8.131. luci

Security Fix

CVE-2014-3593

It was discovered that luci used eval() on inputs containing strings from the cluster configuration file when generating its web pages. An attacker with privileges to create or edit the cluster configuration could use this flaw to execute arbitrary code as the luci user on a host running luci.

This issue was discovered by Jan Pokorný of Red Hat.

Bug Fixes

BZ#855112

Previously, it was possible to use the following characters in the luci configuration file inside attribute values:

• the less-than sign (<)
• the greater-than sign (>)
• the quotation mark (")

Using such characters inside the attribute values could cause several problems. With this update, when the user attempts to use these special characters inside the attribute value, a warning is returned.

BZ#917738

The prefer_interface parameter was missing from the IP resource in the luci application. This parameter is used for adding an IP address to a particular network interface if a cluster node has multiple active interfaces that have IP addresses on the same subnetwork. The missing parameter has been added to luci with this update.

BZ#917771

Previously, the max_messages, netmtu, seqno_unchanged_const, and window_size configuration fields were missing from the luci configuration file when it was used in expert mode. This update adds the missing fields.

BZ#917780

The possibility to disable the Red Hat Resource Group Manager (rgmanager) was missing from the luci configuration. With this update, it is now possible to disable rgmanager in luci expert mode.

BZ#918795

Previously, luci was missing the Kdump fencing agent. The agent has been added with this update.

BZ#988446

Zooming the luci web interface in the Chrome and Firefox web browsers could cause the Users and Permissions tab to be displayed incorrectly. This bug has been fixed with this update, and the tab is now displayed properly.

BZ#999324

In previous releases, the luci application has been fixed to parse the cluster resource names with a suffix delimited by the period symbol (.) correctly. Due to this fix, the suffix was stripped off automatically. However, it is valid to specify a node name by referring to its IP address in the cluster configuration. When this was done, the node names ending with a suffix delimited by the period symbol, such as “.1” or “.sh”, were not shown properly and could not be edited. Also, such a node was indicated as not being a cluster member. This bug has been fixed, and such nodes are now handled properly in the described scenario.

BZ#1003062

Previously, the luci application used the 10g type as the default for the type attribute of the oracledb resource agent. This behavior was incorrect because luci was supposed to use the original configuration and do not set its own. With this update, the type field is not arbitrarily specified by luci.

BZ#1004011

Certain configurable parameters for the fence_xvm agent were missing from the luci application. This update adds the missing attributes, such as Timeout for expert and non-expert mode and Path to Key File, IP Port, Multicast Address, Multicast Retransmit Time, IP Family, Authentication Type, and Packet Hash Type for expert mode.

BZ#1004922

When creating a new cluster, the post_join_delay parameter in the cluster configuration was set to 3 or 6 seconds depending if the cluster was configured using the cluster.conf file or the cluster software. With this update, this inconsistent approach has been fixed. When no value is specified for post_join_delay, the value is not set in the cluster.conf file but the cluster software specifies the value, which is set to 6 seconds.

BZ#1008510

The name for the fence_enegera agent in the fence list was Egenera SAN Controller. This name was outdated and thus misleading. With this update, the agent is listed correctly as Egenera BladeFrame.

BZ#1019853

Previously, the self_fence parameter was missing from the configuration of the netfs resource agent. Also in the GUI, there was no checkbox entry for the Self-Fence If Unmount Fails option. This update adds the missing parameter.

BZ#1026374

Due to previous changes in the luci application, SELinux no longer labeled the luci process with the confined piranha_web_t SELinux context type. This behavior was incorrect, thus a new script has been added to the luci packages to address this bug. Also the SELinux policy has been modified accordingly. As a result, the luci process now runs as piranha_web_t as expected.

BZ#1100817

Previously, the luci application did not list virtual machine resource agents in the Resources menu in the web UI. An attempt to manually add a virtual machine resource agent in the configuration file caused the error 500 to be returned. This update provides a patch to fix this bug and virtual machine resource agents are now correctly listed in the Resources menu.

Enhancements

BZ#919225

The luci application has been enhanced to display global cluster resources and sort them alphabetically and numerically by the resource name, IP address, and other significant resource attributes.

BZ#919243

With this update, the luci application validates whether an nfsclient resource is always associated with an nfsexport resource. Now, an attempt to create a service with an nfsclient resource that is not associated with an nfsexport resource causes the following error to be returned:

nfsclient resources must have a parent nfsexport resource

BZ#982771

With this update, the luci application checks whether the beaker.session.secret value consists of 20 or more characters. Therefore, the use of values containing less characters is not permitted to increase the security of the server-stored session data.

BZ#991575

This update enhances the luci application with the ability to configure the ciphers for SSL/TLS channel between luci and a connecting web browser, providing better security control for administrators.

BZ#1061786

This update adds the ability to specify a httpd binary in the Apache resource configuration screen. This new feature allows the user to use the Multi-Processing Module (MPM) worker with the httpd daemon in a cluster.

BZ#1070760

With this update, the luci application has been modified to allow the user to set static ports for all NFS-related ports.

BZ#1117398

With this enhancement, several changes have been made in the luci application:

• Support for configuring newly-added bind-mount resource agents has been added.
• Support for configuring the power_timeout, shell_timeout, login_timeout, and retry_on attributes for the fence_brocade agent has been added.
• Support for the newly-added attribute reboot_on_pid_exhaustion for the <rm> tag has been added. This attribute is used in the Red Hat Resource Group Manager (rgmanager) to allow a service recovery when failing to fork a bash child process with a return code 254.
• The skip_undefined attribute was no longer needed and it was removed from the fencing configuration in advanced mode.
• Support for configuring the new startup_wait parameter for the postgres-8 resource agent has been added. This parameter allows users to configure the sleep time according to their needs.
• Support for the ssh_options attribute for the fence_apc, fence_virsh, and fence_rsa agents has been added.
• Support for the newly-added no_kill attribute for the virtual machine (VM) resource agent has been added. This attribute is used to prevent the rgmanager utility from killing VMs that did not shut down properly.