Dieser Blog Aggregator enthält sowohl die aktuellen Meldungen aus unserem offiziellen Blog als auch meinen persönlichen Blog mit technischen Beiträgen rund um Open Source und Freie Software.

Debian LTS

September marked the seventeenth month I contributed to Debian LTS under the Freexian umbrella. I spent 6 hours (out of 7) working on

  • updating Icedove to 45.3 resulting in DLA-640-1
  • finishing my work on bringing rails into shape security wise resulting in DLA-641-1 for ruby-activesupport-3.2 and DLA-642-1 for ruby-activerecord-3.2.
  • enhancing the autopkgtests for qemu a bit

Other Debian stuff

  • Uploaded libvirt 2.3.0~rc1 to experimental
  • Uploaded whatmaps to 0.0.12 in unstable.
  • Uploaded git-buildpackage 0.8.4 to unstable.

Other Free Software activities

  • Ansible: got the foreman callback plugin needed for foreman_ansible merged upstream.
  • Made several improvements to foreman_ansible_inventory (a ansible dynamic inventory querying Foreman): Fixing an endless loop when Foreman would miscalculate the number of hosts to process, flake8 cleaniness and some work on python3 support
  • ansible-module-foreman:
    • unbreak defining subnets by setting the default boot mode.
    • add support for configuring realms
  • Foreman: add some robustness to the nice rebuild host feature when DNS entries are already there
  • Released whatmaps 0.0.12.
    • Errors related to a single package don't abort the whole program but rather skip over it now.
    • Systemd user sessions are filtered out
    • The codebase is now checked with flake8.
Posted So 09 Okt 2016 16:59:37 CEST

Debian LTS

August marked the sixteenth month I contributed to Debian LTS under the Freexian umbrella. I spent 9 hours (of allocated 8) mostly on Rails related CVEs which resulted in DLA-603-1 and DLA-604-1 fixing 6 CVEs and marking others as not affecting the packages. The hardest part was proper testing since the split packages in Wheezy don't allow to run the upstream test suite as is. There's still CVE-2016-0753 which I need to check if it affects activerecord or activesupport.

Additionally I had one relatively quiet week of LTS frontdesk work triaging 10 CVEs.

Other Debian stuff

  • I uploaded git-buildpackage 0.8.2 to experimental and 0.8.3 to unstable. The later bringing all the enhanements and bugfixes since Debconf 16 to sid and testing.
  • The usual bunch of libvirt related uploads
Posted Di 06 Sep 2016 20:08:51 CEST

Gathering from some recent discussions it seems to be not that well known that Foreman (a lifecycle tool for your virtual machines) does not only integrate well with Puppet but also with ansible. This is a list of tools I find useful in this regard:

  • The ansible-module-foreman ansible module allows you to setup all kinds of resources like images, compute resources, hostgroups, subnets, domains within Foreman itself via ansible using Foreman's REST API. E.g. creating a hostgroup looks like:

    - foreman_hostgroup:
        name: AHostGroup
        architecture: x86_64
        domain: a.domain.example.com
        foreman_host: "{{ foreman_host }}"
        foreman_user: "{{ foreman_user }}"
        foreman_pass: "{{ foreman_pw }}"
  • The foreman_ansible plugin for Foreman allows you to collect reports and facts from ansible provisioned hosts. This requires an additional hook in your ansible config like:

    callback_plugins = path/to/foreman_ansible/extras/

    The hook will report to Foreman back after a playbook finished.

  • There are several options for creating hosts in Foreman via the ansible API. I'm currently using ansible_foreman_module tailored for image based installs. This looks in a playbook like:

