ClusterLabs / booth

The Booth Cluster Ticket Manager
GNU General Public License v2.0

Authfile seems to be ignored Ubuntu 20.04.4 LTS #114

Closed sierky closed 2 years ago

sierky commented 2 years ago

I have created the authkey with booth-keygen and simply have the following line in my booth.conf:

authfile=/etc/booth/authkey

I tested this on a 5-node cluster (a small VM test setup); on each node I created a unique authfile, so I would assume they would no longer be able to connect to each other.

But after restarting all the booth services they were all still happily communicating; tickets could be granted and revoked on remote nodes.

Tested with Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-121-generic aarch64)

jfriesse commented 2 years ago

@sierky Hi, great catch! The reason is that authfile is not used at all because of da79b8ba28ad4837a0fee13e5f8fb6f89fe0e24c (which is clearly a wrong patch, because the check is about authfile, not authkey). Luckily a simple revert seems to solve the problem, as done in PR #115.

Could you please give PR #115 a try?

sierky commented 2 years ago

Hi @jfriesse, thank you for debugging this so quickly.

I would love to test the fix, but I understand I would need to "make/build" the package from the source files. I had tried that even before opening this ticket, to see if it might have been fixed in the repo but just not yet in the Ubuntu apt packages.

But when making I'm stuck at the following and I'm unable to resolve it. I've read through all the documentation and the YAML file in the project and installed all packages that were described. If you could just point me towards the right package (or maybe Linux distro) that would be great.

Currently I'm trying to make on Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-120-generic aarch64) in a Multipass VM on an M1 MacBook.

checking for PCMK... no
configure: error: Package requirements (pcmk-service) were not met:

Package 'pcmk-service', required by 'virtual:world', not found

Consider adjusting the PKG_CONFIG_PATH environment variable if you installed software in a non-standard prefix.

Alternatively, you may set the environment variables PCMK_CFLAGS and PCMK_LIBS to avoid the need to call pkg-config. See the pkg-config man page for more details.

jfriesse commented 2 years ago

@sierky Hi, the Debian control file contains the following list of required libraries:

 asciidoctor,
 cluster-glue-dev,
 debhelper-compat (= 13),
 docbook-xml,
 docbook-xsl,
 libdbus-1-dev,
 libgcrypt20-dev,
 libglib2.0-dev,
 libplumb2-dev,
 libxml2-dev,
 libxml2-utils,
 pacemaker-dev,
 pkg-config,
 xsltproc,

which will configure booth with libglue. For Fedora/RHEL libglue is not used and rather systemd is used, so you would then need (probably, untested) libsystemd-dev and configure with --without-glue.

The one you found missing is fulfilled by pacemaker-dev.

sierky commented 2 years ago

@jfriesse I was able to make from the source files now; however, it now triggers the following.

Jul 05 10:05:15 site4 booth: [15448]: ERROR: Unexpected keyword in config file line 14
Jul 05 10:05:15 site4 booth: [15448]: ERROR: cannot read config

As you'll probably guess, the authfile setting is on line 14; please find my config attached.

booth.conf.txt

jfriesse commented 2 years ago

@sierky Hi, it's great to see you are getting closer to a successful compilation. I think this time it is about missing libgcrypt20-dev, so the part of the parser responsible for authfile and maxtimeskew is not compiled at all.

Of course, after installing gcrypt it's required to run ./configure again.

sierky commented 2 years ago

Hi @jfriesse, I retried it today with your advice regarding libgcrypt20-dev; all seems to be working and the authfile is being used. When changing the file on 1 of the nodes and restarting that node's booth service, it is no longer able to talk to the others.

Thank you very much.

Jul 20 09:16:05 site4 boothd[20375]: Jul 20 09:16:05 site4 boothd-site: [20375]: ERROR: 192.168.64.7 failed to authenticate

Any insight on when this updated version of booth will be available via the normal Ubuntu apt repos? (Or should I not hold my breath and for now just build from source for my production sites?)

Kind regards, Sierky
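One way to check a booth host for the two failure modes that came up in this thread, as an added example that is not part of the issue or of booth's own code: it correlates the line number in the "Unexpected keyword in config file" error with booth.conf to tell whether the rejected keyword was authfile (the missing-libgcrypt case), and counts "failed to authenticate" messages per peer address. The config and log lines are constructed samples modelled on the ones quoted here.

```python
import re

# Constructed booth.conf and boothd log lines modelled on this thread (not real data).
BOOTH_CONF = """\
arbitrator = 192.168.64.5
site = 192.168.64.6
site = 192.168.64.7
authfile = /etc/booth/authkey
ticket = "ticketA"
"""
LOG_LINES = [
    "Jul 05 10:05:15 site4 booth: [15448]: ERROR: Unexpected keyword in config file line 4",
    "Jul 05 10:05:15 site4 booth: [15448]: ERROR: cannot read config",
    "Jul 20 09:16:05 site4 boothd-site: [20375]: ERROR: 192.168.64.7 failed to authenticate",
    "Jul 20 09:16:06 site4 boothd-site: [20375]: ERROR: 192.168.64.7 failed to authenticate",
]
UNEXPECTED_KW = re.compile(r"ERROR: Unexpected keyword in config file line (\d+)")
AUTH_FAIL = re.compile(r"ERROR: (\d{1,3}(?:\.\d{1,3}){3}) failed to authenticate")


def config_keywords(conf_text):
    """Map 1-based line number -> keyword for every 'key = value' line."""
    keywords = {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            keywords[lineno] = line.split("=", 1)[0].strip()
    return keywords


def audit(conf_text, log_lines):
    """Return findings about whether booth peer authentication is in effect."""
    keywords = config_keywords(conf_text)
    findings = []
    if "authfile" not in keywords.values():
        findings.append("authfile is not configured: booth peers are not authenticated")
    failures = {}  # peer address -> count of 'failed to authenticate' lines
    for line in log_lines:
        m = UNEXPECTED_KW.search(line)
        if m:
            kw = keywords.get(int(m.group(1)))
            if kw == "authfile":  # parser support for authfile needs libgcrypt (see thread)
                findings.append("config rejected 'authfile': booth likely built without libgcrypt")
            else:
                findings.append(f"config rejected keyword {kw!r}")
        m = AUTH_FAIL.search(line)
        if m:
            failures[m.group(1)] = failures.get(m.group(1), 0) + 1
    for peer, count in sorted(failures.items()):
        findings.append(f"peer {peer} failed authentication {count} time(s): key mismatch?")
    return findings
```

Note that a config parsed without error says nothing about enforcement: for the bug fixed in PR #115 the keyword was accepted and ignored, so the key-swap test sierky ran is still the only reliable check.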

jfriesse commented 2 years ago

@sierky Hi, thank you for the good news! I'm neither a Debian nor an Ubuntu maintainer, so I have no clue. I would recommend filing a Debian/Ubuntu bug (or writing directly to the maintainer, maybe @vvidic?), linking to this issue and mentioning it is probably a security issue; then it may get into LTS... I can speak about Fedora/RHEL: Fedora should have it fixed today; RHEL is much more problematic, but we have to fix it some way too.

jfriesse commented 2 years ago

This issue got assigned CVE-2022-2553 and the related bug https://bugzilla.redhat.com/show_bug.cgi?id=2111667, so I think it's now going to be pretty easy to get it into Debian (Ubuntu is questionable, but you can try to file an issue with them). I've sent a heads-up to the debian-ha-maintainers ML.

lucaskanashiro commented 2 years ago

@jfriesse Ubuntu will be releasing a fix for the CVE you mentioned soon. Thanks @vvidic for letting me know about this issue.

jfriesse commented 2 years ago

@lucaskanashiro Perfect, thanks.

Also for Fedora I've prepared a patch (non-upstream: it's not upstream material and it is only transitional, for f35/36 but not for rawhide) which adds an option to enable/disable authfile, so an upgraded cluster doesn't stop working when not all nodes are updated. Something you and @vvidic may consider including too for stable versions? Anyway, the patch is https://src.fedoraproject.org/rpms/booth/blob/f36/f/0001-config-Add-enable-authfile-option.patch