diff options
Diffstat (limited to 'external/meta-virtualization/recipes-extended/ceph/ceph')
14 files changed, 956 insertions, 231 deletions
diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-Correct-the-path-to-find-version.h-in-rocksdb.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-Correct-the-path-to-find-version.h-in-rocksdb.patch deleted file mode 100644 index 788505b2..00000000 --- a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-Correct-the-path-to-find-version.h-in-rocksdb.patch +++ /dev/null @@ -1,40 +0,0 @@ -From a53605694d5301b7bb543464b17f74bbbd35d372 Mon Sep 17 00:00:00 2001 -From: Dengke Du <dengke.du@windriver.com> -Date: Tue, 28 Aug 2018 10:04:40 +0800 -Subject: [PATCH] Correct the path to find version.h in rocksdb - -Signed-off-by: Dengke Du <dengke.du@windriver.com> ---- - cmake/modules/Findrocksdb.cmake | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/cmake/modules/Findrocksdb.cmake b/cmake/modules/Findrocksdb.cmake -index f8369f7..36b67ea 100644 ---- a/cmake/modules/Findrocksdb.cmake -+++ b/cmake/modules/Findrocksdb.cmake -@@ -9,17 +9,17 @@ - # ROCKSDB_VERSION_MINOR - # ROCKSDB_VERSION_PATCH - --find_path(ROCKSDB_INCLUDE_DIR rocksdb/db.h) -+find_path(ROCKSDB_INCLUDE_DIR rocksdb/db.h ${CMAKE_SYSROOT}) - --find_library(ROCKSDB_LIBRARIES rocksdb) -+find_library(ROCKSDB_LIBRARIES rocksdb ${CMAKE_SYSROOT}) - - if(ROCKSDB_INCLUDE_DIR AND EXISTS "${ROCKSDB_INCLUDE_DIR}/rocksdb/version.h") - foreach(ver "MAJOR" "MINOR" "PATCH") -- file(STRINGS "${ROCKSDB_INCLUDE_DIR}/version.h" ROCKSDB_VER_${ver}_LINE -+ file(STRINGS "${ROCKSDB_INCLUDE_DIR}/rocksdb/version.h" ROCKSDB_VER_${ver}_LINE - REGEX "^#define[ \t]+ROCKSDB_${ver}[ \t]+[0-9]+$") - string(REGEX REPLACE "^#define[ \t]+ROCKSDB_${ver}[ \t]+([0-9]+)$" -- "\\1" ROCKSDB_VERSION_${ver} "${ROCKDB_VER_${ver}_LINE}") -- unset(${ROCKDB_VER_${ver}_LINE}) -+ "\\1" ROCKSDB_VERSION_${ver} "${ROCKSDB_VER_${ver}_LINE}") -+ unset(ROCKSDB_VER_${ver}_LINE) - endforeach() - set(ROCKSDB_VERSION_STRING - "${ROCKSDB_VERSION_MAJOR}.${ROCKSDB_VERSION_MINOR}.${ROCKSDB_VERSION_PATCH}") --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-ceph-add-pybind-support-in-OE.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-ceph-add-pybind-support-in-OE.patch deleted file mode 100644 index f9c53406..00000000 --- a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-ceph-add-pybind-support-in-OE.patch +++ /dev/null @@ -1,129 +0,0 @@ -From 00d44940c2e83bf73101a05d2aa8f88c2e2fca58 Mon Sep 17 00:00:00 2001 -From: Dengke Du <dengke.du@windriver.com> -Date: Tue, 23 Oct 2018 15:34:53 +0800 -Subject: [PATCH] ceph: add pybind support in OE - -1. add sysroot to CFLAGS when cross compiling pybind -2. change the pybind's INSTALL path to OE's INSTALL path -3. delete the check for header files, because the check method using - host compiler. - -Signed-off-by: Dengke Du <dengke.du@windriver.com> -Upstream-Status: Inappropriate [oe specific] ---- - cmake/modules/Distutils.cmake | 12 +++--------- - src/pybind/cephfs/setup.py | 8 -------- - src/pybind/rados/setup.py | 8 -------- - src/pybind/rbd/setup.py | 8 -------- - src/pybind/rgw/setup.py | 8 -------- - 5 files changed, 3 insertions(+), 41 deletions(-) - -diff --git a/cmake/modules/Distutils.cmake b/cmake/modules/Distutils.cmake -index d6e9f38..3091d97 100644 ---- a/cmake/modules/Distutils.cmake -+++ b/cmake/modules/Distutils.cmake -@@ -47,7 +47,7 @@ function(distutils_add_cython_module name src) - LDFLAGS=-L${CMAKE_LIBRARY_OUTPUT_DIRECTORY} - CYTHON_BUILD_DIR=${CMAKE_CURRENT_BINARY_DIR} - CEPH_LIBDIR=${CMAKE_LIBRARY_OUTPUT_DIRECTORY} -- CFLAGS=\"-iquote${CMAKE_SOURCE_DIR}/src/include -w\" -+ CFLAGS=\"-iquote${CMAKE_SOURCE_DIR}/src/include -w --sysroot=${CMAKE_SYSROOT}\" - ${PYTHON${PYTHON_VERSION}_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/setup.py - build --verbose --build-base ${CYTHON_MODULE_DIR} - --build-platlib ${CYTHON_MODULE_DIR}/lib.${PYTHON${PYTHON_VERSION}_VERSION_MAJOR} -@@ -69,14 +69,8 @@ function(distutils_install_cython_module name) - set(ENV{CEPH_LIBDIR} \"${CMAKE_LIBRARY_OUTPUT_DIRECTORY}\") - - set(options --prefix=${CMAKE_INSTALL_PREFIX}) -- if(DEFINED ENV{DESTDIR}) -- if(EXISTS /etc/debian_version) -- list(APPEND options --install-layout=deb) -- endif() -- list(APPEND options --root=\$ENV{DESTDIR}) -- else() -- list(APPEND options --root=/) -- endif() -+ list(APPEND options --root=${CMAKE_DESTDIR}) -+ list(APPEND options --install-lib=${PYTHON_SITEPACKAGES_DIR}) - execute_process( - COMMAND - ${PYTHON${PYTHON_VERSION}_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/setup.py -diff --git a/src/pybind/cephfs/setup.py b/src/pybind/cephfs/setup.py -index 6533f41..1ee4a59 100755 ---- a/src/pybind/cephfs/setup.py -+++ b/src/pybind/cephfs/setup.py -@@ -121,14 +121,6 @@ def check_sanity(): - finally: - shutil.rmtree(tmp_dir) - -- --if 'BUILD_DOC' in os.environ.keys(): -- pass --elif check_sanity(): -- pass --else: -- sys.exit(1) -- - cmdclass = {} - try: - from Cython.Build import cythonize -diff --git a/src/pybind/rados/setup.py b/src/pybind/rados/setup.py -index ef7c307..5204017 100755 ---- a/src/pybind/rados/setup.py -+++ b/src/pybind/rados/setup.py -@@ -117,14 +117,6 @@ def check_sanity(): - finally: - shutil.rmtree(tmp_dir) - -- --if 'BUILD_DOC' in os.environ.keys(): -- pass --elif check_sanity(): -- pass --else: -- sys.exit(1) -- - cmdclass = {} - try: - from Cython.Build import cythonize -diff --git a/src/pybind/rbd/setup.py b/src/pybind/rbd/setup.py -index bcf96f2..d4cbbeb 100755 ---- a/src/pybind/rbd/setup.py -+++ b/src/pybind/rbd/setup.py -@@ -120,14 +120,6 @@ def check_sanity(): - finally: - shutil.rmtree(tmp_dir) - -- --if 'BUILD_DOC' in os.environ.keys(): -- pass --elif check_sanity(): -- pass --else: -- sys.exit(1) -- - cmdclass = {} - try: - from Cython.Build import cythonize -diff --git a/src/pybind/rgw/setup.py b/src/pybind/rgw/setup.py -index f14f30c..ee7570b 100755 ---- a/src/pybind/rgw/setup.py -+++ b/src/pybind/rgw/setup.py -@@ -120,14 +120,6 @@ def check_sanity(): - finally: - shutil.rmtree(tmp_dir) - -- --if 'BUILD_DOC' in os.environ.keys(): -- pass --elif check_sanity(): -- pass --else: -- sys.exit(1) -- - cmdclass = {} - try: - from Cython.Build import cythonize --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-ceph-detect-init-correct-the-installation-for-OE.