[Openstack] How about updating common packages between Openstack and base OS

Le Will will.le at asianux.com
Wed Feb 8 09:13:59 UTC 2017


Hi everyone,

Because Openstack has many packages in common with the base system, e.g.
mariadb, memcached, but they are differently packaged and differently
versioned, I don't know what the proper way to update them is after Openstack
is installed. Some packages have larger version numbers in Openstack but some
have smaller version numbers in Openstack, as compared to the same packages
in the base repo of the underlying OS.

Let's compare Openstack Newton with CentOS 7 and Fedora 25:

*memcached*
- Openstack Newton:  1.4.*33-2.el7*
- CentOS 7: 1.4.*15-10.el7_3.1*
- Fedora 25: 1.4.*33-1.fc25*

*mariadb*
- Openstack Newton:  10.1.*18-3.el7*
- CentOS 7: 10.1.*18-3.el7*
- Fedora 25: 10.1.*20-1.fc25*

That means some packages will be updated with OpenStack's versions and some
with the OS distribution's versions if we enable both OpenStack's yum repos
and the OS' yum repos. And even worse, when they race each other, one package
from one redistribution can be updated by the package from another
redistribution. So, we cannot simply run "yum update all" any more, but
maybe with an exception list for those common packages.

Why is it "bad" to update a package in one redistribution with a package from
another redistribution? Because different redistributions are not compatible
with each other in both package content and versioning scheme. Let's examine
the change logs of package memcached from OpenStack and from CentOS:

- CentOS 7:  memcached-1.4.*15-10.el7_3.1*

> %changelog
>
> * Mon Nov 07 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.15-10.el7_3.1
> - fix vulnerabilities allowing remote code execution (CVE-2016-8704, CVE-2016-8705, CVE-2016-8706)
>
> * Tue Mar 08 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.15-10
> - fix binding to IPv6 address (#1298603)
> - enable SASL support (#1263696)
> - don't allow authentication with bad SASL credentials (CVE-2013-7239)
>
> * Fri Jan 24 2014 Daniel Mach <dmach at redhat.com> - 01.4.15-9
> - Mass rebuild 2014-01-24
>
> * Tue Jan 14 2014 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.15-8
> - fix unbound key printing (CVE-2013-0179, CVE-2013-7290, CVE-2013-7291)
>
> [...]

- Openstack Newton:  memcached-1.4.*33-2.el7*

> %changelog
>
> * Wed Nov  2 2016 Haïkel Guémar <hguemar at fedoraproject.org> - 0:1.4.33-2
> - Fix systemd service when setting limits
>
> * Tue Nov 01 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.33-1
> - update to 1.4.33 (CVE-2016-8704, CVE-2016-8705, CVE-2016-8706)
>
> * Thu Oct 13 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.32-1
> - update to 1.4.32
>
> * Wed Sep 07 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.31-1
> - update to 1.4.31
> - disable testing for now
>
> * Fri Aug 12 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.30-1
> - update to 1.4.30
>
> * Thu Jul 14 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.29-1
> - update to 1.4.29
>
> * Tue Jul 12 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.28-1
> - update to 1.4.28
> - listen only on loopback interface by default (#1182542)
> - use upstream unit file (#1350939)
> - remove obsolete macros and scriptlet
>
> * Tue Jun 21 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.26-1
> - update to 1.4.26
>
> * Tue Feb 23 2016 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.25-1
> - update to 1.4.25
> - enable SASL support (#815050)
> - remove obsolete macros
>
> * Thu Feb 04 2016 Fedora Release Engineering <releng at fedoraproject.org> - 0:1.4.17-5
> - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
>
> * Wed Jun 17 2015 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0:1.4.17-4
> - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
>
> * Sun Aug 17 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0:1.4.17-3
> - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
>
> * Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0:1.4.17-2
> - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
>
> * Wed Jan 15 2014 Miroslav Lichvar <mlichvar at redhat.com> - 0:1.4.17-1
> - update to 1.4.17
> - fix building with -Werror=format-security in CFLAGS
>
> [...]

We can see the latest security update in Nov 2016 (CVE-2016-8704,
CVE-2016-8705, CVE-2016-8706) appeared in both redistributions, but their
version numbers are quite different: 1.4.*15-10.el7_3.1* vs. 1.4.*33-2.el7*.
And clearly the change contents are quite different from each other.

If anyone has experience with this problem, please share your resolution!

Thank you in advance!

Regards,
Will Le
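
The comparison described in the message above, as an added example that is not part of the original post: a simplified re-implementation of rpm's epoch/version/release ordering (no `~` or `^` handling) shows which repository supplies the update when both are enabled, and a changelog scan shows that the lower-numbered CentOS build lists the same CVE fixes. The labels `openstack-newton` and `centos7` are illustrative names, not real repo ids; versions and changelog lines are copied from the message.

```python
import re

def rpmvercmp(a, b):
    """Compare version or release strings like rpm does (simplified: no '~' or '^')."""
    seg_a, seg_b = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def parse_evr(evr):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def winning_repos(candidates):
    """Return the repo label(s) offering the highest EVR for one package."""
    best = []
    for repo, evr in candidates.items():
        c = evr_cmp(evr, candidates[best[0]]) if best else 1
        if c > 0:
            best = [repo]
        elif c == 0:
            best.append(repo)
    return best

def cves(changelog):
    """Collect the CVE ids mentioned in changelog text."""
    return set(re.findall(r"CVE-\d{4}-\d+", changelog))

# Versions and changelog lines as quoted in the message; repo labels are illustrative.
PACKAGES = {
    "memcached": {"openstack-newton": "1.4.33-2.el7", "centos7": "1.4.15-10.el7_3.1"},
    "mariadb": {"openstack-newton": "10.1.18-3.el7", "centos7": "10.1.18-3.el7"},
}
CENTOS_LOG = "- fix vulnerabilities allowing remote code execution (CVE-2016-8704, CVE-2016-8705, CVE-2016-8706)"
NEWTON_LOG = "- update to 1.4.33 (CVE-2016-8704, CVE-2016-8705, CVE-2016-8706)"

if __name__ == "__main__":
    for name, cands in PACKAGES.items():
        print(name, "->", winning_repos(cands))
    print("same CVE fixes in both builds:", cves(CENTOS_LOG) == cves(NEWTON_LOG))
```

On a live host, `rpm -q --changelog memcached` provides the changelog text to scan, which answers whether a given CVE is fixed independently of how the version number compares.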