Bug 1844990: Bump GoLang to 1.15 for improved TLS Security #2303
Conversation
/retest
/retest
Do we have to change here too @sinnykumari :
BuildRequires: %{?go_compiler:compiler(go-compiler)}%{!?go_compiler:golang >= 1.13}
Admittedly, I'm not super knowledgeable about this go-bump... would probably prefer @runcom to take a look next week if there's time before the merge.
pkg/server/api.go
Outdated
@@ -60,12 +60,23 @@ func NewAPIServer(a *APIHandler, p int, is bool, c, k string) *APIServer { | |||
|
|||
// Serve launches the API Server. | |||
func (a *APIServer) Serve() { |
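Review bot: only the hunk header (12 lines replaced by 23 in the NewAPIServer/Serve region) and the two Serve() context lines survive here, so the added TLS settings in pkg/server/api.go cannot be checked line by line; since the explicit cipher list is later dropped in favour of relying on HTTP/2's own allowed-suite rules, the Serve doc comment should state that policy (the TLS minimum version, and that cipher selection is left to HTTP/2) so the intent is not lost when the config shrinks.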
can these code changes be broken out into a separate commit from the go upgrade?
I literally just pushed that commit :)
I updated the machines-config-daemon.spec too -- it would be required.
That file is dead btw, the MCD isn't part of RHCOS anymore.
I thought the spec file was dead, but wasn't 100% sure.
> I literally just pushed that commit :)

great minds!
yeah, as Colin said, we no longer need to build the machine-config-daemon rpm package. Even if someone wants to build the m-c-d rpm package, it will build fine with 1.13 because the current 1.15 requirement is added mainly to the MCS.
I spent the better part of an afternoon evaluating whether bumping the GoLang version was the better path to resolving the CVE. I concluded that moving to Go 1.15 was better due to:
Should also do the equivalent of this: openshift/release#8148 I believe
openshift/release#14355 filed for the CI change.
/retest
/retest
The MCD is no longer distributed as an RPM.
I dropped the TLS config for now. Turns out there is no easy way to have HTTP/2 and provide a list of approved ciphers. However, since we are using TLS and HTTP/2, only approved ciphers are allowed, so this will drop the SHA hashing and 3DES ciphers.
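The HTTP/2 constraint described in this comment, as an added illustration and not code from this PR or the machine-config-operator: Go's own crypto/tls suite list filtered down to the ECDHE AEAD suites that HTTP/2 accepts, which is exactly what leaves 3DES and the CBC-SHA suites out. The helper names are assumed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

func contains(list []uint16, id uint16) bool {
	for _, v := range list {
		if v == id {
			return true
		}
	}
	return false
}

// http2CipherSuites returns the TLS 1.2 suites that crypto/tls rates secure AND
// that HTTP/2 will negotiate: RFC 7540 Appendix A rejects non-ephemeral and
// non-AEAD suites, so every CBC-SHA and 3DES suite (the CVE-2016-2183 exposure)
// is left out. Hypothetical helper, not the project's code.
func http2CipherSuites() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() { // InsecureCipherSuites() are not in this list
		aead := strings.Contains(cs.Name, "_GCM_") || strings.Contains(cs.Name, "CHACHA20_POLY1305")
		if strings.HasPrefix(cs.Name, "TLS_ECDHE_") && aead && contains(cs.SupportedVersions, tls.VersionTLS12) {
			ids = append(ids, cs.ID)
		}
	}
	return ids
}

// serverTLSConfig is the shape an http.Server.TLSConfig would take: TLS 1.2 as
// the floor and an explicit AEAD-only list for 1.2 clients. TLS 1.3 clients get
// Go's fixed TLS 1.3 suites; CipherSuites does not apply to them.
func serverTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: http2CipherSuites()}
}

// allows reports whether cfg would offer the given TLS 1.2 suite ID.
func allows(cfg *tls.Config, id uint16) bool {
	return contains(cfg.CipherSuites, id)
}

func main() {
	cfg := serverTLSConfig()
	for _, cs := range tls.CipherSuites() {
		fmt.Printf("%-48s offered=%v\n", cs.Name, allows(cfg, cs.ID))
	}
}
```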
/retest
To get this into 4.7, we will need a bug for the go 1.15 version bump.
/retest
/retest
/bugzilla refresh
@darkmuggle: No Bugzilla bug is referenced in the title of this pull request.
@darkmuggle: This pull request references Bugzilla bug 1844990, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug.
/bugzilla refresh
@darkmuggle: This pull request references Bugzilla bug 1844990, which is valid. 3 validation(s) were run on this bug.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: darkmuggle, sinnykumari, yuqi-zhang.
@darkmuggle: All pull requests linked via external trackers have merged: Bugzilla bug 1844990 has been moved to the MODIFIED state.
This change is needed in order to fix CVE-2016-2183.
With [1] TLS 1.3 is on-by-default which improves the security posture of the MCO.
[1] golang/go#30055
Signed-off-by: Ben Howard ben.howard@redhat.com