debian/0000775000000000000000000000000013155770671007204 5ustar debian/swift-container.swift-container-replicator.upstart0000664000000000000000000000072213126623062021207 0ustar # swift-container-replicator - SWIFT Container Replicator # # The swift container replicator. description "SWIFT Container Replicator" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/container-server.conf" ]; then exec /usr/bin/swift-init container-replicator start else exit 1 fi end script post-stop exec /usr/bin/swift-init container-replicator stop debian/swift-object.swift-object-updater.upstart0000664000000000000000000000065313126623062017262 0ustar # swift-object-updater - SWIFT Object Updater # # The swift object updater. description "SWIFT Object Updater" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/object-server.conf" ]; then exec /usr/bin/swift-init object-updater start else exit 1 fi end script post-stop exec /usr/bin/swift-init object-updater stop debian/control0000664000000000000000000003273313126623062010604 0ustar Source: swift Section: net Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Soren Hansen Uploaders: Monty Taylor , Greg Holt , Jay Payne , Michael Barton , Thomas Goirand Build-Depends: debhelper (>= 7.0.50~), python-all-dev (>= 2.6.6-3~), python-dnspython (>= 1.10.0), python-eventlet (>= 0.9.8), python-greenlet (>= 0.3.1), python-mock, python-netifaces, python-nose, python-openssl, python-paste, python-pastedeploy, python-setuptools, python-simplejson, python-sphinx (>= 1.0), python-swiftclient, python-xattr Standards-Version: 3.9.4 Homepage: http://launchpad.net/swift Vcs-Browser: http://bazaar.launchpad.net/~ubuntu-server-dev/swift/icehouse/files Vcs-Bzr: https://code.launchpad.net/~ubuntu-server-dev/swift/icehouse XS-Testsuite: autopkgtest Package: python-swift Architecture: all Section: python Depends: adduser, python-dnspython (>= 1.10.0), python-eventlet (>= 0.9.8), python-greenlet (>= 0.3.1), python-netifaces, python-openssl, python-paste, python-pastedeploy, python-setuptools, python-simplejson, python-xattr, ${misc:Depends}, ${python:Depends} Provides: ${python:Provides} Breaks: swift (<< 1.13.1~rc1-0ubuntu1~) Replaces: swift (<< 1.13.1~rc1-0ubuntu1~) Description: distributed virtual object store - Python libraries OpenStack Object Storage (code-named Swift) is open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. It is not a file system or real-time data storage system, but rather a long-term storage system for a more permanent type of static data that can be retrieved, leveraged, and then updated if necessary. Primary examples of data that best fit this type of storage model are virtual machine images, photo storage, email storage and backup archiving. Having no central "brain" or master point of control provides greater scalability, redundancy and permanence. . Objects are written to multiple hardware devices in the data center, with the OpenStack software responsible for ensuring data replication and integrity across the cluster. Storage clusters can scale horizontally by adding new nodes. Should a node fail, OpenStack works to replicate its content from other active nodes. Because OpenStack uses software logic to ensure data replication and distribution across different devices, inexpensive commodity hard drives and servers can be used in lieu of more expensive equipment. . This package provides the Python libraries that actually implement everything. Package: swift Architecture: all Depends: python-swift (=${binary:Version}), ${misc:Depends}, ${python:Depends}, ${shlibs:Depends} Provides: ${python:Provides} Replaces: swift (<< 1.6.0-0ubuntu1) Breaks: swift (<< 1.6.0-0ubuntu1) Suggests: swift-bench Description: distributed virtual object store - common files OpenStack Object Storage (code-named Swift) is open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. It is not a file system or real-time data storage system, but rather a long-term storage system for a more permanent type of static data that can be retrieved, leveraged, and then updated if necessary. Primary examples of data that best fit this type of storage model are virtual machine images, photo storage, email storage and backup archiving. Having no central "brain" or master point of control provides greater scalability, redundancy and permanence. . Objects are written to multiple hardware devices in the data center, with the OpenStack software responsible for ensuring data replication and integrity across the cluster. Storage clusters can scale horizontally by adding new nodes. Should a node fail, OpenStack works to replicate its content from other active nodes. Because OpenStack uses software logic to ensure data replication and distribution across different devices, inexpensive commodity hard drives and servers can be used in lieu of more expensive equipment. . . This package provides some core binaries and clients to control swift. Package: swift-proxy Architecture: all Depends: python-swift (=${binary:Version}), ${misc:Depends}, ${python:Depends}, ${shlibs:Depends} Provides: ${python:Provides} Breaks: swift (<< 1.13.1~rc1-0ubuntu1~) Replaces: swift (<< 1.13.1~rc1-0ubuntu1~) Description: distributed virtual object store - proxy server OpenStack Object Storage (code-named Swift) is open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. It is not a file system or real-time data storage system, but rather a long-term storage system for a more permanent type of static data that can be retrieved, leveraged, and then updated if necessary. Primary examples of data that best fit this type of storage model are virtual machine images, photo storage, email storage and backup archiving. Having no central "brain" or master point of control provides greater scalability, redundancy and permanence. . Objects are written to multiple hardware devices in the data center, with the OpenStack software responsible for ensuring data replication and integrity across the cluster. Storage clusters can scale horizontally by adding new nodes. Should a node fail, OpenStack works to replicate its content from other active nodes. Because OpenStack uses software logic to ensure data replication and distribution across different devices, inexpensive commodity hard drives and servers can be used in lieu of more expensive equipment. . This package provides a proxy server on which clients can connect to store object into Swift. Package: swift-object-expirer Architecture: all Depends: python-swift (=${binary:Version}), ${misc:Depends}, ${python:Depends}, ${shlibs:Depends} Provides: ${python:Provides} Breaks: swift-object (<< 1.12.0-0ubuntu2), swift (<< 1.13.1~rc1-0ubuntu1~) Replaces: swift-object (<< 1.12.0-0ubuntu2), swift (<< 1.13.1~rc1-0ubuntu1~) Description: distributed virtual object store - object expirer OpenStack Object Storage (code-named Swift) is open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. It is not a file system or real-time data storage system, but rather a long-term storage system for a more permanent type of static data that can be retrieved, leveraged, and then updated if necessary. Primary examples of data that best fit this type of storage model are virtual machine images, photo storage, email storage and backup archiving. Having no central "brain" or master point of control provides greater scalability, redundancy and permanence. . Objects are written to multiple hardware devices in the data center, with the OpenStack software responsible for ensuring data replication and integrity across the cluster. Storage clusters can scale horizontally by adding new nodes. Should a node fail, OpenStack works to replicate its content from other active nodes. Because OpenStack uses software logic to ensure data replication and distribution across different devices, inexpensive commodity hard drives and servers can be used in lieu of more expensive equipment. . This package provides the object-expirer service that provides scheduled deletion of objects in Swift. Package: swift-object Architecture: all Depends: python-swift (=${binary:Version}), rsync, ${misc:Depends}, ${python:Depends}, ${shlibs:Depends} Provides: ${python:Provides} Breaks: swift (<< 1.13.1~rc1-0ubuntu1~) Replaces: swift (<< 1.13.1~rc1-0ubuntu1~) Description: distributed virtual object store - object server OpenStack Object Storage (code-named Swift) is open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. It is not a file system or real-time data storage system, but rather a long-term storage system for a more permanent type of static data that can be retrieved, leveraged, and then updated if necessary. Primary examples of data that best fit this type of storage model are virtual machine images, photo storage, email storage and backup archiving. Having no central "brain" or master point of control provides greater scalability, redundancy and permanence. . Objects are written to multiple hardware devices in the data center, with the OpenStack software responsible for ensuring data replication and integrity across the cluster. Storage clusters can scale horizontally