[MIR] New package - walinuxagent

Packaging is ready for MIR. I made a number of changes to the agent that make it more suitable for use on Ubuntu.

Changed statust to "In Progress" to bump this along.

[Maintenance]

Ben Howard (utlemming) will maintain walinuxagent in conjunction with the Canonical Ubuntu Engineering Server & Cloud Workloads team to ensure bugs are being resolved, package updates as necessary in response to Ubuntu / cloud provider infrastructure changes, and security vulnerabilities addressed.

-Thanks.

[Maintenance]

Canonical's Professional Engineering Services Commercial Engineering team will regularly test this software, identify and report issues, and collaborate with Ubuntu engineering and the community to resolve issues.

It is unusual to get MIR approval for a bzr branch. Can someone get this uploaded so others have the opportunity to look at it if they want? While for our purposes, it does need to be in main, it is conceivable that others could use it, so having it in universe isn't worthless (as implied in the description).

Oh, 'a' is also needed so we can file bugs against the package, get the right people subscribed to it, etc, etc.

FYI, walinuxagent has now been uploaded and has been deNEWed.

Security review:

After performing a shallow, high-level code audit:
- There is one python script and no dbus services, setuid capabilities, fscaps or cron jobs. But there are security relevant items to note:
- Ubuntu patches wagent to add an upstart job via '--setup' that runs the agent as a daemon as root. '--setup' is run during postinst
- When creating an account (happens during specific state changes), it creates /etc/sudoers.d/waagent. If the the uid of the user is < UID_MIN from /etc/login.defs, it adds NOPASSWD to the entry in /etc/sudoers.d/waagent. This could be a problem if someone with a UID of 999 creates an account but in all other ways is a non-system user. I'm not sure if it makes sense to have a system user added, so maybe this NOPASSWD bit can be patched out?
- /etc/sudoers.d/waagent is unconditionally deleted on account removal, meaning if multiple accounts were added via waagent, any other accounts likely are broken
- Run() is implemented as 'os.system()' with no input filtering. This is not good because shell injection attacks can be performed if the input to os.system() is user controllable. Run() should be converted to use subprocess.Popen(). Based on ovfobj = OvfEnv().Parse(ovfxml) from the Agent class, this means anything on the DVD could do bad stuff-- though we must expect the DVD to be trusted. Run() is also used extensively via the HostingEnvironmentConfig. I don't consider this a security issue in and of itself (the agent necessarily trusts the server and DVD), but it would be good to use subprocess.Popen() as a hardening measure.
- Will start up a server LoadBalancerProbeServer() that runs a simple SocketServer.TCPServer(). This server just returns the date and time, and load balances its log. Adding an iptables rule to only allow access to this port from the fabric
 controller may be a useful hardening measure.
- DoDhcpWork() unconditionally opens port 68/udp (dhcp client) on the firewall in the INPUT chain, then makes a dhcp request
- In general, waagent uses a poll architecture (http://www.faqs.org/patents/imgfull/20120102186_04), where the agent periodically asked the Endpoint for things to do. This is fine so long as the server can be trusted. It might be worthwhile
 to add an egress rule so the agent can only talk to the fabric controller on th
e defined port for the fabric controller.

In all, while the code is running as root, there is only one listening service and it is extremely simple. As mentioned, adding ingress filtering for this service is recommended, but not a condition of this MIR. waagent touches large parts of the system, but that is what it is designed to do. While I do have some reservations based on my findings and the newness of the code, it sounds like this will be well maintained in Ubuntu since several people from Canonical have stepped up to maintain it. ACK from the security team.

MIR Review:
- no security history (the software is new)
- Builds with only packages in main
- no testsuite
- it does not use dh_python3, but this is a server package
- package is not in Debian
- Ubuntu does carry patches from upstream, but looks like they are being forwarded upstream and will be maintained by Canonical in the meantime
- please setup a bug subscriber.
- there is no watch file as there is only a git snapshot. README.source discusse
s this and how to get the source.
- the current release is packaged
- it is my understanding this package must be in main for the images
- there is a lintian warning about a missing manpage for usr/sbin/waagent
- debian/rules is clean

ACK. Feel free to seed after setting up a bug subscriber.

Ubuntu Server Team subscribed to bug mail.

No change backport uploaded to precise-proposed as discussed with skaet on IRC.

Moved to main in quantal.

The walinuxagent package in precise-proposed NEW queue is based on an earlier version from quantal, so is missing this change:

  * Restrict target architectures to i386 and amd64.

I assume that if this was worth an upload in quantal, we should have it in the precise version as well, in which case it should be included on the first accept so we don't have to redo the NEW processing. Can you please reupload with this fix?

Hello Ben, or anyone else affected,

Accepted walinuxagent into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/walinuxagent/1.0~git20120606.c16f5e9-0ubuntu2~12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Confirmed to work on Azure, with all provisioning functions working.

Is this version number intentionally less than the version of the package in the existing 12.04 azure cloud-image?

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

This bug was fixed in the package walinuxagent - 1.0~git20120606.c16f5e9-0ubuntu2~12.04.1

---------------
walinuxagent (1.0~git20120606.c16f5e9-0ubuntu2~12.04.1) precise-proposed; urgency=low

  * Backport for enablement of Windows Azure IaaS platform in
    Ubuntu 12.04 (LP: #1014864).
 -- James Page <email address hidden> Thu, 09 Aug 2012 21:51:23 +0100