Authfile seems to be ignored Ubuntu 20.04.4 LTS #114
Comments
Hi @jfriesse, thank you for debugging this so quickly. I would love to test the fix but I understand I would need to "make/build" the package from the source files. But when making I'm stuck at the following and I'm unable to resolve, I've read through all the documentation and the yaml file in the project and installed all packages that were described. If you could just point me towards the right package (or maybe Linux distro) that would be great. Currently I'm trying to make on Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-120-generic aarch64) Multipass VM on an M1 MacBook.
@sierky Hi, Debian control file contains following list of required libraries:
which will configure boot with The one you found missing is fulfilled by
@jfriesse I was able to make from the source files now, however it now triggers the following.
As you'll probably guess, the authfile setting is on line 14, please find my config attached.
@sierky Hi, it's great to see you are getting closer to successful compilation. I think this time it is about missing Of course after installation of gcrypt it's required to run
Hi @jfriesse, retried it today with your advice regarding libgcrypt20-dev, all seems to be working and the authfile is being used, when changing the file on 1 of the nodes and restarting that node's booth service, it is no longer able to talk to the others. Thank you very much.
Any insight on when this updated version of booth will be available via the normal Ubuntu apt repos? (or should I not hold my breath and for now just build from source for my production sites?) Kind regards, Sierky
@sierky Hi, thank you for the good news! I'm neither a Debian nor an Ubuntu maintainer so I have no clue. I would recommend filing a Debian/Ubuntu bug (or writing directly to the maintainer, maybe @vvidic ?), linking to this issue and mentioning it is probably a security issue - then it may get into LTS... I can speak about Fedora/RHEL. Fedora should have it fixed today, RHEL is much more problematic but we have to also fix it some way.
This issue got assigned CVE-2022-2553 - and related bug https://bugzilla.redhat.com/show_bug.cgi?id=2111667 so I think it's now going to be pretty easy to get it into Debian (Ubuntu is questionable, but you can try to file an issue with them). I've sent a heads-up to the debian-ha-maintainers ML.
@lucaskanashiro Perfect, thanks. Also for Fedora I've prepared a patch (non-upstream - it's not upstream material and it is only transitional - for f35/36 but not for rawhide) which adds an option to enable/disable authfile so an upgraded cluster doesn't stop working when not all nodes are updated - something you and @vvidic may consider including too for stable versions? Anyway, the patch is - https://src.fedoraproject.org/rpms/booth/blob/f36/f/0001-config-Add-enable-authfile-option.patch
I have created the authkey with booth-keygen and simply have the following line in my booth.conf
authfile=/etc/booth/authkey
I tested this on a 5-node cluster (a small VM test setup), on each I created a unique authfile so I would assume they would no longer be able to connect to each other.
But after restarting all the booth services they were all still happily communicating, tickets could be granted and revoked on remote nodes.
Tested with Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-121-generic aarch64)
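An added example, not part of the issue thread or of booth's own code: a shell helper that reads the `authfile` path from a booth config and prints a short SHA-256 fingerprint of the key, so the per-node key test described in the report can be checked by comparing the output across nodes. The function names, the script name and the config path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the booth project. Function names are hypothetical.

# Print the path given by an authfile directive in a booth config.
# Accepts authfile=/path, authfile = /path and authfile = "/path".
# If the directive appears more than once this helper reports the last one
# (an assumption of this example, not documented booth behaviour).
booth_authfile_path() {
    awk '
        /^[ \t]*#/ { next }                  # ignore comment lines
        /^[ \t]*authfile[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")         # drop the directive name and "="
            sub(/[ \t]+$/, "")               # drop trailing blanks
            sub(/^"/, ""); sub(/"$/, "")     # drop optional quotes
            path = $0
        }
        END { if (path != "") print path }
    ' "$1"
}

# Print a short SHA-256 fingerprint of the key the config points at.
# Returns 1 (prints "no-authfile") when no authfile directive is set,
# 2 (prints "unreadable:<path>") when the key file cannot be read.
booth_key_fingerprint() {
    key=$(booth_authfile_path "$1")
    if [ -z "$key" ]; then
        echo "no-authfile"
        return 1
    fi
    if [ ! -r "$key" ]; then
        echo "unreadable:$key"
        return 2
    fi
    sha256sum "$key" | cut -c1-16
}

# Usage on each node (script name and config path are assumptions):
#   sh booth-key-fp.sh /etc/booth/booth.conf
if [ $# -gt 0 ]; then
    booth_key_fingerprint "$1"
fi
```

Nodes that print different fingerprints hold different keys; with the fix discussed in this thread, such a node is expected to be unable to talk to the others after its booth service is restarted.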