Changes in the master branch (and daily build packages) now check the
ALLOWED_HOSTS setting for each master in your instance(s) in
/etc/lava-server/settings.conf.
Please check your /etc/lava-server/settings.conf support for
ALLOWED_HOSTS in Django as this will be required to upgrade to the
next release of LAVA Software.
Remember to always restart lava-server-gunicorn after any change to
/etc/lava-server/settings.conf.
See also https://master.lavasoftware.org/static/docs/v2/pipeline-debug.html#check-la…
and https://master.lavasoftware.org/static/docs/v2/pipeline-debug.html#displayi…
(new help sections on using and checking LAVA settings).
Django docs: https://docs.djangoproject.com/en/1.11/ref/settings/#allowed-hosts
"""
This is a security measure to prevent HTTP Host header attacks, which
are possible even under many seemingly-safe web server configurations.
...
Django also allows the fully qualified domain name (FQDN) of any
entries. Some browsers include a trailing dot in the Host header which
Django strips when performing host validation.
...
When DEBUG is True and ALLOWED_HOSTS is empty, the host is validated
against ['localhost', '127.0.0.1', '[::1]'].
"""
If this setting is wrong, updated LAVA packages will fail to serve
HTTP and the /var/log/lava-server/django.log file will record messages
like:
ERROR 2018-11-26 18:12:52,091 exception Invalid HTTP_HOST header:
'lava.codehelp.co.uk'. You may need to add
'lava.codehelp.co.uk' to ALLOWED_HOSTS.
(In this case, that was exactly the correct action.) Adding
    "ALLOWED_HOSTS": ["lava.codehelp.co.uk"],
to /etc/lava-server/settings.conf and restarting lava-server-gunicorn
fixed lava.codehelp.co.uk.
See also https://git.lavasoftware.org/lava/lava/issues/173
When checking this change, it is useful to also set DEBUG to true as
Django will then show you all of the headers and environment
variables. Do remember to turn DEBUG back to false because these
variables are a security risk in themselves.
Another setting which might be useful, depending on your configuration:
"USE_X_FORWARDED_HOST": true,
It is safe to make this change in advance of the upgrade of LAVA but
do test on an instance which is as close as possible to the network
configuration of your production instance(s).
--
Neil Williams
=============
neil.williams(a)linaro.org
http://www.linux.codehelp.co.uk/
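The check described above, as an added example that is not part of the
original mail and not LAVA's or Django's own code: a stand-alone
reimplementation, modelled on the public Django 1.11 source
(django.http.request), of the ALLOWED_HOSTS validation that
lava-server-gunicorn will apply, so a settings.conf can be dry-run
against the Host headers an instance will actually receive before the
upgrade. The settings.conf contents, the example.org names and the
10.0.0.5 proxy address are constructed for the example; the
lava.codehelp.co.uk host is the one from the log line quoted above. It
also shows the trailing-dot and DEBUG fallback behaviour quoted from
the Django docs, and what USE_X_FORWARDED_HOST changes.

```python
"""Dry-run Django 1.11-style ALLOWED_HOSTS validation against a
/etc/lava-server/settings.conf (JSON).  Reimplemented for illustration;
this is not the LAVA or Django code itself."""
import json
import re

# Same grammar Django 1.11 accepts for HTTP_HOST: hostname[:port] or [ipv6][:port].
HOST_VALIDATION_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:\d+)?$")

# Hosts Django validates against when DEBUG is True and ALLOWED_HOSTS is empty.
DEBUG_FALLBACK_HOSTS = ["localhost", "127.0.0.1", "[::1]"]

# Constructed settings.conf contents for the example (not a real instance).
MISSING_HOST = '{"DEBUG": false, "ALLOWED_HOSTS": []}'
FIXED = '{"DEBUG": false, "ALLOWED_HOSTS": ["lava.codehelp.co.uk"]}'
BEHIND_PROXY = '{"ALLOWED_HOSTS": [".example.org"], "USE_X_FORWARDED_HOST": true}'


def split_domain_port(host):
    """Lower-case the host, split off any port and drop a trailing dot (FQDN)."""
    host = host.lower()
    if not HOST_VALIDATION_RE.match(host):
        return "", ""
    if host.endswith("]"):  # bare IPv6 literal without a port
        return host, ""
    domain, sep, port = host.rpartition(":")
    if not sep:  # no port present
        domain, port = host, ""
    if domain.endswith("."):  # browsers may send the FQDN form "host."
        domain = domain[:-1]
    return domain, port


def is_same_domain(host, pattern):
    """A leading-dot pattern matches the domain and its subdomains; else exact."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(host, allowed_hosts):
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def effective_host(headers, use_x_forwarded_host=False):
    """Header Django consults: X-Forwarded-Host only if the setting enables it."""
    if use_x_forwarded_host and "X-Forwarded-Host" in headers:
        return headers["X-Forwarded-Host"]
    return headers.get("Host", "")


def check_request(settings_text, headers):
    """Return None if Django would serve the request, else the error it logs."""
    settings = json.loads(settings_text)
    allowed = settings.get("ALLOWED_HOSTS", [])
    if settings.get("DEBUG", False) and not allowed:
        allowed = DEBUG_FALLBACK_HOSTS
    host = effective_host(headers, settings.get("USE_X_FORWARDED_HOST", False))
    domain, _port = split_domain_port(host)
    if domain and validate_host(domain, allowed):
        return None
    if not domain:
        return ("Invalid HTTP_HOST header: %r. The domain name provided is not "
                "valid according to RFC 1034/1035." % host)
    return ("Invalid HTTP_HOST header: %r. You may need to add %r to "
            "ALLOWED_HOSTS." % (host, domain))


if __name__ == "__main__":
    for conf, hdrs in [
        (MISSING_HOST, {"Host": "lava.codehelp.co.uk"}),
        (FIXED, {"Host": "lava.codehelp.co.uk.:443"}),
        (BEHIND_PROXY, {"Host": "10.0.0.5", "X-Forwarded-Host": "lava.example.org"}),
    ]:
        print(conf, hdrs, "->", check_request(conf, hdrs) or "OK")
```

Only enable USE_X_FORWARDED_HOST when the reverse proxy in front of
gunicorn sets X-Forwarded-Host itself on every request; if clients can
reach gunicorn directly, or the proxy passes that header through, the
host check is only as strong as whatever the client chose to send.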
Main changes in 2018.11
=======================
0eb0d3ed7 Set requirements for requests to avoid CVE - as announced
previously python3-requests needs to be updated to protect against a
CVE in that package.
If installing 2018.11 on a Stretch system, ensure you have updated
python3-requests to the version from stretch-backports.
f7bbf6a8 Visibility of worker status effects on device views -
(improved in subsequent commits in this release). Indicate the status
of the worker when displaying information about the device so that it
is clear why the device is still Idle if there is a problem with the
worker.
ac0097c4 Fix 500 when rendering device dict page - if the device
dictionary is invalid.
0f7a7ec8 Prevent index out of range error and 97132e91 Extend 0f7a7ec8
to other command_output comparisons and 06203dfe Add a run_cmd helper
to Action class - the Action run_command support had become complex
and problematic. A new parsed_command has been added and a simpler
run_cmd. In time, existing use of run_command will be phased out in
preference for one of the two new commands. This should make it easier
to spot why certain dispatcher commands failed. This was triggered by
intermittent problems running simg2img and img2simg for AOSP.
4736b01d How to test and recover bootloaders in LAVA -
https://master.lavasoftware.org/static/docs/v2/bootloaders.html
ff37c802 Add docs on criteria for LAVA on other distributions -
https://master.lavasoftware.org/static/docs/v2/debian.html
Issues closed in 2018.11
========================
https://git.lavasoftware.org/lava/lava/issues?scope=all&utf8=%E2%9C%93&stat…
Full changelog
==============
ff37c802c Add docs on criteria for LAVA on other distributions
4736b01dc How to test and recover bootloaders in LAVA
2cae2b413 Fix lava-master crash when device yaml is invalid
570fb324d Allow sdist to be passed to setup.py
51b3fe6f6 Fix missing part of aarch64 stretch deployment
f9a3671c1 docker: check method
563fac8da Enable aarch64/pkg-debian-9 in the build tasks
7e71a56ea flasher: fix substitution when cmd contain whitespaces
5bb71d4a1 Package the requires.py script
d77c8d28f Add CI package script for stretch on aarch64
24eface95 docker: use the new Action.run_cmd helper
ddd986e8e Extend the base poweroff timeout.
9d49da1d4 Remove build from .gitignore
24022feb4 Fix missing return value in run step
b5c51dfa8 Force Juno to use NFS vers=3 and extend power off timeout
7ddae776c run_cmd: make spaces explicit
87f1e01e1 Capture the simg2img and img2simg output and log it
f40f0f2c5 Ensure apt is updated before trying to install
06203dfe2 Add a run_cmd helper to Action class
97132e916 Extend 0f7a7ec8 to other command_output comparisons
f0ebf8025 Do not send "\n" twice
ac0097c42 Fix 500 when rendering device dict page
57d80c2e2 Add deployment builds to snapshot directories.
9a1a6bfb1 Apply black to more files in lava_scheduler_app
c6bfbd5f8 Apply black to lava_dispatcher unit tests
0b615023d version: allow user to specify the branch to use
f7bbf6a8b Visibility of worker status effects on device views
f2d9b658e Apply black to lava_scheduler_app/api and tests.
7980d84c3 docker tag: move branch name to suffix, not prefix
0f7a7ec8f Prevent index out of range error
984164f68 Fix omission in package deployment script
d4b942b71 CI use pytest-3 instead of py.test-3
d77c7080c Fix regression in fb4a88388
504115553 Update docs on local dev builds
fb4a88388 Standardise on dots in the version string
4a1910049 Use the rollback support in requires.py
cb86cc09b Improve error message after 4c71c2ebd1
15d7a905f Include package artifacts into repositories
4c71c2ebd Provide more information in bootloader errors
abff27c8b CI: skip deploy when lavafed is running latest version
f691bc059 CI fix typo for "only.refs"
024b27694 Fix errors in docker-admin page
a937a29e4 CI: add missing requirement to pytest
08ea617a4 vland: fix crash when finalizing
987280afd Fix errors in docker-admin page
89f96b1d9 CI fix deployment script
c5de132b1 Deploy lavafed-master when scheduled
08eab0bcb Fix issues with unit test calculations
7e8a6f444 CI use the new arch specific images
7d2956e43 Sort the --names output of requires.py
0eb0d3ed7 Set requirements for requests to avoid CVE
8cd80dcb2 Build packages and docker images for AArch64
1ab6aaa9c Allow unit tests to run without /sys/class/misc/kvm
83649d77b Port 0e598e63 to the xmlrcp api
6335f73d8 Prevent crash if environment requested for non-POSIX
14b347c51 lava_results_app: convert Decimal objects to string storing as YAML
26bf0af63 lava_results_app: add test case for YAML Decimal object conversion
1744ea74c Change ownership of health checks and device-types
32a2a6051 Ignore gitlab-ci files when creating a release tarball
bd224fcd1 Update publish for changes in pkg/docker
2e5e60c9f Drop obsolete gitreview file
2018.11-1 has been uploaded to Debian unstable. This version should
migrate into buster, at which point an upload to stretch-backports
will be made too.
--
Neil Williams
=============
neil.williams(a)linaro.org
http://www.linux.codehelp.co.uk/
To avoid CVE-2018-18074, LAVA has bumped the dependency on
python3-requests to 2.20.0
https://git.lavasoftware.org/lava/lava/commit/0eb0d3ed7fa122b08c7ada7d27cfa…
If you are running LAVA on Stretch, you should take advantage of the
security fix by installing python3-requests from stretch-backports.
If you are tracking the daily packages for a staging instance, those
packages now depend on 2.20.0. Installing those packages on Stretch
will require installing python3-requests from stretch-backports. This
may cause automatic upgrades to be unable to upgrade the LAVA
packages.
$ sudo apt -t stretch-backports install python3-requests
If you are running on buster, the new version is already available in
buster and will be upgraded automatically.
--
Neil Williams
=============
neil.williams(a)linaro.org
http://www.linux.codehelp.co.uk/