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-ceph-detect-init-correct-the-installation-for-OE.patch deleted file mode 100644 index 875501bf..00000000 --- a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-ceph-detect-init-correct-the-installation-for-OE.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 6aaf04036f0affbeddda123bff111990c4d5fd72 Mon Sep 17 00:00:00 2001 -From: Dengke Du <dengke.du@windriver.com> -Date: Fri, 26 Oct 2018 14:31:10 +0800 -Subject: [PATCH] ceph-detect-init: correct the installation for OE - -Signed-off-by: Dengke Du <dengke.du@windriver.com> -Upstream-Status: Inappropriate [oe specific] ---- - cmake/modules/Distutils.cmake | 11 ++--------- - 1 file changed, 2 insertions(+), 9 deletions(-) - -diff --git a/cmake/modules/Distutils.cmake b/cmake/modules/Distutils.cmake -index 3091d97..c50fe77 100644 ---- a/cmake/modules/Distutils.cmake -+++ b/cmake/modules/Distutils.cmake -@@ -16,15 +16,8 @@ function(distutils_install_module name) - cmake_parse_arguments(DU "" INSTALL_SCRIPT "" ${ARGN}) - install(CODE " - set(options --prefix=${CMAKE_INSTALL_PREFIX}) -- if(DEFINED ENV{DESTDIR}) -- if(EXISTS /etc/debian_version) -- list(APPEND options --install-layout=deb) -- endif() -- list(APPEND options --root=\$ENV{DESTDIR}) -- if(NOT \"${DU_INSTALL_SCRIPT}\" STREQUAL \"\") -- list(APPEND options --install-script=${DU_INSTALL_SCRIPT}) -- endif() -- endif() -+ list(APPEND options --root=${CMAKE_DESTDIR}) -+ list(APPEND options --install-lib=${PYTHON_SITEPACKAGES_DIR}) - execute_process( - COMMAND ${PYTHON${PYTHON_VERSION}_EXECUTABLE} - setup.py install \${options} --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-ceph-fix-build-errors-for-cross-compile.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-ceph-fix-build-errors-for-cross-compile.patch new file mode 100644 index 00000000..4d54549f --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-ceph-fix-build-errors-for-cross-compile.patch @@ -0,0 +1,184 @@ +From 4712fe18405ffea31405308357a8e7fca358bcce Mon Sep 17 00:00:00 2001 +From: Dengke Du <dengke.du@windriver.com> +Date: Mon, 11 Mar 2019 09:14:09 +0800 +Subject: [PATCH] ceph: fix build errors for cross compile + +1. set the cross compile sysroot to find the rocksdb library +2. correct the install path for library in Distutils.cmake + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Dengke Du <dengke.du@windriver.com> + +Adjust context for v14.2.3 + +Signed-off-by: He Zhe <zhe.he@windriver.com> +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + cmake/modules/Distutils.cmake | 25 +++++-------------------- + cmake/modules/FindRocksDB.cmake | 4 ++-- + src/compressor/zstd/CMakeLists.txt | 2 +- + src/pybind/cephfs/setup.py | 8 -------- + src/pybind/rados/setup.py | 8 -------- + src/pybind/rbd/setup.py | 8 -------- + src/pybind/rgw/setup.py | 8 -------- + 7 files changed, 8 insertions(+), 55 deletions(-) + +diff --git a/cmake/modules/Distutils.cmake b/cmake/modules/Distutils.cmake +index 5fe929499d..802eb37e32 100644 +--- a/cmake/modules/Distutils.cmake ++++ b/cmake/modules/Distutils.cmake +@@ -18,17 +18,8 @@ function(distutils_install_module name) + cmake_parse_arguments(DU "" "INSTALL_SCRIPT" "" ${ARGN}) + install(CODE " + set(options --prefix=${CMAKE_INSTALL_PREFIX}) +- if(DEFINED ENV{DESTDIR}) +- if(EXISTS /etc/debian_version) +- list(APPEND options --install-layout=deb) +- endif() +- list(APPEND options +- --root=\$ENV{DESTDIR} +- --single-version-externally-managed) +- if(NOT \"${DU_INSTALL_SCRIPT}\" STREQUAL \"\") +- list(APPEND options --install-script=${DU_INSTALL_SCRIPT}) +- endif() +- endif() ++ list(APPEND options --root=${CMAKE_DESTDIR}) ++ list(APPEND options --install-lib=${PYTHON_SITEPACKAGES_DIR}) + execute_process( + COMMAND ${Python3_EXECUTABLE} + setup.py install \${options} +@@ -50,7 +41,7 @@ function(distutils_add_cython_module target name src) + # Note: no quotes, otherwise distutils will execute "/usr/bin/ccache gcc" + # CMake's implicit conversion between strings and lists is wonderful, isn't it? + string(REPLACE " " ";" cflags ${CMAKE_C_FLAGS}) +- list(APPEND cflags -iquote${CMAKE_SOURCE_DIR}/src/include -w) ++ list(APPEND cflags -iquote${CMAKE_SOURCE_DIR}/src/include -w --sysroot=${CMAKE_SYSROOT}) + # This little bit of magic wipes out __Pyx_check_single_interpreter() + # Note: this is reproduced in distutils_install_cython_module + list(APPEND cflags -D'void0=dead_function\(void\)') +@@ -108,14 +99,8 @@ function(distutils_install_cython_module name) + set(ENV{CEPH_LIBDIR} \"${CMAKE_LIBRARY_OUTPUT_DIRECTORY}\") + + set(options --prefix=${CMAKE_INSTALL_PREFIX}) +- if(DEFINED ENV{DESTDIR}) +- if(EXISTS /etc/debian_version) +- list(APPEND options --install-layout=deb) +- endif() +- list(APPEND options --root=\$ENV{DESTDIR}) +- else() +- list(APPEND options --root=/) +- endif() ++ list(APPEND options --root=${CMAKE_DESTDIR}) ++ list(APPEND options --install-lib=${PYTHON_SITEPACKAGES_DIR}) + execute_process( + COMMAND + ${Python3_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/setup.py +diff --git a/cmake/modules/FindRocksDB.cmake b/cmake/modules/FindRocksDB.cmake +index c5dd3dfaf6..be38597af2 