We have recently fixed some serious security issues on LAVA server.
CVE-2022-44641: Recursive XML entity expansion
Users with valid accounts can submit a specially crafted XML document via the
XMLRPC that causes a recursive XML entity expansion, consuming large amounts
of resources and eventually causing a Denial of Service on the LAVA server.
This problem was found, and the fix provided, by Igor Ponomarev from
Collabora. The fix has been released in 2022.11, with the following patch:
https://git.lavasoftware.org/lava/lava/-/commit/1bee0f8957741582c2bed800974…
CVE-2022-45132: Code execution in jinja templates
A specially crafted jinja2 template can be submitted to a publicly accessible
REST API endpoint without any authentication and cause a remote command
execution as the same user that is running the LAVA server web application.
This problem was found, and the fix provided, by Igor Ponomarev from
Collabora. The fix has been released in 2022.11.1, with the following patch:
https://git.lavasoftware.org/lava/lava/-/commit/ab17e8304f10c7c0fe912067f2e…
We strongly recommend that administrators upgrade to the 2022.11.1
release immediately, or failing that, at least apply the patches linked
above locally to their lava server.
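A defensive check in the spirit of the first advisory, added here as an example and not LAVA's own patch: it gates XML-RPC request bodies with the standard-library expat parser and refuses any document that declares a DTD entity, since recursive expansion cannot occur without one. The request bodies and the size limit are constructed for this example; only the method name comes from these announcements.

```python
"""Reject XML-RPC request bodies that declare DTD entities.

Added example, not LAVA's actual fix for CVE-2022-44641: a pre-parse gate,
using only the standard library, that refuses any document containing an
entity declaration, so the request is dropped before any expansion work.
"""
import xml.parsers.expat
from xml.parsers.expat import ExpatError

# Upper bound on an accepted request body; hypothetical value for this example.
MAX_REQUEST_BYTES = 1 << 20


class EntityDeclarationRejected(ValueError):
    """Raised from the expat callback when a DTD entity declaration is seen."""


def _reject_entity(name, is_parameter_entity, value, base, system_id,
                   public_id, notation_name):
    # Called for both internal and external entity declarations; raising here
    # aborts parsing immediately, before any entity is expanded.
    raise EntityDeclarationRejected(f"entity declaration {name!r} not allowed")


def check_xmlrpc_request(payload: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a raw XML-RPC request body."""
    if len(payload) > MAX_REQUEST_BYTES:
        return False, "request body too large"
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = _reject_entity
    try:
        parser.Parse(payload, True)
    except EntityDeclarationRejected as exc:
        return False, str(exc)
    except ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample request bodies (method name taken from the release notes).
NORMAL_CALL = (b'<?xml version="1.0"?><methodCall>'
               b"<methodName>scheduler.workers.show</methodName>"
               b"<params><param><value><string>worker01</string></value>"
               b"</param></params></methodCall>")
ENTITY_CALL = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE methodCall [<!ENTITY e "x">]>'
               b"<methodCall><methodName>&e;</methodName></methodCall>")

if __name__ == "__main__":
    for body in (NORMAL_CALL, ENTITY_CALL):
        print(check_xmlrpc_request(body))
```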
Hi folks,
The 2022.11 tag has been pushed to master on git.lavasoftware.org.
.deb packages have been built in GitLab CI and are published at
https://apt.lavasoftware.org/release
Docker images for amd64 and arm64 have been built in GitLab CI and
are available from
https://hub.lavasoftware.org/
and
https://hub.docker.com/u/lavasoftware
Changes in this release
==================
# Device-types
## New device-types
New supported devices:
* kv260
* sm8350-hdk
* asus-CM1400CXA-dalboz
## imx8
* Separate the common configuration of the 8u series into imx8u-common and add
the new device type imx8ulp-9x9-evk
# LAVA dispatcher
* Modifying sparse rootfs is now fully supported.
* Add ava and base-edk2 device types
* schema.deploy.fvp: add the optional uniquify param
# Bug fixes
* Fix filenames when overlaying tar files
* Add missing OIDC setting keys to common settings
* share/requires.py: fix building for debian -backports and -security suites
* reprepro-release: don't trigger on debian/* tags
* Fix a huge performance issue when parsing kernel boot log
* schema: allow to use auto_login in depthcharge boot action
* kernel messages: fix match for login prompts
* device-type: add bcu_board_name for some missed imx boards
* fvp: raise a JobError when escaping is required
Thanks,
--
Stevan Radaković | Senior Engineer
Linaro.org <www.linaro.org> │ Open source software for ARM SoCs
Hi folks,
The 2022.10 tag has been pushed to master on git.lavasoftware.org.
.deb packages have been built in GitLab CI and are published at
https://apt.lavasoftware.org/release
Docker images for amd64 and arm64 have been built in GitLab CI and
are available from
https://hub.lavasoftware.org/
and
https://hub.docker.com/u/lavasoftware
Changes in this release
==================
## New device-types
New supported devices:
* acer-R721T-grunt
* k3-am625-sk
* r8a77950-ulcb
* sc7180-trogdor-kingoftown
## Security issue
A security issue has been discovered in LAVA. We advise LAVA admins to
upgrade their instances.
## Django authentication
Fix two authorization issues for device (type) visibility.
The first one is on the worker detail page: while looking at transitions, a
non-authorized user can see device transitions for devices they are not
supposed to.
The second one is the device type health history; users are able to view the
whole page when they are not supposed to. Also on the same page, transitions
are shown to non-authorized users.
## Use monotonic times
`time.time()` is affected by system time changes like daylight savings,
leap seconds and clock drift.
Monotonic time will always move forward. lava-dispatcher is now using it to
compute duration and timeouts.
Thanks
--
Rémi Duraffort
LAVA and Tux Architect
Linaro
Hi folks,
The 2022.08 tag has been pushed to master on git.lavasoftware.org.
.deb packages have been built in GitLab CI and are published at
https://apt.lavasoftware.org/release
Docker images for amd64 and arm64 have been built in GitLab CI and
are available from
https://hub.lavasoftware.org/
and
https://hub.docker.com/u/lavasoftware
Changes in this release
==================
## New device-types
New supported devices:
* aaeon-UPN-EHLX4RE-A10-0864
* imx8ulp-evk
* imx93-11x11-evk
* mt8192-asurada-spherion-r0
* synquacer-uboot
## Grub based device-types
Allow a device-type to easily disable interrupting boot. This is not required
if grub is built to always drop to a shell.
In the device-type template or device dictionary, add:
```jinja
{% set grub_needs_interrupt = false %}
```
## UUU and BCU
Add support for [BCU](https://github.com/NXPmicro/bcu#readme) to the UUU
based device-types. This utility allows changing the board's boot
configuration (mainly SD card, eMMC or USB Serial Download Protocol)
through a serial interface.
In the device dictionary, add:
```jinja
{% set bcu_board_id = '2-1.3' %}
```
Then in the job definition, you can use bcu directly:
```yaml
- boot:
    method: uuu
    commands:
    - bcu: reset usb
    - uuu: -b emmc {boot}
    - bcu: set_boot_mode emmc
    timeout:
      minutes: 20
```
The support has been enabled for the imx8dxl-evk, imx8ulp-evk, imx8mp-evk and
imx93-11x11-evk device-types.
## OpenID connect
LAVA server can now support OpenID Connect (for instance Azure AD or
Keycloak) to authenticate users.
In order to use this feature, you should install `mozilla-django-oidc` and
add to the settings:
```yaml
AUTH_OIDC:
  OIDC_RP_CLIENT_ID: "1"
  OIDC_RP_CLIENT_SECRET: "bd01adf93cfb"
  OIDC_OP_AUTHORIZATION_ENDPOINT: "http://testprovider:8080/openid/authorize"
  OIDC_OP_TOKEN_ENDPOINT: "http://testprovider:8080/openid/token"
  OIDC_OP_USER_ENDPOINT: "http://testprovider:8080/openid/userinfo"
```
See [mozilla-django-oidc](https://mozilla-django-oidc.readthedocs.io/en/stable/settings.html)
for the full list of options.
## Transfer Overlay
For device-types where the base OS does not provide tools to download over
HTTP (like wget or curl), the transfer overlay action can now use NFS.
In order to use this, the job definition would look like:
```yaml
- boot:
    [...]
    transfer_overlay:
      transfer_method: nfs
      download_command: mount -t nfs -o nolock
      unpack_command: cp -rf
```
Rgds
--
Rémi Duraffort
Tux and LAVA Architect
Linaro
Hi folks,
The 2022.06 tag has been pushed to master on git.lavasoftware.org.
.deb packages have been built in GitLab CI and are published at
https://apt.lavasoftware.org/release
Docker images for amd64 and arm64 have been built in GitLab CI and
are available from
https://hub.lavasoftware.org/
and
https://hub.docker.com/u/lavasoftware
Changes in this release
==================
# Device-types
## New device-types
New supported devices:
* bcm2835-rpi-b-rev2
* jh7100-visionfive
* kontron-bl-imx8mm
* rk3399-roc-pc
# Docker test shell
Starting from this release, when using the docker test shell, the current
device connection will be recorded in the logs as a feedback connection.
This allows printing the DUT logs while running a docker test shell.
# Callbacks
It is now possible to receive a callback notification for both `running`
and `finished` jobs. You have to set `criteria: all` in the job definition.
# Private instance
It is now possible to require all users to login before accessing any page
outside of the home page, documentation pages and the login page itself by
setting the `REQUIRE_LOGIN` variable in any YAML configuration file under
`/etc/lava-server/settings.d/*.yaml`.
Rgds
--
Rémi Duraffort
TuxArchitect
Linaro
Hi folks,
The 2022.05 tag has been pushed to master on git.lavasoftware.org.
.deb packages have been built in GitLab CI and are published at
https://apt.lavasoftware.org/release
Docker images for amd64 and arm64 have been built in GitLab CI and
are available from
https://hub.lavasoftware.org/
and
https://hub.docker.com/u/lavasoftware
Changes in this release
==================
# Device-types
## New device-types
New supported devices:
* am437x-idk-evm
* am57xx-beagle-x15
* armada-388-clearfog-pro
* hp-14-db0003na-grunt
* imx6dl-udoo
* kontron-kswitch-d10-mmt-6g-2gs
* kontron-kswitch-d10-mmt-8g
* rk3399-khadas-edge-v
* sun9i-a80-cubieboard4
## depthcharge
Add extra_kernel_args parameter to the Depthcharge boot method, to allow
specifying additional kernel arguments specific for each boot action in
multi-stage jobs.
# Debian package
## lava-dispatcher-host
Allow installing the package on Ubuntu focal. This allows running a lava
worker on Ubuntu focal thanks to `lava-docker-worker`.
# Social accounts
Add a page allowing users to manage the social account connection.
# Performance
## Scheduler
Improve scheduler performance by caching the device-type templates. The
previous caching mechanism was in fact broken.
## Web interface
Improve server performance when browsing the LAVA web interface as an
anonymous user.
Rgds
--
Rémi Duraffort
LAVA and TuxArchitect
Linaro
Hi folks,
The 2022.04 tag has been pushed to master on git.lavasoftware.org.
.deb packages have been built in GitLab CI and are published at
https://apt.lavasoftware.org/release
Docker images for amd64 and arm64 have been built in GitLab CI and
are available from
https://hub.lavasoftware.org/
and
https://hub.docker.com/u/lavasoftware
Changes in this release
==================
# Device-types
## New device-types
New supported devices:
* morello
# Authentication
Allow enabling login with multiple social accounts at once. The login page
will display the available options with logos.
# Environment
The dispatcher IP is now available in the test shell actions as
`LAVA_DISPATCHER_IP`.
# Git authentication
LAVA can now clone from authenticated git repositories. The credentials
should be present in the local environment variables, for example via the
`secrets` dictionary. LAVA dispatcher now expands environment variables in
git URLs:
```yaml
actions:
- test:
    definitions:
    - repository: https://${USER}:${TOKEN}@example.com/definitions.git
      from: git
      [...]
secrets:
  USER: MY_USER
  TOKEN: MY_TOKEN
```
# lava-docker-worker
The LAVA team advises replacing `lava-worker` with `lava-docker-worker`, as
this daemon will automatically upgrade and downgrade the local lava-worker
container to match the remote server version.
For this release, the `lava-docker-worker` daemon stability has been improved
a lot. This is now used in production at Linaro.
# Overlays
The lava dispatcher is now able to run `img2simg` after applying the
overlays. Users should add `sparse: true`:
```yaml
rootfs:
  url: "http://example.com/rootfs.ext4.xz"
  format: ext4
  sparse: true
  overlays:
    modules:
      url: "http://example.com/modules.tar.xz"
      [...]
```
# Server performance
## logging interval
Starting from this release, the default logging interval is set to 5s.
lava-run will now send the job logs every 5s, instead of every second.
This should decrease the load on the LAVA server.
## Scheduler lock
Prior to this release, the lava-scheduler process was locking the worker
table during scheduling. On large instances, this would prevent the
workers from updating their status.
Starting from this release, lava-scheduler no longer locks the worker table.
# XML-RPC API
## Device-types
The XML-RPC API now returns the `health_denominator` and
`health_frequency` when calling `scheduler.device_types.show`. This
function will also return a boolean (`default_template`) indicating if this
device-type is using a custom template or the default one.
## Devices
The XML-RPC API now allows changing the device-type of a specific device when
calling `scheduler.devices.update`.
## Workers
The XML-RPC API call `scheduler.workers.show` now returns booleans
(`default_config`, `default_env` and `default_env_dut`) to indicate if the
worker is using a custom config (env or env-dut) file.
Rgds
--
Rémi Duraffort
LAVA and Tux Architect
Linaro
Hi folks,
The 2022.03 tag has been pushed to master on git.lavasoftware.org.
.deb packages have been built in GitLab CI and are published at
https://apt.lavasoftware.org/release
Docker images for amd64 and arm64 have been built in GitLab CI and
are available from
https://hub.lavasoftware.org/
and
https://hub.docker.com/u/lavasoftware
Changes in this release
==================
# Device-types
## New device-types
New supported devices:
* at91sam9g20ek
# Server performance
Improve server performance by dropping COUNT queries that were used for
pagination. Also cache permissions to avoid recalculation in the same page.
# lava-(docker)-worker
Allow setting `--job-log-interval` for both `lava-docker-worker` and
`lava-worker`. On large instances, admins can increase the value to lower
server load.
# lava-dispatcher-host
Fix a file descriptor leak. Without this patch, after some jobs, the
process will run out of file descriptors.
# lava-run
Add job definition secrets to the environment when starting `lava-run`.
This allows downloading from private git repositories by providing
authentication in the job definition secrets.
Rgds
--
Rémi Duraffort
TuxArchitect
Linaro
Hi folks,
The 2022.02 tag has been pushed to master on git.lavasoftware.org.
.deb packages have been built in GitLab CI and are published at
https://apt.lavasoftware.org/release
Docker images for amd64 and arm64 have been built in GitLab CI and
are available from
https://hub.lavasoftware.org/
and
https://hub.docker.com/u/lavasoftware
Changes in this release
==================
# Device-types
## New device-types
New supported devices:
* seco-c61
## d05
Use NFS version 3 by default when loading the root file-system with NFS.
## depthcharge
Allow booting from eMMC. Typical extra kernel arguments for booting a
Chrome OS image are `root=/dev/mmcblk0p3 cros_debug cros_secure`.
## hp-x360-14-G1-sona
Automatically retry on boot failures to work around bootloader issues.
## UUU
Enable "on worker" uuu_usb_otg_path configuration instead of modifying
device definitions located on the master.
Before this change, the LAVA device dictionary contained a static uuu USB ID
as a string, like:
```jinja
{% set uuu_usb_otg_path = '1:324' %}
```
The dictionary can now contain a command that will actually return this
string:
```jinja
{% set uuu_usb_otg_path_command = ['board-control', 'imx8mq-evk-01',
'extra', 'uuu_otg_path', '--silent'] %}
```
# docker + adb,fastboot
We often observe race conditions where a USB device will disconnect between
the time when it gets added to the docker command line as a `--device=`
option and the time that the container actually starts.
Instead of running one-off containers, start the containers first, wait for
them to be up, map devices into them with lava-dispatcher-host, and then
run the command. This way, if the device gets disconnected it will be
re-shared with the container once it is enumerated again.
# Settings
The LAVA server settings can now be configured from environment variables.
Every variable that starts with `LAVA_SETTINGS_` will be added to the
django settings.
For complex settings, admins can use LAVA_JSON_SETTINGS, which is expected
to be a JSON dictionary, base64 encoded. For instance:
```python
import base64
import json

data = {
    "WORKER_AUTO_REGISTER_NETMASK": ["::1"]
}
print(base64.b64encode(json.dumps(data).encode("utf-8")).decode("utf-8"))
```
In order to use it, add to the environment:
`LAVA_JSON_SETTINGS="eyJXT1JLRVJfQVVUT19SRUdJU1RFUl9ORVRNQVNLIjogWyI6OjEiXX0="`.
See [the documentation](https://lava.readthedocs.io/en/latest/admin/basic-tutorials/instance/config…).
# Container images
Fix LDAP support when using LDAPS and upgrade sentry-sdk to 1.5.5 in
lava-server images.
# Debian packaging
Ensure `lava-celery-worker`, `lava-dispatcher-host` and
`lava-docker-worker` are restarted on upgrades.
# Worker
## Logging interval
By default, lava-run will send the new logs to the server every second. For
large labs, this would generate a significant load on the server. This
interval is now configurable when calling `lava-docker-worker` and
`lava-worker`.
Rgds
--
Rémi Duraffort
TuxArchitect
Linaro
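The consuming side of the `LAVA_SETTINGS_` / `LAVA_JSON_SETTINGS` mechanism described in the 2022.02 notes above, written as an added illustration rather than lava-server's own code. It assumes plain `LAVA_SETTINGS_<NAME>` values are taken as strings and that the decoded JSON object takes precedence; the base64 value is the one quoted in the announcement, the rest of the environment is constructed.

```python
"""Consume LAVA_SETTINGS_* and LAVA_JSON_SETTINGS from an environment mapping.

Added illustration of the environment-variable settings mechanism described
in the release notes; it is not lava-server's own code. Assumptions: plain
LAVA_SETTINGS_<NAME> values are kept as strings, and LAVA_JSON_SETTINGS (a
base64-encoded JSON object) overrides them, so typed values win.
"""
import base64
import binascii
import json

PLAIN_PREFIX = "LAVA_SETTINGS_"
JSON_VAR = "LAVA_JSON_SETTINGS"


def decode_json_settings(encoded: str) -> dict:
    """Decode a base64 JSON object, rejecting anything that is not an object."""
    try:
        raw = base64.b64decode(encoded, validate=True)
        data = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"{JSON_VAR} is not base64-encoded JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError(f"{JSON_VAR} must decode to a JSON object")
    return data


def settings_from_environ(environ: dict) -> dict:
    """Merge LAVA_SETTINGS_* (strings) and LAVA_JSON_SETTINGS (typed) values."""
    settings = {}
    for name, value in environ.items():
        # Only the part after the prefix becomes the django setting name.
        if name.startswith(PLAIN_PREFIX) and len(name) > len(PLAIN_PREFIX):
            settings[name[len(PLAIN_PREFIX):]] = value
    if JSON_VAR in environ:
        settings.update(decode_json_settings(environ[JSON_VAR]))
    return settings


# Constructed environment; the base64 value is the one from the release notes.
SAMPLE_ENVIRON = {
    "LAVA_SETTINGS_REQUIRE_LOGIN": "true",
    "LAVA_JSON_SETTINGS": "eyJXT1JLRVJfQVVUT19SRUdJU1RFUl9ORVRNQVNLIjogWyI6OjEiXX0=",
    "PATH": "/usr/bin",  # unrelated variables are ignored
}

if __name__ == "__main__":
    print(settings_from_environ(SAMPLE_ENVIRON))
```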