From 0d6e8e3929c3cf9c00f19b405c9b965b21b272cc Mon Sep 17 00:00:00 2001 From: Pete Zaitcev Date: Jul 11 2014 01:05:27 +0000 Subject: Update to upstream 2.0.0 --- diff --git a/.gitignore b/.gitignore index 46b0175..da891d7 100644 --- a/.gitignore +++ b/.gitignore @@ -9,3 +9,4 @@ /swift-1.12.0.tar.gz /swift-1.13.1.rc2.tar.gz /swift-1.13.1.tar.gz +/swift-2.0.0.tar.gz diff --git a/0001-remove-runtime-requirement-on-pbr.patch b/0001-remove-runtime-requirement-on-pbr.patch index f1099c2..58de7c0 100644 --- a/0001-remove-runtime-requirement-on-pbr.patch +++ b/0001-remove-runtime-requirement-on-pbr.patch @@ -1,4 +1,4 @@ -From 6661a95cc27bc3e66b524cd81aa4b49ca2551a1b Mon Sep 17 00:00:00 2001 +From 313afecd7a7292958d9b4b3935cc2b508d717340 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A1draig=20Brady?= Date: Wed, 9 Oct 2013 12:38:40 +0100 Subject: [PATCH] remove runtime requirement on pbr diff --git a/0002-Add-fixes-for-building-the-doc-package.patch b/0002-Add-fixes-for-building-the-doc-package.patch index a216e36..896a142 100644 --- a/0002-Add-fixes-for-building-the-doc-package.patch +++ b/0002-Add-fixes-for-building-the-doc-package.patch @@ -1,4 +1,4 @@ -From c16135a834bbe0551e75824d2c029a0bc9cf447a Mon Sep 17 00:00:00 2001 +From 435c3d3eff4700dae9a5c026c1bcdea7f28dec56 Mon Sep 17 00:00:00 2001 From: Alan Pevec Date: Thu, 5 Jan 2012 00:03:00 +0100 Subject: [PATCH] Add fixes for building the doc package diff --git a/0003-Set-permissions-on-generated-ring-files.patch b/0003-Set-permissions-on-generated-ring-files.patch deleted file mode 100644 index 5c67091..0000000 --- a/0003-Set-permissions-on-generated-ring-files.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 755b27e59818d3d123dfc4300e528d92f8b5d904 Mon Sep 17 00:00:00 2001 -From: James Page -Date: Sat, 5 Apr 2014 09:38:12 +0100 -Subject: [PATCH] Set permissions on generated ring files - -The use of NamedTemporaryFile creates rings with permissions 0600; -however most installs probably generate the rings as root but the -swift-proxy runs as user swift. - -Set the permissions on the generated ring to 0644 prior to rename so -that the swift user can read the rings. - -Change-Id: Ia511931f471c5c9840012c3a75b89c1f35b1b245 -Closes-Bug: #1302700 ---- - swift/common/ring/ring.py | 1 + - test/unit/common/ring/test_ring.py | 10 ++++++++++ - 2 files changed, 11 insertions(+) - -diff --git a/swift/common/ring/ring.py b/swift/common/ring/ring.py -index 5b31528..a1f9024 100644 ---- a/swift/common/ring/ring.py -+++ b/swift/common/ring/ring.py -@@ -120,6 +120,7 @@ class RingData(object): - tempf.flush() - os.fsync(tempf.fileno()) - tempf.close() -+ os.chmod(tempf.name, 0o644) - os.rename(tempf.name, filename) - - def to_dict(self): -diff --git a/test/unit/common/ring/test_ring.py b/test/unit/common/ring/test_ring.py -index 04eb1b7..1892d19 100644 ---- a/test/unit/common/ring/test_ring.py -+++ b/test/unit/common/ring/test_ring.py -@@ -18,6 +18,7 @@ import cPickle as pickle - import os - import sys - import unittest -+import stat - from contextlib import closing - from gzip import GzipFile - from tempfile import mkdtemp -@@ -98,6 +99,15 @@ class TestRingData(unittest.TestCase): - with open(ring_fname2) as ring2: - self.assertEqual(ring1.read(), ring2.read()) - -+ def test_permissions(self): -+ ring_fname = os.path.join(self.testdir, 'stat.ring.gz') -+ rd = ring.RingData( -+ [array.array('H', [0, 1, 0, 1]), array.array('H', [0, 1, 0, 1])], -+ [{'id': 0, 'zone': 0}, {'id': 1, 'zone': 1}], 30) -+ rd.save(ring_fname) -+ self.assertEqual(oct(stat.S_IMODE(os.stat(ring_fname).st_mode)), -+ '0644') -+ - - class TestRing(unittest.TestCase): - diff --git a/0004-properly-quote-www-authenticate-header-value.patch b/0004-properly-quote-www-authenticate-header-value.patch deleted file mode 100644 index 33c8257..0000000 --- a/0004-properly-quote-www-authenticate-header-value.