100644 +--- a/cmake/modules/FindRocksDB.cmake ++++ b/cmake/modules/FindRocksDB.cmake +@@ -9,9 +9,9 @@ + # ROCKSDB_VERSION_MINOR + # ROCKSDB_VERSION_PATCH + +-find_path(ROCKSDB_INCLUDE_DIR rocksdb/db.h) ++find_path(ROCKSDB_INCLUDE_DIR rocksdb/db.h ${CMAKE_SYSROOT}) + +-find_library(ROCKSDB_LIBRARIES rocksdb) ++find_library(ROCKSDB_LIBRARIES rocksdb ${CMAKE_SYSROOT}) + + if(ROCKSDB_INCLUDE_DIR AND EXISTS "${ROCKSDB_INCLUDE_DIR}/rocksdb/version.h") + foreach(ver "MAJOR" "MINOR" "PATCH") +diff --git a/src/compressor/zstd/CMakeLists.txt b/src/compressor/zstd/CMakeLists.txt +index a5ebdaf538..a234068150 100644 +--- a/src/compressor/zstd/CMakeLists.txt ++++ b/src/compressor/zstd/CMakeLists.txt +@@ -9,7 +9,7 @@ ExternalProject_Add(zstd_ext + CMAKE_ARGS -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER} + -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER} + -DCMAKE_C_FLAGS=${ZSTD_C_FLAGS} +- -DCMAKE_AR=${CMAKE_AR} ++ -DCMAKE_SYSROOT=${CMAKE_SYSROOT} + -DCMAKE_POSITION_INDEPENDENT_CODE=${ENABLE_SHARED} + -G${CMAKE_GENERATOR} + BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR}/libzstd +diff --git a/src/pybind/cephfs/setup.py b/src/pybind/cephfs/setup.py +index 19ae6c329a..c9a25ccfff 100755 +--- a/src/pybind/cephfs/setup.py ++++ b/src/pybind/cephfs/setup.py +@@ -135,14 +135,6 @@ def check_sanity(): + finally: + shutil.rmtree(tmp_dir) + +- +-if 'BUILD_DOC' in os.environ.keys(): +- pass +-elif check_sanity(): +- pass +-else: +- sys.exit(1) +- + cmdclass = {} + try: + from Cython.Build import cythonize +diff --git a/src/pybind/rados/setup.py b/src/pybind/rados/setup.py +index e2c5696404..4e99d26721 100755 +--- a/src/pybind/rados/setup.py ++++ b/src/pybind/rados/setup.py +@@ -134,14 +134,6 @@ def check_sanity(): + finally: + shutil.rmtree(tmp_dir) + +- +-if 'BUILD_DOC' in os.environ.keys(): +- pass +-elif check_sanity(): +- pass +-else: +- sys.exit(1) +- + cmdclass = {} + try: + from Cython.Build import cythonize +diff --git a/src/pybind/rbd/setup.py b/src/pybind/rbd/setup.py +index 634484f140..f5bbbdab4f 100755 +--- a/src/pybind/rbd/setup.py ++++ b/src/pybind/rbd/setup.py +@@ -133,14 +133,6 @@ def check_sanity(): + finally: + shutil.rmtree(tmp_dir) + +- +-if 'BUILD_DOC' in os.environ.keys(): +- pass +-elif check_sanity(): +- pass +-else: +- sys.exit(1) +- + cmdclass = {} + try: + from Cython.Build import cythonize +diff --git a/src/pybind/rgw/setup.py b/src/pybind/rgw/setup.py +index eb1591a460..b9f2428cf9 100755 +--- a/src/pybind/rgw/setup.py ++++ b/src/pybind/rgw/setup.py +@@ -134,14 +134,6 @@ def check_sanity(): + finally: + shutil.rmtree(tmp_dir) + +- +-if 'BUILD_DOC' in os.environ.keys(): +- pass +-elif check_sanity(): +- pass +-else: +- sys.exit(1) +- + cmdclass = {} + try: + from Cython.Build import cythonize +-- +2.20.1 + diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-fix-host-library-paths-were-used.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-fix-host-library-paths-were-used.patch new file mode 100644 index 00000000..310bfa47 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-fix-host-library-paths-were-used.patch @@ -0,0 +1,96 @@ +From bbf1cba8feb0e43492a1f6a6b31d024117cad262 Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu.jia@windriver.com> +Date: Mon, 13 Apr 2020 23:35:41 -0700 +Subject: [PATCH] fix host library paths were used + +Test the existence of recipe-sysrooot, add it back if lost + +Upstream-Status: Inappropriate [oe specific] + +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + src/pybind/cephfs/setup.py | 6 +++++- + src/pybind/rados/setup.py | 6 +++++- + src/pybind/rbd/setup.py | 6 +++++- + src/pybind/rgw/setup.py | 6 +++++- + 4 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/src/pybind/cephfs/setup.py b/src/pybind/cephfs/setup.py +index c9a25ccf..972f936c 100755 +--- a/src/pybind/cephfs/setup.py ++++ b/src/pybind/cephfs/setup.py +@@ -63,9 +63,13 @@ def get_python_flags(libs): + distutils.sysconfig.get_config_vars('LIBS', 'SYSLIBS')), []) + compiler = new_compiler() + distutils.sysconfig.customize_compiler(compiler) ++ libpl = distutils.sysconfig.get_config_var('LIBPL') ++ sysroot = os.environ.get('STAGING_DIR_HOST') ++ if not libpl.startswith(sysroot): ++ libpl = sysroot + libpl + return dict( + include_dirs=[distutils.sysconfig.get_python_inc()], +- library_dirs=distutils.sysconfig.get_config_vars('LIBDIR', 'LIBPL'), ++ library_dirs=[distutils.sysconfig.get_config_var('LIBDIR'), libpl], + libraries=libs + [lib.replace('-l', '') for lib in py_libs], + extra_compile_args=filter_unsupported_flags( + compiler.compiler[0], +diff --git a/src/pybind/rados/setup.py b/src/pybind/rados/setup.py +index 4e99d267..de24f766 100755 +--- a/src/pybind/rados/setup.py ++++ b/src/pybind/rados/setup.py +@@ -66,9 +66,13 @@ def get_python_flags(libs): + distutils.sysconfig.get_config_vars('LIBS', 'SYSLIBS')), []) + compiler = new_compiler() + distutils.sysconfig.customize_compiler(compiler) ++ libpl = distutils.sysconfig.get_config_var('LIBPL') ++ sysroot = os.environ.get('STAGING_DIR_HOST') ++ if not libpl.startswith(sysroot): ++ libpl = sysroot + libpl + return dict( + include_dirs=[distutils.sysconfig.get_python_inc()], +- library_dirs=distutils.sysconfig.get_config_vars('LIBDIR', 'LIBPL'), ++ library_dirs=[distutils.sysconfig.get_config_var('LIBDIR'), libpl], + libraries=libs + [lib.replace('-l', '') for lib in py_libs], + extra_compile_args=filter_unsupported_flags( + compiler.compiler[0], +diff --git a/src/pybind/rbd/setup.py b/src/pybind/rbd/setup.py +index f5bbbdab..a1f70e1d 100755 +--- a/src/pybind/rbd/setup.py ++++ b/src/pybind/rbd/setup.py +@@ -63,9 +63,13 @@ def get_python_flags(libs): + distutils.sysconfig.get_config_vars('LIBS', 'SYSLIBS')), []) + compiler = new_compiler() + distutils.sysconfig.customize_compiler(compiler) ++ libpl = distutils.sysconfig.get_config_var('LIBPL') ++ sysroot = os.environ.get('STAGING_DIR_HOST') ++ if not libpl.startswith(sysroot): ++ libpl = sysroot + libpl + return dict( + include_dirs=[distutils.sysconfig.get_python_inc()], +- library_dirs=distutils.sysconfig.get_config_vars('LIBDIR', 'LIBPL'), ++ library_dirs=[distutils.sysconfig.get_config_var('LIBDIR'), libpl], + libraries=libs + [lib.replace('-l', '') for lib in py_libs], + extra_compile_args=filter_unsupported_flags( + compiler.compiler[0], +diff --git a/src/pybind/rgw/setup.py b/src/pybind/rgw/setup.py +index b9f2428c..f5119f73 100755 +--- a/src/pybind/rgw/setup.py ++++ b/src/pybind/rgw/setup.py +@@ -64,9 +64,13 @@ def get_python_flags(libs): + distutils.sysconfig.get_config_vars('LIBS', 'SYSLIBS')), []) + compiler = new_compiler() + distutils.sysconfig.customize_compiler(compiler) ++ libpl = distutils.sysconfig.get_config_var('LIBPL') ++ sysroot = os.environ.get('STAGING_DIR_HOST') ++ if not libpl.startswith(sysroot): ++ libpl = sysroot + libpl + return dict( + include_dirs=[distutils.sysconfig.get_python_inc()], +- library_dirs=distutils.sysconfig.get_config_vars('LIBDIR', 'LIBPL'), ++ library_dirs=[distutils.sysconfig.get_config_var('LIBDIR'), libpl], + libraries=libs + [lib.replace('-l', '') for lib in py_libs], + extra_compile_args=filter_unsupported_flags( + compiler.compiler[0], +-- +2.21.0 + diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch new file mode 100644 index 00000000..de191bf8 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch @@ -0,0 +1,100 @@ +From de67c1dab5597c91538970421b25f6ec667af492 Mon Sep 17 00:00:00 2001 +From: Josh Durgin <jdurgin@redhat.com> +Date: Mon, 4 May 2020 17:03:35 -0400 +Subject: [PATCH 1/3] mgr: require all caps for pre-octopus tell commands + +This matches the requirements for admin socket commands +sent via tell elsewhere. + +Signed-off-by: Josh Durgin <jdurgin@redhat.com> + +Upstream-status: Backport +[https://github.com/ceph/ceph/commit/347003e13167c428187a5450517850f4d85e09ad] + +Signed-off-by: Liu Haitao <haitao.liu@windriver.com> +--- + src/mgr/DaemonServer.cc | 37 ++++++++++++++++++++++--------------- + 1 file changed, 22 insertions(+), 15 deletions(-) + +diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc +index becd428a..527326e3 100644 +--- a/src/mgr/DaemonServer.cc ++++ b/src/mgr/DaemonServer.cc +@@ -808,20 +808,12 @@ public: + bool DaemonServer::handle_command(const ref_t<MCommand>& m) + { + std::lock_guard l(lock); +- // a blank fsid in MCommand signals a legacy client sending a "mon-mgr" CLI +- // command. +- if (m->fsid != uuid_d()) { +- cct->get_admin_socket()->queue_tell_command(m); ++ auto cmdctx = std::make_shared<CommandContext>(m); ++ try { ++ return _handle_command(cmdctx); ++ } catch (const bad_cmd_get& e) { ++ cmdctx->reply(-EINVAL, e.what()); + return true; +- } else { +- // legacy client; send to CLI processing +- auto cmdctx = std::make_shared<CommandContext>(m); +- try { +- return _handle_command(cmdctx); +- } catch (const bad_cmd_get& e) { +- cmdctx->reply(-EINVAL, e.what()); +- return true; +- } + } + } + +@@ -853,8 +845,12 @@ bool DaemonServer::_handle_command( + std::shared_ptr<CommandContext>& cmdctx) + { + MessageRef m; ++ bool admin_socket_cmd = false; + if (cmdctx->m_tell) { + m = cmdctx->m_tell; ++ // a blank fsid in MCommand signals a legacy client sending a "mon-mgr" CLI ++ // command. ++ admin_socket_cmd = (cmdctx->m_tell->fsid != uuid_d()); + } else { + m = cmdctx->m_mgr; + } +@@ -888,7 +884,10 @@ bool DaemonServer::_handle_command( + + dout(10) << "decoded-size=" << cmdctx->cmdmap.size() << " prefix=" << prefix << dendl; + +- if (prefix == "get_command_descriptions") { ++ // this is just for mgr commands - admin socket commands will fall ++ // through and use the admin socket version of ++ // get_command_descriptions ++ if (prefix == "get_command_descriptions" && !admin_socket_cmd) { + dout(10) << "reading commands from python modules" << dendl; + const auto py_commands = py_modules.get_commands(); + +@@ -925,7 +924,10 @@ bool DaemonServer::_handle_command( + + bool is_allowed = false; + ModuleCommand py_command; +- if (!mgr_cmd) { ++ if (admin_socket_cmd) { ++ // admin socket commands require all capabilities ++ is_allowed = session->caps.is_allow_all(); ++ } else if (!mgr_cmd) { + // Resolve the command to the name of the module that will + // handle it (if the command exists) + auto py_commands = py_modules.get_py_commands(); +@@ -958,6 +960,11 @@ bool DaemonServer::_handle_command( + << "entity='" << session->entity_name << "' " + << "cmd=" << cmdctx->cmd << ": dispatch"; + ++ if (admin_socket_cmd) { ++ cct->get_admin_socket()->queue_tell_command(cmdctx->m_tell); ++ return true; ++ } ++ + // ---------------- + // service map commands + if (prefix == "service dump") { +-- +2.25.1 + diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-msg-async-ProtocolV2-avoid-AES-GCM-nonce-reuse-vulne.