My Debian Activities in August 2020

FTP master

This month I accepted 159 packages and rejected 16. The overall number of packages that got accepted was 172.

Debian LTS

This was my seventy-fourth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 21.75h. During that time I did LTS uploads of:

  • [DLA 2336-1] firejail security update for two CVEs
  • [DLA 2337-1] python2.7 security update for nine CVEs
  • [DLA 2353-1] bacula security update for one CVE
  • [DLA 2354-1] ndpi security update for one CVE
  • [DLA 2355-1] bind9 security update for two CVEs
  • [DLA 2359-1] xorg-server security update for five CVEs

I also started to work on curl but did not upload a fixed version yet. As usual, testing the package takes up some time.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty sixth ELTS month.

During my allocated time I uploaded:

  • ELA-265-1 for python2.7
  • ELA-270-1 for bind9
  • ELA-272-1 for xorg-server

Like in LTS, I also started to work on curl and encountered the same problems as in LTS above.

Last but not least I did some days of frontdesk duties.

Other stuff

This month I found again some time for other Debian work and uploaded packages to fix bugs, mainly around gcc10:

I also uploaded new upstream versions of:

All package called *osmo* are developed by the Osmocom project, that is about Open Source MObile COMmunication. They are really doing a great job and I apologize that my uploads of new versions are mostly far behind their development.

Some of the uploads are related to new packages:

TDC: Test-driven configuration, module on puppetforge

Today I released v0.0.2 of my Puppet module puppet-tdc on puppetforge. This version now contains all the features that I mentioned in my first article about TDC.

Though having such a low version, I am using the module in production on my own servers now. I am sure one or another bug will appear but those will be only detected by testing :-). Maybe I also have to change the interface, so probably my old examples will be no longer working. The next steps will be the documentation and a first Debian package.

Anyway, this module does not only help to develop new classes with puppet, but also finds some mistakes that became forgotten. I intentionally avoided to automatically configure members of a new hostgroup in addition to the nagios services that I am going to test. So when adding TDC to the apache2 class, suddenly Nagios reported lots of unknown hosts. In this case I simply forgot to add them to the corresponding hostgroup for web servers and even forgot to monitor some hosts at all.

It again proves to be true that manually taking care of lists is really prone to errors.

My Debian Activities in July 2020

FTP master

This month I accepted 434 packages and rejected 54. The overall number of packages that got accepted was 475.

Debian LTS

This was my seventy-third month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 25.25h. During that time I did LTS uploads of:

  • [DLA 2289-1] mupdf security update for five CVEs
  • [DLA 2290-1] e2fsprogs security update for one CVE
  • [DLA 2294-1] salt security update for two CVEs
  • [DLA 2295-1] curl security update for one CVE
  • [DLA 2296-1] luajit security update for one CVE
  • [DLA 2298-1] libapache2-mod-auth-openidc security update for three CVEs

I started to work on python2.7 as well but stumbled over some hurdles in the testsuite, so I did not upload a fixed version yet.

This month was much influenced by the transition from Jessie LTS to Stretch LTS and one or another workflow/script needed some adjustments.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty fifth ELTS month.

During my allocated time I uploaded:

  • ELA-230-1 for luajit
  • ELA-231-1 for curl

Like in LTS, I also started to work on python2.7 and encountered the same hurdles in the testsuite. So I did not upload a fixed version for ELTS as well.

Last but not least I did some days of frontdesk duties.

Other stuff

In this section nothing much happened this month. Thanks a lot to everybody who NMUed a package to fix a bug.

TDC: Test-driven configuration, the first module

The first module I want to develop with TDC is just a small one. I want to distribute email certificates obtained by Lets Encrypt to some email servers:

 class email_cert {

 }

I am using the puppet module puppet-tdc , that is at the moment only available on github.

The first things to add are some tests:

 class email_cert {
  class{'tdc':
  }
  class{'tdc::test_directory':
     directory    => ['/etc/email-cert'],
  }
  class{'tdc::test_file':
     file    => ['/etc/email-cert/mail-fullchain.pem', '/etc/email-cert/mail-privkey.pem'],
  }
 }

I am using the new class tdc and want to check whether the directory for the certificates is available and whether the certificates itself are there.