by adding new nodes. Should a node fail, OpenStack works to replicate its content from other active nodes. Because OpenStack uses software logic to ensure data replication and distribution across different devices, inexpensive commodity hard drives and servers can be used in lieu of more expensive equipment. . This package provides the swift object server. Package: swift-container Architecture: all Depends: python-swift (=${binary:Version}), rsync, ${misc:Depends}, ${python:Depends}, ${shlibs:Depends} Provides: ${python:Provides} Breaks: swift (<< 1.13.1~rc1-0ubuntu1~) Replaces: swift (<< 1.13.1~rc1-0ubuntu1~) Description: distributed virtual object store - container server OpenStack Object Storage (code-named Swift) is open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. It is not a file system or real-time data storage system, but rather a long-term storage system for a more permanent type of static data that can be retrieved, leveraged, and then updated if necessary. Primary examples of data that best fit this type of storage model are virtual machine images, photo storage, email storage and backup archiving. Having no central "brain" or master point of control provides greater scalability, redundancy and permanence. . Objects are written to multiple hardware devices in the data center, with the OpenStack software responsible for ensuring data replication and integrity across the cluster. Storage clusters can scale horizontally by adding new nodes. Should a node fail, OpenStack works to replicate its content from other active nodes. Because OpenStack uses software logic to ensure data replication and distribution across different devices, inexpensive commodity hard drives and servers can be used in lieu of more expensive equipment. . This package provides the swift container server. Package: swift-account Architecture: all Depends: python-swift (=${binary:Version}), rsync, ${misc:Depends}, ${python:Depends}, ${shlibs:Depends} Provides: ${python:Provides} Breaks: swift (<< 1.13.1~rc1-0ubuntu1~) Replaces: swift (<< 1.13.1~rc1-0ubuntu1~) Description: distributed virtual object store - account server OpenStack Object Storage (code-named Swift) is open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. It is not a file system or real-time data storage system, but rather a long-term storage system for a more permanent type of static data that can be retrieved, leveraged, and then updated if necessary. Primary examples of data that best fit this type of storage model are virtual machine images, photo storage, email storage and backup archiving. Having no central "brain" or master point of control provides greater scalability, redundancy and permanence. . Objects are written to multiple hardware devices in the data center, with the OpenStack software responsible for ensuring data replication and integrity across the cluster. Storage clusters can scale horizontally by adding new nodes. Should a node fail, OpenStack works to replicate its content from other active nodes. Because OpenStack uses software logic to ensure data replication and distribution across different devices, inexpensive commodity hard drives and servers can be used in lieu of more expensive equipment. . This package provides the swift account server. Package: swift-doc Architecture: all Section: doc Depends: libjs-jquery, ${misc:Depends} Description: distributed virtual object store - documentation OpenStack Object Storage (code-named Swift) is open source software for creating redundant, scalable object storage using clusters of standardized servers to store petabytes of accessible data. It is not a file system or real-time data storage system, but rather a long-term storage system for a more permanent type of static data that can be retrieved, leveraged, and then updated if necessary. Primary examples of data that best fit this type of storage model are virtual machine images, photo storage, email storage and backup archiving. Having no central "brain" or master point of control provides greater scalability, redundancy and permanence. . Objects are written to multiple hardware devices in the data center, with the OpenStack software responsible for ensuring data replication and integrity across the cluster. Storage clusters can scale horizontally by adding new nodes. Should a node fail, OpenStack works to replicate its content from other active nodes. Because OpenStack uses software logic to ensure data replication and distribution across different devices, inexpensive commodity hard drives and servers can be used in lieu of more expensive equipment. . This package provides the Sphinx generated documentation for Swift. debian/swift-proxy.install0000664000000000000000000000003313126623062013070 0ustar usr/bin/swift-proxy-server debian/swift.docs0000664000000000000000000000012713126623062011177 0ustar etc/drive-audit.conf-sample etc/swift.conf-sample etc/dispersion.conf-sample CHANGELOG debian/swift-object-expirer.docs0000664000000000000000000000003713126623062014117 0ustar etc/object-expirer.conf-sample debian/swift-container.swift-container-auditor0000664000000000000000000000257313126623062017017 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: swift-container-auditor # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Swift container auditor server # Description: Container auditor server for swift. ### END INIT INFO set -e SERVICE_NAME="swift-container-auditor" DAEMON="/usr/bin/${SERVICE_NAME}" DAEMON_ARGS="/etc/swift/container-server.conf" PRINT_NAME="Swift countainer auditor" SWIFT_USER=swift SWIFT_GRP=swift PID_FILE=/var/run/swift/${SERVICE_NAME}.pid PID_DIR=`dirname $PID_FILE` if ! [ -x "${DAEMON}" ] ; then exit 0 fi if ! [ -r "${DAEMON_ARGS}" ] ; then echo "No configuration file found in ${DAEMON_ARGS}: exiting" exit 0 fi mkdir -p ${PID_DIR} chown ${SWIFT_USER} ${PID_DIR} . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --start --chuid ${SWIFT_USER}:${SWIFT_GRP} -b -m --pidfile $PID_FILE --exec ${DAEMON} -- ${DAEMON_ARGS} log_end_msg $? ;; stop) log_daemon_msg "Stopping ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --stop --oknodo --pidfile ${PID_FILE} log_end_msg $? ;; restart|force-reload|reload) $0 stop sleep 1 $0 start ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 1 ;; esac exit 0 debian/swift-container.swift-container-updater0000664000000000000000000000255713126623062017016 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: swift-container-updater # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Swift container updater server # Description: Container updater server for swift. ### END INIT INFO set -e SERVICE_NAME="swift-container-updater" DAEMON="/usr/bin/${SERVICE_NAME}" DAEMON_ARGS="/etc/swift/container-server.conf" PRINT_NAME="Swift countainer updater" SWIFT_USER=swift SWIFT_GRP=swift PID_FILE=/var/run/swift/${SERVICE_NAME}.pid PID_DIR=`dirname $PID_FILE` if ! [ -x "${DAEMON}" ] ; then exit 0 fi if ! [ -r "${DAEMON_ARGS}" ] ; then echo "No configuration file found in ${DAEMON_ARGS}: exiting" exit 0 fi mkdir -p ${PID_DIR} chown ${SWIFT_USER} ${PID_DIR} . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --start --chuid ${SWIFT_USER}:${SWIFT_GRP} -b -m --pidfile $PID_FILE --exec ${DAEMON} -- ${DAEMON_ARGS} log_end_msg $? ;; stop) log_daemon_msg "Stopping ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --stop --oknodo --pidfile ${PID_FILE} log_end_msg $? ;; restart|force-reload|reload) $0 stop sleep 1 $0 start ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $0 {start|stop|restart|reload}" exit 1 ;; esac exit 0 debian/swift-object.swift-object-replicator.upstart0000664000000000000000000000067513126623062017766 0ustar # swift-object-replicator - SWIFT Object Replicator # # The swift object replicator. description "SWIFT Object Replicator" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/object-server.conf" ]; then exec /usr/bin/swift-init object-replicator start else exit 1 fi end script post-stop exec /usr/bin/swift-init object-replicator stop debian/swift-doc.links0000664000000000000000000000030213126623062012125 0ustar # Overwrite jquery.js from upstream tarball with a link to jquery.js # provided by jQuery Debian package /usr/share/javascript/jquery/jquery.js usr/share/doc/swift-doc/html/_static/jquery.js debian/swift-account.swift-account-auditor0000664000000000000000000000255613126623062016144 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: swift-account-auditor # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Swift account auditor server # Description: Account auditor server for swift. ### END INIT INFO set -e SERVICE_NAME="swift-account-auditor" DAEMON="/usr/bin/${SERVICE_NAME}" DAEMON_ARGS="/etc/swift/account-server.conf" PRINT_NAME="Swift account auditor" SWIFT_USER=swift SWIFT_GRP=swift PID_FILE=/var/run/swift/${SERVICE_NAME}.pid PID_DIR=`dirname $PID_FILE` if ! [ -x "${DAEMON}" ] ; then exit 0 fi if ! [ -r "${DAEMON_ARGS}" ] ; then echo "No configuration file found in ${DAEMON_ARGS}: exiting" exit 0 fi mkdir -p ${PID_DIR} chown ${SWIFT_USER} ${PID_DIR} . