[MIR][FFE] glusterfs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
glusterfs (Ubuntu) | Fix Released | Critical | Unassigned | ubuntu-22.04-feature-freeze
Bug Description
Old MIR is bug #1274247
(launchpad will definitely wrap these lines and break the formatting: if you want, I can post this content elsewhere, like a git repo)
[Availability]
The package glusterfs is already in Ubuntu universe.
The package glusterfs builds for the architectures it is designed to work on.
It currently builds and works for the architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https:/
[Rationale]
The package glusterfs is required in Ubuntu main for:
- The package glusterfs will generally be useful for a large part of
our user base
- Additionally new use-cases enabled by this are:
- samba clustering support (we carry a packaging delta to disable it in Ubuntu)
- qemu native glusterfs support (bug #1246924)
[Security]
For the security review, consider the points raised last time this was done, in 2014, when the first MIR was rejected:
https:/
cppcheck issues were fixed:
https:/
https:/
There are some strncat warnings during build, like these:
In file included from /usr/include/
In function ‘strncat’,
inlined from ‘trash_
/usr/include/
135 | return __builtin_
| ^~~~~~~
136 | __glibc_objsize (__dest));
| ~~~~~~~
and
In file included from /usr/include/
In function ‘strncat’,
inlined from ‘glusterd_
/usr/include/
135 | return __builtin_
| ^~~~~~~
136 | __glibc_objsize (__dest));
| ~~~~~~~
- http://
Plenty of vulnerabilities, but the most recent affected version is 4.1.4. Bionic ships 3.13.2, and focal already has 7.2. Jammy is on 10.0 (proposed).
- site:www.
Previously mentioned CVEs
No hits more recent than 2018. One from 2020, but about kube-controller
- https:/
Plenty of CVEs, but note that from Focal onwards we are not affected
- https:/
Unclear if this is used. The advisories tab is empty.
In general, it looks like there was a good shift towards a more secure product compared to older versions, at least in terms of CVEs and advisories.
- no `suid` or `sgid` binaries
- plenty of executables in `/sbin` and `/usr/sbin`
- Package installs services:
-rw-r--r-- 1 root root 604 Nov 25 13:38 /lib/systemd/
-rw-r--r-- 1 root root 416 Nov 25 13:38 /lib/systemd/
glusterd runs as root and opens port 24007/tcp:
root 650 0.0 0.8 463484 16948 ? SLsl 13:07 0:00 /usr/sbin/glusterd -p /var/run/
glusterfsd runs as root, and has port 51886/tcp open in the port list further below, but there is no dedicated service file for it: it is spawned on demand by glusterd (one process per brick):
root 879 0.0 0.9 678344 18976 ? SLsl 13:07 0:00 /usr/sbin/
glusterfs runs as root.
On the server:
root 890 0.0 0.6 597576 13564 ? SLsl 13:07 0:00 /usr/sbin/glusterfs -s localhost --volfile-id shd/gv0 -p /var/run/
On a client with a volume mounted:
root 47453 0.0 0.9 649100 18400 ? SLsl 12:58 0:00 /usr/sbin/glusterfs --process-name fuse --volfile-
- Package does not open privileged ports (ports < 1024)
On a server peered with two other servers, and one connected client:
$ sudo netstat -anp|grep gluster|grep -v ^unix
tcp 0 0 0.0.0.0:24007 0.0.0.0:* LISTEN 650/glusterd
tcp 0 0 0.0.0.0:51886 0.0.0.0:* LISTEN 879/glusterfsd
tcp 0 0 192.168.
tcp 0 0 192.168.
tcp 0 0 192.168.
tcp 0 0 192.168.
tcp 0 0 127.0.0.1:24007 127.0.0.1:49148 ESTABLISHED 650/glusterd
tcp 0 0 192.168.
tcp 0 0 127.0.0.1:49148 127.0.0.1:24007 ESTABLISHED 890/glusterfs
tcp 0 0 192.168.
tcp 0 0 192.168.
tcp 0 0 192.168.
tcp 0 0 192.168.
tcp 0 0 192.168.
tcp 0 0 192.168.
tcp 0 0 192.168.
tcp 0 0 192.168.
There are no listening ports on a client, just the ones opened by the connection(s) established to the server.
- Package does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
This is a networked filesystem, I'd say it's security sensitive.
There are integration points with other packages, like samba (https:/
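The "no suid/sgid binaries" and "no privileged ports" checks above as a small reusable script. This is an added example, not part of the MIR text or of the glusterfs package: the function names are mine, and the sample netstat lines are constructed after the listing above (the rpcbind line on port 111 is made up so that the privileged-port check has something to flag).

```shell
#!/bin/sh
# Added example (not from the MIR or the glusterfs project): the MIR security
# checks as functions that read their input from stdin or a directory, so they
# can be run live (sudo netstat -anp | privileged_listeners) or against saved
# output.  All names and sample data below are constructed.

# privileged_listeners: read `netstat -anp` style lines on stdin and print the
# TCP listeners on ports below 1024.  Exit status 1 when any were found.
privileged_listeners() {
    awk '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":")   # local address is column 4; port follows the last colon
            if (a[n] + 0 < 1024) { print; found = 1 }
        }
        END { if (found) exit 1; exit 0 }
    '
}

# setuid_setgid_files DIR...: print regular files below DIR with the setuid
# or setgid bit set (the "no suid or sgid binaries" check).  Exit status 1
# when any were found.
setuid_setgid_files() {
    out=$(find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null || true)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# suid_sgid_from_list: same check over a list of paths on stdin, e.g.
#   dpkg -L glusterfs-server | suid_sgid_from_list
# so only the files a given package installs are inspected.
suid_sgid_from_list() {
    while IFS= read -r f; do
        if [ -f "$f" ] && { [ -u "$f" ] || [ -g "$f" ]; }; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample, modelled on the listing in the MIR; the rpcbind line is
# invented so the check has a privileged port to report.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:24007           0.0.0.0:*               LISTEN      650/glusterd
tcp        0      0 0.0.0.0:51886           0.0.0.0:*               LISTEN      879/glusterfsd
tcp        0      0 127.0.0.1:49148         127.0.0.1:24007         ESTABLISHED 890/glusterfs
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1234/rpcbind'

# Demo on the constructed sample (real use: sudo netstat -anp | privileged_listeners)
printf '%s\n' "$SAMPLE_NETSTAT" | privileged_listeners \
    && echo "ok: no TCP listeners below 1024" \
    || echo "FAIL: privileged listener(s) listed above"
```

The port check keys on the local-address column of netstat output, so the same function works for both IPv4 and IPv6 lines; for `ss -lntp` output the column positions differ and the awk would need adjusting.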
[Quality assurance - function/usage]
- After installing the package it must be possible to make it work with
a reasonable effort of configuration and documentation reading.
The package needs post-install configuration or reading of documentation; there is no safe default, because you need to decide how your storage will be used.
There is an easy quickstart page provided by upstream at https:/
[Quality assurance - maintenance]
The package is maintained well in Debian/Ubuntu and does not have too many long-term critical bugs open.
Ubuntu bugs:
https:/
- memory leak claims on older versions (3.13.x, 2.20)
- remaining bugs against much older versions of both the package and ubuntu
These bugs should be triaged, and the ones against EOL releases should be closed
Debian bugs:
https:/
Just some that we (Canonical) filed recently, I'm a bit surprised.
Upstream issues:
https:/
- very active, with many issues about improving the code, such as replacing functions or getting rid of warnings
- Many open pull requests: https:/
Release cadence:
Good documented release cadence: https:/
- The package does not deal with exotic hardware we cannot support
[Quality assurance - testing]
The package does not run any tests at build time, and it is not obvious why.
I found remnants of unit test infrastructure, and there is a makefile target "make check-TESTS", but there are zero tests to run.
I asked about this in the upstream slack channel: https:/
"""
hi everyone, quick (I hope) question, I'm going over requirements to bring the gluster package into ubuntu main (it's in universe), and one of the questions that I have to answer is if there are build-time tests. I've seen the "make check" target, and it prints some output, but always with a zero test count. It's like the test infrastructure is there, but there are no tests. Is that accurate?
1 reply
Amar Tumballi (kadalu.io) 1 day ago
We don't run any tests when making the build (ie, no make test or make check like infra). All tests are run as part of PR review part, and nightly.
"""
They have a collection of jenkins jobs defined here: https:/
They have system tests, but I didn't get them to run out of the box yet. Maybe once working, these could be used as DEP8 tests, if they prove to be reliable enough.
Other than that, without upstream's help, I don't think we can add build-time tests.
Upstream does have tests that run on each branch before it's merged:
https:/
The package does not run an autopkgtest.
It shouldn't be hard to add some simple yet good enough DEP8 tests, as the server and client portions can be on the same machine. Maybe even a container, since it's a FUSE filesystem (TBD).
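A single-host smoke test of the kind described above, as an added example: this is not the DEP8 test from the glusterfs package or the MIR, just what such a test could look like. It assumes glusterfs-server and glusterfs-client are installed, that the host name from `uname -n` resolves to the local machine, and that it runs as root (it starts glusterd and does a FUSE mount, so in debian/tests/control it would need at least `Restrictions: needs-root` and very likely `isolation-machine` for FUSE). The volume, brick and mount point names are constructed.

```shell
#!/bin/sh
# Added example (not the glusterfs package's own DEP8 test): bring up a
# one-brick volume, mount it over FUSE on the same host, and check that a
# file written through the mount is the same file stored in the brick.
# Assumes root, glusterfs-server + glusterfs-client installed, and that the
# local host name resolves.  Names below are constructed.
set -eu

VOL=${VOL:-dep8vol}
BRICK=${BRICK:-/srv/gluster/dep8-brick}
MNT=${MNT:-/mnt/dep8vol}
GLUSTER_HOST=${GLUSTER_HOST:-$(uname -n)}

# volume_started NAME: read `gluster volume info` output on stdin and succeed
# only if the "Status:" line of volume NAME says Started.
volume_started() {
    awk -v name="$1" '
        /^Volume Name:/ { cur = $3 }
        /^Status:/ && cur == name && $2 == "Started" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

cleanup() {
    umount "$MNT" 2>/dev/null || true
    gluster --mode=script volume stop "$VOL" force 2>/dev/null || true
    gluster --mode=script volume delete "$VOL" 2>/dev/null || true
    rm -rf "$BRICK" "$MNT"
}

run_test() {
    trap cleanup EXIT
    mkdir -p "$BRICK" "$MNT"
    systemctl start glusterd

    # "force" lets the brick live on the root filesystem, which gluster
    # otherwise refuses; acceptable for a throwaway test bed.
    gluster --mode=script volume create "$VOL" "$GLUSTER_HOST:$BRICK" force
    gluster --mode=script volume start "$VOL"
    gluster volume info "$VOL" | volume_started "$VOL"

    # Client side, same host: FUSE mount, write, read back.
    mount -t glusterfs "$GLUSTER_HOST:/$VOL" "$MNT"
    echo "hello from dep8" > "$MNT/hello.txt"
    [ "$(cat "$MNT/hello.txt")" = "hello from dep8" ]
    # A plain distribute volume stores the file as-is in the brick, so the
    # server side must hold an identical copy.
    cmp "$MNT/hello.txt" "$BRICK/hello.txt"
    umount "$MNT"
    echo "PASS: $VOL served $GLUSTER_HOST:$BRICK through $MNT"
}

# Only run the real test when asked ("$0 run"), so the file can also be
# sourced for its helpers.
if [ "${1:-}" = run ]; then
    run_test
fi
```

The cleanup trap stops and deletes the volume even when an intermediate step fails, which matters for DEP8 since the testbed may be reused for the next test; `--mode=script` answers gluster's interactive "y/n" prompts so the stop and delete do not hang.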
[Quality assurance - packaging]
debian/watch is present and works
This package does not yield a large number of lintian warnings or errors:
$ lintian --pedantic -I 2>&1 | tee ../lintian.log
E: glusterfs changes: bad-distributio
W: glusterfs source: newer-standards
I: glusterfs source: unused-override very-long-
I: glusterfs source: unused-override very-long-
I: glusterfs source: unused-override very-long-
I: glusterfs source: unused-override very-long-
I: glusterfs-common: unused-override library-
N: 15 hints overridden (1 warning, 14 info); 5 unused overrides
Debian report: https:/
Lintian overrides are present. Notable ones are:
- executable-
- no-symbols-
This package does not rely on obsolete or about to be demoted packages.
This package has no python2 or GTK2 dependencies
The package will not be installed by default
Packaging and build is easy, link to d/rules: https:/
[UI standards]
The server itself is not necessarily end-user facing, but client tools are. That being said, administrators would use them, and not really an end-user, if I understand this point correctly.
In any case, there are no translations for this package.
[Dependencies]
No further depends or recommends dependencies that are not yet in main
Note that firewalld (universe) is a build-dep, and enabled in ./configure, but all that does is install a firewalld xml file defining the glusterfs services. It does NOT pull in firewalld.
[Standards compliance]
This package correctly follows FHS and Debian Policy.
Maybe the biggest violation is executables in /usr/lib instead of /usr/libexec, but even that is only flagged as "pedantic" by lintian.
The security team might want to know why this one was overridden:
O: glusterfs-common: hardening-
d/changelog has this entry about it, from 2016:
* Adjust false positive lintian overrides for hardening-
[Maintenance/Owner]
Owning Team will be ubuntu-server
Team is not yet subscribed, but will subscribe to the package before promotion
This does not use static builds
[Background information]
The Package description explains the package well
Upstream Name is glusterfs
Link to upstream project https:/
Related branches
- Utkarsh Gupta: Approve
- Ubuntu Release Team: Pending requested
- Canonical Server: Pending requested
Diff: 9 lines (+1/-0), 1 file modified: supported-hardware-server (+1/-0)
description: updated
Changed in glusterfs (Ubuntu):
  status: Triaged → New
  assignee: Andreas Hasenack (ahasenack) → nobody
Changed in glusterfs (Ubuntu):
  assignee: nobody → Lukas Märdian (slyon)
Changed in glusterfs (Ubuntu):
  milestone: ubuntu-22.02 → ubuntu-22.04-feature-freeze
Changed in glusterfs (Ubuntu):
  assignee: Ubuntu Security Team (ubuntu-security) → Steve Beattie (sbeattie)
Changed in glusterfs (Ubuntu):
  assignee: Steve Beattie (sbeattie) → nobody
information type: Public → Public Security
information type: Public Security → Public
I'm adding a DEP8 test to glusterfs here: https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1954452