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-msg-async-ProtocolV2-avoid-AES-GCM-nonce-reuse-vulne.patch new file mode 100644 index 00000000..54156698 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-msg-async-ProtocolV2-avoid-AES-GCM-nonce-reuse-vulne.patch @@ -0,0 +1,256 @@ +From 20b7bb685c5ea74c651ca1ea547ac66b0fee7035 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov <idryomov@gmail.com> +Date: Fri, 6 Mar 2020 20:16:45 +0100 +Subject: [PATCH] msg/async/ProtocolV2: avoid AES-GCM nonce reuse + vulnerabilities + +The secure mode uses AES-128-GCM with 96-bit nonces consisting of a +32-bit counter followed by a 64-bit salt. The counter is incremented +after processing each frame, the salt is fixed for the duration of +the session. Both are initialized from the session key generated +during session negotiation, so the counter starts with essentially +a random value. It is allowed to wrap, and, after 2**32 frames, it +repeats, resulting in nonce reuse (the actual sequence numbers that +the messenger works with are 64-bit, so the session continues on). + +Because of how GCM works, this completely breaks both confidentiality +and integrity aspects of the secure mode. A single nonce reuse reveals +the XOR of two plaintexts and almost completely reveals the subkey +used for producing authentication tags. After a few nonces get used +twice, all confidentiality and integrity goes out the window and the +attacker can potentially encrypt-authenticate plaintext of their +choice. + +We can't easily change the nonce format to extend the counter to +64 bits (and possibly XOR it with a longer salt). Instead, just +remember the initial nonce and cut the session before it repeats, +forcing renegotiation. + +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Reviewed-by: Radoslaw Zarzynski <rzarzyns@redhat.com> +Reviewed-by: Sage Weil <sage@redhat.com> + +Conflicts: + src/msg/async/ProtocolV2.h [ context: commit ed3ec4c01d17 + ("msg: Build target 'common' without using namespace in + headers") not in octopus ] + +CVE: CVE-2020-1759 +Upstream Status: Backport [20b7bb685c5ea74c651ca1ea547ac66b0fee7035] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/msg/async/ProtocolV2.cc | 62 ++++++++++++++++++++++++---------- + src/msg/async/ProtocolV2.h | 5 +-- + src/msg/async/crypto_onwire.cc | 17 ++++++++-- + src/msg/async/crypto_onwire.h | 5 +++ + 4 files changed, 67 insertions(+), 22 deletions(-) + +diff --git a/src/msg/async/ProtocolV2.cc b/src/msg/async/ProtocolV2.cc +index 8fc02db6e5..c69f2ccf79 100644 +--- a/src/msg/async/ProtocolV2.cc ++++ b/src/msg/async/ProtocolV2.cc +@@ -533,7 +533,10 @@ ssize_t ProtocolV2::write_message(Message *m, bool more) { + m->get_payload(), + m->get_middle(), + m->get_data()); +- connection->outgoing_bl.append(message.get_buffer(session_stream_handlers)); ++ if (!append_frame(message)) { ++ m->put(); ++ return -EILSEQ; ++ } + + ldout(cct, 5) << __func__ << " sending message m=" << m + << " seq=" << m->get_seq() << " " << *m << dendl; +@@ -566,15 +569,17 @@ ssize_t ProtocolV2::write_message(Message *m, bool more) { + return rc; + } + +-void ProtocolV2::append_keepalive() { +- ldout(cct, 10) << __func__ << dendl; +- auto keepalive_frame = KeepAliveFrame::Encode(); +- connection->outgoing_bl.append(keepalive_frame.get_buffer(session_stream_handlers)); +-} +- +-void ProtocolV2::append_keepalive_ack(utime_t ×tamp) { +- auto keepalive_ack_frame = KeepAliveFrameAck::Encode(timestamp); +- connection->outgoing_bl.append(keepalive_ack_frame.get_buffer(session_stream_handlers)); ++template <class F> ++bool ProtocolV2::append_frame(F& frame) { ++ ceph::bufferlist bl; ++ try { ++ bl = frame.get_buffer(session_stream_handlers); ++ } catch (ceph::crypto::onwire::TxHandlerError &e) { ++ ldout(cct, 1) << __func__ << " " << e.what() << dendl; ++ return false; ++ } ++ connection->outgoing_bl.append(bl); ++ return true; + } + + void ProtocolV2::handle_message_ack(uint64_t seq) { +@@ -612,7 +617,15 @@ void ProtocolV2::write_event() { + connection->write_lock.lock(); + if (can_write) { + if (keepalive) { +- append_keepalive(); ++ ldout(cct, 10) << __func__ << " appending keepalive" << dendl; ++ auto keepalive_frame = KeepAliveFrame::Encode(); ++ if (!append_frame(keepalive_frame)) { ++ connection->write_lock.unlock(); ++ connection->lock.lock(); ++ fault(); ++ connection->lock.unlock(); ++ return; ++ } + keepalive = false; + } + +@@ -663,13 +676,16 @@ void ProtocolV2::write_event() { + if (r == 0) { + uint64_t left = ack_left; + if (left) { +- auto ack = AckFrame::Encode(in_seq); +- connection->outgoing_bl.append(ack.get_buffer(session_stream_handlers)); + ldout(cct, 10) << __func__ << " try send msg ack, acked " << left + << " messages" << dendl; +- ack_left -= left; +- left = ack_left; +- r = connection->_try_send(left); ++ auto ack_frame = AckFrame::Encode(in_seq); ++ if (append_frame(ack_frame)) { ++ ack_left -= left; ++ left = ack_left; ++ r = connection->_try_send(left); ++ } else { ++ r = -EILSEQ; ++ } + } else if (is_queued()) { + r = connection->_try_send(); + } +@@ -769,7 +785,13 @@ template <class F> + CtPtr ProtocolV2::write(const std::string &desc, + CONTINUATION_TYPE<ProtocolV2> &next, + F &frame) { +- ceph::bufferlist bl = frame.get_buffer(session_stream_handlers); ++ ceph::bufferlist bl; ++ try { ++ bl = frame.get_buffer(session_stream_handlers); ++ } catch (ceph::crypto::onwire::TxHandlerError &e) { ++ ldout(cct, 1) << __func__ << " " << e.what() << dendl; ++ return _fault(); ++ } + return write(desc, next, bl); + } + +@@ -1672,7 +1694,11 @@ CtPtr ProtocolV2::handle_keepalive2(ceph::bufferlist &payload) + ldout(cct, 30) << __func__ << " got KEEPALIVE2 tag ..." << dendl; + + connection->write_lock.lock(); +- append_keepalive_ack(keepalive_frame.timestamp()); ++ auto keepalive_ack_frame = KeepAliveFrameAck::Encode(keepalive_frame.timestamp()); ++ if (!append_frame(keepalive_ack_frame)) { ++ connection->write_lock.unlock(); ++ return _fault(); ++ } + connection->write_lock.unlock(); + + ldout(cct, 20) << __func__ << " got KEEPALIVE2 " +diff --git a/src/msg/async/ProtocolV2.h b/src/msg/async/ProtocolV2.h +index 2dbe647ae5..9897d18cf2 100644 +--- a/src/msg/async/ProtocolV2.h ++++ b/src/msg/async/ProtocolV2.h +@@ -129,6 +129,9 @@ private: + CONTINUATION_TYPE<ProtocolV2> &next, + bufferlist &buffer); + ++ template <class F> ++ bool append_frame(F& frame); ++ + void requeue_sent(); + uint64_t discard_requeued_up_to(uint64_t out_seq, uint64_t seq); + void