September 2023 - Devel - Ovirt List Archives

by stephan.duehr＠bareos.com

Hi, about two years ago, I used OST to setup a oVirt test/dev environment. Now I tried again, following https://github.com/oVirt/ovirt-system-tests/blob/master/README.md but it fails because https://templates.ovirt.org/yum/ is unavailable. Or isn't it meant to be available for public access any more? Regards, Stephan

9 months, 2 weeks

3
2
0 / 0

[VDSM] Started getting virNetTLSContextCheckCertTimes:154 : The server certificate /etc/pki/vdsm/certs/vdsmcert.pem has expired

by Edward Haas

Hi, I have a VM which acts as an oVirt host with VDSM installed. I use it for testing without connecting it to Engine. Recently VDSM fails to come up and I see this error: Sep 26 17:58:18 localhost libvirtd: 2018-09-26 14:58:18.978+0000: 12176: error : virNetTLSContextCheckCertTimes:154 : The server certificate /etc/pki/vdsm/certs/vdsmcert.pem has expired Any hint on how to generate or fetch a new certificate without the help of Engine? Thanks, Edy.

11 months, 3 weeks

3
5
0 / 0

Re: Jackson-databind related changes

by Martin Perina

Hi, oVirt Engine is using JBoss Modules feature to load libraries, so when a library version is mentioned in pom.xml it's unrelated to which version is being using during runtime. Here's the detailed description: 1. jackson-databind 2.12.7 mentioned pom.xml is actually being used only when building the project directly with maven (development purposes) https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/pom.xml.in#L61 https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/client/pom.xml.in 2. When building the project as a part of RPM build, then maven (respectively xmvn) is invoked to use only libraries installed locally as a part of RPM dependencies https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/vdsm-jsonrpc-java.... So on CS8 we can easily find out the jackson-databind package version being used during RPM build # dnf repoquery --whatprovides 'jackson-databind >= 2.10.0' jackson-databind-0:2.10.0-1.module_el8.4.0+595+e59c9af2.noarch jackson-databind-0:2.10.0-1.module_el8.4.0+782+1d1c31a0.noarch 3. On runtime vdsm-jsonrpc-java is being loaded using JBoss Modules as a part of oVirt Engine: https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/depende... which shows that vdsm-jsonrpc-java depends on com.fasterxml.jackson.core.jackson-databind module, which is included in the relevant WildFly release. Currently oVirt Engine is using WildFly 24.0.1, so you can see jackson-databind version using following command: # rpm -ql ovirt-engine-wildfly | grep 'jackson-databind-' /usr/share/ovirt-engine-wildfly/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.12.3.jar So if you want to bump jackson-databind version for oVirt Engine runtime you have two possibilities: 1. You can deliver updated JBoss module as a part of ovirt-engine-wildfly-overlay RPM: https://github.com/oVirt/ovirt-engine-wildfly/overlay 2. You can try to bump WildFly to latest version in ovirt-engine-wildfly RPM: https://github.com/oVirt/ovirt-engine-wildfly/ Please be awate that at the moment it's not possible to use latest WildFly version, because oVirt Engine is using classic security model, which was removed in favor of Elytron in WildFly 25. So to bump WildFly version, you would need to implement changes in oVirt Engine to use Elytron. Regarding verification the best way is to verify functionality by execution of oVirt System Tests: https://github.com/ovirt/ovirt-system-tests Regards, Martin On Thu, Sep 14, 2023 at 11:44 PM Shubha Kulkarni <shubha.kulkarni(a)oracle.com> wrote: > Hi All > > > > I am yet to get any feedback on my query. So I thought I will reach out > again to see if any one has comment on this - > > > > Background: > > I see the commit for CVE-2020-36518 to vdsm-json-rpc to bump jackson > version to 2.12.7 > > > https://github.com/oVirt/vdsm-jsonrpc-java/commit/d1f423809fd491da7b5324b... > > This change in only made in pom.xml is made with "default" scope (i.e > compile). > > > > Queries: > > #1. So at runtime, that means this jar should be explicitly packaged > somewhere else. I am wondering how is this newer jackson jar is picked up? > Does it have anything to do with the change outside pom.xml that I don't > see? > > > > #2. Ideally, I would like to verify that vdsm-jsonrpc-java application is > using jackson-core2.12.7 and jackson-databaind 2.12.7-1 when installed on > engine system. What is the best way to do it? > > > > Thanks > > > > *From:* Shubha Kulkarni > *Sent:* Thursday, September 7, 2023 1:47 PM > *To:* devel(a)ovirt.org > *Subject:* Jackson-databind related changes > > > > Hello! > > > > There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos > to address security vulnerabilities in jackson-databind package. I see that > the change is made to bump up version of jackson-databind package to > 2.12.7.1. > > I am wondering what is the rpm version for ovirt-engine and > vdsm-jsonrpc-java that has these fixes? Also, I am curious what is the best > way to validate these changes? > > > > Thanks, > > Shubha > _______________________________________________ > Devel mailing list -- devel(a)ovirt.org > To unsubscribe send an email to devel-leave(a)ovirt.org > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/devel@ovirt.org/message/UDIWOPJMWDC... > -- Martin Perina Manager, Software Engineering Red Hat Czech s.r.o.