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --start --chuid ${SWIFT_USER}:${SWIFT_GRP} -b -m --pidfile $PID_FILE --exec ${DAEMON} -- ${DAEMON_ARGS} log_end_msg $? ;; stop) log_daemon_msg "Stopping ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --stop --oknodo --pidfile ${PID_FILE} log_end_msg $? ;; restart|force-reload|reload) $0 stop sleep 1 $0 start ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 1 ;; esac exit 0 debian/swift-container.upstart0000664000000000000000000000067213126623062013736 0ustar # swift-container-server - SWIFT Container Server # # The swift container server. description "SWIFT Container Server" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/container-server.conf" ]; then exec /usr/bin/swift-init container-server start else exit 1 fi end script post-stop exec /usr/bin/swift-init container-server stop debian/account-server.conf0000664000000000000000000000027413126623062013003 0ustar [DEFAULT] bind_ip = 0.0.0.0 workers = 2 [pipeline:main] pipeline = account-server [app:account-server] use = egg:swift#account [account-replicator] [account-auditor] [account-reaper] debian/changelog0000664000000000000000000005333113155770671011063 0ustar swift (1.13.1-0ubuntu1.5) trusty-security; urgency=medium [ Jamie Strandboge ] * SECURITY UPDATE: disallow unsafe tempurl operations to point to unauthorized data - debian/patches/CVE-2015-5223.patch: disallow creation of DLO object manifests if non-safe tempurl request includes X-Object-Manifest header - CVE-2015-5223 - LP: #1453948 [ Marc Deslauriers ] * SECURITY UPDATE: DoS via incorrectly closed client connections - debian/patches/CVE-2016-0737.patch: get better at closing WSGI iterables in swift/common/middleware/dlo.py, swift/common/middleware/slo.py, swift/common/request_helpers.py, swift/common/swob.py, swift/common/utils.py, test/unit/common/middleware/helpers.py, test/unit/common/middleware/test_dlo.py, test/unit/common/middleware/test_slo.py. - CVE-2016-0737 * SECURITY UPDATE: DoS via incorrectly closed server connections - debian/patches/CVE-2016-0738.patch: fix memory/socket leak in proxy on truncated SLO/DLO GET in swift/common/request_helpers.py, test/unit/common/middleware/test_slo.py. - CVE-2016-0738 * Thanks to Red Hat for the patch backports! * debian/patches/fix-ubuntu-tests.patch: disable another test that no longer works on buildds. -- Marc Deslauriers Tue, 12 Sep 2017 07:36:43 -0400 swift (1.13.1-0ubuntu1.3) trusty; urgency=medium * Fix issue where swift daemons crash while writing logs to a stopped rsyslogd /dev/log socket. (LP: #1683076) - d/patches/fix-infinite-recursion-logging.patch: Cherry-picked from upstream stable/newton branch to avoid infinite loops when logging while rsyslogd is stopped. -- Billy Olsen Mon, 03 Jul 2017 22:22:58 -0700 swift (1.13.1-0ubuntu1.2) trusty-security; urgency=medium * SECURITY UPDATE: metadata constraint bypass via multiple requests - debian/patches/CVE-2014-7960.patch: add metadata checks to swift/account/server.py, swift/common/constraints.py, swift/common/db.py, swift/container/server.py, added tests to test/functional/test_account.py, test/functional/test_container.py, test/unit/common/test_db.py. - CVE-2014-7960 * SECURITY UPDATE: object deletion via x-versions-location container - debian/patches/CVE-2015-1856.patch: prevent unauthorized delete in swift/proxy/controllers/obj.py, added tests to test/functional/tests.py, test/unit/proxy/test_server.py. - CVE-2015-1856 -- Marc Deslauriers Wed, 22 Jul 2015 11:03:05 -0400 swift (1.13.1-0ubuntu1.1) trusty-security; urgency=medium * SECURITY UPDATE: properly quote www-authenticate header value - debian/patches/CVE-2014-3497.patch: urllib2.quote() the Swift realm in swift/common/swob.py - CVE-2014-3497 - LP: #1327414 -- Jamie Strandboge Tue, 24 Jun 2014 07:08:11 -0500 swift (1.13.1-0ubuntu1) trusty; urgency=medium * New upstream release (LP: #1299055). -- Chuck Short Thu, 17 Apr 2014 04:52:50 -0400 swift (1.13.1~rc2-0ubuntu1) trusty; urgency=medium [ Chuck Short ] * New upstream release candidate (LP: #1299055). [ James Page ] * d/control: Add appropriate Breaks/Replaces to support move of man pages between binary packages in 1.13.1~rc1-0ubuntu1 (LP: #1306241). -- James Page Mon, 14 Apr 2014 11:03:23 +0100 swift (1.13.1~rc1-0ubuntu2) trusty; urgency=medium * d/p/ring-perms.patch: Ensure that generated rings can be read by the swift user, fixing autopkgtest failure (LP: #1302700). -- James Page Sun, 06 Apr 2014 21:10:51 +0100 swift (1.13.1~rc1-0ubuntu1) trusty; urgency=medium [ Chuck Short ] * Add new binaries: - d/swift-container.install: Add swift-container-info binary. - d/swift-account.install: Add swift-account-info binary. [ James Page ] * New upstream release candidate (LP: #1299055). * d/rules: Tidy dh_clean override. * d/rules,swift-doc.docs: Re-enable documentation build. * d/*.manpages: Rejig manpage installs into correct packages. * d/container-server.conf: Add missing container-sync section (LP: #1290813). * d/*: Wrap-and-sort. -- James Page Fri, 04 Apr 2014 10:57:51 +0100 swift (1.13.0-0ubuntu1) trusty; urgency=medium [ Chuck Short ] * New upstream release. [ James Page ] * Add object-expirer package and associated configuration (LP: #1235495): - d/control: Add swift-object-expirer package, break/replace swift-object from earlier versions. - d/swift-object.install: Drop install of swift-object-expirer. - d/swift-object-expirer.{install,upstart}: Install swift-object-expirer and associated upstart configuration. - d/rules,object-expirer.conf: Provide basic object-expirer configuration. - debian/swift-object-expirer.docs: Add full example configuration to docs. * d/rules,swift-container.swift-container-sync.upstart: Add upstart configuration for swift-container-sync process (LP: #1250171). -- Chuck Short Thu, 06 Mar 2014 12:29:10 -0500 swift (1.12.0-0ubuntu1) trusty; urgency=medium * New upstream release. * debian/patches/fix-ubuntu-tests.patch: Rediffed. * debian/rules: Add pythonpath for tests. -- Chuck Short Wed, 29 Jan 2014 09:14:25 -0500 swift (1.11.0-0ubuntu2) trusty; urgency=low * d/tests/swift-daemons: Use service command to restart daemons instead of directly using non-existent scripts in /etc/init.d. -- James Page Fri, 13 Dec 2013 09:14:19 +0000 swift (1.11.0-0ubuntu1) trusty; urgency=low [ Chuck Short ] * debian/control: open icehouse release. * debian/rules: - Fix doc installation. - Removed debian distribution checking. * Removed init scripts, they dont get installed anyways. * Renamed upstart.in to regular upstart jobs. * debian/swift-doc.docs: Drop doc/build/html. * debian/swift.install: Remove swift-bench and swift-bench-client, it has moved into its own project. * debian/control: Suggest swift-bench. * debian/fix-ubuntu-tests.patch: Disable tests that fail on buildds. [ James Page ] * d/rules: Don't clean debian/*.upstart; we need those now! -- Chuck Short Thu, 12 Dec 2013 10:50:46 -0500 swift (1.10.0-0ubuntu1) saucy; urgency=low * New upstream release (LP: #1236462). -- Chuck Short Thu, 17 Oct 2013 10:26:18 -0400 swift (1.10.0~rc1-0ubuntu1) saucy; urgency=low * New upstream release candidate. -- Chuck Short Wed, 09 Oct 2013 15:05:24 -0400 swift (1.9.1-0ubuntu3) saucy; urgency=low * d/python-swift.postinst: Allow swift user to write to /var/cache/swift, resolving repeated errors in swift syslog (LP: #1234657). -- James Page Fri, 04 Oct 2013 16:21:14 +0100 swift (1.9.1-0ubuntu2) saucy; urgency=low * d/control: Add missing dependency on python-dnspython >= 1.10.0. * d/control: Wrap and sort. -- James Page Wed, 25 Sep 2013 16:08:35 +0100 swift (1.9.1-0ubuntu1) saucy; urgency=low [ James Page ] * d/control: Update VCS fields for new branch locations. [ Chuck Short ] * New upstream release. -- Chuck Short Tue, 13 Aug 2013 10:37:13 -0400 swift (1.9.0-0ubuntu1) saucy; urgency=low [ Chuck Short ] * New upstream release. * debian/swift.install: Add swift-config. * debian/control: Nump standards version to 3.9.4 [ Yolanda Robla ] * debian/tests: added autopkg tests -- Chuck Short Tue, 02 Jul 2013 10:26:07 -0500 swift (1.8.0-0ubuntu1) raring; urgency=low * New upstream release. -- Chuck Short Thu, 04 Apr 2013 10:38:18 -0500 swift (1.8.0~rc2-0ubuntu1) raring; urgency=low * New usptream release candidate for grizzly. -- Chuck Short Tue, 02 Apr 2013 09:06:48 -0500 swift (1.8.0~rc1-0ubuntu1) raring; urgency=low * New upstream release candidate for grizzly. -- Chuck Short Wed, 20 Mar 2013 08:19:17 -0500 swift (1.7.6-0ubuntu1) raring; urgency=low * New upstream release. -- Chuck Short Mon, 28 Jan 2013 09:44:34 -0600 swift (1.7.5-0ubuntu1) raring; urgency=low * New upstream release. * debian/control: Dropped python-webob. * debian/swift.install: Add swift-bench-client. -- Chuck Short Wed, 14 Nov 2012 12:11:47 -0600 swift (1.7.4-0ubuntu2) quantal; urgency=low * debian/control: Conflicts/Breaks on swift 1.6.0-ubuntu1 when upgrading from precise, since the swift client has been moved to python-swiftclient. (LP: #1061064) -- Chuck Short Thu, 11 Oct 2012 09:06:02 -0500 swift (1.7.4-0ubuntu1) quantal; urgency=low * New upstream release. * debian/rules: