From 98b9e3dc55e1fb069e67eae4bb062f3f96d611b2 Mon Sep 17 00:00:00 2001
From: Ben Hoyt
Date: Wed, 3 Apr 2024 16:49:21 +1300
Subject: [PATCH 1/7] Bump Pebble version to v1.4.2 (require admin access for file pull API) This actually bumps up from v1.4.0 and includes the following fixes: - The important one is https://github.com/canonical/pebble/commit/b8abd1ff0090f3e0749e81eb1fc3ea16ba95f514 to lock down the files "pull" (read) API to requires admin (addresses CVE-2024-3250) - Previous locking fixes from v1.4.1
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 7b24198e7a7..16afef5d243 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 github.com/aws/smithy-go v1.17.0
 github.com/bmizerany/pat v0.0.0-20160217103242-c068ca2f0aac
 github.com/canonical/lxd v0.0.0-20230712132802-8d2a42545fd0
- github.com/canonical/pebble v1.4.0
+ github.com/canonical/pebble v1.4.2
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e
 github.com/coreos/go-systemd/v22 v22.3.2
 github.com/docker/distribution v2.8.3+incompatible
diff --git a/go.sum b/go.sum
index 124e732101a..e8148fefd0e 100644
--- a/go.sum
+++ b/go.sum
@@ -217,8 +217,8 @@ github.com/canonical/go-flags v0.0.0-20230403090104-105d09a091b8 h1:zGaJEJI9qPVy
 github.com/canonical/go-flags v0.0.0-20230403090104-105d09a091b8/go.mod h1:ZZFeR9K9iGgpwOaLYF9PdT44/+lfSJ9sQz3B+SsGsYU=
 github.com/canonical/lxd v0.0.0-20230712132802-8d2a42545fd0 h1:1JfA4hOWjPoF18ebpKFWafOWFplCh0jvHhAethmLQFo=
 github.com/canonical/lxd v0.0.0-20230712132802-8d2a42545fd0/go.mod h1:BAaklWDYuotKE0eQnwO6NArKc6rEwnTheuOPrtlLBYA=
-github.com/canonical/pebble v1.4.0 h1:/NsAdS/vm0eChL9TEw8EUZYJnwLd+QHLa+bplUWe5s4=
-github.com/canonical/pebble v1.4.0/go.mod h1:Ore8BG+F6AknKKT6EmtI6EUXISstdcKSwjO5NuXjV6Q=
+github.com/canonical/pebble v1.4.2 h1:tthnFr5F6pWvQHvT+hv26UY9Fq2H02nrP/NhxOA2WeY=
+github.com/canonical/pebble v1.4.2/go.mod h1:Ore8BG+F6AknKKT6EmtI6EUXISstdcKSwjO5NuXjV6Q=
 github.com/canonical/x-go v0.0.0-20230522092633-7947a7587f5b h1:Da2fardddn+JDlVEYtrzBLTtyzoyU3nIS0Cf0GvjmwU=
 github.com/canonical/x-go v0.0.0-20230522092633-7947a7587f5b/go.mod h1:upTK9n6rlqITN9rCN69hdreI37dRDFUk2thlGGD5Cg8=
 github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEet03Pg2g16Swow4=
From 4ddc46da83970aa963fe5cb8f33be6de2e81b297 Mon Sep 17 00:00:00 2001
From: Vitaly Antonenko
Date: Thu, 21 Mar 2024 19:24:04 +0300
Subject: [PATCH 2/7] Pins to nginx-ingress-integrator revision 83 (stable).
---
 tests/suites/secrets_k8s/k8s.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/suites/secrets_k8s/k8s.sh b/tests/suites/secrets_k8s/k8s.sh
index 88f39874f46..11746edee7c 100644
--- a/tests/suites/secrets_k8s/k8s.sh
+++ b/tests/suites/secrets_k8s/k8s.sh
@@ -6,7 +6,10 @@ run_secrets() {
 juju --show-log add-model "model-secrets-k8s" --config secret-backend=auto
 juju --show-log deploy hello-kubecon hello
- juju --show-log deploy nginx-ingress-integrator nginx
+ # TODO(anvial): remove the revision flag once we update hello-kubecon charm
+ # (https://discourse.charmhub.io/t/old-ingress-relation-removal/12944)
+ # or we choose an alternative pair of charms to integrate.
+ juju --show-log deploy nginx-ingress-integrator nginx --channel=latest/stable --revision=83
 juju --show-log integrate nginx hello
 juju --show-log trust nginx --scope=cluster
From 38b3ad4d0c88cb73a2164100ea0cbd6ef71984d2 Mon Sep 17 00:00:00 2001
From: Vitaly Antonenko
Date: Fri, 22 Mar 2024 13:06:12 +0300
Subject: [PATCH 3/7] Adds wait_for logic got checking EC2 security groups output. This commit adds wait_for logic for EC2 SG checks,because sometimes one attempt in 2 seconds is it not enough to see changes in aws cli tool output.
---
 tests/includes/wait-for.sh | 47 +++++++++++++++++++++++++++++
 tests/suites/firewall/expose_app.sh | 43 +++----------------------
 2 files changed, 51 insertions(+), 39 deletions(-)
diff --git a/tests/includes/wait-for.sh b/tests/includes/wait-for.sh
index 41b0fc4545d..870ab086006 100644
--- a/tests/includes/wait-for.sh
+++ b/tests/includes/wait-for.sh
@@ -319,3 +319,50 @@ wait_for_storage() {
 sleep "${SHORT_TIMEOUT}"
 fi
 }
+
+# wait_for_aws_ingress_cidrs_for_port_range blocks until the expected CIDRs
+# are present in the AWS security group rules for the specified port range.
+wait_for_aws_ingress_cidrs_for_port_range() {
+ local from_port to_port exp_cidrs cidr_type
+
+ from_port=${1}
+ to_port=${2}
+ exp_cidrs=${3}
+ cidr_type=${4}
+
+ ipV6Suffix=""
+ if [ "$cidr_type" = "ipv6" ]; then
+ ipV6Suffix="v6"
+ fi
+
+ # shellcheck disable=SC2086
+ secgrp_list=$(aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=${from_port} Name=ip-permission.to-port,Values=${to_port})
+ # print the security group rules
+ # shellcheck disable=SC2086
+ got_cidrs=$(echo ${secgrp_list} | jq -r ".SecurityGroups[0].IpPermissions | .[] | select(.FromPort == ${from_port} and .ToPort == ${to_port}) | .Ip${ipV6Suffix}Ranges | .[] | .CidrIp${ipV6Suffix}" | sort | paste -sd, -)
+
+ attempt=0
+ # shellcheck disable=SC2046,SC2143
+ while [ "$attempt" -gt "3" ]; do
+ echo "[+] (attempt ${attempt}) polling security group rules"
+ # shellcheck disable=SC2086
+ secgrp_list=$(aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=${from_port} Name=ip-permission.to-port,Values=${to_port})
+ # shellcheck disable=SC2086
+ got_cidrs=$(echo ${secgrp_list} | jq -r ".SecurityGroups[0].IpPermissions | .[] | select(.FromPort == ${from_port} and .ToPort == ${to_port}) | .Ip${ipV6Suffix}Ranges | .[] | .CidrIp${ipV6Suffix}" | sort | paste -sd, -)
+ sleep "${SHORT_TIMEOUT}"
+
+ if [ "$got_cidrs" == "$exp_cidrs" ]; then
+ break
+ fi
+
+ attempt=$((attempt + 1))
+ done
+
+ if [ "$got_cidrs" != "$exp_cidrs" ]; then
+ # shellcheck disable=SC2046
+ echo $(red "expected generated EC2 ${cidr_type} ingress CIDRs for range [${from_port}, ${to_port}] to be:\n${exp_cidrs}\nGOT:\n${got_cidrs}")
+ exit 1
+ fi
+
+ echo "[+] security group rules for port range [${from_port}, ${to_port}] and CIDRs ${exp_cidrs} updated"
+}
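Review bot: In the new `wait_for_aws_ingress_cidrs_for_port_range`, `ipV6Suffix`, `secgrp_list`, `got_cidrs` and `attempt` are assigned without `local`, so every call leaks them into the scope of whichever test sources this include; they belong on the `local` line next to the four arguments. The loop also sleeps before it compares, so a match on the first poll still costs one `SHORT_TIMEOUT`, and the fetch before the loop is repeated verbatim on the first iteration — fetch, compare, then sleep, and drop the pre-loop copy. `echo ${secgrp_list}` is left unquoted (the reason for the `SC2086` suppressions), which subjects the returned JSON to word splitting and globbing; feeding jq with `<<<"${secgrp_list}"` and quoting the `--filters` arguments removes both the risk and the suppressions. The `# shellcheck disable=SC2046,SC2143` above the `while` matches nothing on that line and can go. The rewritten loop below keeps the `-lt` bound that [PATCH 4/7] introduces rather than the `-gt` shown here.

```shell
wait_for_aws_ingress_cidrs_for_port_range() {
	local from_port to_port exp_cidrs cidr_type ipV6Suffix secgrp_list got_cidrs attempt
	# … unchanged: argument assignment and ipV6Suffix selection …

	attempt=0
	got_cidrs=""
	while [ "$attempt" -lt "3" ]; do
		echo "[+] (attempt ${attempt}) polling security group rules"
		secgrp_list=$(aws ec2 describe-security-groups --filters "Name=ip-permission.from-port,Values=${from_port}" "Name=ip-permission.to-port,Values=${to_port}")
		got_cidrs=$(jq -r ".SecurityGroups[0].IpPermissions | .[] | select(.FromPort == ${from_port} and .ToPort == ${to_port}) | .Ip${ipV6Suffix}Ranges | .[] | .CidrIp${ipV6Suffix}" <<<"${secgrp_list}" | sort | paste -sd, -)
		if [ "$got_cidrs" == "$exp_cidrs" ]; then
			break
		fi
		attempt=$((attempt + 1))
		sleep "${SHORT_TIMEOUT}"
	done
	# … unchanged: mismatch report and success message …
}
```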
diff --git a/tests/suites/firewall/expose_app.sh b/tests/suites/firewall/expose_app.sh
index 08084aafd30..2be6e9eb248 100644
--- a/tests/suites/firewall/expose_app.sh
+++ b/tests/suites/firewall/expose_app.sh
@@ -54,50 +54,15 @@ assert_ingress_cidrs_for_exposed_app() {
 juju expose ubuntu-lite --endpoints ubuntu
 # expose to the world
 # overwrite previous command
 juju expose ubuntu-lite --endpoints ubuntu --to-cidrs 10.42.0.0/16,2002:0:0:1234::/64
- sleep 2 # wait for firewall worker to detect and apply the changes
+ echo "==> Waiting for the security group rules will be updated"
 # Range 1337-1339 is opened for all endpoints. We expect it to be reachable
 # by the expose-all CIDR list plus the CIDR for the ubuntu endpoint.
- assert_ipv4_ingress_cidrs_for_port_range "1337" "1339" "10.0.0.0/24,10.42.0.0/16,192.168.0.0/24"
+ wait_for_aws_ingress_cidrs_for_port_range "1337" "1339" "10.0.0.0/24,10.42.0.0/16,192.168.0.0/24" "ipv4"
 # Port 1234 should only be opened for the CIDR specified for the ubuntu endpoint
- assert_ipv4_ingress_cidrs_for_port_range "1234" "1234" "10.42.0.0/16"
- assert_ipv6_ingress_cidrs_for_port_range "1234" "1234" "2002:0:0:1234::/64"
-}
-
-# assert_ipv4_ingress_cidrs_for_port_range $from_port, $to_port $exp_cidrs
-assert_ipv4_ingress_cidrs_for_port_range() {
- assert_ingress_cidrs_for_port_range "$1" "$2" "$3" "ipv4"
-}
-
-# assert_ipv6_ingress_cidrs_for_port_range $from_port, $to_port $exp_cidrs
-assert_ipv6_ingress_cidrs_for_port_range() {
- assert_ingress_cidrs_for_port_range "$1" "$2" "$3" "ipv6"
-}
-
-assert_ingress_cidrs_for_port_range() {
- local from_port to_port exp_cidrs cidr_type
-
- from_port=${1}
- to_port=${2}
- exp_cidrs=${3}
- cidr_type=${4}
-
- # shellcheck disable=SC2086
- secgrp_list=$(aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=${from_port} Name=ip-permission.to-port,Values=${to_port})
- if [ "$cidr_type" = "ipv4" ]; then
- # shellcheck disable=SC2086
- got_cidrs=$(echo ${secgrp_list} | jq -r ".SecurityGroups[0].IpPermissions | .[] | select(.FromPort == ${from_port} and .ToPort == ${to_port}) | .IpRanges | .[] | .CidrIp" | sort | paste -sd, -)
- else
- # shellcheck disable=SC2086
- got_cidrs=$(echo ${secgrp_list} | jq -r ".SecurityGroups[0].IpPermissions | .[] | select(.FromPort == ${from_port} and .ToPort == ${to_port}) | .Ipv6Ranges | .[] | .CidrIpv6" | sort | paste -sd, -)
- fi
-
- if [ "$got_cidrs" != "$exp_cidrs" ]; then
- # shellcheck disable=SC2046
- echo $(red "expected generated EC2 ${cidr_type} ingress CIDRs for range [${from_port}, ${to_port}] to be:\n${exp_cidrs}\nGOT:\n${got_cidrs}")
- exit 1
- fi
+ wait_for_aws_ingress_cidrs_for_port_range "1234" "1234" "10.42.0.0/16" "ipv4"
+ wait_for_aws_ingress_cidrs_for_port_range "1234" "1234" "2002:0:0:1234::/64" "ipv6"
 }
 assert_export_bundle_output_includes_exposed_endpoints() {
From 172634d6a28bdda1b361e07eb7771690f97c3821 Mon Sep 17 00:00:00 2001
From: Vitaly Antonenko
Date: Tue, 26 Mar 2024 10:32:10 +0300
Subject: [PATCH 4/7] Update tests/includes/wait-for.sh
Co-authored-by: Nicolas <24507367+nvinuesa@users.noreply.github.com>
---
 tests/includes/wait-for.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/includes/wait-for.sh b/tests/includes/wait-for.sh
index 870ab086006..91fbf80051d 100644
--- a/tests/includes/wait-for.sh
+++ b/tests/includes/wait-for.sh
@@ -343,7 +343,7 @@ wait_for_aws_ingress_cidrs_for_port_range() {
 attempt=0
 # shellcheck disable=SC2046,SC2143
- while [ "$attempt" -gt "3" ]; do
+ while [ "$attempt" -lt "3" ]; do
 echo "[+] (attempt ${attempt}) polling security group rules"
 # shellcheck disable=SC2086
 secgrp_list=$(aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=${from_port} Name=ip-permission.to-port,Values=${to_port})
From a4b42b31ff8f560df64b78b0d39b8bb3dd38ada3 Mon Sep 17 00:00:00 2001
From: Harry Pidcock
Date: Fri, 5 Apr 2024 07:34:41 +1000
Subject: [PATCH 5/7] Add defaults to jq filters on wait_for_aws_ingress_cidrs_for_port_range
---
 tests/includes/wait-for.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/includes/wait-for.sh b/tests/includes/wait-for.sh
index 91fbf80051d..b4c972611ac 100644
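Review bot: The new progress line `echo "==> Waiting for the security group rules will be updated"` reads awkwardly; `echo "==> Waiting for the security group rules to be updated"` says the same thing. Since the three `wait_for_aws_ingress_cidrs_for_port_range` calls each print their own `[+]` polling messages, this header is the only place the overall intent of the block is stated, so it is worth getting the wording right. `assert_ingress_cidrs_for_exposed_app` starts above this hunk.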
--- a/tests/includes/wait-for.sh
+++ b/tests/includes/wait-for.sh
@@ -339,7 +339,7 @@ wait_for_aws_ingress_cidrs_for_port_range() {
 secgrp_list=$(aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=${from_port} Name=ip-permission.to-port,Values=${to_port})
 # print the security group rules
 # shellcheck disable=SC2086
- got_cidrs=$(echo ${secgrp_list} | jq -r ".SecurityGroups[0].IpPermissions | .[] | select(.FromPort == ${from_port} and .ToPort == ${to_port}) | .Ip${ipV6Suffix}Ranges | .[] | .CidrIp${ipV6Suffix}" | sort | paste -sd, -)
+ got_cidrs=$(echo ${secgrp_list} | jq -r ".SecurityGroups[0].IpPermissions // [] | .[] | select(.FromPort == ${from_port} and .ToPort == ${to_port}) | .Ip${ipV6Suffix}Ranges // [] | .[] | .CidrIp${ipV6Suffix}" | sort | paste -sd, -)
 attempt=0
 # shellcheck disable=SC2046,SC2143
@@ -348,7 +348,7 @@ wait_for_aws_ingress_cidrs_for_port_range() {
 # shellcheck disable=SC2086
 secgrp_list=$(aws ec2 describe-security-groups --filters Name=ip-permission.from-port,Values=${from_port} Name=ip-permission.to-port,Values=${to_port})
 # shellcheck disable=SC2086
- got_cidrs=$(echo ${secgrp_list} | jq -r ".SecurityGroups[0].IpPermissions | .[] | select(.FromPort == ${from_port} and .ToPort == ${to_port}) | .Ip${ipV6Suffix}Ranges | .[] | .CidrIp${ipV6Suffix}" | sort | paste -sd, -)
+ got_cidrs=$(echo ${secgrp_list} | jq -r ".SecurityGroups[0].IpPermissions // [] | .[] | select(.FromPort == ${from_port} and .ToPort == ${to_port}) | .Ip${ipV6Suffix}Ranges // [] | .[] | .CidrIp${ipV6Suffix}" | sort | paste -sd, -)
 sleep "${SHORT_TIMEOUT}"
 if [ "$got_cidrs" == "$exp_cidrs" ]; then
From 05a19fb89b699fe7e3503af1c4758183be59bdba Mon Sep 17 00:00:00 2001
From: jujubot
Date: Tue, 9 Apr 2024 06:00:29 +0000
Subject: [PATCH 6/7] Increment juju to 3.1.9
---
 scripts/win-installer/setup.iss | 2 +-
 snap/snapcraft.yaml | 2 +-
 version/version.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
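Review bot: The `// []` defaults are the right fix for an empty `SecurityGroups` or `IpPermissions` result, but on the `got_cidrs=` line of both hunks `${from_port}`, `${to_port}` and `${ipV6Suffix}` are still spliced into the jq program text, so a non-numeric or empty port argument becomes a jq syntax error rather than a clean mismatch, and `echo ${secgrp_list}` stays unquoted (the only reason for the `SC2086` suppression above each line). Passing the values as jq variables keeps the program constant and lets the shell side be quoted: `got_cidrs=$(jq -r --argjson from "${from_port}" --argjson to "${to_port}" --arg suf "${ipV6Suffix}" '.SecurityGroups[0].IpPermissions // [] | .[] | select(.FromPort == $from and .ToPort == $to) | .["Ip\($suf)Ranges"] // [] | .[] | .["CidrIp\($suf)"]' <<<"${secgrp_list}" | sort | paste -sd, -)`. The same replacement applies to the second hunk, after which both `# shellcheck disable=SC2086` lines can be dropped. `wait_for_aws_ingress_cidrs_for_port_range` starts and ends outside both hunks.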
diff --git a/scripts/win-installer/setup.iss b/scripts/win-installer/setup.iss
index 8c12e71cd98..2e277bfffe2 100644
--- a/scripts/win-installer/setup.iss
+++ b/scripts/win-installer/setup.iss
@@ -4,7 +4,7 @@
 #if GetEnv('JUJU_VERSION') != ""
 #define MyAppVersion=GetEnv('JUJU_VERSION')
 #else
-#define MyAppVersion="3.1.8"
+#define MyAppVersion="3.1.9"
 #endif
 #define MyAppName "Juju"
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index b3d86bf0296..c53c80db408 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -1,5 +1,5 @@
 name: juju
-version: 3.1.8
+version: 3.1.9
 summary: Juju - a model-driven operator lifecycle manager for K8s and machines
 license: AGPL-3.0
 description: |
diff --git a/version/version.go b/version/version.go
index d8fd339e7be..e8456292778 100644
--- a/version/version.go
+++ b/version/version.go
@@ -18,7 +18,7 @@ import (
 // The presence and format of this constant is very important.
 // The debian/rules build recipe uses this value for the version
 // number of the release package.
-const version = "3.1.8"
+const version = "3.1.9"
 // UserAgentVersion defines a user agent version used for communication for
 // outside resources.
From d2c0883274b8ea730f11ffc4fa5cb88adb6f94f5 Mon Sep 17 00:00:00 2001
From: Jack Shaw
Date: Wed, 24 Apr 2024 11:58:30 +0100
Subject: [PATCH 7/7] Fix client tests gh action for mac In github's MacOs runner images, mongodb is no longer present in versions of toolsets 13 and beyond
---
 .github/workflows/client-tests.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/.github/workflows/client-tests.yml b/.github/workflows/client-tests.yml
index a801343365f..0cc49f884ba 100644
--- a/.github/workflows/client-tests.yml
+++ b/.github/workflows/client-tests.yml
@@ -43,6 +43,15 @@ jobs:
 run: |
 make install-mongo-dependencies
+ - name: "Install Mongo Dependencies: macOS-latest"
+ if: (matrix.os == 'macOS-latest')
+ run: |
+ brew tap mongodb/brew
+ brew update
+ brew install mongodb-community@4.4
+ brew link mongodb-community@4.4
+ brew services start mongodb/brew/mongodb-community@4.4
+
 - name: "Remove Mongo Dependencies: windows-latest"
 if: (matrix.os == 'windows-latest')
 uses: crazy-max/ghaction-chocolatey@90deb87d9fbf0bb2f022b91e3bf11b4441cddda5 # v1
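Review bot: The new macOS step installs `mongodb-community@4.4` from the `mongodb/brew` tap at whatever its default branch serves on the day the job runs, whereas the neighbouring windows step pins its action to a commit SHA (`crazy-max/ghaction-chocolatey@90deb87d…`), so this job's dependency set is not reproducible in the same way. If that matters for the client tests, pin the tap to a commit or at least record what was installed in the job log (for example a `brew info mongodb-community@4.4` line after the install) so a failing run can be tied to the formula it used. A short comment above `brew install` saying why 4.4 specifically is required would also help, since that release is, as far as I know, past its upstream end of life and a later reader may otherwise take the version for an oversight rather than a deliberate match with the Linux job. The `jobs:` block containing this step starts outside the hunk.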