[Bug 1854362] Re: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb
Seth Arnold
1854362 at bugs.launchpad.net
Tue Jun 9 03:00:37 UTC 2020
I reviewed python-rtslib-fb 2.1.71-0ubuntu1 as checked into focal. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.
python-rtslib-fb is a programmatic interface to the Linux kernel's LIO
target. Working with Python objects causes writes to the kernel's
/sys/kernel/config/target interface.
It also provides an executable to save the live config to a file on
service shutdown, and load the config into the running kernel on service
start.
- No CVEs in our database; when I reported a low severity problem, a fix
  was committed 13 hours later.
- Build-Depends?
  - debhelper-compat (= 9), dh-python, openstack-pkg-tools (>= 99~),
    python3-all, python3-setuptools, python3-six
- pre/post inst/rm scripts?
  - postrm script improperly removes the alternatives entry against
    policy -- it should be called from prerm instead:
    https://lintian.debian.org/tags/maintainer-script-should-not-use-update-alternatives-remove.html
  - py3compile command isn't guarded with || true -- is this correct?
- init scripts?
  - initscript has multiple shellcheck warnings
  - race condition combined with busy-wait "sleep"
- systemd units?
  - Creates directory with ExecStart=mkdir -p rather than
    ConfigurationDirectory= directive
- No dbus config
- No setuid executables
- new binary targetctl in PATH
- No sudo fragments
- No polkit rules
- No udev rules
- Very small number of tests -- as doctests -- and I can't tell if they
  run during the build or not
- No cron jobs
- Lintian warnings and errors reported
- Spawns a subprocess to perform module loading -- the subprocess itself
  looks fine, but the module loading feels out of place. There is probably
  a better way to do this.
- File IO is used extensively; some small helper functions are written to
  make it look easy. The tool works extensively in a virtual filesystem
  meant to configure things.
- Very little logging
- No environment variable use
- While this performs privileged operations, it mostly does so via read
  and write -- and the "modprobe" Popen.
- No cryptography
- No temp files
- No networking
- No webkit
- No policykit
While reading the code I found a low-severity issue and reported it:
https://github.com/open-iscsi/rtslib-fb/issues/161
Upstream checked in a fix in 13 hours.
The systemd unit file uses an explicit mkdir call rather than using a
declarative setting.
The postrm/prerm scripts need work.
Security team ACK for promoting python-rtslib-fb to main. I'd like the
security fix and the packaging issues fixed before this package is
promoted.
Thanks
** Bug watch added: github.com/open-iscsi/rtslib-fb/issues #161
https://github.com/open-iscsi/rtslib-fb/issues/161
** Changed in: python-rtslib-fb (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
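The systemd finding in the review, shown as an added illustration that is not part of the review or of the python-rtslib-fb package: a oneshot unit that creates its state directory with an imperative ExecStart=mkdir, beside the same unit using the declarative ConfigurationDirectory= setting. The unit name, the /etc/target path, the directory mode and the targetctl command lines are assumptions made for the example.

```ini
# Pattern the review flags (hypothetical unit): the directory is created by
# a shell command that systemd neither tracks, cleans up, nor applies a
# declared mode or owner to. Type=oneshot runs ExecStart= lines in order.
[Unit]
Description=Restore LIO kernel target configuration
After=sys-kernel-config.mount network.target local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/mkdir -p /etc/target
ExecStart=/usr/bin/targetctl restore
ExecStop=/usr/bin/targetctl save

[Install]
WantedBy=multi-user.target

# Declarative form: systemd creates /etc/<name> itself before ExecStart=
# runs, owned by the service user (root here) with the mode given by
# ConfigurationDirectoryMode= (0755 if omitted). The path is also exported
# to the service as $CONFIGURATION_DIRECTORY. 0700 is an assumed hardening
# choice, since the saved config can hold target credentials.
[Unit]
Description=Restore LIO kernel target configuration
After=sys-kernel-config.mount network.target local-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
ConfigurationDirectory=target
ConfigurationDirectoryMode=0700
ExecStart=/usr/bin/targetctl restore
ExecStop=/usr/bin/targetctl save

[Install]
WantedBy=multi-user.target
```

The two units are shown back to back for comparison; an installed unit file contains only one of them.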
https://bugs.launchpad.net/bugs/1854362
Title:
[MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb,
urwid, targetcli-fb
Status in ceph-iscsi package in Ubuntu:
Confirmed
Status in python-configshell-fb package in Ubuntu:
In Progress
Status in python-rtslib-fb package in Ubuntu:
Confirmed
Status in targetcli-fb package in Ubuntu:
Confirmed
Status in tcmu package in Ubuntu:
Confirmed
Status in urwid package in Ubuntu:
In Progress
Bug description:
== ceph-iscsi ==
[Availability]
In universe
[Rationale]
Provides iSCSI gateway to a Ceph cluster, allowing clients which don't understand RBD to use Ceph storage.
[Security]
No security history found.
[Quality assurance]
Package runs tests during package build (submitted back to Debian).
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== tcmu ==
[Availability]
In universe
[Rationale]
Dependency for ceph-iscsi
Handles the userspace side of the LIO TCM-User backstore allowing LIO
to use librbd for Ceph backed block devices.
[Security]
Some security history:
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcmu
All in older versions.
[Quality assurance]
No tests in source package for execution during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== python-configshell-fb ==
[Availability]
In universe
[Rationale]
Dependency for ceph-iscsi
[Security]
No security history
[Quality assurance]
No tests in source package for execution during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== python-rtslib-fb ==
[Availability]
In universe
[Rationale]
Dependency for ceph-iscsi
[Security]
No security history
[Quality assurance]
No tests in source package for execution during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== urwid ==
[Availability]
In universe
[Rationale]
Dependency for python-configshell-fb
[Security]
No security history
[Quality assurance]
Tests present and executed during package build.
[Dependencies]
All in main or on this MIR
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
== targetcli-fb ==
[Availability]
In universe
[Rationale]
- Only CLI for iSCSI target feature in Linux Kernel
- Replaces the tgt iSCSI target, with much better performance
- tgt is being deprecated slowly and poorly updated
- LIO fully supports SCSI 3 reservations (for clustering)
[Security]
No security history
[Quality assurance]
Tests present and executed during package build.
[Dependencies]
- python3-configshell-fb (this MIR)
- python3-gi (main)
- python3-rtslib-fb (this MIR)
- python3-six (main)
[Standards compliance]
OK
[Maintenance]
ubuntu-server