Fail to build the packages if testsuite fails. -- Chuck Short Wed, 26 Sep 2012 09:19:43 -0500 swift (1.7.2-0ubuntu1) quantal; urgency=low * New upstream release, this release fixes a major regression introduced in the last release. -- Chuck Short Thu, 20 Sep 2012 08:42:59 -0500 swift (1.7.0-0ubuntu1) quantal; urgency=low [ Soren Hansen ] * Update debian/watch to account for symbolically named tarballs and use newer URL. * Run unit tests at build time. * Fix Launchpad URLs in debian/watch. [ Chuck Short ] * New upstream release * debian/control: Add python-mock as a build dep * debian/rules: Dont fail if testsuite fails. -- Chuck Short Fri, 07 Sep 2012 19:02:36 -0500 swift (1.6.0-0ubuntu1) quantal; urgency=low [ Adam Gandelman ] * debian/patches/fix-ubuntu-unitteests.patch: Refreshed against tarball generated by sdist. * debian/control: Add python-swiftclient to Build-Depends. * debian/swift.install: Remove swift CLI client, moved to python-swiftclient. * debian/patches/fix-ubuntu-unittests.patch: Dropped. Similar upstream commit ensures logging exceptions are properly handled. * debian/rules: *Temporarily* disable test suite. [ Chuck Short ] * New upstream version. * python-swift.dirs: Add /var/cache/swift * debian/man/*: Removed used upstream man pages and replaced with upstream manpages. (LP: #1006671) -- Chuck Short Tue, 07 Aug 2012 09:31:35 -0500 swift (1.5.0-0ubuntu1) quantal; urgency=low * New upstream version * debian/patches/fix-ubuntu-unittests.patch: Refreshed * debian/patches/fix-doc-no-network.patch: Refreshed * swift.docs: Add changelog * swift.install: Remove missing binaries. * debian/control: Bump to version 3.9.3 * debian/swift.install: Add swift-temp-url and swift-form-signature. -- Chuck Short Mon, 18 Jun 2012 09:30:05 -0400 swift (1.4.8-0ubuntu2) precise; urgency=low * debian/patches/fix-ubuntu-unittests.patch: Refreshed to fix testsuite failures. -- Chuck Short Thu, 12 Apr 2012 12:05:29 -0400 swift (1.4.8-0ubuntu1) precise; urgency=low * New upstream release. * debian/patches/fix-ubuntu-unittests.patch: Refreshed. * debian/patches/fix-doc-no-network.patch: Dont access network when trying to build docs. -- Chuck Short Tue, 10 Apr 2012 09:23:54 -0400 swift (1.4.7-0ubuntu3) precise; urgency=low * debian/rules: Make the build fail if the testsuite doesnt pass. * debian/patches/fix-ubuntu-unittests.patch: Various fixes to build swift in the buildds. (LP: #961871) -- Chuck Short Mon, 26 Mar 2012 12:11:25 -0400 swift (1.4.7-0ubuntu2) precise; urgency=low * Fixup upstart configurations (LP: #954477): - d/rules: Correctly generate ALL upstart configurations when building for Ubuntu. - d/*.upstart.in: Update upstart config's to use new conf file locations. -- James Page Thu, 15 Mar 2012 15:34:19 +0000 swift (1.4.7-0ubuntu1) precise; urgency=low [ Chuck Short ] * New upstream release. [ Thierry Carrez (ttx) ] * Remove swift-stats-populate, swift-stats-report and stats.conf-sample to match Swift 1.4.7 contents -- Chuck Short Fri, 09 Mar 2012 13:26:07 -0500 swift (1.4.7~20120302.1721-0ubuntu1) precise; urgency=low * New upstream release. -- Chuck Short Fri, 02 Mar 2012 13:27:27 -0500 swift (1.4.7~20120224.1690-0ubuntu1) precise; urgency=low [ Chuck Short ] * New upstream release. [ Chmouel Boudjnah ] * Add more samples to packages (LP:#667935) -- Chuck Short Fri, 24 Feb 2012 09:10:12 -0500 swift (1.4.7~20120210.1686-0ubuntu1) precise; urgency=low * New upstream release. * debian/control: Add python-paste. -- Chuck Short Fri, 10 Feb 2012 09:41:51 -0500 swift (1.4.6~20120202.1676-0ubuntu1) precise; urgency=low * New upstream version. -- Chuck Short Fri, 03 Feb 2012 09:35:18 -0500 swift (1.4.6~20120119.1666-0ubuntu2) precise; urgency=low * Update swift.install to reflect release. -- Chuck Short Thu, 26 Jan 2012 09:05:51 -0500 swift (1.4.6~20120119.1666-0ubuntu1) precise; urgency=low [Chuck Short] * New upstream release. [ Daniel T Chen ] * debian/control: Fix Vcs entries. * debian/swift.install: Add new scripts. Fixes FTBFS. [ Marc Cluet ] * Changed swift-proxy upstart script to watch /etc/swift/proxy-server.conf (LP:#917893) -- Chuck Short Fri, 20 Jan 2012 13:20:46 -0500 swift (1.4.6~20120112.1660-0ubuntu1) precise; urgency=low [Chuck Short] * New upstream release. * Merged changes from upstream packaging, thanks to Thierry Carrez. * debian/rules: + Remove egg-info on clean. [Thierry Carrez (ttx)] * Added usr/bin/swift-recon[-cron] to swift package. -- Chuck Short Mon, 09 Jan 2012 11:26:25 -0500 swift (1.4.5~20111202.1634-0ubuntu3) precise; urgency=low * debian/swift.manpages: Remove swauth man pages. -- Matthias Klose Wed, 21 Dec 2011 18:29:35 +0100 swift (1.4.5~20111202.1634-0ubuntu2) precise; urgency=low [ Chuck Short ] * Drop swauth man pages. (LP: #900888) * debian/control: - Clean up build depends. - Update VCS info to point to the right branches. * debian/rules: Run the swift testsuite. * debian/python-swift.postinst: Change user's shell to /bin/false. * Fix some lintian warnings. [ Thierry Carrez (ttx) ] * Ship swift-oldies and swift-orphans in swift package -- Chuck Short Fri, 16 Dec 2011 09:45:28 -0500 swift (1.4.5~20111202.1634-0ubuntu1) precise; urgency=low * New upstream release. -- Chuck Short Fri, 02 Dec 2011 09:49:32 -0500 swift (1.4.5~20111117.1632-0ubuntu1) precise; urgency=low * New upstream release. * Convert init scripts to upstart. -- Chuck Short Fri, 18 Nov 2011 13:25:16 -0500 swift (1.4.4~20111108.1612-0ubuntu1) precise; urgency=low * New upstream release. * debian/rules: Add --fail-missing. * Update .isntall files. (LP: #882679, #841853) -- Chuck Short Fri, 11 Nov 2011 10:49:12 -0500 swift (1.4.4~20111014.1599-0ubuntu1) precise; urgency=low * New upstream verison. * Dropped: - debian/patches/backport-change-swift-ring-builder-exit-codes. -- Chuck Short Fri, 21 Oct 2011 13:50:47 -0400 swift (1.4.3-0ubuntu2) oneiric; urgency=low [ Adam Gandelman ] * debian/patches/backport-change-swift-ring-builder-exit-codes: Standardize exit codes now to reduce hassles after future upgrades (LP: #836922) -- Chuck Short Fri, 30 Sep 2011 15:00:26 -0400 swift (1.4.3-0ubuntu1) oneiric; urgency=low [Chuck Short] * New upstream release. [Monty Taylor] * Work around dh_python2 for lucid. (LP: #848971) -- Monty Taylor Fri, 16 Sep 2011 15:40:19 -0400 swift (1.4.3~20110902.354-0ubuntu1) oneiric; urgency=low * New upstream release. -- Chuck Short Fri, 02 Sep 2011 14:10:27 -0400 swift (1.4.3~20110823.347-0ubuntu1) oneiric; urgency=low * New upstream release. -- Chuck Short Fri, 26 Aug 2011 14:11:09 -0400 swift (1.4.3~20110811.341-0ubuntu1) oneiric; urgency=low * New upstream release. -- Chuck Short Fri, 12 Aug 2011 05:33:16 -0400 swift (1.4.3~20110728.333-0ubuntu1) UNRELEASED; urgency=low [ Soren Hansen ] * New upstream snapshot. * Remove debian-changes patch file. * Remove SOURCES.txt in clean target to avoid gettings its changes in our diff.gz. * Add "status" support to all init scripts. * Use "shutdown" instead of "stop" as the action argument for swift- init. This shuts down the services gracefully (letting live requests finish). * Add swift-dispersion-{report,populate} to swift.install. [ Thomas Goirand ] * Added missing adduser and lsb-base dependency. * Made the long description longer (it was really minimalistic). * Reworked all Debian init.d scripts. * Added many missing manpages. * Added default container-server.conf & object-server.conf files. [ James Page ] * Added debian/python-swift.postrm: Remove swift user when purging package (LP: #825670). -- James Page Tue, 16 Aug 2011 10:33:00 +0100 swift (1.4.2-0ubuntu1) oneiric; urgency=low * New upstream release. * debian/control: - Update vcs infomration. - Cleaned up build dependencies. - Bump standards to version 3.9.2. * debian/README.Source: Add doc to upload swift to the ubuntu archive. * dh_python2 transition. -- Chuck Short Thu, 28 Jul 2011 10:39:51 -0400 swift (1.4.2~20110624.319-0ubuntu3) oneiric; urgency=low * Clean up missing files. -- Chuck Short Mon, 27 Jun 2011 06:30:51 -0400 swift (1.4.2~20110624.319-0ubuntu2) oneiric; urgency=low * New upstream release. -- Chuck Short Fri, 24 Jun 2011 14:00:18 -0400 swift (1.4.1-0ubuntu1) oneiric; urgency=low * New upstream release. -- Chuck Short Mon, 20 Jun 2011 13:08:04 -0400 swift (1.4.1~20110615.r304-0ubuntu1) oneiric; urgency=low [ Gregory Holt ] * Removed swauth references. [ Soren Hansen ] * st was renamed to swift. [ Chuck Short ] * New upstream release. -- Chuck Short Thu, 16 Jun 2011 09:25:37 -0400 swift (1.4-dev+bzr300-0ubuntu1) oneiric; urgency=low * New upstream release. -- Chuck Short Tue, 31 May 2011 14:29:10 -0400 swift (1.3.0-0ubuntu1) natty; urgency=low * New upstream release. -- Chuck Short Fri, 15 Apr 2011 08:25:53 -0400 swift (1.3-rc+bzr266-0ubuntu1) UNRELEASED; urgency=low * New upstream release. -- Chuck Short Thu, 14 Apr 2011 09:38:42 -0400 swift (1.2.0+bzr208-0ubuntu1) natty; urgency=low * New upstream release. -- Chuck Short Tue, 12 Apr 2011 10:32:30 -0400 swift (1.2.0-0ubuntu1) natty; urgency=low * New upstream release. * Updated VC locations in control file. * Set maintainer