1 year, 3 months

2
1
0 / 0

Re: Jackson-databind related changes

by Sandro Bonazzola

@Martin Perina <mperina(a)redhat.com> can you help here? Il giorno gio 14 set 2023 alle ore 23:44 Shubha Kulkarni < shubha.kulkarni(a)oracle.com> ha scritto: > Hi All > > > > I am yet to get any feedback on my query. So I thought I will reach out > again to see if any one has comment on this - > > > > Background: > > I see the commit for CVE-2020-36518 to vdsm-json-rpc to bump jackson > version to 2.12.7 > > > https://github.com/oVirt/vdsm-jsonrpc-java/commit/d1f423809fd491da7b5324b... > > This change in only made in pom.xml is made with "default" scope (i.e > compile). > > > > Queries: > > #1. So at runtime, that means this jar should be explicitly packaged > somewhere else. I am wondering how is this newer jackson jar is picked up? > Does it have anything to do with the change outside pom.xml that I don't > see? > > > > #2. Ideally, I would like to verify that vdsm-jsonrpc-java application is > using jackson-core2.12.7 and jackson-databaind 2.12.7-1 when installed on > engine system. What is the best way to do it? > > > > Thanks > > > > *From:* Shubha Kulkarni > *Sent:* Thursday, September 7, 2023 1:47 PM > *To:* devel(a)ovirt.org > *Subject:* Jackson-databind related changes > > > > Hello! > > > > There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos > to address security vulnerabilities in jackson-databind package. I see that > the change is made to bump up version of jackson-databind package to > 2.12.7.1. > > I am wondering what is the rpm version for ovirt-engine and > vdsm-jsonrpc-java that has these fixes? Also, I am curious what is the best > way to validate these changes? > > > > Thanks, > > Shubha > _______________________________________________ > Devel mailing list -- devel(a)ovirt.org > To unsubscribe send an email to devel-leave(a)ovirt.org > Privacy Statement: https://www.ovirt.org/privacy-policy.html > oVirt Code of Conduct: > https://www.ovirt.org/community/about/community-guidelines/ > List Archives: > https://lists.ovirt.org/archives/list/devel@ovirt.org/message/UDIWOPJMWDC... > -- Sandro Bonazzola MANAGER, SOFTWARE ENGINEERING Red Hat In-Vehicle Operating System Red Hat EMEA <https://www.redhat.com/> <https://www.redhat.com/> *Red Hat respects your work life balance. Therefore there is no need to answer this email out of your office hours.*

1 year, 3 months

1
0
0 / 0

Re: Jackson-databind related changes

by Shubha Kulkarni

Hi All I am yet to get any feedback on my query. So I thought I will reach out again to see if any one has comment on this - Background: I see the commit for CVE-2020-36518 to vdsm-json-rpc to bump jackson version to 2.12.7 https://github.com/oVirt/vdsm-jsonrpc-java/commit/d1f423809fd491da7b5324b... This change in only made in pom.xml is made with "default" scope (i.e compile). Queries: #1. So at runtime, that means this jar should be explicitly packaged somewhere else. I am wondering how is this newer jackson jar is picked up? Does it have anything to do with the change outside pom.xml that I don't see? #2. Ideally, I would like to verify that vdsm-jsonrpc-java application is using jackson-core2.12.7 and jackson-databaind 2.12.7-1 when installed on engine system. What is the best way to do it? Thanks From: Shubha Kulkarni Sent: Thursday, September 7, 2023 1:47 PM To: devel(a)ovirt.org Subject: Jackson-databind related changes Hello! There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos to address security vulnerabilities in jackson-databind package. I see that the change is made to bump up version of jackson-databind package to 2.12.7.1. I am wondering what is the rpm version for ovirt-engine and vdsm-jsonrpc-java that has these fixes? Also, I am curious what is the best way to validate these changes? Thanks, Shubha

1 year, 3 months

1
0
0 / 0

Jackson-databind related changes

by Shubha Kulkarni

Hello! There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos to address security vulnerabilities in jackson-databind package. I see that the change is made to bump up version of jackson-databind package to 2.12.7.1. I am wondering what is the rpm version for ovirt-engine and vdsm-jsonrpc-java that has these fixes? Also, I am curious what is the best way to validate these changes? Thanks, Shubha

1 year, 3 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

Devel September 2023