Accepting request 454272 from home:eeich:branches:network:cluster

- Updated to 16.05.8.1
 * Remove StoragePass from being printed out in the slurmdbd log at debug2
   level.
 * Defer PATH search for task program until launch in slurmstepd.
 * Modify regression test1.89 to avoid leaving vestigial job. Also reduce
    logging to reduce likelyhood of Expect buffer overflow.
 * Do not PATH search for mult-prog launches if LaunchParamters=test_exec is
    enabled.
 * Fix for possible infinite loop in select/cons_res plugin when trying to
    satisfy a job's ntasks_per_core or socket specification.
 * If job is held for bad constraints make it so once updated the job doesn't
    go into JobAdminHeld.
 * sched/backfill - Fix logic to reserve resources for jobs that require a
    node reboot (i.e. to change KNL mode) in order to start.
 * When unpacking a node or front_end record from state and the protocol
    version is lower than the min version, set it to the min.
 * Remove redundant lookup for part_ptr when updating a reservation's nodes.
 * Fix memory and file descriptor leaks in slurmd daemon's sbcast logic.
 * Do not allocate specialized cores to jobs using the --exclusive option.
 * Cancel interactive job if Prolog failure with "PrologFlags=contain" or
   "PrologFlags=alloc" configured. Send new error prolog failure message to
   the salloc or srun command as needed.
 * Prevent possible out-of-bounds read in slurmstepd on an invalid #! line.
 * Fix check for PluginDir within slurmctld to work with multiple directories.
 * Cancel interactive jobs automatically on communication error to launching
   srun/salloc process.
 * Fix security issue caused by insecure file path handling triggered by the
   failure of a Prolog script. To exploit this a user needs to anticipate or
   cause the Prolog to fail for their job. CVE-2016-10030 (bsc#1018371).
- Replace group/user add macros with function calls.
- Disable building with netloc support: the netloc API is part of the devel
  branch of hwloc. Since this devel branch was included accidentally and has
  been reversed since, we need to disable this for the time being.
- Conditionalized architecture specific pieces to support non-x86 architectures
  better.

- Remove: unneeded 'BuildRequires:  python'
- Add:
  BuildRequires:  freeipmi-devel
  BuildRequires:  libibmad-devel
  BuildRequires:  libibumad-devel
  so they are picked up by the slurm build.
- Enable modifications from openHPC Project.
- Enable lua API package build.
- Add a recommends for slurm-munge to the slurm package:
  This is way, the munge auth method is available and slurm
  works out of the box.
- Create /var/lib/slurm as StateSaveLocation directory.
  /tmp is dangerous. 

- Keep %{_libdir}/libpmi* and %{_libdir}/mpi_pmi2* on SUSE.

OBS-URL: https://build.opensuse.org/request/show/454272
OBS-URL: https://build.opensuse.org/package/show/network:cluster/slurm?expand=0&rev=13
This commit is contained in:
Corot Sebastien 2017-02-02 20:23:02 +00:00 committed by Git OBS Bridge
parent 7bac92b6f9
commit bd06e0c765
5 changed files with 223 additions and 19 deletions