properly for Ubuntu. -- Monty Taylor Wed, 16 Feb 2011 08:50:48 -0800 swift (1.1.0+bzr173-0ubuntu1) natty; urgency=low * Fresh snapshot. * Updated watch file to also know about the new tarballs place. * Update Maintainer to point to myself. * Add a get-orig-source target to debian/rules. -- Soren Hansen Sat, 15 Jan 2011 00:19:38 +0100 swift (1.0.99+1.1.0rc1-1) unstable; urgency=low * New upstream release. * Updated to standards version 3.9.1. * Use jquery package to provide jquery.js. * Updated some of the control file to make lintian happy. -- Monty Taylor Tue, 19 Oct 2010 14:32:17 -0700 swift (1.0.2-7) unstable; urgency=low * Added swift-bench to swift package. -- Monty Taylor Mon, 18 Oct 2010 09:14:22 -0700 swift (1.0.2-6) unstable; urgency=low * swift-auth-create-account is now swift-auth-add-user. -- Greg Holt Fri, 03 Sep 2010 13:32:20 +0000 swift (1.0.2-5) unstable; urgency=low * Add a step in debian/rules to create doc/build if it doesn't exist. -- Monty Taylor Wed, 25 Aug 2010 08:55:45 -0700 swift (1.0.2-4) unstable; urgency=low * Fixed the depend on sphinx - it actually only needs to be >= 1.0. * Added paste-deploy as a depend. -- Monty Taylor Tue, 24 Aug 2010 12:02:31 -0700 swift (1.0.2-3) unstable; urgency=low [ Greg Holt ] * Added a png to the docs. [ Monty Taylor ] * Add rsync and remove duplicate net-tools dependency. * Added Jay Payne to uploaders. * Added Greg Holt to uploaders. * Updated VCS location to use UDD locations. * We actually depend on 1.0 of sphinx. -- Monty Taylor Tue, 24 Aug 2010 00:02:00 -0700 swift (1.0.2-2) unstable; urgency=low * Created python-swift package and actually put the python files in it. * Added python build dep. * Added debhelper token to postinst script. Also removed the byte-compiling of the files, since python-support should do that for us. * Cleaned up control file - removed homepage entries in description, removed trailing periods. * Changed provides in swift-proxy to match policy. -- Monty Taylor Wed, 28 Jul 2010 13:32:55 -0700 swift (1.0.2-1) unstable; urgency=low * New upstream release. * Added VCS info to control file. -- Monty Taylor Thu, 22 Jul 2010 18:32:02 -0500 swift (1.0.1-1) unstable; urgency=low * New upstream release. -- Monty Taylor Mon, 19 Jul 2010 11:22:41 -0500 swift (1.0.0-1) unstable; urgency=low [ Michael Barton ] * Initial release [ Monty Taylor ] * Added docs to doc system. -- Monty Taylor Wed, 14 Jul 2010 10:41:11 -0500 debian/swift-object.docs0000664000000000000000000000012413126623062012440 0ustar etc/object-server.conf-sample etc/rsyncd.conf-sample etc/object-expirer.conf-sample debian/swift-object.swift-object-auditor0000664000000000000000000000253413126623062015564 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: swift-object-auditor # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Swift object auditor server # Description: Object auditor server for swift. ### END INIT INFO set -e SERVICE_NAME="swift-object-auditor" DAEMON="/usr/bin/${SERVICE_NAME}" DAEMON_ARGS="/etc/swift/object-server.conf" PRINT_NAME="Swift object auditor" SWIFT_USER=swift SWIFT_GRP=swift PID_FILE=/var/run/swift/${SERVICE_NAME}.pid PID_DIR=`dirname $PID_FILE` if ! [ -x "${DAEMON}" ] ; then exit 0 fi if ! [ -r "${DAEMON_ARGS}" ] ; then echo "No configuration file found in ${DAEMON_ARGS}: exiting" exit 0 fi mkdir -p ${PID_DIR} chown ${SWIFT_USER} ${PID_DIR} . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --start --chuid ${SWIFT_USER}:${SWIFT_GRP} -b -m --pidfile $PID_FILE --exec ${DAEMON} -- ${DAEMON_ARGS} log_end_msg $? ;; stop) log_daemon_msg "Stopping ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --stop --oknodo --pidfile ${PID_FILE} log_end_msg $? ;; restart|force-reload|reload) $0 stop sleep 1 $0 start ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $0 {start|stop|restart|reload}" exit 1 ;; esac exit 0 debian/swift-doc.docs0000664000000000000000000000001713126623062011740 0ustar doc/build/html debian/swift-object.swift-object-replicator0000664000000000000000000000256713126623062016267 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: swift-object-replicator # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Swift object replicator server # Description: Object replicator server for swift. ### END INIT INFO set -e SERVICE_NAME="swift-object-replicator" DAEMON="/usr/bin/${SERVICE_NAME}" DAEMON_ARGS="/etc/swift/object-server.conf" PRINT_NAME="Swift object replicator" SWIFT_USER=swift SWIFT_GRP=swift PID_FILE=/var/run/swift/${SERVICE_NAME}.pid PID_DIR=`dirname $PID_FILE` if ! [ -x "${DAEMON}" ] ; then exit 0 fi if ! [ -r "${DAEMON_ARGS}" ] ; then echo "No configuration file found in ${DAEMON_ARGS}: exiting" exit 0 fi mkdir -p ${PID_DIR} chown ${SWIFT_USER} ${PID_DIR} . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --start --chuid ${SWIFT_USER}:${SWIFT_GRP} -b -m --pidfile $PID_FILE --exec ${DAEMON} -- ${DAEMON_ARGS} log_end_msg $? ;; stop) log_daemon_msg "Stopping ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --stop --oknodo --pidfile ${PID_FILE} log_end_msg $? ;; restart|force-reload|reload) $0 stop sleep 1 $0 start ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 1 ;; esac exit 0 debian/swift-account.swift-account-replicator0000664000000000000000000000255713126623062016642 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: swift-account-replicator # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Swift account replicator # Description: Account replicator for swift. ### END INIT INFO set -e SERVICE_NAME="swift-account-replicator" DAEMON="/usr/bin/${SERVICE_NAME}" DAEMON_ARGS="/etc/swift/account-server.conf" PRINT_NAME="Swift account replicator" SWIFT_USER=swift SWIFT_GRP=swift PID_FILE=/var/run/swift/${SERVICE_NAME}.pid PID_DIR=`dirname $PID_FILE` if ! [ -x "${DAEMON}" ] ; then exit 0 fi if ! [ -r "${DAEMON_ARGS}" ] ; then echo "No configuration file found in ${DAEMON_ARGS}: exiting" exit 0 fi mkdir -p ${PID_DIR} chown ${SWIFT_USER} ${PID_DIR} . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --start --chuid ${SWIFT_USER}:${SWIFT_GRP} -b -m --pidfile $PID_FILE --exec ${DAEMON} -- ${DAEMON_ARGS} log_end_msg $? ;; stop) log_daemon_msg "Stopping ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --stop --oknodo --pidfile ${PID_FILE} log_end_msg $? ;; restart|force-reload|reload) $0 stop sleep 1 $0 start ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 1 ;; esac exit 0 debian/swift-proxy.upstart0000664000000000000000000000062713126623062013135 0ustar # swift-proxy - SWIFT Proxy Server # # The swift proxy server. description "SWIFT Proxy Server" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/proxy-server.conf" ]; then exec /usr/bin/swift-init proxy-server start else exit 1 fi end script post-stop exec /usr/bin/swift-init proxy-server stop debian/python-swift.install0000664000000000000000000000011513126623062013231 0ustar usr/bin/swift-drive-audit usr/bin/swift-init usr/lib/python*/dist-packages/* debian/swift-account.swift-account-reaper.upstart0000664000000000000000000000065413126623062017451 0ustar # swift-account-reaper - SWIFT Account Reaper # # The swift account reaper. description "SWIFT Account Reaper" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/account-server.conf" ]; then exec /usr/bin/swift-init account-reaper start else exit 1 fi end script post-stop exec /usr/bin/swift-init account-reaper stop debian/python-swift.postinst0000664000000000000000000000056313126623062013455 0ustar #!/bin/sh -e #DEBHELPER# if ! getent passwd swift > /dev/null ; then adduser --system --quiet --disabled-login --disabled-password --no-create-home --group --shell /bin/false swift fi usermod -G adm swift if [ -d /var/cache/swift ] ; then # Allow swift user to write to cache directory chown root:swift /var/cache/swift chmod 0775 /var/cache/swift fi exit 0 debian/swift-object.manpages0000664000000000000000000000032613126623062013307 0ustar doc/manpages/object-server.conf.5 doc/manpages/swift-object-auditor.1 doc/manpages/swift-object-info.1 doc/manpages/swift-object-replicator.1 doc/manpages/swift-object-server.1 doc/manpages/swift-object-updater.1 debian/swift-account.swift-account-reaper0000664000000000000000000000254313126623062015747 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: swift-account-reaper # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Swift account reaper server # Description: Account reaper for swift. ### END INIT INFO set -e SERVICE_NAME="swift-account-reaper" DAEMON="/usr/bin/${SERVICE_NAME}" DAEMON_ARGS="/etc/swift/account-server.conf" PRINT_NAME="Swift account reaper" SWIFT_USER=swift SWIFT_GRP=swift PID_FILE=/var/run/swift/${SERVICE_NAME}.pid PID_DIR=`dirname $PID_FILE` if ! [ -x "${DAEMON}" ] ; then exit 0 fi if ! [ -r "${DAEMON_ARGS}" ] ; then echo "No configuration file found in ${DAEMON_ARGS}: exiting" exit 0 fi mkdir -p ${PID_DIR} chown ${SWIFT_USER} ${PID_DIR} . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --start --chuid ${SWIFT_USER}:${SWIFT_GRP} -b -m --pidfile $PID_FILE --exec ${DAEMON} -- ${DAEMON_ARGS} log_end_msg $? ;; stop) log_daemon_msg "Stopping ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --stop --oknodo --pidfile ${PID_FILE} log_end_msg $? ;; restart|force-reload|reload) $0 stop sleep 1 $0 start ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 1 ;; esac exit 0 debian/python-swift.dirs0000664000000000000000000000002013126623062012517 0ustar var/cache/swift debian/swift-container.swift-container-replicator0000664000000000000000000000257513126623062017516 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: swift-container-replicator # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Swift container replicator # Description: Container replicator for swift. ### END INIT INFO set -e SERVICE_NAME="swift-container-replicator" DAEMON="/usr/bin/${SERVICE_NAME}" DAEMON_ARGS="/etc/swift/container-server.conf" PRINT_NAME="Swift countainer replicator" SWIFT_USER=swift SWIFT_GRP=swift PID_FILE=/var/run/swift/${SERVICE_NAME}.pid PID_DIR=`dirname $PID_FILE` if ! [ -x "${DAEMON}" ] ; then exit 0 fi if ! [ -r "${DAEMON_ARGS}" ] ; then echo "No configuration file found in ${DAEMON_ARGS}: exiting" exit 0 fi mkdir -p ${PID_DIR} chown ${SWIFT_USER} ${PID_DIR} . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --start --chuid ${SWIFT_USER}:${SWIFT_GRP} -b -m --pidfile $PID_FILE --exec ${DAEMON} -- ${DAEMON_ARGS} log_end_msg $? ;; stop) log_daemon_msg "Stopping ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --stop --oknodo --pidfile ${PID_FILE} log_end_msg $? ;; restart|force-reload|reload) $0 stop sleep 1 $0 start ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $0 {start|stop|restart|reload|force-reload}" exit 1 ;; esac exit 0 debian/swift-object.swift-object-updater0000664000000000000000000000253313126623062015560 0ustar #! /bin/sh ### BEGIN INIT INFO # Provides: swift-object-updater # Required-Start: $remote_fs # Required-Stop: $remote_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: Swift object updater server # Description: Object updater server for swift. ### END INIT INFO set -e SERVICE_NAME="swift-object-updater" DAEMON="/usr/bin/${SERVICE_NAME}" DAEMON_ARGS="/etc/swift/object-server.conf" PRINT_NAME="Swift object updater" SWIFT_USER=swift SWIFT_GRP=swift PID_FILE=/var/run/swift/${SERVICE_NAME}.pid PID_DIR=`dirname $PID_FILE` if ! [ -x "${DAEMON}" ] ; then exit 0 fi if ! [ -r "${DAEMON_ARGS}" ] ; then echo "No configuration file found in ${DAEMON_ARGS}: exiting" exit 0 fi mkdir -p ${PID_DIR} chown ${SWIFT_USER} ${PID_DIR} . /lib/lsb/init-functions case "$1" in start) log_daemon_msg "Starting ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --start --chuid ${SWIFT_USER}:${SWIFT_GRP} -b -m --pidfile $PID_FILE --exec ${DAEMON} -- ${DAEMON_ARGS} log_end_msg $? ;; stop) log_daemon_msg "Stopping ${PRINT_NAME}" "${SERVICE_NAME}" start-stop-daemon --stop --oknodo --pidfile ${PID_FILE} log_end_msg $? ;; restart|force-reload|reload) $0 stop sleep 1 $0 start ;; status) status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? ;; *) echo "Usage: $0 {start|stop|restart|reload}" exit 1 ;; esac exit 0 debian/source/0000775000000000000000000000000013126623062010471 5ustar debian/source/include-binaries0000664000000000000000000000004613126623062013631 0ustar doc/source/howto_cyberduck_config.png debian/source/format0000664000000000000000000000001413126623062011677 0ustar 3.0 (quilt) debian/swift-account.manpages0000664000000000000000000000006213126623062013472 0ustar doc/manpages/account* doc/manpages/swift-account* debian/compat0000664000000000000000000000000213126623062010367 0ustar 7 debian/swift-account.docs0000664000000000000000000000003713126623062012631 0ustar etc/account-server.conf-sample debian/container-server.conf0000664000000000000000000000033313126623062013325 0ustar [DEFAULT] bind_ip = 0.0.0.0 workers = 2 [pipeline:main] pipeline = container-server [app:container-server] use = egg:swift#container [container-replicator] [container-updater] [container-auditor] [container-sync] debian/patches/0000775000000000000000000000000013155770556010635 5ustar debian/patches/CVE-2015-1856.patch0000664000000000000000000002140013126623062013241 0ustar From f6525758ab2456d688430699338993439597a789 Mon Sep 17 00:00:00 2001 From: Alistair Coles Date: Fri, 3 Apr 2015 18:46:20 +0100 Subject: [PATCH] Prevent unauthorized delete in versioned container An authenticated user can delete the most recent version of any versioned object who's name is known if the user has listing access to the x-versions-location container. Only Swift setups with allow_version setting are affected. This patch closes this bug, tracked as CVE-2015-1856. Co-Authored-By: Clay Gerrard Co-Authored-By: Christian Schwede Co-Authored-By: Alistair Coles Closes-Bug: 1430645 Change-Id: Icde494a9a2c851034813cbc3855a20335b643f09 --- swift/proxy/controllers/obj.py | 12 ++++++--- test/functional/tests.py | 45 ++++++++++++++++++++++++++++++++ test/unit/proxy/test_server.py | 58 +++++++++++++++++++++++++++++++++++++++++- 3 files changed, 110 insertions(+), 5 deletions(-) diff --git a/swift/proxy/controllers/obj.py b/swift/proxy/controllers/obj.py index 3b65f93..74b984b 100644 --- a/swift/proxy/controllers/obj.py +++ b/swift/proxy/controllers/obj.py @@ -762,6 +762,10 @@ class ObjectController(Controller): req.acl = container_info['write_acl'] req.environ['swift_sync_key'] = container_info['sync_key'] object_versions = container_info['versions'] + if 'swift.authorize' in req.environ: + aresp = req.environ['swift.authorize'](req) + if aresp: + return aresp if object_versions: # this is a version manifest and needs to be handled differently object_versions = unquote(object_versions) @@ -818,10 +822,10 @@ class ObjectController(Controller): # remove 'X-If-Delete-At', since it is not for the older copy if 'X-If-Delete-At' in req.headers: del req.headers['X-If-Delete-At'] - if 'swift.authorize' in req.environ: - aresp = req.environ['swift.authorize'](req) - if aresp: - return aresp + if 'swift.authorize' in req.environ: + aresp = req.environ['swift.authorize'](req) + if aresp: + return aresp if not containers: return HTTPNotFound(request=req) partition, nodes = self.app.object_ring.get_nodes( diff --git a/test/functional/tests.py b/test/functional/tests.py index 7983815..d043bf7 100644 --- a/test/functional/tests.py +++ b/test/functional/tests.py @@ -26,6 +26,7 @@ import threading import unittest import urllib import uuid +from copy import deepcopy from nose import SkipTest from test import get_config @@ -2102,6 +2103,14 @@ class TestObjectVersioningEnv(object): cls.account = Account(cls.conn, config.get('account', config['username'])) + # Second connection for ACL tests + config2 = deepcopy(config) + config2['account'] = config['account2'] + config2['username'] = config['username2'] + config2['password'] = config['password2'] + cls.conn2 = Connection(config2) + cls.conn2.authenticate() + # avoid getting a prefix that stops halfway through an encoded # character prefix = Utils.create_name().decode("utf-8")[:10].encode("utf-8") @@ -2134,6 +2143,15 @@ class TestObjectVersioning(Base): "Expected versioning_enabled to be True/False, got %r" % (self.env.versioning_enabled,)) + def tearDown(self): + super(TestObjectVersioning, self).tearDown() + try: + # delete versions first! + self.env.versions_container.delete_files() + self.env.container.delete_files() + except ResponseError: + pass + def test_overwriting(self): container = self.env.container versions_container = self.env.versions_container @@ -2165,6 +2183,33 @@ class TestObjectVersioning(Base): versioned_obj.delete() self.assertRaises(ResponseError, versioned_obj.read) + def test_versioning_check_acl(self): + container = self.env.container + versions_container = self.env.versions_container + versions_container.create(hdrs={'X-Container-Read': '.r:*,.rlistings'}) + + obj_name = Utils.create_name() + versioned_obj = container.file(obj_name) + versioned_obj.write("aaaaa") + self.assertEqual("aaaaa", versioned_obj.read()) + + versioned_obj.write("bbbbb") + self.assertEqual("bbbbb", versioned_obj.read()) + + # Use token from second account and try to delete the object + org_token = self.env.account.conn.storage_token + self.env.account.conn.storage_token = self.env.conn2.storage_token + try: + self.assertRaises(ResponseError, versioned_obj.delete) + finally: + self.env.account.conn.storage_token = org_token + + # Verify with token from first account + self.assertEqual("bbbbb", versioned_obj.read()) + + versioned_obj.delete() + self.assertEqual("aaaaa", versioned_obj.read()) + class TestObjectVersioningUTF8(Base2, TestObjectVersioning): set_up = False diff --git a/test/unit/proxy/test_server.py b/test/unit/proxy/test_server.py index 56adc70..6983e2d 100644 --- a/test/unit/proxy/test_server.py +++ b/test/unit/proxy/test_server.py @@ -56,7 +56,7 @@ from swift.proxy.controllers.base import get_container_memcache_key, \ import swift.proxy.controllers from swift.common.request_helpers import get_sys_meta_prefix from swift.common.swob import Request, Response, HTTPUnauthorized, \ - HTTPException + HTTPException, HTTPForbidden # mocks logging.getLogger().addHandler(logging.StreamHandler(sys.stdout)) @@ -1111,6 +1111,62 @@ class TestObjectController(unittest.TestCase): controller.DELETE(req) self.assertEquals(test_errors, []) + def test_denied_DELETE_of_versioned_object(self): + """ + Verify that a request with read access to a versions container + is unable to cause any write operations on the versioned container. + """ + methods = set() + authorize_call_count = [0] + + def test_connect(ipaddr, port, device, partition, method, path, + headers=None, query_string=None): + methods.add((method, path)) + + def fake_container_info(account, container, req): + return {'status': 200, 'sync_key': None, + 'meta': {}, 'cors': {'allow_origin': None, + 'expose_headers': None, + 'max_age': None}, + 'sysmeta': {}, 'read_acl': None, 'object_count': None, + 'write_acl': None, 'versions': 'foo', + 'partition': 1, 'bytes': None, 'storage_policy': '1', + 'nodes': [{'zone': 0, 'ip': '10.0.0.0', 'region': 0, + 'id': 0, 'device': 'sda', 'port': 1000}, + {'zone': 1, 'ip': '10.0.0.1', 'region': 1, + 'id': 1, 'device': 'sdb', 'port': 1001}, + {'zone': 2, 'ip': '10.0.0.2', 'region': 0, + 'id': 2, 'device': 'sdc', 'port': 1002}]} + + def fake_list_iter(container, prefix, env): + object_list = [{'name': '1'}, {'name': '2'}, {'name': '3'}] + for obj in object_list: + yield obj + + def fake_authorize(req): + # deny write access + authorize_call_count[0] += 1 + return HTTPForbidden(req) # allow the request + + with save_globals(): + controller = proxy_server.ObjectController(self.app, + 'a', 'c', 'o') + controller.container_info = fake_container_info + # patching _listing_iter simulates request being authorized + # to list versions container + controller._listing_iter = fake_list_iter + set_http_connect(give_connect=test_connect) + req = Request.blank('/v1/a/c/o', + environ={'REQUEST_METHOD': 'DELETE', + 'swift.authorize': fake_authorize}) + + self.app.memcache.store = {} + self.app.update_request(req) + resp = controller.DELETE(req) + self.assertEqual(403, resp.status_int) + self.assertFalse(methods, methods) + self.assertEquals(authorize_call_count[0], 1) + def test_PUT_auto_content_type(self): with save_globals(): controller = proxy_server.ObjectController(self.app, 'account', -- 1.9.1 debian/patches/CVE-2016-0737.patch0000664000000000000000000004256713155743274013272 0ustar From 35d51ab430c00f561f131a091567699f6675f247 Mon Sep 17 00:00:00 2001 From: Samuel Merritt Date: Mon, 1 Feb 2016 22:11:13 -0700 Subject: [PATCH] Get better at closing WSGI iterables. PEP 333 (WSGI) says: "If the iterable returned by the application has a close() method, the server or gateway must call that method upon completion of the current request[.]" There's a bunch of places where we weren't doing that; some of them matter more than others. Calling .close() can prevent a connection leak in some cases. In others, it just provides a certain pedantic smugness. Either way, we should do what WSGI requires. Noteworthy goofs include: * If a client is downloading a large object and disconnects halfway through, a proxy -> obj connection may be leaked. In this case, the WSGI iterable is a SegmentedIterable, which lacked a close() method. Thus, when the WSGI server noticed the client disconnect, it had no way of telling the SegmentedIterable about it, and so the underlying iterable for the segment's data didn't get closed. Here, it seems likely (though unproven) that the object server would time out and kill the connection, or that a ChunkWriteTimeout would fire down in the proxy server, so the leaked connection would eventually go away. However, a flurry of client disconnects could leave a big pile of useless connections. * If a conditional request receives a 304 or 412, the underlying app_iter is not closed. This mostly affects conditional requests for large objects. The leaked connections were noticed by this patch's co-author, who made the changes to SegmentedIterable. Those changes helped, but did not completely fix, the issue. The rest of the patch is an attempt to plug the rest of the holes. Co-Authored-By: Romain LE DISEZ Closes-Bug: #1466549 Change-Id: I168e147aae7c1728e7e3fdabb7fba6f2d747d937 (cherry picked from commit 12d8a53fffea6e4bed8ba3d502ce625f5c6710b9 with fixed import conflicts) (hand-updated for OSP5 Icehouse) --- swift/common/middleware/dlo.py | 8 ++++++-- swift/common/middleware/slo.py | 10 ++++++---- swift/common/request_helpers.py | 35 ++++++++++++--------------------- swift/common/swob.py | 6 +++++- swift/common/utils.py | 22 +++++++++++++++++++++ test/unit/common/middleware/helpers.py | 32 +++++++++++++++++++++++++++++- test/unit/common/middleware/test_dlo.py | 10 ++++++++-- test/unit/common/middleware/test_slo.py | 13 ++++++++---- 8 files changed, 100 insertions(+), 36 deletions(-) Index: swift-1.13.1/swift/common/middleware/dlo.py =================================================================== --- swift-1.13.1.orig/swift/common/middleware/dlo.py 2017-09-12 07:36:25.611586492 -0400 +++ swift-1.13.1/swift/common/middleware/dlo.py 2017-09-12 07:36:25.603586401 -0400 @@ -22,7 +22,8 @@ from swift.common.http import is_success from swift.common.swob import Request, Response, \ HTTPRequestedRangeNotSatisfiable, HTTPBadRequest from swift.common.utils import get_logger, json, \ - RateLimitedIterator, read_conf_dir, quote + RateLimitedIterator, read_conf_dir, quote, close_if_possible, \ + closing_if_possible from swift.common.request_helpers import SegmentedIterable from swift.common.wsgi import WSGIContext, make_subrequest from urllib import unquote @@ -48,7 +49,8 @@ class GetContext(WSGIContext): con_resp = con_req.get_response(self.dlo.app) if not is_success(con_resp.status_int): return con_resp, None - return None, json.loads(''.join(con_resp.app_iter)) + with closing_if_possible(con_resp.app_iter): + return None, json.loads(''.join(con_resp.app_iter)) def _segment_listing_iterator(self, req, version, account, container, prefix, segments, first_byte=None, @@ -107,6 +109,7 @@ class GetContext(WSGIContext): # we've already started sending the response body to the # client, so all we can do is raise an exception to make the # WSGI server close the connection early + close_if_possible(error_response.app_iter) raise ListingIterError( "Got status %d listing container /%s/%s" % (error_response.status_int, account, container)) @@ -216,6 +219,7 @@ class GetContext(WSGIContext): # make sure this response is for a dynamic large object manifest for header, value in self._response_headers: if (header.lower() == 'x-object-manifest'): + close_if_possible(resp_iter) response = self.get_or_head_response(req, value) return response(req.environ, start_response) else: Index: swift-1.13.1/swift/common/middleware/slo.py =================================================================== --- swift-1.13.1.orig/swift/common/middleware/slo.py 2017-09-12 07:36:25.611586492 -0400 +++ swift-1.13.1/swift/common/middleware/slo.py 2017-09-12 07:36:25.607586446 -0400 @@ -146,9 +146,9 @@ from swift.common.swob import Request, H HTTPUnauthorized, HTTPRequestedRangeNotSatisfiable, Response from swift.common.utils import json, get_logger, config_true_value, \ get_valid_utf8_str, override_bytes_from_content_type, split_path, \ - register_swift_info, RateLimitedIterator, quote -from swift.common.request_helpers import SegmentedIterable, \ - closing_if_possible, close_if_possible + register_swift_info, RateLimitedIterator, quote, close_if_possible, \ + closing_if_possible +from swift.common.request_helpers import SegmentedIterable from swift.common.constraints import check_utf8, MAX_BUFFERED_SLO_SEGMENTS from swift.common.http import HTTP_NOT_FOUND, HTTP_UNAUTHORIZED, is_success from swift.common.wsgi import WSGIContext, make_subrequest @@ -226,6 +226,7 @@ class SloGetContext(WSGIContext): sub_resp = sub_req.get_response(self.slo.app) if not is_success(sub_resp.status_int): + close_if_possible(sub_resp.app_iter) raise ListingIterError( 'ERROR: while fetching %s, GET of submanifest %s ' 'failed with status %d' % (req.path, sub_req.path, @@ -399,7 +400,8 @@ class SloGetContext(WSGIContext): return response(req.environ, start_response) def get_or_head_response(self, req, resp_headers, resp_iter): - resp_body = ''.join(resp_iter) + with closing_if_possible(resp_iter): + resp_body = ''.join(resp_iter) try: segments = json.loads(resp_body) except ValueError: Index: swift-1.13.1/swift/common/request_helpers.py =================================================================== --- swift-1.13.1.orig/swift/common/request_helpers.py 2017-09-12 07:36:25.611586492 -0400 +++ swift-1.13.1/swift/common/request_helpers.py 2017-09-12 07:36:25.607586446 -0400 @@ -23,13 +23,13 @@ from swob in here without creating circu import hashlib import sys import time -from contextlib import contextmanager from urllib import unquote from swift.common.constraints import FORMAT2CONTENT_TYPE from swift.common.exceptions import ListingIterError, SegmentError from swift.common.http import is_success, HTTP_SERVICE_UNAVAILABLE from swift.common.swob import HTTPBadRequest, HTTPNotAcceptable -from swift.common.utils