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 3b945a2fcbcc8df63cb9e1987741fa12b8f54a8c Mon Sep 17 00:00:00 2001 -From: John Dickinson -Date: Fri, 6 Jun 2014 11:46:41 -0700 -Subject: [PATCH] properly quote www-authenticate header value - -HTTP header values should be quoted. Since the WWW-Authenticate -header value contains user-supplied strings, it's important to -ensure it's properly quoted to ensure the integrity of the protocol. - -Previous to this patch, the URL was unquoted and then the unquoted -value was returned in the header. This patch re-quotes the value -when it is set on the response. - -This is filed as CVS-2014-3497 - -Fixes bug 1327414 - -Change-Id: If8bd8842f2ce821756e9b4461a18a8ac8d42fb8c -(cherry picked from commit b223322ed1ef44f61490f820240aa01f1047ae2e) ---- - swift/common/swob.py | 2 +- - test/functional/tests.py | 13 +++++++++++++ - test/unit/common/test_swob.py | 22 ++++++++++++++++++++++ - 3 files changed, 36 insertions(+), 1 deletion(-) - -diff --git a/swift/common/swob.py b/swift/common/swob.py -index 638086e..f4f38c7 100644 ---- a/swift/common/swob.py -+++ b/swift/common/swob.py -@@ -1203,7 +1203,7 @@ class Response(object): - realm = 'unknown' - except (AttributeError, ValueError): - realm = 'unknown' -- return 'Swift realm="%s"' % realm -+ return 'Swift realm="%s"' % urllib2.quote(realm) - - @property - def is_success(self): -diff --git a/test/functional/tests.py b/test/functional/tests.py -index ad8c398..7983815 100644 ---- a/test/functional/tests.py -+++ b/test/functional/tests.py -@@ -333,6 +333,19 @@ class TestAccount(Base): - self.assertEqual(sorted(containers, cmp=locale.strcoll), - containers) - -+ def testQuotedWWWAuthenticateHeader(self): -+ conn = Connection(config) -+ conn.authenticate() -+ inserted_html = 'Hello World' -+ hax = 'AUTH_haxx"\nContent-Length: %d\n\n%s' % (len(inserted_html), -+ inserted_html) -+ quoted_hax = urllib.quote(hax) -+ conn.connection.request('GET', '/v1/' + quoted_hax, None, {}) -+ resp = conn.connection.getresponse() -+ resp_headers = resp.getheaders() -+ expected = ('www-authenticate', 'Swift realm="%s"' % quoted_hax) -+ self.assert_(expected in resp_headers) -+ - - class TestAccountUTF8(Base2, TestAccount): - set_up = False -diff --git a/test/unit/common/test_swob.py b/test/unit/common/test_swob.py -index 7cc5439..b0452b9 100644 ---- a/test/unit/common/test_swob.py -+++ b/test/unit/common/test_swob.py -@@ -601,6 +601,28 @@ class TestRequest(unittest.TestCase): - self.assertEquals('Me realm="whatever"', - resp.headers['Www-Authenticate']) - -+ def test_401_www_authenticate_is_quoted(self): -+ -+ def test_app(environ, start_response): -+ start_response('401 Unauthorized', []) -+ return ['hi'] -+ -+ hacker = 'account-name\n\nfoo