View File

@ -0,0 +1,82 @@
From: Sebastian Krahmer <krahmer@suse.com>
Date: Thu Feb 2 09:49:38 2017 +0100
Subject: [PATCH]pam_slurm: Initialize arrays and pass sizes
Git-repo: https://github.com/SchedMD/slurm
Git-commit: fbfbb90f6a2e7f134220991ed3263894ba365411
References: bsc#1007053
Signed-off-by: Egbert Eich <eich@suse.de>
PAM is security critical:
- clear arrays
- ensure strings are NULL-terminated.
Signed-off-by: Egbert Eich <eich@suse.com>
---
contribs/pam/pam_slurm.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/contribs/pam/pam_slurm.c b/contribs/pam/pam_slurm.c
index 0968a9c..ee179d5 100644
--- a/contribs/pam/pam_slurm.c
+++ b/contribs/pam/pam_slurm.c
@@ -266,9 +266,9 @@ static int
_gethostname_short (char *name, size_t len)
{
int error_code, name_len;
- char *dot_ptr, path_name[1024];
+ char *dot_ptr, path_name[1024] = {0};
- error_code = gethostname(path_name, sizeof(path_name));
+ error_code = gethostname(path_name, sizeof(path_name) - 1);
if (error_code)
return error_code;
@@ -296,11 +296,11 @@ static int
_slurm_match_allocation(uid_t uid)
{
int authorized = 0, i;
- char hostname[MAXHOSTNAMELEN];
+ char hostname[MAXHOSTNAMELEN] = {0};
char *nodename = NULL;
job_info_msg_t * msg;
- if (_gethostname_short(hostname, sizeof(hostname)) < 0) {
+ if (_gethostname_short(hostname, sizeof(hostname) - 1) < 0) {
_log_msg(LOG_ERR, "gethostname: %m");
return 0;
}
@@ -409,7 +409,7 @@ _send_denial_msg(pam_handle_t *pamh, struct _options *opts,
*/
extern void libpam_slurm_init (void)
{
- char libslurmname[64];
+ char libslurmname[64] = {0};
if (slurm_h)
return;
@@ -417,10 +417,10 @@ extern void libpam_slurm_init (void)
/* First try to use the same libslurm version ("libslurm.so.24.0.0"),
* Second try to match the major version number ("libslurm.so.24"),
* Otherwise use "libslurm.so" */
- if (snprintf(libslurmname, sizeof(libslurmname),
+ if (snprintf(libslurmname, sizeof(libslurmname) - 1,
"libslurm.so.%d.%d.%d", SLURM_API_CURRENT,
SLURM_API_REVISION, SLURM_API_AGE) >=
- sizeof(libslurmname) ) {
+ sizeof(libslurmname) - 1) {
_log_msg (LOG_ERR, "Unable to write libslurmname\n");
} else if ((slurm_h = dlopen(libslurmname, RTLD_NOW|RTLD_GLOBAL))) {
return;
@@ -429,8 +429,10 @@ extern void libpam_slurm_init (void)
libslurmname, dlerror ());
}
- if (snprintf(libslurmname, sizeof(libslurmname), "libslurm.so.%d",
- SLURM_API_CURRENT) >= sizeof(libslurmname) ) {
+ memset(libslurmname, 0, sizeof(libslurmname));
+
+ if (snprintf(libslurmname, sizeof(libslurmname) - 1, "libslurm.so.%d",
+ SLURM_API_CURRENT) >= sizeof(libslurmname) - 1) {
_log_msg (LOG_ERR, "Unable to write libslurmname\n");
} else if ((slurm_h = dlopen(libslurmname, RTLD_NOW|RTLD_GLOBAL))) {
return;

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7d3c30c1683fd207dda22f4078e038d110fa5bce133828fbd8e1ae6317f2ad38
size 8582827

3
slurm-16-05-8-1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2c162d56138360543a9a0f2486ae671c588883685a80eda028e9e17541a1f7b1
size 8432017

View File

@ -1,3 +1,64 @@
-------------------------------------------------------------------
Wed Feb 1 20:17:47 UTC 2017 - eich@suse.com
- Updated to 16.05.8.1
* Remove StoragePass from being printed out in the slurmdbd log at debug2
level.
* Defer PATH search for task program until launch in slurmstepd.
* Modify regression test1.89 to avoid leaving vestigial job. Also reduce
logging to reduce likelyhood of Expect buffer overflow.
* Do not PATH search for mult-prog launches if LaunchParamters=test_exec is
enabled.
* Fix for possible infinite loop in select/cons_res plugin when trying to
satisfy a job's ntasks_per_core or socket specification.
* If job is held for bad constraints make it so once updated the job doesn't
go into JobAdminHeld.
* sched/backfill - Fix logic to reserve resources for jobs that require a
node reboot (i.e. to change KNL mode) in order to start.
* When unpacking a node or front_end record from state and the protocol
version is lower than the min version, set it to the min.
* Remove redundant lookup for part_ptr when updating a reservation's nodes.
* Fix memory and file descriptor leaks in slurmd daemon's sbcast logic.
* Do not allocate specialized cores to jobs using the --exclusive option.
* Cancel interactive job if Prolog failure with "PrologFlags=contain" or
"PrologFlags=alloc" configured. Send new error prolog failure message to
the salloc or srun command as needed.
* Prevent possible out-of-bounds read in slurmstepd on an invalid #! line.
* Fix check for PluginDir within slurmctld to work with multiple directories.
* Cancel interactive jobs automatically on communication error to launching
srun/salloc process.
* Fix security issue caused by insecure file path handling triggered by the
failure of a Prolog script. To exploit this a user needs to anticipate or
cause the Prolog to fail for their job. CVE-2016-10030 (bsc#1018371).
- Replace group/user add macros with function calls.
- Disable building with netloc support: the netloc API is part of the devel
branch of hwloc. Since this devel branch was included accidentally and has
been reversed since, we need to disable this for the time being.
- Conditionalized architecture specific pieces to support non-x86 architectures
better.
-------------------------------------------------------------------
Tue Jan 3 17:21:58 UTC 2017 - eich@suse.com
- Remove: unneeded 'BuildRequires: python'
- Add:
BuildRequires: freeipmi-devel
BuildRequires: libibmad-devel
BuildRequires: libibumad-devel
so they are picked up by the slurm build.
- Enable modifications from openHPC Project.
- Enable lua API package build.
- Add a recommends for slurm-munge to the slurm package:
This is way, the munge auth method is available and slurm
works out of the box.
- Create /var/lib/slurm as StateSaveLocation directory.
/tmp is dangerous.
-------------------------------------------------------------------
Wed Nov 30 15:16:05 UTC 2016 - eich@suse.com
- Keep %{_libdir}/libpmi* and %{_libdir}/mpi_pmi2* on SUSE.
-------------------------------------------------------------------
Tue Nov 22 21:42:04 UTC 2016 - eich@suse.com