    - name: Build 10 hosts
        name: "{{ item }}"
        hostgroup: "a/host/group"
        compute_resource: "hopefully_not_esx"
        subnet: "webservernet"
        environment: "{{ env|default(omit) }}"
        ipv4addr: {{ from_ipam|default(omit) }}"
        # Additional params to tag on the host
            app: varnish
            tier: web
            color: green
        api_user: "{{ foreman_user }}"
        api_password: "{{ foreman_pw }}"
        api_url: "{{ foreman_url }}"
      with_sequence:  start=1 end=10 format="newhost%02d"
  • The foreman_ansible_inventory is a dynamic inventory script for ansible that fetches all your hosts and groups via the Foreman REST APIs. It automatically groups hosts in ansible from Foreman's hostgroups, environments, organizations and locations and allows you to build additional groups based on any available host parameter (and combinations thereof). So using the above example and this configuration:

    group_patterns = ["{app}-{tier}",

    it would build the additional ansible groups varnish-web, green and put the above hosts into them. This way you can easily select the hosts for e.g. blue green deployments. You don't have to pass the parameters during host creation, if you have parameters on e.g. domains or hostgroups these are available too for grouping via group_patterns.

  • If you're grouping your hosts via the above inventory script and you use lots of parameters than having these displayed in the detail page can be useful. You can use the foreman_params_tab plugin for that.

There's also support for triggering ansible runs from within Foreman itself but I've not used that so far.

Posted Fr 19 Aug 2016 11:16:03 CEST

Debian LTS

July marked the fifteenth month I contributed to Debian LTS under the Freexian umbrella. As usual I spent the 8 hours working on these LTS things:

  • Updated QEMU and QEMU-KVM packages to fix CVE-2016-5403, CVE-2016-4439, CVE-2016-4020, CVE-2016-2857 and CVE-2015-5239 resulting in DLA-573-1 and DLA-574-1
  • Updated icedove to 45.2.0 fixing CVE-2016-2818 resulting in DLA-574-1
  • Reviewed and uploaded xen 4.1.6.lts1-1. The update itself was prepared by Bastian Blank.
  • The little bit of remaining time I spent on further work the ruby-active{model,record}-3.2 and ruby-actionpack-3.2 (aka rails) CVEs. Although I have fixes for most of the CVEs already there are still some left where I'm not yet clear if the packages are affected.
  • Added some trivial autopkgtest for qemu-img (#832982) (on non LTS time)

Other Debian stuff

  • Fixed CVE-2016-5008 by uploading libvirt 2.0.0 to sid and 1.2.9-9+deb8u3 to stable-p-u
  • Uploaded libvirt 2.1.0~rc1 to experimental
  • Uploaded libvirt-python 2.0.0 to sid
  • Uploaded libosinfo 0.3.1 to sid preparing for the upcoming upstream package split
  • Uploaded virt-manager 1.4.0 to sid
  • Uploaded network-manager-iodine 1.2.0 to sid
  • Uploaded cups-pk-helper 0.2.6 to sid
  • Triaged apparmor related bugs in libvirt most notably the one affecting hotplugging of disks (#805002) which turned out to be rooted in the kernel not reloading profiles properly.
  • Uploaded git-buildpackage 0.8.0, 0.8.1 to experimental adding additional tarball support to gbp import-orig among other things
Posted Mi 03 Aug 2016 09:02:49 CEST

Debian LTS

June marked the fourteenth month I contributed to Debian LTS under the Freexian umbrella. I spent the 8 hours working on these LTS things:

  • Reviewed and tested libxml2 2.8.0+dfsg1-7+wheezy6

  • Fixed #825508 in mozilla-devscripts to prepare for the Icedove update resulting in DLA-518-1.

  • Rebased the proposed Wheezy Icedove update against the Jessie version and uploaded resulting in DLA-519-1.

  • Sent out the DLA-521-1 for Iceweasel, the upload was all done by Mike Hommey.

  • Rebuilt enigmail with the fixed mozilla-devscripts so it can still be used in Wheezy, resulting in DLA-523-1.

  • continue to work on updates for CVE-2016-0753 for ruby-active{record,support}-3.2 - not yet finished.

  • Looked into open qemu-kvm and qemu CVEs marking CVE-2015-8666 as no-dsa and fixing CVE-2016-3710 and CVE-2016-3712 via DLA-540-1 and DLA-539-1.

Other Debian stuff

Besides the usual bunch of libvirt* uploads I addressed several bugs in git-buildpackage, upload pending.

