Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package neutron
[ Reason ]
The upstream release didn't include python3.9 in the possible python
versions in the rootwrap configuration.
[ Impact ]
Neutron fails to kill the keepalived processes, resulting in a broken
virtual router configuration whenever a router is deleted.
[ Tests ]
This isn't detected by the functional tests upstream (which uses
Python 3.5 to Python 3.8), and the rootrwap tests aren't run in the
unit tests. Though we successfully fixed the setup with the attached
patch in production.
[ Risks ]
No risk, this is just enrichment of an already working config.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock neutron/17.1.1-6
diff -Nru neutron-17.1.1/debian/changelog neutron-17.1.1/debian/changelog
--- neutron-17.1.1/debian/changelog 2021-05-17 20:47:34.000000000 +0200
+++ neutron-17.1.1/debian/changelog 2021-06-30 10:51:00.000000000 +0200
@@ -1,3 +1,9 @@
+neutron (2:17.1.1-6) unstable; urgency=medium
+
+ * Add fix-rootwrap-does-not-include-python-3.9.patch.
+
+ -- Thomas Goirand <z...@debian.org> Wed, 30 Jun 2021 10:51:00 +0200
+
neutron (2:17.1.1-5) unstable; urgency=high
* CVE-2021-20267: Anti-spoofing bypass using Open vSwitch. Applied upstream
diff -Nru
neutron-17.1.1/debian/patches/fix-rootwrap-does-not-include-python-3.9.patch
neutron-17.1.1/debian/patches/fix-rootwrap-does-not-include-python-3.9.patch
---
neutron-17.1.1/debian/patches/fix-rootwrap-does-not-include-python-3.9.patch
1970-01-01 01:00:00.000000000 +0100
+++
neutron-17.1.1/debian/patches/fix-rootwrap-does-not-include-python-3.9.patch
2021-06-30 10:51:00.000000000 +0200
@@ -0,0 +1,16 @@
+Description: Fix rootwrap does not include python 3.9
+Author: Thomas Goirand <z...@debian.org>
+Bug-Debian: https://bugs.debian.org/985104
+Forwarded: no
+Last-Update: 2021-06-30
+
+--- neutron-17.1.1.orig/etc/neutron/rootwrap.d/l3.filters
++++ neutron-17.1.1/etc/neutron/rootwrap.d/l3.filters
+@@ -70,6 +70,7 @@ kill_keepalived_monitor_py3: KillFilter,
+ kill_keepalived_monitor_py36: KillFilter, root, python3.6, -15, -9
+ kill_keepalived_monitor_py37: KillFilter, root, python3.7, -15, -9
+ kill_keepalived_monitor_py38: KillFilter, root, python3.8, -15, -9
++kill_keepalived_monitor_py39: KillFilter, root, python3.9, -15, -9
+ # For e.g. RHEL8 neutron-keepalived-state-change is run by "system python"
+ # which is /usr/libexec/platform-python3.6 so this should be in filters also.
+ # Path /usr/libexec isn't in PATH by default so it has to be given here as
diff -Nru neutron-17.1.1/debian/patches/series
neutron-17.1.1/debian/patches/series
--- neutron-17.1.1/debian/patches/series 2021-05-17 20:47:34.000000000
+0200
+++ neutron-17.1.1/debian/patches/series 2021-06-30 10:51:00.000000000
+0200
@@ -1,2 +1,3 @@
Floating_IP_s_for_routed_networks.patch
CVE-2021-20267_Restrict_IPv6_NA_and_DHCPv6_IP_and_MAC_source_addresses.patch
+fix-rootwrap-does-not-include-python-3.9.patch