View File

@ -23,12 +23,26 @@
%if 0%{?suse_version} >= 1220 || 0%{?sle_version} >= 120000
%define with_systemd 1
%endif
%if 0%{suse_version} >= 1310
%if 0
%define have_netloc 1
%endif
%ifarch x86_64
%define have_libnuma 1
%else
%ifarch %{ix86}
%if 0%{?sle_version} >= 120200
%define have_libnuma 1
%endif
%endif
%endif
%define libslurm libslurm29
%define ver_exp 16-05-5-1
%define ver_exp 16-05-8-1
%define slurm_u %name
%define slurm_g %name
Name: slurm
Version: %{vers_f %ver_exp}
@ -44,14 +58,19 @@ Patch0: slurm-2.4.4-rpath.patch
Patch1: slurm-2.4.4-init.patch
Patch2: slurmd-Fix-slurmd-for-new-API-in-hwloc-2.0.patch
Patch3: plugins-cgroup-Fix-slurmd-for-new-API-in-hwloc-2.0.patch
Patch4: pam_slurm-Initialize-arrays-and-pass-sizes.patch
Requires: slurm-plugins = %{version}
%if 0%{?suse_version} <= 1140
Requires(pre): pwdutils
%else
Requires(pre): shadow
%endif
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: gtk2-devel
BuildRequires: libbitmask-devel
BuildRequires: libcpuset-devel
BuildRequires: libhwloc-devel
%ifarch x86_64
%if 0%{?have_libnuma}
BuildRequires: libnuma-devel
%endif
BuildRequires: mysql-devel >= 5.0.0
@ -59,8 +78,17 @@ BuildRequires: ncurses-devel
BuildRequires: openssl-devel >= 0.9.6
BuildRequires: pkgconfig
BuildRequires: postgresql-devel >= 8.0.0
BuildRequires: python
BuildRequires: readline-devel
%if 0%{?suse_version} > 1310 || 0%{?sle_version}
BuildRequires: libibmad-devel
BuildRequires: libibumad-devel
%endif
%if 0%{?suse_version} > 1140
BuildRequires: libhwloc-devel
%ifarch %{ix86} x86_64
BuildRequires: freeipmi-devel
%endif
%endif
%if 0%{?with_systemd}
%{?systemd_requires}
BuildRequires: systemd
@ -68,6 +96,7 @@ BuildRequires: systemd
PreReq: %insserv_prereq %fillup_prereq
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Recommends: %{name}-munge
%description
SLURM is an open source, fault-tolerant, and highly
@ -243,6 +272,15 @@ Linux Utility for Resource Managment (SLURM) is in use. Access is granted
to root, any user with an SLURM-launched job currently running on the node,
or any user who has allocated resources on the node according to the SLURM
%package lua
Summary: Lua API for SLURM
Group: Development/Libraries/Other
Requires: slurm = %{version}
BuildRequires: lua-devel
%description lua
LUA API package for SLURM. This package includes the lua API to provide a
helpful interface to SLURM through LUA.
%prep
%setup -q -n %{name}-%{name}-%{ver_exp}
@ -250,17 +288,18 @@ or any user who has allocated resources on the node according to the SLURM
%patch1 -p1
%patch2 -p1
%patch3 -p1
chmod 0644 doc/html/*.{gif,jpg}
%patch4 -p1
%build
%configure --enable-shared \
--disable-static \
--without-rpath \
%{!?have_netloc:--without-netloc} \
--sysconfdir=%{_sysconfdir}/%{name}
make %{?_smp_mflags}
%install
%makeinstall
%make_install
make install-contrib DESTDIR=$RPM_BUILD_ROOT PERL_MM_PARAMS="INSTALLDIRS=vendor"
rm -f $RPM_BUILD_ROOT/%{_sysconfdir}/slurm.conf.template
rm -f $RPM_BUILD_ROOT/%{_sbindir}/slurmconfgen.py
@ -294,10 +333,11 @@ install -D -m755 contribs/sjstat ${RPM_BUILD_ROOT}%{_bindir}/sjstat
%if 0%{?OHPC_BUILD}
# 6/16/15 karl.w.schulz@intel.com - do not package Slurm's version of libpmi with OpenHPC.
rm -f $RPM_BUILD_ROOT/%{_libdir}/libpmi*