' # url injection test -+ quoted_hacker = quote(hacker) -+ req = swift.common.swob.Request.blank('/v1/' + hacker) -+ resp = req.get_response(test_app) -+ self.assertEquals(resp.status_int, 401) -+ self.assert_('Www-Authenticate' in resp.headers) -+ self.assertEquals('Swift realm="%s"' % quoted_hacker, -+ resp.headers['Www-Authenticate']) -+ -+ req = swift.common.swob.Request.blank('/v1/' + quoted_hacker) -+ resp = req.get_response(test_app) -+ self.assertEquals(resp.status_int, 401) -+ self.assert_('Www-Authenticate' in resp.headers) -+ self.assertEquals('Swift realm="%s"' % quoted_hacker, -+ resp.headers['Www-Authenticate']) -+ - def test_not_401(self): - - # Other status codes should not have WWW-Authenticate in response diff --git a/container-reconciler.conf b/container-reconciler.conf new file mode 100644 index 0000000..0a3de02 --- /dev/null +++ b/container-reconciler.conf @@ -0,0 +1,52 @@ +[DEFAULT] +# swift_dir = /etc/swift +# user = swift +# You can specify default log routing here if you want: +# log_name = swift +# log_facility = LOG_LOCAL0 +# log_level = INFO +# log_address = /dev/log +# +# comma separated list of functions to call to setup custom log handlers. +# functions get passed: conf, name, log_to_console, log_route, fmt, logger, +# adapted_logger +# log_custom_handlers = +# +# If set, log_udp_host will override log_address +# log_udp_host = +# log_udp_port = 514 +# +# You can enable StatsD logging here: +# log_statsd_host = localhost +# log_statsd_port = 8125 +# log_statsd_default_sample_rate = 1.0 +# log_statsd_sample_rate_factor = 1.0 +# log_statsd_metric_prefix = + +[container-reconciler] +# The reconciler will re-attempt reconciliation if the source object is not +# available up to reclaim_age seconds before it gives up and deletes the entry +# in the queue. +# reclaim_age = 604800 +# The cycle time of the daemon +# interval = 300 +# Server errors from requests will be retried by default +# request_tries = 3 + +[pipeline:main] +pipeline = catch_errors proxy-logging cache proxy-server + +[app:proxy-server] +use = egg:swift#proxy +# See proxy-server.conf-sample for options + +[filter:cache] +use = egg:swift#memcache +# See proxy-server.conf-sample for options + +[filter:proxy-logging] +use = egg:swift#proxy_logging + +[filter:catch_errors] +use = egg:swift#catch_errors +# See proxy-server.conf-sample for options diff --git a/openstack-swift-container-reconciler.service b/openstack-swift-container-reconciler.service new file mode 100644 index 0000000..f233451 --- /dev/null +++ b/openstack-swift-container-reconciler.service @@ -0,0 +1,11 @@ +[Unit] +Description=OpenStack Object Storage (swift) - Container Reconciler +After=syslog.target network.target + +[Service] +Type=simple +User=swift +ExecStart=/usr/bin/swift-container-reconciler /etc/swift/container-reconciler.conf + +[Install] +WantedBy=multi-user.target diff --git a/openstack-swift.spec b/openstack-swift.spec index 17a1dca..517888c 100644 --- a/openstack-swift.spec +++ b/openstack-swift.spec @@ -6,14 +6,16 @@ %global milestone ... Name: openstack-swift -Version: 1.13.1 -Release: 5%{?dist} +Version: 2.0.0 +Release: 1%{?dist} Summary: OpenStack Object Storage (Swift) Group: Development/Languages License: ASL 2.0 URL: http://launchpad.net/swift -Source0: http://launchpad.net/swift/%{release_name}/%{version}/+download/swift-%{version}.tar.gz +# Terry is sometimes slow updating Launchpad, so we're switching to OpenStack. +#Source0: http://launchpad.net/swift/#{release_name}/#{version}/+download/swift-#{version}.tar.gz +Source0: http://tarballs.openstack.org/swift/swift-%{version}.tar.gz Source2: %{name}-account.service Source21: %{name}-account@.service @@ -43,20 +45,20 @@ Source56: %{name}-object-auditor@.service