Posted Sa 02 Jul 2016 21:23:44 CEST

Debian LTS

May marked the thirteenth month I contributed to Debian LTS under the Freexian umbrella. I spent the 17.25 hours working on these LTS things:

  • Fixed CVE-2014-7210 in pdns resulting in DLA-492-1
  • Fixed the build failure of Icedove on armhf resulting in DLA 472-2
  • Forward ported our nss, nspr enhancements to to the current versions in testing to continue the discussion on the same nss and nspr versions in all suites including some ABI compliance research (thanks abi-compliance-tester!), resulting in 824872.
  • Backported Icedve 45 and Enigmail to wheezy to check if we can continue to support it - we can with a minor tweaks. Upload will happen in June.
  • While at that added some autpkgtests for Icedove 45 resulting in 809723 (already applied).
  • Released DLA-498-1 for ruby-active-model-3.2 to address CVE-2016-0753.
  • Reviewed the Updates of ruby-active-record-3.2 for CVE-2015-7577 and eglibc.

Other Debian stuff

  • Uploaded libvirt 1.3.4 to sid, 1.3.5~rc1 to experimental
  • Uploaded libosinfo 0.3.0 to sid
  • Uploaded git-buildpackage 0.7.4 to sid including experimental multiple tarball support for gbp buildpackage
Posted Fr 10 Jun 2016 19:38:06 CEST

Debian LTS

April marked the twelfth month I contributed to Debian LTS under the Freexian umbrella. I only spent 2 hours (instead of expected 11,25) working on LTS things:

  • Uploaded gtk+3.0 to wheezy-proposed-updates to fix CVE-2013-7447 (#818090).
  • Further work on figuring out how to support Xen and QEMU in Wheezy LTS including writing up a summary and a interview with one prospective company
  • Prepared a patch for Jessie's nss to fix CVE-2016-1950, CVE-2016-1979, CVE-2016-1978, CVE-2016-1938 based on Antiones work for Wheezy. This is currently pending review by the security team.
  • Started to look into CVE-2014-7210 in pdns

The missing hours will be caught up during May - hopefully also by working on a QEMU/libvirt update in Wheezy should there be any interest - so I've you're relying on QEMU/KVM in wheezy now would be a good time to comment on it.

Other Debian things

  • Attended the 9th Debian Groupware Meeting in the LinuxHotel in Essen resulting in a new upload of calypso to unstable.
  • Uploded libvirt and python-libvirt 1.3.3, virt-sandbox 0.5.1+git20151113-3 and virt-manager 1.3.2-3 to unstable and libvirt 1.3.4~rc1 to experimental
Posted So 08 Mai 2016 12:27:04 CEST

Debian LTS

March was the eleventh month I contributed to Debian LTS under the Freexian umbrella. In total I spent 13 hours (of allocated 11.00 + 5.25h from last month) working on preparing for wheezy-lts:

  • Uploaded aptdaemon to {old-,}stable-proposed-updates (#818006, #818007)
  • Fix CVE-2012-6700, CVE-2012-6769 CVE-2012-6768, in Wheezy's dhcpcd resulting in DSA-3534
  • Reach out to Debian's Xen and KVM maintainers, Xen's community manager and several company to asses LTS maintainability
  • Research and propose a possible way forward for QEMU and libvirt
  • Upload a backport of libvirt to wheezy-backports for that
  • Prepare a fix for Wheezy's gtk+3.0 for CVE-2013-7447 (#818090) and propose it for oldstable-p-u (#819362)
  • Looked into Wheezy's lxc and CVE-2015-1335 specifically and marking it as no-dsa after discussion with the security-team.
  • Make bin/support-ended.py support EOL dates
  • Review Antiones nss work for Wheezy and work on the corresponding update for Jessie in order (to be finished this month).