Great, after awhile my nagios shows lots of red stuff. Every server that uses my new class email_cert is automatically creating tests for nagios and distributes them. All of them fail.

So now it is time for the real data:

class email_cert {

  class{'tdc':
  }
  class{'tdc::test_directory':
     directory    => ['/etc/email-cert'],
  }
  class{'tdc::test_file':
     file    => ['/etc/email-cert/mail-fullchain.pem', '/etc/email-cert/mail-privkey.pem'],
  }

  file { [ '/etc/email-cert', 
         ]:
          ensure => 'directory',
          mode   => '750',
          owner  => 'Debian-exim',
          group  => 'nagios',
       }
  file { 'cert-fullchain.pem': 
         path    => "/etc/email-cert/mail-fullchain.pem", 
         ensure  => file, 
         mode    => '640',
         owner   => 'Debian-exim',
         group   => 'nagios',
         source  => "puppet:///modules/email_cert/cert/mail-$fqdn-fullchain.pem"
  } 
  file { 'cert-privkey.pem': 
         path    => "/etc/email-cert/mail-privkey.pem", 
         ensure  => file, 
         mode    => '640',
         owner   => 'Debian-exim',
         group   => 'nagios',
         source  => "puppet:///modules/email_cert/cert/mail-$fqdn-privkey.pem"
  } 
 }

After waiting some time, my nagios calms down and everything is green again. According to aNag, I also got 30 new tests.

Of course I had to change the config of nrpe and nagios a bit. In nrpe_local.cfg I had to add:

include_dir=/usr/local/nagios/tdc/config

in order to let nrpe know those newly created tests on the puppet agent.

I also had to tell the nagios server via its puppet module, that there is a new directory containing config data:

      file { '/etc/nagios4/conf.d/tdc':
          ensure => 'directory',
          source => 'puppet:///modules/nagios4_server/tdc',
          recurse => 'remote',
          path => '/etc/nagios4/conf.d/tdc',
          owner => 'root',
          group => 'root',
          mode  => '0755',
          notify  => Service["nagios4"],
        }

TDC: Test-driven configuration, the first steps

During TDD (Test-driven development) you have some kind of specifications that your new module needs to fulfill. Hence you know what functions need to be implemented and what kind of tests you need to write.

During TDC things are similar. You know the software you are going to install. Hence you know how this software works, what configuration is needed and what kind of features you and your users want to use in the beginning.

This results in a number of similar tests for each software.

  1. In a first step you need to check whether …
    • … the binaries are available
    • … the common config files are available
    • … the directories are available
    • … all files and directories have the correct owner and access permissions

    In case you install a package from your distribution, a set of predefined config files should be included in the delivery and your test should be green immediately after installation.

    In case you do a manual installation you need to fiddle around with the configuration files. But as you thought before what config is needed, this task should be an easy one.

    These tests are not only important for the initial installation, but also later on, when you upgrade your system or just install a newer release.
    Often enough names of binaries have been changed (apache -> apache2), the path of config files has been changed, the name of the package has been changed ) or even some binaries are now part of a different package.

    If a test fails, you immediately know that something changed and your configuration (or only the tests) needs to be adapted.

  2. If all files are in the proper place, in the second step you need to check whether their contents is fine as well. Some software has its own tool to check the config files.

    For example “apache2ctl configtest” does a syntax check of the Apache config. Nagios does such checks with “nagios -v nagios.cfg”.

  3. The third step would be to check whether the newly installed software is running. You also need to check whether the correct number of processes is running. For example exim4 basically starts a process for each incoming email and normaly (at least in my case) there are up to five processes running. In case you have 128 exim4 processes running, this might be an indicator that there is something wrong with your incoming email.

As written in the previous article, I am doing configuration management with puppet, so the corresponding puppet module will appear in this repository.

TDC: Test-driven configuration

Is there anything more terrible than getting a phone call and someone complaining about a printer that does not work?
Yes, you have to admit that something is broken and you are not able to repair it immediately.

So, how can you avoid such situations?

