[0]
- def cephVersion = salt.getPillar(venvPepper, 'I@ceph:mon', 'ceph:common:version').get("return")[0].values()[0]
- def waStatus = [prodId: "PROD-36461_2", isFixed: "", waInfo: ""]
- if (cephMonPillar.toString().toLowerCase() != 'false' && cephVersion.toString().toLowerCase() == 'nautilus') {
+ def saltTarget = salt.getFirstMinion(venvPepper, 'I@ceph:mon')
+ def cephVersionNum = salt.cmdRun(venvPepper, saltTarget, "ceph version | awk '{print \$3}'").get('return')[0].values()[0].replaceAll('Salt command execution success', '').trim()
+ List cephVersion = cephVersionNum.tokenize('.')
+
+ def majorVersion = cephVersion[0].toInteger()
+ def minorVersion = cephVersion[1].toInteger()
+ def minorSubversion = cephVersion[2].toInteger()
+
+ def waStatus = [prodId: "PROD-36461,PROD-36942", isFixed: "", waInfo: ""]
+
+ def allowInsecureReclaimIdPillar = salt.getPillar(venvPepper, 'I@ceph:mon', 'ceph:common:config:mon:auth_allow_insecure_global_id_reclaim').get("return")[0].values()[0]
+ allowInsecureReclaimIdPillar = allowInsecureReclaimIdPillar.toString().toLowerCase().trim()
+
+ if (majorVersion >= 14 && minorVersion >= 2 && minorSubversion >= 20) {
+ if ( allowInsecureReclaimIdPillar == 'false' ){
+ waStatus.isFixed = "Installed ceph version is 14.2.20+ and insecure global reclaim_id is disabled. Nothing to do."
+ return waStatus
+ }
 waStatus.isFixed = "Work-around should be applied manually"
- waStatus.waInfo = "See https://docs.mirantis.com/mcp/q4-18/mcp-release-notes/single/index.html#i-cve-2021-20288 for more info"
+ waStatus.waInfo = "Ceph is vulnerable for CVE-2021-20288. 
See https://docs.mirantis.com/mcp/q4-18/mcp-release-notes/single/index.html#i-cve-2021-20288 for more info"
 if (raise_exc) {
- error('Needed option is not set.\n' +
- waStatus.waInfo)
+ error('Option is not set to required value.\n' + waStatus.waInfo)
+ }
+ return waStatus
+ }
+
+ if ( allowInsecureReclaimIdPillar == 'false' ) {
+ waStatus.isFixed = "Work-around should be applied manually"
+ waStatus.waInfo = "To upgrade ceph from version below 14.2.20 you MUST set ceph:common:config:mon:auth_allow_insecure_global_id_reclaim pillar to \"true\"."
+ if (raise_exc) {
+ error('Option is not set to required value.\n' + waStatus.waInfo)
 }
 return waStatus
 }
- waStatus.isFixed = "Work-around for PROD-36461_2 already applied, nothing todo"
 return waStatus
 }
From 37b350a96245edde5ecc42c0b217a152824f63ec Mon Sep 17 00:00:00 2001
From: Vladimir Khlyunev
Date: Thu, 11 Aug 2022 18:27:48 +0400
Subject: [PATCH 2/4] Add check for redis-server version
PROD-36960
Change-Id: I14be3156b1c44041e60331e6e30685fa483101c7
---
 src/com/mirantis/mcp/UpgradeChecks.groovy | 26 +++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/src/com/mirantis/mcp/UpgradeChecks.groovy b/src/com/mirantis/mcp/UpgradeChecks.groovy
index 009dccdc..c260baf5 100644
--- a/src/com/mirantis/mcp/UpgradeChecks.groovy
+++ b/src/com/mirantis/mcp/UpgradeChecks.groovy
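Review bot: The gate `if (majorVersion >= 14 && minorVersion >= 2 && minorSubversion >= 20)` compares the three components independently, so it is not a ">= 14.2.20" test: a 15.0.x or 14.3.x monitor fails it and is sent down the "below 14.2.20" branch, while only versions whose minor is >= 2 and whose patch is >= 20 pass. Compare the tuple as one ordered value instead, e.g. `def versionKey = majorVersion * 1000000 + minorVersion * 1000 + minorSubversion` followed by `if (versionKey >= 14002020) {`. The parsing above it also assumes `awk '{print $3}'` yields exactly three dot-separated integers; if the packaged build string carries a suffix after the patch number, `cephVersion[2].toInteger()` throws and the check aborts instead of reporting, so stripping with `cephVersion[2].tokenize('-')[0]` before the conversion would be more robust. In the pre-14.2.20 branch, a pillar that is not `'false'` now falls through to the final `return waStatus` with an empty `isFixed`, whereas the removed line used to report "already applied"; the other exits all set a message, so consider `waStatus.isFixed = "Nothing to do. Insecure global_id reclaim is allowed, ceph can be upgraded."` before that return.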
@@ -174,3 +174,29 @@ def check_36461_2 (salt, venvPepper, String cluster_name, Boolean raise_exc) {
 }
 return waStatus
 }
+
+def check_36960 (salt, venvPepper, String cluster_name, Boolean raise_exc) {
+ if (!salt.testTarget(venvPepper, 'I@redis:server')) {
+ return
+ }
+ def redisVersionPillar = salt.getPillar(venvPepper, 'I@redis:server', 'redis:server:version').get("return")[0].values()[0]
+
+ List redisVersion = redisVersionPillar.toString().tokenize('.')
+
+ def majorVersion = redisVersion[0].toInteger()
+ def minorVersion = redisVersion[1].toInteger()
+
+ def waStatus = [prodId: "PROD-36960", isFixed: "", waInfo: ""]
+
+ if (majorVersion >= 5 && minorVersion >= 0) {
+ waStatus.isFixed = 'Nothing to do. Redis-server version pillar is set to required version (5.0+).'
+ return waStatus
+ }
+ waStatus.isFixed = "Fix should be applied manually"
+ waStatus.waInfo = """To apply latest MU to openstack control plane you MUST set correct version for redis-server package. \n
+Please set pillar "redis:server:version" to "5.0" to openstack/telemetry.yml and refresh pillars."""
+ if (raise_exc) {
+ error('Option is not set to required value.\n' + waStatus.waInfo)
+ }
+ return waStatus
+}
From f73947e4ebc5fb239d9fc8560722c593fe0ea2c3 Mon Sep 17 00:00:00 2001
From: Vladimir Khlyunev
Date: Tue, 16 Aug 2022 14:49:38 +0400
Subject: [PATCH 3/4] Add return value for non-redis clusters
PROD-36960
Change-Id: Ief3edbc4f24b82f30b3a25e9291db2dbbcf9b107
---
 src/com/mirantis/mcp/UpgradeChecks.groovy | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/com/mirantis/mcp/UpgradeChecks.groovy b/src/com/mirantis/mcp/UpgradeChecks.groovy
index c260baf5..54d00f6c 100644
--- a/src/com/mirantis/mcp/UpgradeChecks.groovy
+++ b/src/com/mirantis/mcp/UpgradeChecks.groovy
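Review bot: `redisVersion[0].toInteger()` and `redisVersion[1].toInteger()` run before anything verifies that the pillar holds a version at all; if `redis:server:version` is unset, `redisVersionPillar` is presumably empty, `tokenize('.')` yields an empty list, `redisVersion[0]` is null and the check dies with a NullPointerException instead of telling the operator to set the pillar, which is the very case this check exists for. Guard the conversion so an unset or non-numeric pillar lands in the "Fix should be applied manually" branch, e.g. `def majorVersion = redisVersion.size() > 0 && redisVersion[0].isInteger() ? redisVersion[0].toInteger() : 0` and the same shape for `minorVersion`. `minorVersion >= 0` is always true for a parsed non-negative integer, so the condition is effectively `majorVersion >= 5`; either drop the second operand or write the comparison that was intended.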
@@ -176,9 +176,13 @@ def check_36461_2 (salt, venvPepper, String cluster_name, Boolean raise_exc) {
 }
 def check_36960 (salt, venvPepper, String cluster_name, Boolean raise_exc) {
+ def waStatus = [prodId: "PROD-36960", isFixed: "", waInfo: ""]
+
 if (!salt.testTarget(venvPepper, 'I@redis:server')) {
- return
+ waStatus.isFixed = 'Nothing to do. There are no redis-servers.'
+ return waStatus
 }
+
 def redisVersionPillar = salt.getPillar(venvPepper, 'I@redis:server', 'redis:server:version').get("return")[0].values()[0]
 List redisVersion = redisVersionPillar.toString().tokenize('.')
@@ -186,8 +190,6 @@ def check_36960 (salt, venvPepper, String cluster_name, Boolean raise_exc) {
 def majorVersion = redisVersion[0].toInteger()
 def minorVersion = redisVersion[1].toInteger()
- def waStatus = [prodId: "PROD-36960", isFixed: "", waInfo: ""]
-
 if (majorVersion >= 5 && minorVersion >= 0) {
 waStatus.isFixed = 'Nothing to do. Redis-server version pillar is set to required version (5.0+).'
 return waStatus
From 450adb489d252cd1df2d2680879349e7e8f871a7 Mon Sep 17 00:00:00 2001
From: Vladimir Khlyunev
Date: Tue, 16 Aug 2022 15:33:30 +0400
Subject: [PATCH 4/4] Fix return value for check_36461
Change-Id: I88fdf4643e7326d25bd58a67fded1067c704ffdd
---
 src/com/mirantis/mcp/UpgradeChecks.groovy | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/com/mirantis/mcp/UpgradeChecks.groovy b/src/com/mirantis/mcp/UpgradeChecks.groovy
index 54d00f6c..8b4279b7 100644
--- a/src/com/mirantis/mcp/UpgradeChecks.groovy
+++ b/src/com/mirantis/mcp/UpgradeChecks.groovy
@@ -80,7 +80,8 @@ def check_36461(salt, venvPepper, String cluster_name, Boolean raise_exc){
 def common = new com.mirantis.mk.Common()
 def waStatus = [prodId: "PROD-36461", isFixed: "", waInfo: ""]
 if (!salt.testTarget(venvPepper, 'I@ceph:radosgw')) {
- return
+ waStatus.isFixed = 'Nothing to do. Ceph is not enabled.'
+ return waStatus
 }
 def clusterModelPath = "/srv/salt/reclass/classes/cluster/${cluster_name}"
 def checkFile = "${clusterModelPath}/ceph/rgw.yml"