From 0581b9166091e732520365ec4a80f2a7e664b9a04fdc77dd52172d071846b0b2 Mon Sep 17 00:00:00 2001 From: Christian Goll Date: Fri, 10 Jan 2020 10:38:48 +0000 Subject: [PATCH] Accepting request 762650 from home:eeich:branches:network:cluster - Update to version 19.05.5 (jsc#SLE-8491) * Check %docdir/NEWS for details. * Includes security fixes CVE-2019-19727, CVE-2019-19728, CVE-2019-12838. * Disable i586 builds as this is no longer supported. * Create libnss_slurm package to support user and group resolution thru slurmstepd. * slurm-2.4.4-rpath.patch -> Remove-rpath-from-build.patch Obsoleted: - pam_slurm_adopt-avoid-running-outside-of-the-sshd-PA.patch - pam_slurm_adopt-send_user_msg-don-t-copy-undefined-d.patch - pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch OBS-URL: https://build.opensuse.org/request/show/762650 OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=118 --- ...ath.patch => Remove-rpath-from-build.patch | 38 ++- ...avoid-running-outside-of-the-sshd-PA.patch | 298 ------------------ ...send_user_msg-don-t-copy-undefined-d.patch | 32 -- ...use-uid-to-determine-whether-root-is.patch | 56 ---- slurm-18.08.9.tar.bz2 | 3 - slurm-19.05.5.tar.bz2 | 3 + slurm.changes | 16 + slurm.spec | 122 ++++--- 8 files changed, 120 insertions(+), 448 deletions(-) rename slurm-2.4.4-rpath.patch => Remove-rpath-from-build.patch (56%) delete mode 100644 pam_slurm_adopt-avoid-running-outside-of-the-sshd-PA.patch delete mode 100644 pam_slurm_adopt-send_user_msg-don-t-copy-undefined-d.patch delete mode 100644 pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch delete mode 100644 slurm-18.08.9.tar.bz2 create mode 100644 slurm-19.05.5.tar.bz2
diff --git a/slurm-2.4.4-rpath.patch b/Remove-rpath-from-build.patch
similarity index 56%
rename from slurm-2.4.4-rpath.patch
rename to Remove-rpath-from-build.patch
index 60e144f..e08add5 100644
--- a/slurm-2.4.4-rpath.patch
+++ b/Remove-rpath-from-build.patch
@@ -1,16 +1,29 @@ -diff -aruN slurm-2.4.4.orig/contribs/perlapi/libslurm/perl/Makefile.PL.in slurm-2.4.4/contribs/perlapi/libslurm/perl/Makefile.PL.in ---- slurm-2.4.4.orig/contribs/perlapi/libslurm/perl/Makefile.PL.in 2012-11-02 17:46:12.000000000 +0100 -+++ slurm-2.4.4/contribs/perlapi/libslurm/perl/Makefile.PL.in 2012-11-17 17:42:51.919815606 +0100 -@@ -77,7 +77,7 @@ +From: Egbert Eich +Date: Wed Jan 8 20:56:25 2020 +0100 +Subject: Remove rpath from build +Patch-mainline: never +Git-commit: f79af97c35f38775a7a90cd8e4b98814729d9a9c +References: + +Signed-off-by: Egbert Eich +--- + slurm-19.05.5/contribs/perlapi/libslurm/perl/Makefile.PL.in | 4 ++-- + slurm-19.05.5/contribs/perlapi/libslurmdb/perl/Makefile.PL.in | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) +diff --git a/slurm-19.05.5/contribs/perlapi/libslurm/perl/Makefile.PL.in b/slurm-19.05.5/contribs/perlapi/libslurm/perl/Makefile.PL.in +index fcae437..797c943 100644 +--- a/slurm-19.05.5/contribs/perlapi/libslurm/perl/Makefile.PL.in ++++ b/slurm-19.05.5/contribs/perlapi/libslurm/perl/Makefile.PL.in +@@ -77,7 +77,7 @@ DESTDIR_BUG # AIX has problems with not always having the correct # flags so we have to add some :) my $os = lc(`uname`); -my $other_ld_flags = "-Wl,-rpath,@top_builddir@/src/api/.libs -Wl,-rpath,@prefix@/lib"; -+my $other_ld_flags = "-L@top_builddir@/src/api/.libs -lslurm"; ++my $other_ld_flags = "-L@top_builddir@/src/api/.libs -lslurm"; $other_ld_flags = " -brtl -G -bnoentry -bgcbypass:1000 -bexpfull" if $os =~ "aix"; -@@ -88,7 +88,7 @@ +@@ -88,7 +88,7 @@ WriteMakefile( ($] >= 5.005 ? ## Add these new keywords supported since 5.005 (ABSTRACT_FROM => 'lib/Slurm.pm', # retrieve abstract from module AUTHOR => 'Hongjia Cao ') : ()), 
@@ -19,10 +32,11 @@ diff -aruN slurm-2.4.4.orig/contribs/perlapi/libslurm/perl/Makefile.PL.in slurm- DEFINE => '', # e.g., '-DHAVE_SOMETHING' INC => "-I. -I@top_srcdir@ -I@top_srcdir@/contribs/perlapi/common -I@top_builddir@", # Un-comment this if you add C files to link with later: -diff -aruN slurm-2.4.4.orig/contribs/perlapi/libslurmdb/perl/Makefile.PL.in slurm-2.4.4/contribs/perlapi/libslurmdb/perl/Makefile.PL.in ---- slurm-2.4.4.orig/contribs/perlapi/libslurmdb/perl/Makefile.PL.in 2012-11-02 17:46:12.000000000 +0100 -+++ slurm-2.4.4/contribs/perlapi/libslurmdb/perl/Makefile.PL.in 2012-11-17 17:41:27.163818599 +0100 -@@ -76,7 +76,7 @@ +diff --git a/slurm-19.05.5/contribs/perlapi/libslurmdb/perl/Makefile.PL.in b/slurm-19.05.5/contribs/perlapi/libslurmdb/perl/Makefile.PL.in +index 2db028c..83eb4e2 100644 +--- a/slurm-19.05.5/contribs/perlapi/libslurmdb/perl/Makefile.PL.in ++++ b/slurm-19.05.5/contribs/perlapi/libslurmdb/perl/Makefile.PL.in +@@ -76,7 +76,7 @@ DESTDIR_BUG # AIX has problems with not always having the correct # flags so we have to add some :) my $os = lc(`uname`); @@ -31,11 +45,11 @@ diff -aruN slurm-2.4.4.orig/contribs/perlapi/libslurmdb/perl/Makefile.PL.in slur $other_ld_flags = " -brtl -G -bnoentry -bgcbypass:1000 -bexpfull" if $os =~ "aix"; -@@ -87,7 +87,7 @@ +@@ -87,7 +87,7 @@ WriteMakefile( ($] >= 5.005 ? ## Add these new keywords supported since 5.005 (ABSTRACT_FROM => 'Slurmdb.pm', # retrieve abstract from module AUTHOR => 'Don Lipari ') : ()), -- LIBS => ["-L@top_builddir@/src/db_api/.libs -L@prefix@/lib -lslurmdb"], # e.g., '-lm' +- LIBS => ["-L@top_builddir@/src/api/.libs -L@prefix@/lib -lslurm"], # e.g., '-lm' + LIBS => ["-L@prefix@/lib -lslurmdb"], # e.g., '-lm' DEFINE => '', # e.g., '-DHAVE_SOMETHING' INC => "-I. -I@top_srcdir@ -I@top_srcdir@/contribs/perlapi/common -I@top_builddir@", 
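Review bot: In the libslurmdb section of the refreshed patch (last hunk), the line being removed was updated to upstream's `-L@top_builddir@/src/api/.libs -L@prefix@/lib -lslurm`, but the replacement still reads `LIBS => ["-L@prefix@/lib -lslurmdb"]`. The patch therefore changes which library the Slurmdb binding links against, not only the search path. If 19.05.5 no longer builds a separate libslurmdb (not visible on this page), that name can only be satisfied by a stale copy already present in `@prefix@/lib` on the build host. Keeping upstream's library name while still dropping the build-tree path would be `LIBS => ["-L@prefix@/lib -lslurm"],`. The enclosing `WriteMakefile(` call starts and ends outside the hunk.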
diff --git a/pam_slurm_adopt-avoid-running-outside-of-the-sshd-PA.patch b/pam_slurm_adopt-avoid-running-outside-of-the-sshd-PA.patch
deleted file mode 100644
index e5317fa..0000000
--- a/pam_slurm_adopt-avoid-running-outside-of-the-sshd-PA.patch
+++ /dev/null
@@ -1,298 +0,0 @@ -From 4c38389917a54e137a4578b45f0f6a821c8c591a Mon Sep 17 00:00:00 2001 -From: Matthias Gerstner -Date: Wed, 5 Dec 2018 15:03:19 +0100 -Subject: [PATCH 1/3] pam_slurm_adopt: avoid running outside of the sshd PAM - service context - -This pam module is tailored towards running in the context of remote ssh -logins. When running in a different context like a local sudo call then -the module could be influenced by e.g. passing environment variables -like SLURM_CONF. - -By limiting the module to only perform its actions when running in the -sshd context by default this situation can be avoided. An additional pam -module argument service= allows an Administrator to control -this behaviour, if different behaviour is explicitly desired. - -Signed-off-by: Christian Goll ---- - contribs/pam_slurm_adopt/README | 172 ++++++++++++++++++++++++++++- - contribs/pam_slurm_adopt/pam_slurm_adopt.c | 46 ++++++++ - 2 files changed, 217 insertions(+), 1 deletion(-) - -diff --git a/contribs/pam_slurm_adopt/README b/contribs/pam_slurm_adopt/README -index 07039740f8..8baece6d2e 100644 ---- a/contribs/pam_slurm_adopt/README -+++ b/contribs/pam_slurm_adopt/README -@@ -1,5 +1,175 @@ - Current documentation can be found here: - - https://slurm.schedmd.com/pam_slurm_adopt.html -- - (Which is generated from docs/html/pam_slurm_adopt.shtml.) -+ -+======= -+AUTHOR -+ Ryan Cox -+ -+MODULE TYPES PROVIDED -+ account -+ -+DESCRIPTION -+ This module attempts to determine the job which originated this connection. 
-+ The module is configurable; these are the default steps: -+ -+ 1) Check the local stepd for a count of jobs owned by the non-root user -+ a) If none, deny (option action_no_jobs) -+ b) If only one, adopt the process into that job -+ c) If multiple, continue -+ 2) Determine src/dst IP/port of socket -+ 3) Issue callerid RPC to slurmd at IP address of source -+ a) If the remote slurmd can identify the source job, adopt into that job -+ b) If not, continue -+ 4) Pick a random local job from the user to adopt into (option action_unknown) -+ -+ Jobs are adopted into a job's allocation step. -+ -+MODULE OPTIONS -+This module has the following options (* = default): -+ -+ ignore_root - By default, all root connections are ignored. If the RPC -+ is sent to a node which drops packets to the slurmd port, the -+ RPC will block for some time before failing. This is -+ unlikely to be desirable. Likewise, root may be trying to -+ administer the system and not do work that should be in a job. -+ The job may trigger oom-killer or just exit. If root restarts -+ a service or similar, it will be tracked and killed by Slurm -+ when the job exits. This sounds bad because it is bad. -+ -+ 1* = Let the connection through without adoption -+ 0 = I am crazy. I want random services to die when root jobs exit. I -+ also like it when RPCs block for a while then time out. -+ -+ -+ action_no_jobs - The action to perform if the user has no jobs on the node -+ -+ ignore = Do nothing. Fall through to the next pam module -+ deny* = Deny the connection -+ -+ -+ action_unknown - The action to perform when the user has multiple jobs on -+ the node *and* the RPC does not locate the source job. -+ If the RPC mechanism works properly in your environment, -+ this option will likely be relevant *only* when connecting -+ from a login node. -+ -+ newest* = Pick the newest job on the node. 
The "newest" job is chosen -+ based on the mtime of the job's step_extern cgroup; asking -+ Slurm would require an RPC to the controller. The user can ssh -+ in but may be adopted into a job that exits earlier than the -+ job they intended to check on. The ssh connection will at -+ least be subject to appropriate limits and the user can be -+ informed of better ways to accomplish their objectives if this -+ becomes a problem -+ allow = Let the connection through without adoption -+ deny = Deny the connection -+ -+ -+ action_adopt_failure - The action to perform if the process is unable to be -+ adopted into any job for whatever reason. If the -+ process cannot be adopted into the job identified by -+ the callerid RPC, it will fall through to the -+ action_unknown code and try to adopt there. A failure -+ at that point or if there is only one job will result -+ in this action being taken. -+ -+ allow* = Let the connection through without adoption -+ deny = Deny the connection -+ -+ action_generic_failure - The action to perform if there are certain failures -+ such as the inability to talk to the local slurmd -+ or if the kernel doesn't offer the correct -+ facilities. -+ -+ ignore* = Do nothing. Fall through to the next pam module -+ allow = Let the connection through without adoption -+ deny = Deny the connection -+ -+ log_level - See SlurmdDebug in slurm.conf(5) for available options. The -+ default log_level is info. -+ -+ disable_x11 - turn off Slurm built-in X11 forwarding support. -+ -+ 1 = Do not check for Slurm's X11 forwarding support, and no not -+ alter the DISPLAY variable. -+ 0* = If the step the job is adopted into has X11 enabled, set -+ the DISPLAY variable in the processes environment accordingly. -+ -+ service - The pam service name for which this module should run. By default -+ it only runs for sshd for which it was designed for. A -+ different service name can be specified like "login" or "*" to -+ allow the module to in any service context. 
For local pam logins -+ this module could cause unexpected behaviour or even security -+ issues. Therefore if the service name does not match then this -+ module will not perform the adoption logic and returns -+ PAM_IGNORE immediately. -+ -+SLURM.CONF CONFIGURATION -+ PrologFlags=contain must be set in slurm.conf. This sets up the "extern" step -+ into which ssh-launched processes will be adopted. -+ -+ **** IMPORTANT **** -+ PrologFlags=contain must be in place *before* using this module. -+ The module bases its checks on local steps that have already been launched. If -+ the user has no steps on the node, such as the extern step, the module will -+ assume that the user has no jobs allocated to the node. Depending on your -+ configuration of the pam module, you might deny *all* user ssh attempts. -+ -+NOTES -+ This module and the related RPC currently support Linux systems which -+ have network connection information available through /proc/net/tcp{,6}. A -+ proccess's sockets must exist as symlinks in its /proc/self/fd directory. -+ -+ The RPC data structure itself is OS-agnostic. If support is desired for a -+ different OS, relevant code must be added to find one's socket information -+ then match that information on the remote end to a particular process which -+ Slurm is tracking. -+ -+ IPv6 is supported by the RPC data structure itself and the code which sends it -+ and receives it. Sending the RPC to an IPv6 address is not currently -+ supported by Slurm. Once support is added, remove the relevant check in -+ slurm_network_callerid(). -+ -+ For the action_unknown=newest setting to work, the memory cgroup must be in -+ use so that the code can check mtimes of cgroup directories. If you would -+ prefer to use a different subsystem, modify the _indeterminate_multiple -+ function. -+ -+FIREWALLS, IP ADDRESSES, ETC. -+ slurmd should be accessible on any IP address from which a user might launch -+ ssh. 
The RPC to determine the source job must be able to reach the slurmd -+ port on that particular IP address. -+ -+ If there is no slurmd on the source node, such as on a login node, it is -+ better to have the RPC be rejected rather than silently dropped. This -+ will allow better responsiveness to the RPC initiator. -+ -+EXAMPLES / SUGGESTED USAGE -+ Use of this module is recommended on any compute node. -+ -+ Add the following line to the appropriate file in /etc/pam.d, such as -+ system-auth or sshd: -+ -+ account sufficient pam_slurm_adopt.so -+ -+ If you always want to allow access for an administrative group (e.g. wheel), -+ stack the pam_access module after pam_slurm_adopt. A success with -+ pam_slurm_adopt is sufficient to allow access but the pam_access module can -+ allow others, such as staff, access even without jobs. -+ -+ account sufficient pam_slurm_adopt.so -+ account required pam_access.so -+ -+ -+ Then edit the pam_access configuration file (/etc/security/access.conf): -+ -+ +:wheel:ALL -+ -:ALL:ALL -+ -+ When access is denied, the user will receive a relevant error message. -+ -+ pam_systemd.so is known to not play nice with Slurm's usage of cgroups. It is -+ recommended that you disable it or possibly add pam_slurm_adopt.so after -+ pam_systemd.so. 
-diff --git a/contribs/pam_slurm_adopt/pam_slurm_adopt.c b/contribs/pam_slurm_adopt/pam_slurm_adopt.c -index 51f21e8729..dccad90185 100644 ---- a/contribs/pam_slurm_adopt/pam_slurm_adopt.c -+++ b/contribs/pam_slurm_adopt/pam_slurm_adopt.c -@@ -94,6 +94,7 @@ static struct { - log_level_t log_level; - char *node_name; - bool disable_x11; -+ char *pam_service; - } opts; - - static void _init_opts(void) -@@ -107,6 +108,7 @@ static void _init_opts(void) - opts.log_level = LOG_LEVEL_INFO; - opts.node_name = NULL; - opts.disable_x11 = false; -+ opts.pam_service = NULL; - } - - static slurm_cgroup_conf_t *slurm_cgroup_conf = NULL; -@@ -576,6 +578,9 @@ static void _parse_opts(pam_handle_t *pamh, int argc, const char **argv) - opts.node_name = xstrdup(v); - } else if (!xstrncasecmp(*argv, "disable_x11=1", 13)) { - opts.disable_x11 = true; -+ } else if (!xstrncasecmp(*argv, "service=", 8)) { -+ v = (char *)(8 + *argv); -+ opts.pam_service = xstrdup(v); - } - } - -@@ -601,6 +606,40 @@ static int _load_cgroup_config() - return SLURM_SUCCESS; - } - -+/* Make sure to only continue if we're running in the sshd context -+ * -+ * If this module is used locally e.g. via sudo then unexpected things might -+ * happen (e.g. passing environment variables interpreted by slurm code like -+ * SLURM_CONF or inheriting file descriptors that are used by _try_rpc()). -+ */ -+static int check_pam_service(pam_handle_t *pamh) -+{ -+ const char *allowed = opts.pam_service ? 
opts.pam_service : "sshd"; -+ char *service = NULL; -+ int rc; -+ -+ if (!strcmp(allowed, "*")) -+ // any service name is allowed -+ return PAM_SUCCESS; -+ -+ rc = pam_get_item(pamh, PAM_SERVICE, (void*)&service); -+ -+ if (rc != PAM_SUCCESS) { -+ pam_syslog(pamh, LOG_ERR, "failed to obtain PAM_SERVICE name"); -+ return rc; -+ } -+ else if (service == NULL) { -+ // this shouldn't actually happen -+ return PAM_BAD_ITEM; -+ } -+ -+ if (!strcmp(service, allowed)) { -+ return PAM_SUCCESS; -+ } -+ -+ pam_syslog(pamh, LOG_INFO, "Not adopting process since this is not an allowed pam service"); -+ return PAM_IGNORE; -+} - - /* Parse arguments, etc then get my socket address/port information. Attempt to - * adopt this process into a job in the following order: -@@ -622,6 +661,12 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags - - _init_opts(); - _parse_opts(pamh, argc, argv); -+ -+ retval = check_pam_service(pamh); -+ if (retval != PAM_SUCCESS) { -+ return retval; -+ } -+ - _log_init(opts.log_level); - - switch (opts.action_generic_failure) { -@@ -765,6 +810,7 @@ cleanup: - xfree(buf); - xfree(slurm_cgroup_conf); - xfree(opts.node_name); -+ xfree(opts.pam_service); - return rc; - } - --- -2.16.4 - diff --git a/pam_slurm_adopt-send_user_msg-don-t-copy-undefined-d.patch b/pam_slurm_adopt-send_user_msg-don-t-copy-undefined-d.patch deleted file mode 100644 index 417ad26..0000000 --- a/pam_slurm_adopt-send_user_msg-don-t-copy-undefined-d.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -From a5d4481c05e2afa1ff1920446663e66c48ef9277 Mon Sep 17 00:00:00 2001 -From: Matthias Gerstner -Date: Wed, 5 Dec 2018 14:08:07 +0100 -Subject: [PATCH 2/3] pam_slurm_adopt: send_user_msg: don't copy undefined data - into message - -Using memcpy, an amount of undefined data from the stack will be copied -into the target buffer. While pam_conv probably doesn't evalute the -extra data it still unclean to do that. It could lead up to an -information leak somewhen. - -Signed-off-by: Christian Goll ---- - contribs/pam_slurm_adopt/helper.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/contribs/pam_slurm_adopt/helper.c b/contribs/pam_slurm_adopt/helper.c -index 9c3e202a87..1bac0a0fcf 100644 ---- a/contribs/pam_slurm_adopt/helper.c -+++ b/contribs/pam_slurm_adopt/helper.c -@@ -128,7 +128,7 @@ send_user_msg(pam_handle_t *pamh, const char *mesg) - - /* Construct msg to send to app. - */ -- memcpy(str, mesg, sizeof(str)); -+ strncpy(str, mesg, sizeof(str)); - msg[0].msg_style = PAM_ERROR_MSG; - msg[0].msg = str; - pmsg[0] = &msg[0]; --- -2.16.4 - diff --git a/pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch b/pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch deleted file mode 100644 index c0fa6de..0000000 --- a/pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From d630acbf5709dcf03f9e8cd1739a77cfe6c1e4b8 Mon Sep 17 00:00:00 2001 -From: Matthias Gerstner -Date: Wed, 5 Dec 2018 15:08:53 +0100 -Subject: [PATCH 3/3] pam_slurm_adopt: use uid to determine whether root is - logging on - -In some systems there can be multiple user accounts for uid 0, therefore -the check for literal user name "root" might be insufficient. - -Signed-off-by: Christian Goll ---- - contribs/pam_slurm_adopt/pam_slurm_adopt.c | 21 ++++++++++----------- - 1 file changed, 10 insertions(+), 11 deletions(-) - -diff --git a/contribs/pam_slurm_adopt/pam_slurm_adopt.c b/contribs/pam_slurm_adopt/pam_slurm_adopt.c -index dccad90185..f1d062885e 100644 ---- a/contribs/pam_slurm_adopt/pam_slurm_adopt.c -+++ b/contribs/pam_slurm_adopt/pam_slurm_adopt.c -@@ -708,17 +708,6 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags - opts.ignore_root = 1; - } - -- /* Ignoring root is probably best but the admin can allow it */ -- if (!strcmp(user_name, "root")) { -- if (opts.ignore_root) { -- info("Ignoring root user"); -- return PAM_IGNORE; -- } else { -- /* This administrator is crazy */ -- info("Danger!!! This is a connection attempt by root and ignore_root=0 is set! Hope for the best!"); -- } -- } -- - /* Calculate buffer size for getpwnam_r */ - bufsize = sysconf(_SC_GETPW_R_SIZE_MAX); - if (bufsize == -1) -@@ -740,6 +729,16 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags - - if (_load_cgroup_config() != SLURM_SUCCESS) - return rc; -+ /* Ignoring root is probably best but the admin can allow it */ -+ if (pwd.pw_uid == 0) { -+ if (opts.ignore_root) { -+ info("Ignoring root user"); -+ return PAM_IGNORE; -+ } else { -+ /* This administrator is crazy */ -+ info("Danger!!! This is a connection attempt by root (user id 0) and ignore_root=0 is set! Hope for the best!"); -+ } -+ } - - /* - * Check if there are any steps on the node from any user. A failure here --- -2.16.4 - 
diff --git a/slurm-18.08.9.tar.bz2 b/slurm-18.08.9.tar.bz2
deleted file mode 100644
index ecaf0a0..0000000
--- a/slurm-18.08.9.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a7103b45c58565b580f94cd68bc546344ffaa7dd0e349d23ec849e5acebff9ad
-size 6210190
diff --git a/slurm-19.05.5.tar.bz2 b/slurm-19.05.5.tar.bz2
new file mode 100644
index 0000000..c10b5c0
--- /dev/null
+++ b/slurm-19.05.5.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:715be211b7bef80d06df0011ec91c51ab740031bd9ff722a5e60c595feaad282
+size 6232295
diff --git a/slurm.changes b/slurm.changes
index 3c77217..77d52de 100644
--- a/slurm.changes
+++ b/slurm.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Jan 8 20:01:19 UTC 2020 - Egbert Eich
+
+- Update to version 19.05.5 (jsc#SLE-8491)
+ * Check %docdir/NEWS for details.
+ * Includes security fixes CVE-2019-19727, CVE-2019-19728,
+ CVE-2019-12838.
+ * Disable i586 builds as this is no longer supported.
+ * Create libnss_slurm package to support user and group resolution
+ thru slurmstepd.
+ * slurm-2.4.4-rpath.patch -> Remove-rpath-from-build.patch
+ Obsoleted:
+ - pam_slurm_adopt-avoid-running-outside-of-the-sshd-PA.patch
+ - pam_slurm_adopt-send_user_msg-don-t-copy-undefined-d.patch
+ - pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch
+
 -------------------------------------------------------------------
 Thu Jan 2 09:14:56 UTC 2020 - Egbert Eich
 
diff --git a/slurm.spec b/slurm.spec
index d7e7221..615a5f0 100644
--- a/slurm.spec
+++ b/slurm.spec
@@ -17,15 +17,20 @@ # Check file META in sources: update so_version to (API_CURRENT - API_AGE) -%define so_version 33 -%define ver 18.08.9 -%define _ver _18_08 +%define so_version 34 +%define ver 19.05.5 +%define _ver _19_05 %define dl_ver %{ver} # so-version is 0 and seems to be stable %define pmi_so 0 +%define nss_so 2 %define pname slurm +%ifarch i586 +ExclusiveArch: do_not_build +%endif + %if 0%{?sle_version} == 120200 %define base_ver 1702 %endif @@ -42,6 +47,9 @@ %if 0%{?base_ver} > 0 && 0%{?base_ver} < %(echo %{_ver} | tr -d _) %define upgrade 1 %endif +%if !0%{?is_opensuse} && 0%{!?upgrade:1} && 0%{?sle_version} < 150200 +%define legacy_cray 1 +%endif # Build with PMIx only for SLE >= 15.2 and TW %if 0%{?sle_version} >= 150200 || 0%{suse_version} >= 1550 @@ -111,7 +119,7 @@ Group: Productivity/Clustering/Computing URL: https://www.schedmd.com Source: https://download.schedmd.com/slurm/%{pname}-%{dl_ver}.tar.bz2 Source1: slurm-rpmlintrc -Patch0: slurm-2.4.4-rpath.patch +Patch0: Remove-rpath-from-build.patch Patch1: slurm-2.4.4-init.patch Patch2: pam_slurm-Initialize-arrays-and-pass-sizes.patch Patch3: split-xdaemon-in-xdaemon_init-and-xdaemon_finish-for.patch @@ -121,9 +129,6 @@ Patch6: slurmdbd-uses-xdaemon_-for-systemd.patch Patch7: slurmsmwd-uses-xdaemon_-for-systemd.patch Patch8: removed-deprecated-xdaemon.patch Patch9: slurmctld-rerun-agent_init-when-backup-controller-takes-over.patch -Patch10: pam_slurm_adopt-avoid-running-outside-of-the-sshd-PA.patch -Patch11: pam_slurm_adopt-send_user_msg-don-t-copy-undefined-d.patch -Patch12: pam_slurm_adopt-use-uid-to-determine-whether-root-is.patch %{?upgrade:Provides: %{pname} = %{version}} %{?upgrade:Conflicts: %{pname}} 
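Review bot: The new `%ifarch i586` / `ExclusiveArch: do_not_build` block in the first hunk disables the build by naming an architecture that does not exist, and it is keyed on `i586` alone. A reader has to infer the intent, and a build targeting another 32-bit x86 variant would presumably not match the condition. Stating the exclusion directly is shorter and covers the whole family: `ExcludeArch: %ix86`, with a comment above it such as `# 32-bit x86 builds are disabled, see slurm.changes`.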
@@ -240,29 +245,37 @@ through Perl. Summary: Libraries for SLURM Group: System/Libraries Requires: %{name}-config = %{version} +Provides: libslurm = %{version} +Conflicts: libslurm %description -n %{libslurm} This package contains the library needed to run programs dynamically linked with SLURM. -%package -n libpmi%{pmi_so}%{?upgrade:%{_ver}} -Summary: Libraries for SLURM +%package -n libpmi%{pmi_so} +Summary: SLURM PMI Library Group: System/Libraries -%{?upgrade:Provides: libpmi%{pmi_so} = %{version}} -%{?upgrade:Conflicts: libpmi%{pmi_so}} -%description -n libpmi%{pmi_so}%{?upgrade:%{_ver}} +%description -n libpmi%{pmi_so} This package contains the library needed to run programs dynamically linked with SLURM. +%package -n libnss_%{pname}%{nss_so} +Summary: NSS Plugin for SLURM +Group: System/Libraries + +%description -n libnss_%{pname}%{nss_so} +libnss_slurm is an optional NSS plugin that permits password and group +resolution for a job on a compute node to be serviced through the local +slurmstepd process. %package devel Summary: Development package for SLURM Group: Development/Libraries/C and C++ Requires: %{libslurm} = %{version} Requires: %{name} = %{version} -Requires: libpmi%{pmi_so}%{?upgrade:%{_ver}} = %{version} +Requires: libpmi%{pmi_so} = %{version} %{?upgrade:Provides: %{pname}-devel = %{version}} %{?upgrade:Conflicts: %{pname}-devel} @@ -449,6 +462,7 @@ This package contains just the minmal code to run a compute node. %package config Summary: Config files and directories for slurm services Group: Productivity/Clustering/Computing +Requires: logrotate %if 0%{?suse_version} <= 1140 Requires(pre): pwdutils %else @@ -493,7 +507,7 @@ Contains also cray specific documentation. %prep %setup -q -n %{pname}-%{dl_ver} -%patch0 -p1 +%patch0 -p2 %patch1 -p1 %patch2 -p1 %patch3 -p1 
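Review bot: The `%description` of the new `libnss_%{pname}%{nss_so}` package (first hunk) says what the plugin does but not what switches it on, which matters for a module that answers passwd and group lookups. As far as the visible hunks show, installing the library alone changes nothing; it is consulted only once `slurm` is listed as a source in `/etc/nsswitch.conf` and slurm.conf enables it (upstream documents `LaunchParameters=enable_nss_slurm`). I would add one sentence to the description, for example `The plugin is inactive until 'slurm' is added to the passwd and group lines of /etc/nsswitch.conf and enable_nss_slurm is set in slurm.conf.`, so administrators auditing name-service sources know where to look.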
@@ -504,9 +518,6 @@ Contains also cray specific documentation. %patch8 -p1 # Drop this fix as it is considered to be resolved by c1a537dbbe6 ##%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 %build %define _lto_cflags %{nil} @@ -691,7 +702,13 @@ Alias /slurm/ "/usr/share/doc/slurm-%{ver}/html/" EOF - +cat > %{buildroot}/%{_sysconfdir}/%{pname}/nss_slurm.conf <