For some time now in software development you can find a concept called TDD (Test-driven development). Basically you repeat three steps:

  1. develop a test for a new function; as this function does not exist yet, this test has to fail in the beginning
  2. develop the function; the aim in this step is to pass the test and don’t break any other test
  3. refactor code; code can be optimized and improved, do not break any test in this step

Would it be possible to introduce something similar for the configuration of computers/software? Analogous to TDD one could call this TDC (Test-driven configuration).

There is only one relevant Google hit for this keyword. It is an article written by David Lutz from 2011. Other Keywords like “Test-driven Sysadmin” show among others some slides of Johan van den Dorpe which led to Behavioral Driven Development (BDD) and some software called cucumber. Another software that is mentioned is babushka.

Unfortunately these software does not fit into existing solutions for configuration management like puppet or testing like nagios. They are independent software packages that need their own configuration, which might lead to some kind of synchronization error between both worlds.

Is this really such a weird idea that just a few people thought about this?

Anyway, I will also give it a try and I am curious where all of this is going.

In Wikipedia there is a huge list of configuration management software. As all my systems are running on Debian, I will limit my work on software that is part of Debian and has an arbitrary popcon value of at least 1000. So my main target will be puppet. Other software I will look into are ansible and salt. Due to their trademark policy, chef won’t be part of Debian soon, so I won’t consider it.

In Wikipedia one can also see an even bigger list of network monitoring system. My main target on this list will be nagios. I will also look into zabbix and prometheus.

Finally I found a tweet from Jaana Dogan:
“Configuration testing is quite underrated in an industry where the majority of work is becoming configuration.”

My Debian Activities in June 2020

FTP master

This month I accepted 377 packages and rejected 30. The overall number of packages that got accepted was 411.

Debian LTS

This was my seventy-second month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 30h. During that time I did LTS uploads of:

  • [DLA 2255-1] libtasn1-6 security update for one CVE
  • [DLA 2256-1] libtirpc security update for one CVE
  • [DLA 2257-1] pngquant security update for one CVE
  • [DLA 2258-1] zziplib security update for eight CVEs
  • [DLA 2259-1] picocom security update for one CVE
  • [DLA 2260-1] mcabber security update for one CVE
  • [DLA 2261-1] php5 security update for one CVE

I started to work on curl as well but did not upload a fixed version, so this has to go to ELTS now.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty fourth ELTS month.

Unfortunately in the last month of Wheezy ELTS even I did not find any package to fix a CVE, so during my small allocated time I didn’t uploaded anything.

But at least I did some days of frontdesk duties und updated my working environment for the new ELTS Jessie.

Other stuff

I uploaded a new upstream version of …

My Debian Activities in May 2020

FTP master

This month I accepted 211 packages and rejected only 9. The overall number of packages that got accepted was 228.

Debian LTS

This was my seventy-first month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 17.25h. During that time I did LTS uploads of:

  • [DLA 2196-2] pound regression update
  • [DLA 2219-1] feh security update for one CVE
  • [DLA 2218-1] transmission security update for one CVE
  • [DLA 2220-1] cracklib2 security update for one CVE
  • [DLA 2224-1] dosfstools security update for two CVEs
  • [DLA 2225-1] gst-plugins-good0.10 security update for two CVEs
  • [DLA 2226-1] gst-plugins-ugly0.10 security update for two CVEs
  • [DLA 2227-1] bind9 security update for two CVEs

I started to work on php5 as well but did not upload a fixed version yet.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty third ELTS month.

During my small allocated time I uploaded:

  • ELA-230-1 for bind9 fixing two CVEs
  • ELA-231-1 for php5 fixing one CVE

I also did some days of frontdesk duties.

Other stuff

I improved packaging of …

I sponsored uploads of …

  • … ulfius

On my Go challenge I uploaded:
golang-github-apparentlymart-go-versions, golang-github-hashicorp-go-slug, golang-github-mozillazg-go-httpheader, golang-github-hashicorp-terraform-json, golang-github-hashicorp-terraform-plugin-test, golang-github-sean–pager, golang-github-sean–seed, golang-github-timberio-go-datemath,

My Debian Activities in April 2020

FTP master

This month I accepted 384 packages and rejected 47. The overall number of packages that got accepted was 457.

