After [1] was merged, a bug was found in which
the getent is printing unnecessary characters on
stdout causing a divide-by-zero error.
Test plan:
PASS - source import-stx
PASS - Bring up a new env with this import-stx
Story: 2010055
Task: 50138
Change-Id: I192199a59c65916c4170f7c6a9f57d3a3b3bb491
Signed-off-by: Romulo Leite <romulo.leite@windriver.com>
The import-stx is unnecessarily listing all users while only
looking for the Jenkins user. This is problematic for users
that use VPN, causing very slow performance.
Test plan:
PASS - source import-stx
PASS - Bring up a new env with this import-stx
Story: 2010055
Task: 50138
Change-Id: Ie252b0893e92075a7016ce3b92cef839c113d8fc
Signed-off-by: Romulo Leite <romulo.leite@windriver.com>
This reverts commit 57d8f1772b.
Reasons for revert:
* Gerrit automerged this change with a CVE fix [1] which updated libc
to a different version than the original commit
* There are other libc-related packages that conflict with this change
* This needs more analysis, reverting for now
[1] https://review.opendev.org/c/starlingx/tools/+/918959
Change-Id: I880c71b7e0852c4caf2ab469bdb9e0d9cacd2d8f
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
We already download the 64-bit versions, this patch adds the matching
32-bit versions, and their dependencies, making the entire set
consistent. We need this to build Intel FlexRAN docker image (not part
of StarlingX).
Story: 2009897
Task: 50060
TESTS
========
* Re-run downloader
* Build base image (stx-debian)
* Install lib32ncurses-dev in the base image
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I06352150828f717a509e86ed97955b230638e045
StarlingX stopped supporting CentOS builds after release 7.0.
This update will strip CentOS from our code base. It will also remove
references to the failed OpenSUSE feature as well.
Story: 2011110
Task: 49965
Change-Id: I17943f1b22a57b0ed02f638cb6320855446c0be3
Signed-off-by: Scott Little <scott.little@windriver.com>
StarlingX is moving from Bullseye to Bookworm and intends to
use leading edge opensource redfishtool.
However, at this time, there is no publicly available version of
the latest redfishtool (version 1.1.8) in Bookworm or otherwise.
This update removes the need to download a publicly available
Bullseye version of redfishtool in favor of using the new
in-house package built version after download from
https://github.com/DMTF/Redfishtool.
See Depends-On label below.
Test Plan:
PASS: Verify build of freshly created build environment.
PASS: Verify build of repo sync'ed existing build environment.
Depends-On: https://review.opendev.org/c/starlingx/integ/+/916660
Story: 2010533
Task: 49994
Change-Id: Ib598cd88e729463642b5e49723e0365b1a02df1f
Signed-off-by: Eric MacDonald <eric.macdonald@windriver.com>
Upgrade bsdextrautils to 2.36.1-8+deb11u2
Upgrade bsdutils to 1:2.36.1-8+deb11u2
Upgrade eject to 2.36.1-8+deb11u2
Upgrade fdisk to 2.36.1-8+deb11u2
Upgrade libblkid1 to 2.36.1-8+deb11u2
Upgrade libfdisk1 to 2.36.1-8+deb11u2
Upgrade libmount1 to 2.36.1-8+deb11u2
Upgrade libsmartcols1 to 2.36.1-8+deb11u2
Upgrade libuuid1 to 2.36.1-8+deb11u2
Upgrade mount to 2.36.1-8+deb11u2
Upgrade util-linux to 2.36.1-8+deb11u2
Upgrade uuid-dev to 2.36.1-8+deb11u2
Upgrade uuid-runtime to 2.36.1-8+deb11u2
Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2024-28085
https://security-tracker.debian.org/tracker/DSA-5650-1
Test Plan:
Pass: downloader
Pass: build-pkgs --clean --all
Pass: build-image
Pass: boot
Closes-bug: #2059877
Signed-off-by: Wentao Zhang <Wentao.Zhang@windriver.com>
Change-Id: I1ed69814ced58837819ebcb26fb50d97484d9bc8
Now the latest json format result file includes several items
in the set data["scannedCves"][cve_id]["cveContents"]["nvd"], so
the original usage is not available to filter CVE info anymore.
So it's time to drop the exception which is to raise this condition
that the length is greater than 1. It will be failed to throw the
exception. We are going to use the condition 'source=nvd@nist.gov'
to get the accurate CVE information instead.
Another update is to expand the function find_lp_assigned with
adding a new condition to find the CVE id in the description section
of the LP page. As the length of title is limited, if one page is
used to track many CVE issues, the length may not be enough to
record all CVE ID items.
Closes-Bug: 2059996
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: Ia7dfee5db53baaa82a8e6dd9d5dde8a31da5bcc2
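The selection rule described in the commit message above, as an added example (not the project's own code): pick the entry whose source is nvd@nist.gov from the multi-item "nvd" list instead of requiring the list to have length 1. The per-entry "source" and "cvss3Score" field names and the CVE ids are assumptions made for this constructed sample.

```python
NVD_SOURCE = "nvd@nist.gov"

# Constructed sample following data["scannedCves"][cve_id]["cveContents"]["nvd"].
# Assumption: each list item carries a "source" key and a "cvss3Score" key.
SAMPLE = {
    "scannedCves": {
        "CVE-0000-0001": {"cveContents": {"nvd": [
            {"source": "cna@example.org", "cvss3Score": 5.5},
            {"source": "nvd@nist.gov", "cvss3Score": 7.8},
        ]}},
        # Only a non-NVD source is present: nothing authoritative to report.
        "CVE-0000-0002": {"cveContents": {"nvd": [
            {"source": "cna@example.org", "cvss3Score": 9.1},
        ]}},
        # No "nvd" key at all.
        "CVE-0000-0003": {"cveContents": {}},
    }
}


def select_nvd_entry(cve):
    """Return the item published by NVD itself, or None if there is none."""
    entries = cve.get("cveContents", {}).get("nvd") or []
    for entry in entries:
        if entry.get("source") == NVD_SOURCE:
            return entry
    return None


def nvd_scores(data):
    """Map each scanned CVE id to its NVD CVSS v3 score (None when absent)."""
    scores = {}
    for cve_id, cve in data.get("scannedCves", {}).items():
        entry = select_nvd_entry(cve)
        scores[cve_id] = None if entry is None else entry.get("cvss3Score")
    return scores


if __name__ == "__main__":
    for cve_id, score in sorted(nvd_scores(SAMPLE).items()):
        print(cve_id, score)
```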
Add tabulate module, this is required by [1]
Story: 2010676
Task: 49849
[1] https://review.opendev.org/c/starlingx/update/+/914929
Change-Id: Ia388bd2aed6c62a167b05d8e7d6c1d1d6dae948a
Signed-off-by: Bin Qian <bin.qian@windriver.com>
LAT docker file downloads the installer from a hard-coded URL that
points to https://mirror.starlingx.windriver.com . Allow users to
override this location by defining STX_MIRROR_URL in the host
environment. By default, guess mirror location from stx.conf.
TESTS
==========================
* Rebuild LAT container and make sure it uses the mirror URL from
stx.conf
* Set STX_MIRROR_URL prior to calling stx-init-env and make sure it
gets picked up by the docker file
Story: 2010055
Task: 49883
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: Id8ea88407f74003db934337efd574451658633d8
Remove python3-zmq package from base-bullseye.lst. The python3-zmq
package has been patched and is now built from source.
Test Plan:
PASS: Build pyzmq package
PASS: Build ISO
Related-Bug: 2060867
Depends-On: https://review.opendev.org/c/starlingx/integ/+/915443
Change-Id: I1cec7e65ba36ca74145c3555ed75fed0dbd70a3f
Signed-off-by: Alyson Deives Pereira <alyson.deivespereira@windriver.com>
Upgrade openssl related packages from 1.1.1n-0+deb11u5 to
1.1.1w-0+deb11u1 in order to fix the misleading error message when
loading qatengine.
Refer to:
https://github.com/openssl/openssl/issues/17962
TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: /usr/bin/openssl engine -t -c qatengine
Closes-bug: 2055247
Change-Id: I5dd6b13bd77fa61b6ec560193e6dd93fef6183e6
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
librte 20.11.6-1~deb11u1 is no longer available at the given url.
This update substitutes a valid url for librte 20.11.6-1~deb11u1.
Closes-Bug: 2056062
Change-Id: I6f13747bed5f3d365ae2e22790b067d899c770b6
Signed-off-by: Scott Little <scott.little@windriver.com>
tzdata expires every 6-12 months.
Update to the latest tzdata, valid until Dec 2024
Partial-bug: 2054466
Change-Id: Ie85112c3cd7bfa9fb29f738f88875f82a72e5b15
Signed-off-by: Scott Little <scott.little@windriver.com>
Upgrade package ovmf from 2020.11-2+deb11u1 to 2020.11-2+deb11u2 in
order to fix the CVE issue CVE-2023-48733.
Refer to:
https://nvd.nist.gov/vuln/detail/CVE-2023-48733
https://security-tracker.debian.org/tracker/DSA-5624-1
TestPlan:
PASS: downloader; build-pkgs; build-image
PASS: Jenkins Installation
Closes-Bug: 2054273
Change-Id: I42937791da7c25b59ae4cf2f945bdd4b6d57ade3
Signed-off-by: Peng Zhang <Peng.Zhang2@windriver.com>
Aptly repos are signed with a GPG key embedded in environment
containers. That key expired today (2024-02-23).
Replace key with a new one that does not expire at all.
Partial-Bug: 2054862
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I41a5c7a785a23eb8c9546e99865ecf62faaf506a
Executing "source import-stx" produces error message:
"import-stx:175: = not found"
Found that a few string comparisons in the file were using the bash
exclusive string comparison operator '==' within the 'test'
command, which is represented by the single brackets [1].
Basically, string comparisons in single brackets need to use '='.
The proposed syntax is already used in other places in the code,
so this is better for consistency as well.
[1] https://www.man7.org/linux/man-pages/man1/test.1.html
Test Plan:
pass - source import-stx
Change-Id: I4d6bbbaeb9431b6e640de228d123103dd74e0de5
Signed-off-by: Leonardo Fagundes Luz Serrano <Leonardo.FagundesLuzSerrano@windriver.com>
Don't use --wait with helm uninstall because it requires helm >= 3.7,
and even in those versions doesn't work correctly.
Story: 2011038
Task: 49549
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I4f3be32bf4ce84e1670e7884fc09c3ddac00b85a
The ndisc6 package has useful diagnostic tools for IPv6 networks. It is
being added to allow for duplicate address and gateway reachability
detection by the scripts from the ifupdown-extra package.
The ifupdown package is being removed from the list because it's being
added via the integ project instead, to allow for patches.
Test Plan
[PASS] downloader
[PASS] build-pkgs --clean --all
[PASS] build-image
[PASS] Run full build, system install, bootstrap and unlock SX system
[PASS] Run command "dpkg --list | grep ndisc6"
[PASS] Run command "ndisc6 --help"
[PASS] Run command "dpkg --list | grep ifupdown"
[PASS] Run command "ifup --help"
Depends-On: https://review.opendev.org/c/starlingx/integ/+/908172
Closes-Bug: #2052534
Change-Id: I9dd38bbd1f89e266e0b55ffde9865f94a641c8ff
Signed-off-by: Lucas Ratusznei Fonseca <lucas.ratuszneifonseca@windriver.com>
Make sure aptly & builder containers catch and handle SIGTERM. Otherwise
"stx stop" sends the signal, 2 out of 6 containers ignore it, then
docker waits for ~15 seconds and SIGKILL's them.
* stx-builder.Dockerfile: change default image command from plain "bash"
to "tini" that starts "sleep infinity". Tini catches and broadcasts
signals to its own children (sleep), enabling graceful shutdown to
work
* aptly: replace call to "supervisord" with "exec supervisord", to make
sure it runs as PID 1 and actually receives signals from docker.
* stx_control.py: slightly reduce loop sleep time in "stx control stop"
TESTS
==================
* Retest "stx control start --wait"
* Make sure builder's entry point executes "finisSetup.sh" script, as
before this change
* Make sure "stx control stop --wait" exits quickly (~4 seconds on my
machine, down from ~15 seconds)
Story: 2011038
Task: 49577
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: I984846fc45349be045c069b84186f12179fe36ad
Avoid "minikube profile list" when checking whether the profile exists.
The list command attempts to connect to each profile and is quite slow.
Use "minikube status -p $MINIKUBENAME" instead.
Story: 2011038
Task: 49570
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: If799840d749de00af907de7867ec68fb9908afa3
* stx script:
- New command "stx control is-started" to complement start/stop
- New option "stx control {start,stop} --wait"
* stx-init-env:
- new option --reset: delete chroots + restart pods
- new option --reset-hard: stop pods, delete local workspaces,
chroots, aptly, docker & minikube profile
- rename option "--nuke" to "--delete-minikube-profile"; old spelling
is still accepted with a warning
- renamed & refactored some functions
* import-stx:
- new env var STX_RM_METHOD: may be optionally set to "docker" for
deleting root-owned files via "docker run", rather than "sudo"
TESTS
=========================
* Misc sanity checks using minikube & k8s
* Manually tested blacklist checks in safe_rm()
* rm via "sudo" vs "docker run"
* Using minikube:
- stx-init-env
- stx-init-env --rebuild
- stx start, build all packages, --reset, build all packages
- stx start, build all packages, --reset-hard, stx-init-env,
build all packages
Story: 2011038
Task: 49549
Signed-off-by: Davlet Panech <davlet.panech@windriver.com>
Change-Id: Ife4172ae9fa7b58332ac7ad65beb99525bc2a1a3
This commit fixes a security vulnerability found by a NESSUS Scan
in the sshd configuration. The ssh login as root is allowed in
"/etc/ssh/sshd_config" due to "PermitRootLogin" set to "yes".
It should be disallowed, and the setting of "PermitRootLogin"
should be "no". The fix is to remove the section pertaining to
"Allow root ssh login" in "base_bullseye.yaml", which is a leftover
cleanup from the Debian integration.
Test Plan:
PASS: Verify the stx build installs correctly in an AIO-SX system
configuration.
PASS: Verify the "PermitRootLogin" is set to "no" in
"/etc/ssh/sshd_config" file.
PASS: Verify that remote ssh as user root is not successful.
Closes-Bug: 2051473
Signed-off-by: Carmen Rata <carmen.rata@windriver.com>
Change-Id: Iee29cf2d5ade6268dcafcb0f3eb12d5f9afefc88
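A way to automate the "PermitRootLogin" check from the test plan above, as an added example (not part of the commit or the StarlingX code base). It goes beyond the single line the commit names by applying sshd's first-value-wins rule and reporting "Match" block overrides; the sample configs are constructed and "Include" files are not followed.

```python
import re

DEFAULT = "prohibit-password"  # OpenSSH built-in default when the keyword is absent

# Constructed sample configs (not taken from a StarlingX image).
WEAK = """\
Port 22
PermitRootLogin yes
PermitRootLogin no
"""
FIXED = "PermitRootLogin no\n"
SHADOWED = """\
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""


def root_login_settings(config_text):
    """Return (effective global value, [(match condition, value), ...])."""
    global_value, overrides, current_match = None, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current_match = value             # applies until the next Match line
        elif keyword == "permitrootlogin" and value:
            setting = value.split()[0].lower()
            if current_match is not None:
                overrides.append((current_match, setting))
            elif global_value is None:        # sshd keeps the first value it reads
                global_value = setting
    return (global_value or DEFAULT, overrides)


def violations(config_text):
    """List every place where root login is not fully disabled."""
    global_value, overrides = root_login_settings(config_text)
    found = [("global", global_value)] if global_value != "no" else []
    return found + [(cond, val) for cond, val in overrides if val != "no"]
```

In WEAK the later "no" line has no effect because the earlier "yes" is read first, which is why a plain grep for "PermitRootLogin no" is not a sufficient check.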