Merge ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_abi_check_cycle into ubuntu-cve-tracker:master

Proposed by Rodrigo Figueiredo Zaiden
Status: Merged
Merged at revision: 146049045bef57c3a927ca6eb28dd2320ef72313
Proposed branch: ~rodrigo-zaiden/ubuntu-cve-tracker:kernel_abi_check_cycle
Merge into: ubuntu-cve-tracker:master
Diff against target: 80 lines (+32/-4)
2 files modified
scripts/kernel-abi-check (+8/-2)
scripts/kernel_lib.py (+24/-2)
Reviewer: Steve Beattie (review status: Approve)
Review via email: mp+458365@code.launchpad.net

Commit message

scripts/kernel-abi-check: add check-cycle argument

 With the new optional argument, '--check-cycle', the user can print out
 the kernel SRU cycle that each kernel needing a USN is in. It is
 useful when we have multiple kernels needing a USN and some could be a
 lagging kernel that is in a different cycle, requiring a separate USN.

Description of the change

The usual output for the kernel-abi-check script is:

 $ ./scripts/kernel-abi-check
 USN needed: focal/linux-gcp-5.15: 5.15.0-1048.56~20.04.1 (last USN: 5.15.0-1047.55~20.04.1)
 USN needed: focal/linux-intel-iotg-5.15: 5.15.0-1046.52~20.04.1 (last USN: 5.15.0-1045.51~20.04.1)
 USN needed: focal/linux-iot: 5.4.0-1028.29 (last USN: 5.4.0-1026.27)
 USN needed: jammy/linux-oem-6.1: 6.1.0-1028.28 (last USN: 6.1.0-1027.27)

With the proposed change, if "--check-cycle" is used, we add the capability
to print out which kernel SRU cycle we are in, and the output will look like:

 $ ./scripts/kernel-abi-check --check-cycle
 USN needed: focal/linux-gcp-5.15: 5.15.0-1048.56~20.04.1 (last USN: 5.15.0-1047.55~20.04.1) - cycle: 2023.10.30-1
 USN needed: focal/linux-intel-iotg-5.15: 5.15.0-1046.52~20.04.1 (last USN: 5.15.0-1045.51~20.04.1) - cycle: 2023.10.30-1
 USN needed: focal/linux-iot: 5.4.0-1028.29 (last USN: 5.4.0-1026.27) - cycle: 2023.10.30-3
 USN needed: jammy/linux-oem-6.1: 6.1.0-1028.28 (last USN: 6.1.0-1027.27) - cycle: 2023.10.30-5

As the idea here is to add an extra argument, there is no harm for the
current execution of the script.

The major benefit is to enable the user who will be doing the USN to
find kernels with the same major version, in different cycles (probably with
different CVEs being fixed), that could end up in the same USN, which is
potentially wrong.
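
An added example, not part of the merge proposal or of ubuntu-cve-tracker: one way to use the `--check-cycle` output shown above to spot kernels that share a base version but sit in different SRU cycles. The helper names, the reading of "same major version" as the version part before the first `-`, and the third sample line are assumptions.

```python
import re
from collections import defaultdict

# Line format as printed by kernel-abi-check --check-cycle (taken from the page).
LINE_RE = re.compile(
    r"^USN needed: (?P<release>[^/\s]+)/(?P<source>[^:\s]+): (?P<version>\S+) "
    r"\(last USN: (?P<last_usn>[^)]+)\) - cycle: (?P<cycle>\S+)$"
)


def base_version(version):
    # Assumption: "same major version" means the part before the first '-',
    # e.g. "5.15.0" for "5.15.0-1048.56~20.04.1".
    return version.split("-", 1)[0]


def group_by_cycle(lines):
    """Map base version -> SRU cycle -> list of 'release/source' names."""
    groups = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not a "USN needed" line with a cycle suffix
        name = f"{m['release']}/{m['source']}"
        groups[base_version(m["version"])][m["cycle"]].append(name)
    return {base: dict(cycles) for base, cycles in groups.items()}


def mixed_cycles(groups):
    """Base versions whose pending kernels span more than one SRU cycle."""
    return sorted(base for base, cycles in groups.items() if len(cycles) > 1)


# Lines 1, 2 and 4 are copied from the page; line 3 is constructed
# (hypothetical kernel name, versions and cycle) to show a lagging kernel.
SAMPLE = [
    "USN needed: focal/linux-gcp-5.15: 5.15.0-1048.56~20.04.1 (last USN: 5.15.0-1047.55~20.04.1) - cycle: 2023.10.30-1",
    "USN needed: focal/linux-intel-iotg-5.15: 5.15.0-1046.52~20.04.1 (last USN: 5.15.0-1045.51~20.04.1) - cycle: 2023.10.30-1",
    "USN needed: jammy/linux-example: 5.15.0-1040.45 (last USN: 5.15.0-1039.44) - cycle: 2023.10.02-1",
    "USN needed: focal/linux-iot: 5.4.0-1028.29 (last USN: 5.4.0-1026.27) - cycle: 2023.10.30-3",
]

if __name__ == "__main__":
    groups = group_by_cycle(SAMPLE)
    for base in mixed_cycles(groups):
        print(f"{base}: check before combining into one USN:")
        for cycle, names in sorted(groups[base].items()):
            print(f"  cycle {cycle}: {', '.join(names)}")
```

The script prints these lines to stderr, so redirect stderr when feeding its output to the parser.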

Rodrigo Figueiredo Zaiden (rodrigo-zaiden) wrote :

I've added a new commit that changes the definition of the method
`get_kernel_sru_cycle` from kernel-abi-check script to kernel_lib.py.
In kernel-abi-check we call it from the kernel_lib.

It was suggested by Steve and it makes sense that the method is defined
in a common place where other scripts may take advantage of the method if
needed. For this case, for example, we have the script 'kernel-sru-check'
that is placed in UQT nowadays but will be moved to UCT that could be using
it.

I'm passing the lp api connection as a parameter because we already have
it in kernel-abi-check. Another idea would be to have it also defined in
kernel_lib.py only if needed. I think python would not initialize another
instance if the connection was already initialized in kernel-abi-check,
but as I'm not sure, I preferred to keep it simpler.

Steve Beattie (sbeattie) wrote :

Thanks Rodrigo, this LGTM. I went ahead and merged this, we can figure out how to handle kernel-sru-check next week.

I think trying to be clever with the lp api connection will probably lead to weird behaviors later, so am happy to leave it as a passed in argument.

I ended up creating a followup commit that makes the argument that adds the proposed pocket, previously only used for ABI checking, also function when looking for kernels that are in that pocket that don't have USNs published for them. This is purely for testing the kernel-abi-script when the archive is in the current state that it is where there are no kernels in either the security or updates pockets that don't have a corresponding USN published for it.

Thanks again!

review: Approve

Preview Diff

diff --git a/scripts/kernel-abi-check b/scripts/kernel-abi-check
index fef3354..e16b186 100755
--- a/scripts/kernel-abi-check
+++ b/scripts/kernel-abi-check
@@ -19,7 +19,8 @@ from cve_lib import (is_active_release, is_active_esm_release,
19 esm_releases, get_orig_rel_name)19 esm_releases, get_orig_rel_name)
20from kernel_lib import (meta_kernels, lookup_glitch_version,20from kernel_lib import (meta_kernels, lookup_glitch_version,
21 ignore_kernel_mabi, get_kernel_meta_alt_pkg,21 ignore_kernel_mabi, get_kernel_meta_alt_pkg,
22 kernel_package_abi, kernel_meta_abi)22 kernel_package_abi, kernel_meta_abi,
23 get_kernel_sru_cycle)
23from usn_lib import USNdb24from usn_lib import USNdb
2425
25try:26try:
@@ -52,6 +53,7 @@ parser.add_argument(
52 "--use-lp-bot-account", default=False, action='store_true',53 "--use-lp-bot-account", default=False, action='store_true',
53 help="WHen connecting to launchpad, use an alternate bot account credentials"54 help="WHen connecting to launchpad, use an alternate bot account credentials"
54)55)
56parser.add_argument("--check-cycle", help="Check kernel workflow cycle", action='store_true')
55parser.add_argument("kernel", help="only check specific kernels", nargs="*")57parser.add_argument("kernel", help="only check specific kernels", nargs="*")
56opt = parser.parse_args()58opt = parser.parse_args()
5759
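Review bot: the help text for the new --check-cycle argument, "Check kernel workflow cycle", does not say what the option changes. Suggest wording it so that --help states the effect, for example that it appends the kernel SRU cycle to each "USN needed" line and looks the cycle up in Launchpad for every kernel reported. The help string just above it in this hunk also has a typo, "WHen".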
@@ -212,7 +214,11 @@ def pocket_abis_match(release, srcs, meta_pkg, signed):
212 print('Skipping kernel %s in release %s pocket %s' % (src, release, pocket), file=sys.stderr)214 print('Skipping kernel %s in release %s pocket %s' % (src, release, pocket), file=sys.stderr)
213 else:215 else:
214 rc = False216 rc = False
215 print("USN needed: %s/%s: %s (last USN: %s)" % (release, pkg[src][pocket]['name'], pkg[src][pocket]['version'], last_usn), file=sys.stderr)217 kernel_title = f"{pkg[src][pocket]['name']}: {pkg[src][pocket]['version']}"
218 if (opt.check_cycle):
219 print("USN needed: %s/%s (last USN: %s) - cycle: %s" % (release, kernel_title, last_usn, get_kernel_sru_cycle(kernel_title, lp)), file=sys.stderr)
220 else:
221 print("USN needed: %s/%s (last USN: %s)" % (release, kernel_title, last_usn), file=sys.stderr)
216222
217 if opt.ignore_abi:223 if opt.ignore_abi:
218 return rc224 return rc
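Review bot: the call to get_kernel_sru_cycle(kernel_title, lp) in the opt.check_cycle branch is unguarded, and that function raises ValueError when the search returns more than one task, so a single ambiguous kernel aborts the run before the remaining "USN needed" lines are printed. Catch the ValueError at this call site and print a placeholder for the cycle instead. The function also returns None when nothing matches, which is printed here as "cycle: None"; an explicit "unknown" would be clearer to whoever is preparing the USN. Minor: the parentheses in `if (opt.check_cycle):` are unnecessary, and the two print calls differ only in the suffix, so building the suffix once would avoid duplicating the format string.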
diff --git a/scripts/kernel_lib.py b/scripts/kernel_lib.py
index 4e0ab90..64a8f64 100755
--- a/scripts/kernel_lib.py
+++ b/scripts/kernel_lib.py
@@ -1,9 +1,9 @@
1#!/usr/bin/env python21#!/usr/bin/env python3
2# -*- coding: utf-8 -*-2# -*- coding: utf-8 -*-
3# Author: Kees Cook <kees@ubuntu.com>3# Author: Kees Cook <kees@ubuntu.com>
4# Author: Jamie Strandboge <jamie@ubuntu.com>4# Author: Jamie Strandboge <jamie@ubuntu.com>
5# Author: Steve Beattie <sbeattie@ubuntu.com>5# Author: Steve Beattie <sbeattie@ubuntu.com>
6# Copyright (C) 2005-2017 Canonical Ltd.6# Copyright (C) 2005-2024 Canonical Ltd.
7#7#
8# This script is distributed under the terms and conditions of the GNU General8# This script is distributed under the terms and conditions of the GNU General
9# Public License, Version 3 or later. See http://www.gnu.org/copyleft/gpl.html9# Public License, Version 3 or later. See http://www.gnu.org/copyleft/gpl.html
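Review bot: the shebang change on line 1 from python2 to python3 is not mentioned in the commit message, which only describes the --check-cycle argument. Mention it there, or move it together with the copyright year bump to a separate commit, so the interpreter switch is easy to find in history.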
@@ -19,6 +19,28 @@ import sys
19from cve_lib import (kernel_srcs, get_esm_name, is_active_esm_release)19from cve_lib import (kernel_srcs, get_esm_name, is_active_esm_release)
2020
2121
22# search for the kernel SRU cycle for a kernel in the format
23# "linux[-complement]: <version>"
24def get_kernel_sru_cycle(kernel_title, lp):
25 cycle = None
26 kernels = lp.projects['kernel-sru-workflow']
27
28 task = kernels.searchTasks(search_text=kernel_title)
29 if len(task) > 1:
30 print('found multiple (%d) results:' % len(task), file=sys.stderr)
31 for _task in task:
32 print(' %s' % _task.bug.title, file=sys.stderr)
33 raise ValueError('More than one task with title %s found' % (kernel_title))
34
35 if task:
36 for tag in task[0].bug.tags:
37 if tag.startswith("kernel-sru-cycle-"):
38 cycle = tag.split('-', maxsplit=3)[3]
39 break
40
41 return cycle
42
43
22# converts a kernel source package name to the signed version, based off44# converts a kernel source package name to the signed version, based off
23# of the default naming style linux-FOO -> linux-signed-FOO45# of the default naming style linux-FOO -> linux-signed-FOO
24def convert_name_to_signed(kernel):46def convert_name_to_signed(kernel):
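Review bot: get_kernel_sru_cycle reads tags from task[0] without checking that the bug title actually matches kernel_title, so the cycle returned can belong to a bug that only matched the search_text query. Compare task[0].bug.title against kernel_title before reading the tags. The comment above the function should become a docstring that states the None return (no task found, or no kernel-sru-cycle- tag) and the ValueError on multiple results, since callers need both. `tag.split('-', maxsplit=3)[3]` relies on the prefix containing exactly three hyphens; slicing off len("kernel-sru-cycle-") would tie the extraction to the prefix tested on the line before. The variable task holds a collection and would read better as tasks.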