reset_recv_state(); +@@ -140,8 +143,6 @@ private: + void prepare_send_message(uint64_t features, Message *m); + out_queue_entry_t _get_next_outgoing(); + ssize_t write_message(Message *m, bool more); +- void append_keepalive(); +- void append_keepalive_ack(utime_t ×tamp); + void handle_message_ack(uint64_t seq); + + CONTINUATION_DECL(ProtocolV2, _wait_for_peer_banner); +diff --git a/src/msg/async/crypto_onwire.cc b/src/msg/async/crypto_onwire.cc +index acf3f66689..07e7fe6553 100644 +--- a/src/msg/async/crypto_onwire.cc ++++ b/src/msg/async/crypto_onwire.cc +@@ -22,6 +22,10 @@ static constexpr const std::size_t AESGCM_BLOCK_LEN{16}; + struct nonce_t { + std::uint32_t random_seq; + std::uint64_t random_rest; ++ ++ bool operator==(const nonce_t& rhs) const { ++ return !memcmp(this, &rhs, sizeof(*this)); ++ } + } __attribute__((packed)); + static_assert(sizeof(nonce_t) == AESGCM_IV_LEN); + +@@ -35,7 +39,8 @@ class AES128GCM_OnWireTxHandler : public ceph::crypto::onwire::TxHandler { + CephContext* const cct; + std::unique_ptr<EVP_CIPHER_CTX, decltype(&::EVP_CIPHER_CTX_free)> ectx; + ceph::bufferlist buffer; +- nonce_t nonce; ++ nonce_t nonce, initial_nonce; ++ bool used_initial_nonce; + static_assert(sizeof(nonce) == AESGCM_IV_LEN); + + public: +@@ -44,7 +49,7 @@ public: + const nonce_t& nonce) + : cct(cct), + ectx(EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free), +- nonce(nonce) { ++ nonce(nonce), initial_nonce(nonce), used_initial_nonce(false) { + ceph_assert_always(ectx); + ceph_assert_always(key.size() * CHAR_BIT == 128); + +@@ -61,6 +66,7 @@ public: + + ~AES128GCM_OnWireTxHandler() override { + ::ceph::crypto::zeroize_for_security(&nonce, sizeof(nonce)); ++ ::ceph::crypto::zeroize_for_security(&initial_nonce, sizeof(initial_nonce)); + } + + std::uint32_t calculate_segment_size(std::uint32_t size) override +@@ -78,6 +84,13 @@ public: + void AES128GCM_OnWireTxHandler::reset_tx_handler( + std::initializer_list<std::uint32_t> update_size_sequence) + { ++ if (nonce == initial_nonce) { ++ if (used_initial_nonce) { ++ throw ceph::crypto::onwire::TxHandlerError("out of nonces"); ++ } ++ used_initial_nonce = true; ++ } ++ + if(1 != EVP_EncryptInit_ex(ectx.get(), nullptr, nullptr, nullptr, + reinterpret_cast<const unsigned char*>(&nonce))) { + throw std::runtime_error("EVP_EncryptInit_ex failed"); +diff --git a/src/msg/async/crypto_onwire.h b/src/msg/async/crypto_onwire.h +index bd682e8c71..0c544f205a 100644 +--- a/src/msg/async/crypto_onwire.h ++++ b/src/msg/async/crypto_onwire.h +@@ -45,6 +45,11 @@ struct MsgAuthError : public std::runtime_error { + } + }; + ++struct TxHandlerError : public std::runtime_error { ++ TxHandlerError(const char* what) ++ : std::runtime_error(std::string("tx handler error: ") + what) {} ++}; ++ + struct TxHandler { + virtual ~TxHandler() = default; + +-- +2.20.1 + diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-msg-async-crypto_onwire-fix-endianness-of-nonce_t.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-msg-async-crypto_onwire-fix-endianness-of-nonce_t.patch new file mode 100644 index 00000000..ad8a2055 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-msg-async-crypto_onwire-fix-endianness-of-nonce_t.patch @@ -0,0 +1,61 @@ +From dfd1d81cec62e21e21696dc87d4db5f920e51a67 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov <idryomov@gmail.com> +Date: Fri, 6 Mar 2020 20:16:45 +0100 +Subject: [PATCH] msg/async/crypto_onwire: fix endianness of nonce_t + +As a AES-GCM IV, nonce_t is implicitly shared between server and +client. Currently, if their endianness doesn't match, they are unable +to communicate in secure mode because each gets its own idea of what +the next nonce should be after the counter is incremented. + +Several RFCs state that the nonce counter should be BE, but since we +use LE for everything on-disk and on-wire, make it LE. + +Signed-off-by: Ilya Dryomov <idryomov@gmail.com> +Reviewed-by: Radoslaw Zarzynski <rzarzyns@redhat.com> +Reviewed-by: Sage Weil <sage@redhat.com> + +CVE: CVE-2020-1759 +Upstream Status: Backport [dfd1d81cec62e21e21696dc87d4db5f920e51a67] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/msg/async/crypto_onwire.cc | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/msg/async/crypto_onwire.cc b/src/msg/async/crypto_onwire.cc +index 07e7fe6553..c39632cbd6 100644 +--- a/src/msg/async/crypto_onwire.cc ++++ b/src/msg/async/crypto_onwire.cc +@@ -20,8 +20,8 @@ static constexpr const std::size_t AESGCM_TAG_LEN{16}; + static constexpr const std::size_t AESGCM_BLOCK_LEN{16}; + + struct nonce_t { +- std::uint32_t random_seq; +- std::uint64_t random_rest; ++ ceph_le32 random_seq; ++ ceph_le64 random_rest; + + bool operator==(const nonce_t& rhs) const { + return !memcmp(this, &rhs, sizeof(*this)); +@@ -99,7 +99,7 @@ void AES128GCM_OnWireTxHandler::reset_tx_handler( + buffer.reserve(std::accumulate(std::begin(update_size_sequence), + std::end(update_size_sequence), AESGCM_TAG_LEN)); + +- ++nonce.random_seq; ++ nonce.random_seq = nonce.random_seq + 1; + } + + void AES128GCM_OnWireTxHandler::authenticated_encrypt_update( +@@ -204,7 +204,7 @@ void AES128GCM_OnWireRxHandler::reset_rx_handler() + reinterpret_cast<const unsigned char*>(&nonce))) { + throw std::runtime_error("EVP_DecryptInit_ex failed"); + } +- ++nonce.random_seq; ++ nonce.random_seq = nonce.random_seq + 1; + } + + ceph::bufferlist AES128GCM_OnWireRxHandler::authenticated_decrypt_update( +-- +2.20.1 + diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch new file mode 100644 index 00000000..30906d7c --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch @@ -0,0 +1,33 @@ +From 92da834cababc4dddd5dbbab5837310478d1e6d4 Mon Sep 17 00:00:00 2001 +From: Abhishek Lekshmanan <abhishek@suse.com> +Date: Fri, 27 Mar 2020 19:29:01 +0100 +Subject: [PATCH] rgw: EPERM to ERR_INVALID_REQUEST + +As per Robin's comments and S3 spec + +Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com> + +CVE: CVE-2020-1760 +Upstream Status: Backport [92da834cababc4dddd5dbbab5837310478d1e6d4] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/rgw/rgw_rest_s3.cc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc +index 1bfc8312de..f13ae23dd6 100644 +--- a/src/rgw/rgw_rest_s3.cc ++++ b/src/rgw/rgw_rest_s3.cc +@@ -301,7 +301,7 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, + /* reject unauthenticated response header manipulation, see + * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */ + if (s->auth.identity->is_anonymous()) { +- return -EPERM; ++ return -ERR_INVALID_REQUEST; + } + if (strcmp(p->param, "response-content-type") != 0) { + response_attrs[p->http_attr] = val; +-- +2.20.1 + diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-rgw-reject-control-characters-in-response-header-act.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-rgw-reject-control-characters-in-response-header-act.patch new file mode 100644 index 00000000..af0fc79a --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-rgw-reject-control-characters-in-response-header-act.patch @@ -0,0 +1,64 @@ +From be7679007c3dfab3e19c22c38c36ccac91828e3b Mon Sep 17 00:00:00 2001 +From: "Robin H. Johnson" <rjohnson@digitalocean.com> +Date: Fri, 27 Mar 2020 20:48:13 +0100 +Subject: [PATCH] rgw: reject control characters in response-header actions + +S3 GetObject permits overriding response header values, but those inputs +need to be validated to insure only characters that are valid in an HTTP +header value are present. + +Credit: Initial vulnerability discovery by William Bowling (@wcbowling) +Credit: Further vulnerability discovery by Robin H. Johnson <rjohnson@digitalocean.com> +Signed-off-by: Robin H. Johnson <rjohnson@digitalocean.com> + +CVE: CVE-2020-1760 +Upstream Status: Backport [be7679007c3dfab3e19c22c38c36ccac91828e3b] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/rgw/rgw_rest_s3.cc | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc +index f13ae23dd6..0de040968c 100644 +--- a/src/rgw/rgw_rest_s3.cc ++++ b/src/rgw/rgw_rest_s3.cc +@@ -189,6 +189,15 @@ int decode_attr_bl_single_value(map<string, bufferlist>& attrs, const char *attr + return 0; + } + ++inline bool str_has_cntrl(const std::string s) { ++ return std::any_of(s.begin(), s.end(), ::iscntrl); ++} ++ ++inline bool str_has_cntrl(const char* s) { ++ std::string _s(s); ++ return str_has_cntrl(_s); ++} ++ + int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, + off_t bl_len) + { +@@ -303,6 +312,19 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, + if (s->auth.identity->is_anonymous()) { + return -ERR_INVALID_REQUEST; + } ++ /* HTTP specification says no control characters should be present in ++ * header values: https://tools.ietf.org/html/rfc7230#section-3.2 ++ * field-vchar = VCHAR / obs-text ++ * ++ * Failure to validate this permits a CRLF injection in HTTP headers, ++ * whereas S3 GetObject only permits specific headers. ++ */ ++ if(str_has_cntrl(val)) { ++ /* TODO: return a more distinct error in future; ++ * stating what the problem is */ ++ return -ERR_INVALID_REQUEST; ++ } ++ + if (strcmp(p->param, "response-content-type") != 0) { + response_attrs[p->http_attr] = val; + } else { +-- +2.20.1 + diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-rgw-reject-unauthenticated-response-header-actions.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-rgw-reject-unauthenticated-response-header-actions.patch new file mode 100644 index 00000000..ae241473 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-rgw-reject-unauthenticated-response-header-actions.patch @@ -0,0 +1,36 @@ +From 8f90658c731499722d5f4393c8ad70b971d05f77 Mon Sep 17 00:00:00 2001 +From: Matt Benjamin <mbenjamin@redhat.com> +Date: Fri, 27 Mar 2020 18:13:48 +0100 +Subject: [PATCH] rgw: reject unauthenticated response-header actions + +Signed-off-by: Matt Benjamin <mbenjamin@redhat.com> +Reviewed-by: Casey Bodley <cbodley@redhat.com> +(cherry picked from commit d8dd5e513c0c62bbd7d3044d7e2eddcd897bd400) + +CVE: CVE-2020-1760 +Upstream Status: Backport [8f90658c731499722d5f4393c8ad70b971d05f77] + +Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> +--- + src/rgw/rgw_rest_s3.cc | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc +index 532d738b58..1bfc8312de 100644 +--- a/src/rgw/rgw_rest_s3.cc ++++ b/src/rgw/rgw_rest_s3.cc +@@ -298,6 +298,11 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, + bool exists; + string val = s->info.args.get(p->param, &exists); + if (exists) { ++ /* reject unauthenticated response header manipulation, see ++ * https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html */ ++ if (s->auth.identity->is_anonymous()) { ++ return -EPERM; ++ } + if (strcmp(p->param, "response-content-type") != 0) { + response_attrs[p->http_attr] = val; + } else { +-- +2.20.1 + diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-zstd-fix-error-for-cross-compile.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0001-zstd-fix-error-for-cross-compile.patch deleted file mode 100644 index 66b5f0a5..00000000 --- a/external/meta-virtualization/recipes-extended/ceph/ceph/0001-zstd-fix-error-for-cross-compile.