Merge ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_abi_check_cycle into ubuntu-cve-tracker:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Merged
Merged at revision: 146049045bef57c3a927ca6eb28dd2320ef72313
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_abi_check_cycle
Merge into: ubuntu-cve-tracker:master
Diff against target: 80 lines (+32/-4)
2 files modified
scripts/kernel-abi-check (+8/-2)
scripts/kernel_lib.py (+24/-2)
Reviewer: Steve Beattie (review status: Approve)
Review via email: mp+458365@code.launchpad.net

Commit message

scripts/kernel-abi-check: add check-cycle argument

 With the new optional argument '--check-cycle', the user can print out
 the kernel SRU cycle that a kernel needing a USN is in. It is
 useful when we have multiple kernels needing a USN and some could be a
 lagging kernel that is in a different cycle, requiring a separate USN.

Description of the change

The usual output for the kernel-abi-check script is:

 $ ./scripts/kernel-abi-check
 USN needed: focal/linux-gcp-5.15: 5.15.0-1048.56~20.04.1 (last USN: 5.15.0-1047.55~20.04.1)
 USN needed: focal/linux-intel-iotg-5.15: 5.15.0-1046.52~20.04.1 (last USN: 5.15.0-1045.51~20.04.1)
 USN needed: focal/linux-iot: 5.4.0-1028.29 (last USN: 5.4.0-1026.27)
 USN needed: jammy/linux-oem-6.1: 6.1.0-1028.28 (last USN: 6.1.0-1027.27)

With the proposed change, if "--check-cycle" is used, we add the capability
to print out which kernel SRU cycle we are in, and the output will look like:

 $ ./scripts/kernel-abi-check --check-cycle
 USN needed: focal/linux-gcp-5.15: 5.15.0-1048.56~20.04.1 (last USN: 5.15.0-1047.55~20.04.1) - cycle: 2023.10.30-1
 USN needed: focal/linux-intel-iotg-5.15: 5.15.0-1046.52~20.04.1 (last USN: 5.15.0-1045.51~20.04.1) - cycle: 2023.10.30-1
 USN needed: focal/linux-iot: 5.4.0-1028.29 (last USN: 5.4.0-1026.27) - cycle: 2023.10.30-3
 USN needed: jammy/linux-oem-6.1: 6.1.0-1028.28 (last USN: 6.1.0-1027.27) - cycle: 2023.10.30-5

As the idea here is to add an extra argument, there is no harm for the
current execution of the script.

The major benefit is to let the user who will be doing the USN find
kernels with the same major version in different cycles (probably with
different CVEs being fixed) that could end up in the same USN, which is
potentially wrong.
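
An added example, not part of the merge proposal or of ubuntu-cve-tracker: one way to post-process the `--check-cycle` output shown above and flag kernels of the same base version that sit in different cycles. The sample input is constructed, the `linux-example` names and versions are placeholders, and treating the first two version components as the "major version" is an assumption.

```python
import re
from collections import defaultdict

# Line format as printed by kernel-abi-check --check-cycle (taken from the page).
LINE_RE = re.compile(
    r"^USN needed: (?P<release>[^/\s]+)/(?P<source>[^:\s]+): (?P<version>\S+) "
    r"\(last USN: (?P<last_usn>[^)]+)\) - cycle: (?P<cycle>\S+)$"
)

# Constructed sample: only the gcp and iot lines come from the page.
SAMPLE = """\
USN needed: focal/linux-gcp-5.15: 5.15.0-1048.56~20.04.1 (last USN: 5.15.0-1047.55~20.04.1) - cycle: 2023.10.30-1
USN needed: focal/linux-example-5.15: 5.15.0-1001.1~20.04.1 (last USN: 5.15.0-1000.0~20.04.1) - cycle: 2023.09.04-1
USN needed: focal/linux-iot: 5.4.0-1028.29 (last USN: 5.4.0-1026.27) - cycle: 2023.10.30-3
USN needed: jammy/linux-example: 6.1.0-1001.1 (last USN: 6.1.0-1000.0) - cycle: None
Skipping kernel linux-example in release jammy pocket Proposed
"""

def parse_lines(text):
    """Return one dict per 'USN needed' line; other stderr lines are ignored."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def base_version(version):
    """Assumption: 'same major version' means the same first two components."""
    return ".".join(version.split(".")[:2])

def split_across_cycles(entries):
    """Map base version -> {cycle: [release/source]} where more than one cycle appears."""
    grouped = defaultdict(lambda: defaultdict(list))
    for e in entries:
        grouped[base_version(e["version"])][e["cycle"]].append(
            f'{e["release"]}/{e["source"]}')
    return {v: dict(c) for v, c in grouped.items() if len(c) > 1}

def missing_cycle(entries):
    """Kernels whose cycle printed as 'None', i.e. the lookup returned no cycle."""
    return [f'{e["release"]}/{e["source"]}' for e in entries if e["cycle"] == "None"]

if __name__ == "__main__":
    entries = parse_lines(SAMPLE)
    for version, cycles in split_across_cycles(entries).items():
        print(f"{version}: do not combine into one USN without checking")
        for cycle, kernels in cycles.items():
            print(f"  cycle {cycle}: {', '.join(kernels)}")
    for kernel in missing_cycle(entries):
        print(f"{kernel}: cycle unknown, look it up manually")
```

The script prints its "USN needed" lines to stderr, so capture that stream when feeding real output to `parse_lines`.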

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

I've added a new commit that changes the definition of the method
`get_kernel_sru_cycle` from kernel-abi-check script to kernel_lib.py.
In kernel-abi-check we call it from the kernel_lib.

It was suggested by Steve and it makes sense that the method is defined
in a common place where other scripts may take advantage of the method if
needed. For this case, for example, we have the script 'kernel-sru-check'
that is placed in UQT nowadays but will be moved to UCT that could be using
it.

I'm passing the lp api connection as a parameter because we already have
it in kernel-abi-check. Another idea would be to have it also defined in
kernel_lib.py only if needed. I think python would not initialize another
instance if the connection was already initialized in kernel-abi-check,
but as I'm not sure, I preferred to keep it simpler.

Steve Beattie (sbeattie) wrote :

Thanks Rodrigo, this LGTM. I went ahead and merged this, we can figure out how to handle kernel-sru-check next week.

I think trying to be clever with the lp api connection will probably lead to weird behaviors later, so am happy to leave it as a passed in argument.

I ended up creating a followup commit that makes the argument that adds the proposed pocket, previously only used for ABI checking, also function when looking for kernels that are in that pocket that don't have USNs published for them. This is purely for testing the kernel-abi-script when the archive is in the current state that it is where there are no kernels in either the security or updates pockets that don't have a corresponding USN published for it.

Thanks again!

review: Approve

Preview Diff

1diff --git a/scripts/kernel-abi-check b/scripts/kernel-abi-check
2index fef3354..e16b186 100755
3--- a/scripts/kernel-abi-check
4+++ b/scripts/kernel-abi-check
5@@ -19,7 +19,8 @@ from cve_lib import (is_active_release, is_active_esm_release,
6 esm_releases, get_orig_rel_name)
7 from kernel_lib import (meta_kernels, lookup_glitch_version,
8 ignore_kernel_mabi, get_kernel_meta_alt_pkg,
9- kernel_package_abi, kernel_meta_abi)
10+ kernel_package_abi, kernel_meta_abi,
11+ get_kernel_sru_cycle)
12 from usn_lib import USNdb
13
14 try:
15@@ -52,6 +53,7 @@ parser.add_argument(
16 "--use-lp-bot-account", default=False, action='store_true',
17 help="WHen connecting to launchpad, use an alternate bot account credentials"
18 )
19+parser.add_argument("--check-cycle", help="Check kernel workflow cycle", action='store_true')
20 parser.add_argument("kernel", help="only check specific kernels", nargs="*")
21 opt = parser.parse_args()
22
23@@ -212,7 +214,11 @@ def pocket_abis_match(release, srcs, meta_pkg, signed):
24 print('Skipping kernel %s in release %s pocket %s' % (src, release, pocket), file=sys.stderr)
25 else:
26 rc = False
27- print("USN needed: %s/%s: %s (last USN: %s)" % (release, pkg[src][pocket]['name'], pkg[src][pocket]['version'], last_usn), file=sys.stderr)
28+ kernel_title = f"{pkg[src][pocket]['name']}: {pkg[src][pocket]['version']}"
29+ if (opt.check_cycle):
30+ print("USN needed: %s/%s (last USN: %s) - cycle: %s" % (release, kernel_title, last_usn, get_kernel_sru_cycle(kernel_title, lp)), file=sys.stderr)
31+ else:
32+ print("USN needed: %s/%s (last USN: %s)" % (release, kernel_title, last_usn), file=sys.stderr)
33
34 if opt.ignore_abi:
35 return rc
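Review bot: In the new opt.check_cycle branch, get_kernel_sru_cycle(kernel_title, lp) is called inside the print argument list with neither of its edge cases handled. It returns None when no task or no kernel-sru-cycle- tag is found, so the line ends in "cycle: None", and it raises ValueError when more than one task matches, which propagates out of pocket_abis_match from this call. Consider computing the cycle before the print, catching ValueError, and printing something explicit such as "cycle: unknown". Minor: the parentheses in "if (opt.check_cycle):" are unnecessary, and the hunk mixes an f-string with %-formatting.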
36diff --git a/scripts/kernel_lib.py b/scripts/kernel_lib.py
37index 4e0ab90..64a8f64 100755
38--- a/scripts/kernel_lib.py
39+++ b/scripts/kernel_lib.py
40@@ -1,9 +1,9 @@
41-#!/usr/bin/env python2
42+#!/usr/bin/env python3
43 # -*- coding: utf-8 -*-
44 # Author: Kees Cook <kees@ubuntu.com>
45 # Author: Jamie Strandboge <jamie@ubuntu.com>
46 # Author: Steve Beattie <sbeattie@ubuntu.com>
47-# Copyright (C) 2005-2017 Canonical Ltd.
48+# Copyright (C) 2005-2024 Canonical Ltd.
49 #
50 # This script is distributed under the terms and conditions of the GNU General
51 # Public License, Version 3 or later. See http://www.gnu.org/copyleft/gpl.html
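Review bot: The shebang change from python2 to python3 at the top of kernel_lib.py is not mentioned in the commit message shown on this page, which only describes --check-cycle. A line in the message saying why the interpreter changed would help anyone reading the history later. With python3 the "# -*- coding: utf-8 -*-" line below it is also no longer needed, since UTF-8 is the default source encoding.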
52@@ -19,6 +19,28 @@ import sys
53 from cve_lib import (kernel_srcs, get_esm_name, is_active_esm_release)
54
55
56+# search for the kernel SRU cycle for a kernel in the format
57+# "linux[-complement]: <version>"
58+def get_kernel_sru_cycle(kernel_title, lp):
59+ cycle = None
60+ kernels = lp.projects['kernel-sru-workflow']
61+
62+ task = kernels.searchTasks(search_text=kernel_title)
63+ if len(task) > 1:
64+ print('found multiple (%d) results:' % len(task), file=sys.stderr)
65+ for _task in task:
66+ print(' %s' % _task.bug.title, file=sys.stderr)
67+ raise ValueError('More than one task with title %s found' % (kernel_title))
68+
69+ if task:
70+ for tag in task[0].bug.tags:
71+ if tag.startswith("kernel-sru-cycle-"):
72+ cycle = tag.split('-', maxsplit=3)[3]
73+ break
74+
75+ return cycle
76+
77+
78 # converts a kernel source package name to the signed version, based off
79 # of the default naming style linux-FOO -> linux-signed-FOO
80 def convert_name_to_signed(kernel):
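Review bot: In get_kernel_sru_cycle, the single-result path reads task[0].bug.tags without checking that task[0].bug.title actually contains kernel_title, so whatever the search_text query returned is trusted as the right kernel. Comparing the title before reading the tags would also make the "More than one task with title" error message accurate. Smaller points: "task" holds a collection and would read better as "tasks"; tag.split('-', maxsplit=3)[3] depends on counting the dashes in "kernel-sru-cycle-", whereas tag[len("kernel-sru-cycle-"):] states the intent directly; and the comment above the def would serve better as a docstring that documents the None return.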