rm -f $RPM_BUILD_ROOT/%{_libdir}/mpi_pmi2*
## rm -f $RPM_BUILD_ROOT/%%{_libdir}/libpmi*
## rm -f $RPM_BUILD_ROOT/%%{_libdir}/mpi_pmi2*
# 9/8/14 karl.w.schulz@intel.com - provide starting config file
head -n -2 $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/slurm.conf.example | grep -v ReturnToService > $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/slurm.conf
sed -i 's#\(StateSaveLocation=\).*#\1%_localstatedir/lib/slurm#' $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/slurm.conf
echo "# OpenHPC default configuration" >> $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/slurm.conf
echo "PropagateResourceLimitsExcept=MEMLOCK" >> $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/slurm.conf
echo "SlurmdLogFile=/var/log/slurm.log" >> $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/slurm.conf
@ -309,6 +349,7 @@ echo "PartitionName=normal Nodes=c[1-4] Default=YES MaxTime=24:00:00 State=UP" >
echo "ReturnToService=1" >> $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/slurm.conf
# 9/17/14 karl.w.schulz@intel.com - Add option to drop VM cache during epilog
sed -i '/^# No other SLURM jobs,/i \\n# Drop clean caches (OpenHPC)\necho 3 > /proc/sys/vm/drop_caches\n\n#' $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/slurm.epilog.clean
%{__mkdir_p} $RPM_BUILD_ROOT%_localstatedir/lib/slurm
%endif
# Delete unpackaged files:
@ -359,18 +400,23 @@ libdir=%{_libdir}
Cflags: -I\${includedir}
Libs: -L\${libdir} -lslurm
Description: Slurm API
Name: %{pname}
Name: %{name}
Version: %{version}
EOF
%fdupes -s $RPM_BUILD_ROOT
%if 0%{?with_systemd}
%pre
%if 0%{?with_systemd}
%service_add_pre slurmd.service
%service_add_pre slurmctld.service
%endif
%define slurmdir %{_sysconfdir}/slurm
%define slurmdescr "SLURM workload manager"
getent group %name >/dev/null || groupadd -r %name
getent passwd %name >/dev/null || useradd -r -g %name -d %slurmdir -s /bin/false -c %{slurmdescr} %name
exit 0
%post
%if 0%{?with_systemd}
@ -512,6 +558,7 @@ EOF
%{_sbindir}/rcslurm
%endif
%{?with_systemd:%{_sbindir}/rcslurmctld}
%{?OHPC_BUILD:%attr(0755, %slurm_u, %slurm_g) %_localstatedir/lib/slurm}
%files openlava
%defattr(-,root,root)
@ -537,8 +584,8 @@ EOF
%files devel
%defattr(-,root,root)
%{_prefix}/include/slurm
%{!?OHPC_BUILD:%{_libdir}/libpmi.so}
%{!?OHPC_BUILD:%{_libdir}/libpmi2.so}
%{_libdir}/libpmi.so
%{_libdir}/libpmi2.so
%{_libdir}/libslurm.so
%{_libdir}/libslurmdb.so
%{_libdir}/slurm/src/*
@ -553,7 +600,7 @@ EOF
%files sched-wiki
%defattr(-,root,root)
%{_libdir}/slurm/sched_wiki*.so
%{_mandir}/man5/wiki.*
#%%{_mandir}/man5/wiki.*
%files auth-none
%defattr(-,root,root)
@ -683,6 +730,20 @@ EOF
%{_libdir}/slurm/mcs_group.so
%{_libdir}/slurm/mcs_none.so
%{_libdir}/slurm/mcs_user.so
%if 0%{?suse_version} > 1310
%{_libdir}/slurm/acct_gather_infiniband_ofed.so
%endif
%if 0%{?suse_version} > 1140
%ifarch %{ix86} x86_64
%{_libdir}/slurm/acct_gather_energy_ipmi.so
%endif
%endif
%{_libdir}/slurm/node_features_knl_generic.so
%files lua
%defattr(-,root,root)
%{_libdir}/slurm/job_submit_lua.so
%{_libdir}/slurm/proctrack_lua.so
%files torque
%defattr(-,root,root)