Source57: %{name}-object-updater.service Source58: %{name}-object-updater@.service Source59: %{name}-object-expirer.service -# Is it possible to supply an instance-style expirer unit for single-node? +Source63: %{name}-container-reconciler.service Source6: %{name}-proxy.service Source61: proxy-server.conf Source62: object-expirer.conf +Source64: container-reconciler.conf Source20: %{name}.tmpfs Source7: swift.conf +## Based at https://github.com/redhat-openstack/swift/ # -# patches_base=1.13.1 +# patches_base=2.0.0 # Patch0001: 0001-remove-runtime-requirement-on-pbr.patch Patch0002: 0002-Add-fixes-for-building-the-doc-package.patch -Patch0003: 0003-Set-permissions-on-generated-ring-files.patch -Patch0004: 0004-properly-quote-www-authenticate-header-value.patch BuildArch: noarch BuildRequires: python-devel @@ -165,8 +167,6 @@ This package contains documentation files for %{name}. %patch0001 -p1 %patch0002 -p1 -%patch0003 -p1 -%patch0004 -p1 #sed -i 's/%{version}.%{milestone}/%{version}/' PKG-INFO @@ -225,6 +225,7 @@ install -p -D -m 755 %{SOURCE56} %{buildroot}%{_unitdir}/%{name}-object-auditor@ install -p -D -m 755 %{SOURCE57} %{buildroot}%{_unitdir}/%{name}-object-updater.service install -p -D -m 755 %{SOURCE58} %{buildroot}%{_unitdir}/%{name}-object-updater@.service install -p -D -m 755 %{SOURCE59} %{buildroot}%{_unitdir}/%{name}-object-expirer.service +install -p -D -m 755 %{SOURCE63} %{buildroot}%{_unitdir}/%{name}-container-reconciler.service install -p -D -m 755 %{SOURCE6} %{buildroot}%{_unitdir}/%{name}-proxy.service # Remove tests rm -fr %{buildroot}/%{python_sitelib}/test @@ -240,6 +241,7 @@ install -p -D -m 660 %{SOURCE42} %{buildroot}%{_sysconfdir}/swift/container-serv install -p -D -m 660 %{SOURCE52} %{buildroot}%{_sysconfdir}/swift/object-server.conf install -p -D -m 660 %{SOURCE61} %{buildroot}%{_sysconfdir}/swift/proxy-server.conf install -p -D -m 660 %{SOURCE62} %{buildroot}%{_sysconfdir}/swift/object-expirer.conf +install -p -D -m 660 %{SOURCE64} %{buildroot}%{_sysconfdir}/swift/container-reconciler.conf install -p -D -m 660 %{SOURCE7} %{buildroot}%{_sysconfdir}/swift/swift.conf # Install pid directory install -d -m 755 %{buildroot}%{_localstatedir}/run/swift @@ -454,12 +456,15 @@ exit 0 %{_mandir}/man5/proxy-server.conf.5* %{_mandir}/man1/swift-object-expirer.1* %{_mandir}/man1/swift-proxy-server.1* +%{_unitdir}/%{name}-container-reconciler.service %{_unitdir}/%{name}-object-expirer.service %{_unitdir}/%{name}-proxy.service %dir %{_sysconfdir}/swift/proxy-server +%config(noreplace) %attr(640, root, swift) %{_sysconfdir}/swift/container-reconciler.conf %config(noreplace) %attr(640, root, swift) %{_sysconfdir}/swift/proxy-server.conf %config(noreplace) %attr(640, root, swift) %{_sysconfdir}/swift/object-expirer.conf %dir %attr(0755, swift, root) %{_localstatedir}/run/swift/proxy-server +%{_bindir}/swift-container-reconciler %{_bindir}/swift-object-expirer %{_bindir}/swift-proxy-server %{python_sitelib}/swift/proxy @@ -469,6 +474,9 @@ exit 0 %doc LICENSE doc/build/html %changelog +* Thu Jul 10 2014 Pete Zaitcev - 2.0.0-1 +- Update to upstream 2.0.0, re-apply our patches + * Fri Jun 27 2014 Pete Zaitcev - 1.13.1-5 - Fix CVE-2014-3497, unquoted realm in WWW-Authenticate diff --git a/sources b/sources index 6900b2d..81f30c5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -a91eb8795dc0ae7eba5f2b13bde637d3 swift-1.13.1.tar.gz +b8cebbec5a3cb5a4260d4769edc2034b swift-2.0.0.tar.gz