Other Debian things

Posted Sa 09 Apr 2016 22:00:05 CEST

More sandboxing

When working on untrusted code or data it's impossible to predict what happens when one does a:

bundle install --path=vendor


npm install

Does this phone out your private SSH and GPG keys? Does a

evince Downloads/justdownloaded.pdf

try to exploit the PDF viewer? While you can run stuff in separate virtual machines this can get cumbersome. libvirt-sandbox to the rescue! It allows to sandbox applications using libvirt's virtualization drivers. It took us a couple of years (The ITP is from 2012) but we finally have it in Debian's NEW queue. When libvirt-sandbox creates a sandbox it uses your root filesystem mounted read only by default so you have access to all installed programs (this can be changed with the --root option though). It can use either libvirt's QEMU or LXC drivers. We're using the later in the examples below:

So in order to make sure the above bundler call has no access to your $HOME you can use:

sudo virt-sandbox \
   -m ram:/tmp=10M \
   -m ram:$HOME=10M \
   -m ram:/var/run/screen=1M \
   -m host-bind:/path/to/your/ruby-stuff=/path/to/your/ruby-stuff \
   -c lxc:/// \
   -S $USER \
   -n rubydev-sandbox \
   -N dhcp,source=default \

This will make your $HOME unaccessible by mounting a tmpfs over it and using separate network, ipc, mount, pid and utc namespaces allowing you to invoke bundler with less worries. /path/to/your/ruby-stuff is bind mounted read-write into the sandbox so you can change files there. Bundler can fetch new gems using libvirt's default network connection.

And for the PDF case:

sudo virt-sandbox \
  -m ram:$HOME=10M \
  -m ram:/dev/shm=10M \
  -m host-bind:$HOME/Downloads=$HOME/Downloads \
  -c lxc:/// \
  -S $USER \
  -n evince-sandbox \
  --env="DISPLAY=:0" \
  /usr/bin/evince Downloads/justdownloaded.pdf

Note that the above example shares /tmp with the sandbox in order to give it access to the X11 socket. A better isolation can probably be achieved using xpra or xvnc but I haven't looked into this yet.

Besides the command line program virt-sandbox there's also the library libvirt-sandbox which makes it simpler to build new sandboxing applications. We're not yet shipping virt-sandbox-service (a tool to provision sandboxed system services) in the Debian packages since it's RPM distro specific. Help on porting this to Debian is greatly appreciated.

Posted Fr 25 M�r 2016 13:15:20 CET

As a follow up to calendar synchronisation with calypso, syncevolution and the N900 running maemo I finally added contacts to the mix:

on the phone

When you have the calendar sync already running it's as simple as:

First start ssh on the n900 to ease typing:

apt-get install dropbear
echo /bin/sh >> /etc/shells
cd /etc/dropbear && ./run

SSH into the phone and configure contacts synchronization:

cat <<EOF > ~/.config/syncevolution/webdav/sources/addressbook/config.ini
backend = CardDAV
database = https://carddav.example.com/contacts/username

And perform the initial sync:

syncevolution --sync slow webdav addressbook

From there on you can sync contacts and calendars in one go with:

syncevoluton webdav

Looking at the calypso logs on the server it seems that syncevoluton does not always generate an FN entry and so the card gets skipped. This doesn't harm the overall sync, but I need to have a look how to fix this.

on the laptop

In order to use the contacts im mutt there's pycarddav packaged in Debian. This is basically following upstreams documentation.

sudo apt-get install pycarddav
mkdir -p ~/.config/pycard
cp /usr/share/doc/pycarddav/examples/pycard.conf.sample ~/.config/pycard/pycard.conf
# Edit file as needed

cat ~/.config/pycard/pycard.conf
[Account username]
user: username
resource: https://carddav.example.com/
write_support = YesPleaseIDoHaveABackupOfMyData

where: vcard


debug: False

To use the entries in mutt add the just extend your .muttrc:

cat <<EOF >>~/.muttrc
set query_command="pc_query -m %s"
macro index,pager B "<pipe-message>pycard-import<enter>" "add sender address to pycardsyncer"

This allows you to query contacts using Q and add new conatcs with CTRL-B in mutt's index and pager.

Calypso Changes

We recently moved calypso's git repository to alioth and started to merge several out of tree patches. More will happen during this years Debian Groupware Meeting including a new upload to Debian.

Posted Mi 09 M�r 2016 08:38:13 CET