Debian LTS

This was my seventieth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 28.75h. During that time I did LTS uploads of:

  • [DLA 2183-1] libgsf security update for one CVE
  • [DLA 2184-1] jsch security update for one CVE
  • [DLA 2185-1] eog security update for one CVE
  • [DLA 2187-1] radicale security update for one CVE
  • [DLA 2186-1] ncmpc security update for one CVE
  • [DLA 2188-1] php5 security update for three CVEs
  • [DLA 2189-1] rzip security update for one CVE
  • [DLA 2195-1] w3m security update for two CVEs
  • [DLA 2194-1] yodl security update for one CVE
  • [DLA 2197-1] miniupnpc security update for one CVE
  • [DLA 2196-1] pound security update for one CVE

As there have been lots of no-dsa-CVEs I continued my work on wireshark.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty second ELTS month.

During my small allocated time I only uploaded:

  • ELA-227-1 for php5 fixing four CVEs

I also did some days of frontdesk duties.

Other stuff

Unfortunately this month again strange things happened outside Debian and I only got some stuff done.

I improved packaging of …

I sponsored uploads of …

  • … ulfius

I uploaded the new package …

  • … puppet-module-cirrax-gitolite

On my Go challenge I uploaded:
golang-github-facebookgo-subset, golang-github-facebookgo-ensure, golang-github-shurcool-gopherjslib, golang-github-grafana-grafana-plugin-model, golang-github-crewjam-httperr, golang-github-hashicorp-terraform-svchost, golang-github-neelance-sourcemap, golang-github-neelance-astrewrite, golang-github-kisielk-gotool, golang-github-gopherjs-gopherjs, golang-github-yvasiyarov-newrelic-platform-go, golang-github-rhnvrm-simples3, golang-github-robfig-go-cache, golang-github-xorcare-pointer, golang-github-goburrow-serial

My Debian Activities in March 2020

FTP master

This month I accepted 156 packages and rejected 26. The overall number of packages that got accepted was 203.

Debian LTS

This was my sixty ninth month that I did some work for the Debian LTS initiative, started by Raphael Hertzog at Freexian.

This month my all in all workload has been 30h. During that time I did LTS uploads of:

  • [DLA 2156-1] e2fsprogs security update for one CVE
  • [DLA 2157-1] weechat security update for three CVEs
  • [DLA 2160-1] php5 security update for two CVEs
  • [DLA 2164-1] gst-plugins-bad0.10 security update for four CVEs
  • [DLA 2165-1] apng2gif security update for one CVE

Also my work on graphicsmagic was accepted which resulted in:

  • [DSA 4640-1] graphicsmagick security update in Buster and Strech for 16 CVEs

Further I sent debdiffs of weechat/stretch, weechat/buster, e2fsprogs/stretch to the corresponding maintainers but got no feedback yet.

As there have been lots of no-dsa-CVEs accumulated for wireshark, I started to work on them but could not upload yet.

Last but not least I did some days of frontdesk duties.

Debian ELTS

This month was the twenty first ELTS month.

During my really allocated time I uploaded:

  • ELA-218-1 for e2fsprogs
  • ELA-220-1 for php5
  • ELA-221-1 for nss

I also did some days of frontdesk duties.

Other stuff

Unfortunately this month again strange things happened outside Debian and the discussions within Debian did not stop. Nonetheless I got some stuff done.

I improved packaging of …

I sponsored uploads of …

  • … ocf-spec-core
  • … theme-d-gnome

Sorry to all people who also requested sponsoring, but sometimes things happen and your upload might be delayed.

I uploaded new upstream versions of …

On my Go challenge I uploaded:
golang-github-dreamitgetit-statuscake, golang-github-ensighten-udnssdk, golang-github-apparentlymart-go-dump, golang-github-suapapa-go-eddystone, golang-github-joyent-gosdc, golang-github-nrdcg-goinwx, golang-github-bmatcuk-doublestar, golang-github-go-xorm-core, golang-github-svanharmelen-jsonapi, golang-github-goji-httpauth, golang-github-phpdave11-gofpdi