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 3e86b6d9db2682b123839e38e9bf45060e2bb2ab Mon Sep 17 00:00:00 2001 -From: Dengke Du <dengke.du@windriver.com> -Date: Wed, 29 Aug 2018 16:57:52 +0800 -Subject: [PATCH] zstd: fix error for cross compile - -Signed-off-by: Dengke Du <dengke.du@windriver.com> ---- - src/compressor/zstd/CMakeLists.txt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/compressor/zstd/CMakeLists.txt b/src/compressor/zstd/CMakeLists.txt -index e30cb89..b298a3d 100644 ---- a/src/compressor/zstd/CMakeLists.txt -+++ b/src/compressor/zstd/CMakeLists.txt -@@ -9,7 +9,7 @@ ExternalProject_Add(zstd_ext - CMAKE_ARGS -DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER} - -DCMAKE_C_COMPILER=${CMAKE_C_COMPILER} - -DCMAKE_C_FLAGS=${ZSTD_C_FLAGS} -- -DCMAKE_AR=${CMAKE_AR} -+ -DCMAKE_SYSROOT=${CMAKE_SYSROOT} - BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR}/libzstd - BUILD_COMMAND $(MAKE) libzstd_static - INSTALL_COMMAND "true") --- -2.7.4 - diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch new file mode 100644 index 00000000..79f2174b --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch @@ -0,0 +1,95 @@ +From ddbac9b2779172876ebd2d26b68b04b02350a125 Mon Sep 17 00:00:00 2001 +From: Josh Durgin <jdurgin@redhat.com> +Date: Thu, 23 Apr 2020 00:22:10 -0400 +Subject: [PATCH 2/3] mon: enforce caps for pre-octopus client tell commands + +This affects only the commands whitelisted here - in particular +injectargs requires write access to the monitors. + +Signed-off-by: Josh Durgin <jdurgin@redhat.com> + +Upstream-status: Backport +[https://github.com/ceph/ceph/commit/fc5e56b75a97c4652c87e9959aad1c4dec45010d] + +Signed-off-by: Liu Haitao <haitao.liu@windriver.com> +--- + src/mon/Monitor.cc | 56 +++++++++++++++++++++++----------------------- + 1 file changed, 28 insertions(+), 28 deletions(-) + +diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc +index b7cb3eae..eecd2f68 100644 +--- a/src/mon/Monitor.cc ++++ b/src/mon/Monitor.cc +@@ -3226,34 +3226,6 @@ void Monitor::handle_command(MonOpRequestRef op) + return; + } + +- // compat kludge for legacy clients trying to tell commands that are +- // new. see bottom of MonCommands.h. we need to handle both (1) +- // pre-octopus clients and (2) octopus clients with a mix of pre-octopus +- // and octopus mons. +- if ((!HAVE_FEATURE(m->get_connection()->get_features(), SERVER_OCTOPUS) || +- monmap->min_mon_release < ceph_release_t::octopus) && +- (prefix == "injectargs" || +- prefix == "smart" || +- prefix == "mon_status" || +- prefix == "heap")) { +- if (m->get_connection()->get_messenger() == 0) { +- // Prior to octopus, monitors might forward these messages +- // around. that was broken at baseline, and if we try to process +- // this message now, it will assert out when we try to send a +- // message in reply from the asok/tell worker (see +- // AnonConnection). Just reply with an error. +- dout(5) << __func__ << " failing forwarded command from a (presumably) " +- << "pre-octopus peer" << dendl; +- reply_command( +- op, -EBUSY, +- "failing forwarded tell command in mixed-version mon cluster", 0); +- return; +- } +- dout(5) << __func__ << " passing command to tell/asok" << dendl; +- cct->get_admin_socket()->queue_tell_command(m); +- return; +- } +- + string module; + string err; + +@@ -3368,6 +3340,34 @@ void Monitor::handle_command(MonOpRequestRef op) + << "entity='" << session->entity_name << "' " + << "cmd=" << m->cmd << ": dispatch"; + ++ // compat kludge for legacy clients trying to tell commands that are ++ // new. see bottom of MonCommands.h. we need to handle both (1) ++ // pre-octopus clients and (2) octopus clients with a mix of pre-octopus ++ // and octopus mons. ++ if ((!HAVE_FEATURE(m->get_connection()->get_features(), SERVER_OCTOPUS) || ++ monmap->min_mon_release < ceph_release_t::octopus) && ++ (prefix == "injectargs" || ++ prefix == "smart" || ++ prefix == "mon_status" || ++ prefix == "heap")) { ++ if (m->get_connection()->get_messenger() == 0) { ++ // Prior to octopus, monitors might forward these messages ++ // around. that was broken at baseline, and if we try to process ++ // this message now, it will assert out when we try to send a ++ // message in reply from the asok/tell worker (see ++ // AnonConnection). Just reply with an error. ++ dout(5) << __func__ << " failing forwarded command from a (presumably) " ++ << "pre-octopus peer" << dendl; ++ reply_command( ++ op, -EBUSY, ++ "failing forwarded tell command in mixed-version mon cluster", 0); ++ return; ++ } ++ dout(5) << __func__ << " passing command to tell/asok" << dendl; ++ cct->get_admin_socket()->queue_tell_command(m); ++ return; ++ } ++ + if (mon_cmd->is_mgr()) { + const auto& hdr = m->get_header(); + uint64_t size = hdr.front_len + hdr.middle_len + hdr.data_len; +-- +2.25.1 + diff --git a/external/meta-virtualization/recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch b/external/meta-virtualization/recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch new file mode 100644 index 00000000..ed2a63e7 --- /dev/null +++ b/external/meta-virtualization/recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch @@ -0,0 +1,31 @@ +From 56800925651857821034ac9c8ec82d45635cc3b8 Mon Sep 17 00:00:00 2001 +From: Josh Durgin <jdurgin@redhat.com> +Date: Wed, 13 May 2020 21:34:56 -0700 +Subject: [PATCH 3/3] PendingReleaseNotes: note about security fix + +Signed-off-by: Josh Durgin <jdurgin@redhat.com> + +Upstream-status: Backport +[https://github.com/ceph/ceph/commit/06f239fc35f35865d2cf92dda1ac8f4d5fe82bde] + +Signed-off-by: Liu Haitao <haitao.liu@windriver.com> +--- + PendingReleaseNotes | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/PendingReleaseNotes b/PendingReleaseNotes +index c9fd4c79..6e07ce6d 100644 +--- a/PendingReleaseNotes ++++ b/PendingReleaseNotes +@@ -1,6 +1,8 @@ + >=15.0.0 + -------- + ++* CVE-2020-10736: Fixes an authorization bypass in monitor and manager daemons ++ + * The RGW "num_rados_handles" has been removed. + * If you were using a value of "num_rados_handles" greater than 1 + multiply your current "objecter_inflight_ops" and +-- +2.25.1 + |