import split_path, validate_device_partition +from swift.common.utils import split_path, validate_device_partition, \ + close_if_possible from swift.common.wsgi import make_subrequest @@ -203,26 +203,6 @@ def remove_items(headers, condition): return removed -def close_if_possible(maybe_closable): - close_method = getattr(maybe_closable, 'close', None) - if callable(close_method): - return close_method() - - -@contextmanager -def closing_if_possible(maybe_closable): - """ - Like contextlib.closing(), but doesn't crash if the object lacks a close() - method. - - PEP 333 (WSGI) says: "If the iterable returned by the application has a - close() method, the server or gateway must call that method upon - completion of the current request[.]" This function makes that easier. - """ - yield maybe_closable - close_if_possible(maybe_closable) - - class SegmentedIterable(object): """ Iterable that returns the object contents for a large object. @@ -254,6 +234,7 @@ class SegmentedIterable(object): self.swift_source = swift_source self.name = name self.response = response + self.current_resp = None def app_iter_range(self, *a, **kw): """ @@ -325,6 +306,8 @@ class SegmentedIterable(object): 'r_size': seg_resp.content_length, 's_etag': seg_etag, 's_size': seg_size}) + else: + self.current_resp = seg_resp seg_hash = hashlib.md5() for chunk in seg_resp.app_iter: @@ -382,3 +365,11 @@ class SegmentedIterable(object): if self.response: self.response.status = HTTP_SERVICE_UNAVAILABLE raise + + def close(self): + """ + Called when the client disconnect. Ensure that the connection to the + backend server is closed. + """ + if self.current_resp: + close_if_possible(self.current_resp.app_iter) Index: swift-1.13.1/swift/common/swob.py =================================================================== --- swift-1.13.1.orig/swift/common/swob.py 2017-09-12 07:36:25.611586492 -0400 +++ swift-1.13.1/swift/common/swob.py 2017-09-12 07:36:25.607586446 -0400 @@ -49,7 +49,7 @@ import random import functools import inspect -from swift.common.utils import reiterate, split_path +from swift.common.utils import close_if_possible, reiterate, split_path RESPONSE_REASONS = { @@ -1099,12 +1099,14 @@ class Response(object): self.etag in self.request.if_none_match: self.status = 304 self.content_length = 0 + close_if_possible(app_iter) return [''] if self.etag and self.request.if_match and \ self.etag not in self.request.if_match: self.status = 412 self.content_length = 0 + close_if_possible(app_iter) return [''] if self.status_int == 404 and self.request.if_match \ @@ -1115,6 +1117,7 @@ class Response(object): # Failed) response. [RFC 2616 section 14.24] self.status = 412 self.content_length = 0 + close_if_possible(app_iter) return [''] if self.request and self.request.method == 'HEAD': @@ -1128,6 +1131,7 @@ class Response(object): if ranges == []: self.status = 416 self.content_length = 0 + close_if_possible(app_iter) return [''] elif ranges: range_size = len(ranges) Index: swift-1.13.1/swift/common/utils.py =================================================================== --- swift-1.13.1.orig/swift/common/utils.py 2017-09-12 07:36:25.611586492 -0400 +++ swift-1.13.1/swift/common/utils.py 2017-09-12 07:36:25.607586446 -0400 @@ -2622,6 +2622,28 @@ def ismount_raw(path): return False +def close_if_possible(maybe_closable): + close_method = getattr(maybe_closable, 'close', None) + if callable(close_method): + return close_method() + + +@contextmanager +def closing_if_possible(maybe_closable): + """ + Like contextlib.closing(), but doesn't crash if the object lacks a close() + method. + + PEP 333 (WSGI) says: "If the iterable returned by the application has a + close() method, the server or gateway must call that method upon + completion of the current request[.]" This function makes that easier. + """ + try: + yield maybe_closable + finally: + close_if_possible(maybe_closable) + + _rfc_token = r'[^()<>@,;:\"/\[\]?={}\x00-\x20\x7f]+' _rfc_extension_pattern = re.compile( r'(?:\s*;\s*(' + _rfc_token + r")\s*(?:=\s*(" + _rfc_token + Index: swift-1.13.1/test/unit/common/middleware/helpers.py =================================================================== --- swift-1.13.1.orig/test/unit/common/middleware/helpers.py 2017-09-12 07:36:25.611586492 -0400 +++ swift-1.13.1/test/unit/common/middleware/helpers.py 2017-09-12 07:36:25.607586446 -0400 @@ -15,12 +15,27 @@ # This stuff can't live in test/unit/__init__.py due to its swob dependency. +from collections import defaultdict from copy import deepcopy from hashlib import md5 from swift.common import swob from swift.common.utils import split_path +class LeakTrackingIter(object): + def __init__(self, inner_iter, fake_swift, path): + self.inner_iter = inner_iter + self.fake_swift = fake_swift + self.path = path + + def __iter__(self): + for x in self.inner_iter: + yield x + + def close(self): + self.fake_swift.mark_closed(self.path) + + class FakeSwift(object): """ A good-enough fake Swift proxy server to use in testing middleware. @@ -28,6 +43,7 @@ class FakeSwift(object): def __init__(self): self._calls = [] + self._unclosed_req_paths = defaultdict(int) self.req_method_paths = [] self.swift_sources = [] self.uploaded = {} @@ -87,7 +103,21 @@ class FakeSwift(object): req = swob.Request(env) resp = resp_class(req=req, headers=headers, body=body, conditional_response=True) - return resp(env, start_response) + wsgi_iter = resp(env, start_response) + self.mark_opened(path) + return LeakTrackingIter(wsgi_iter, self, path) + + def mark_opened(self, path): + self._unclosed_req_paths[path] += 1 + + def mark_closed(self, path): + self._unclosed_req_paths[path] -= 1 + + @property + def unclosed_requests(self): + return {path: count + for path, count in self._unclosed_req_paths.items() + if count > 0} @property def calls(self): Index: swift-1.13.1/test/unit/common/middleware/test_dlo.py =================================================================== --- swift-1.13.1.orig/test/unit/common/middleware/test_dlo.py 2017-09-12 07:36:25.611586492 -0400 +++ swift-1.13.1/test/unit/common/middleware/test_dlo.py 2017-09-12 07:36:25.607586446 -0400 @@ -23,6 +23,7 @@ import time import unittest from swift.common import exceptions, swob from swift.common.middleware import dlo +from swift.common.utils import closing_if_possible from test.unit.common.middleware.helpers import FakeSwift from textwrap import dedent @@ -51,8 +52,10 @@ class DloTestCase(unittest.TestCase): body = '' caught_exc = None try: - for chunk in body_iter: - body += chunk + # appease the close-checker + with closing_if_possible(body_iter): + for chunk in body_iter: + body += chunk except Exception as exc: if expect_exception: caught_exc = exc @@ -276,6 +279,9 @@ class TestDloHeadManifest(DloTestCase): class TestDloGetManifest(DloTestCase): + def tearDown(self): + self.assertEqual(self.app.unclosed_requests, {}) + def test_get_manifest(self): expected_etag = '"%s"' % md5hex( md5hex("aaaaa") + md5hex("bbbbb") + md5hex("ccccc") + Index: swift-1.13.1/test/unit/common/middleware/test_slo.py =================================================================== --- swift-1.13.1.orig/test/unit/common/middleware/test_slo.py 2017-09-12 07:36:25.611586492 -0400 +++ swift-1.13.1/test/unit/common/middleware/test_slo.py 2017-09-12 07:36:25.607586446 -0400 @@ -24,7 +24,7 @@ from swift.common import swob, utils from swift.common.exceptions import ListingIterError, SegmentError from swift.common.middleware import slo from swift.common.swob import Request, Response, HTTPException -from swift.common.utils import json +from swift.common.utils import json, closing_if_possible from test.unit.common.middleware.helpers import FakeSwift @@ -73,8 +73,10 @@ class SloTestCase(unittest.TestCase): body = '' caught_exc = None try: - for chunk in body_iter: - body += chunk + # appease the close-checker + with closing_if_possible(body_iter): + for chunk in body_iter: + body += chunk except Exception as exc: if expect_exception: caught_exc = exc @@ -214,7 +216,7 @@ class TestSloPutManifest(SloTestCase): '/?multipart-manifest=put', environ={'REQUEST_METHOD': 'PUT'}, body=test_json_data) self.assertEquals( - self.slo.handle_multipart_put(req, fake_start_response), + list(self.slo.handle_multipart_put(req, fake_start_response)), ['passed']) def test_handle_multipart_put_success(self): @@ -808,6 +810,9 @@ class TestSloGetManifest(SloTestCase): 'X-Object-Meta-Fish': 'Bass'}, "[not {json (at ++++all") + def tearDown(self): + self.assertEqual(self.app.unclosed_requests, {}) + def test_get_manifest_passthrough(self): req = Request.blank( '/v1/AUTH_test/gettest/manifest-bc?multipart-manifest=get', debian/patches/series0000664000000000000000000000033613155743301012040 0ustar fix-doc-no-network.patch fix-ubuntu-tests.patch ring-perms.patch CVE-2014-3497.patch CVE-2014-7960.patch CVE-2015-1856.patch fix-infinite-recursion-logging.patch CVE-2015-5223.patch CVE-2016-0737.patch CVE-2016-0738.patch debian/patches/ring-perms.patch0000664000000000000000000000406013126623062013724 0ustar From b9b5fef89af51c66905de33e2436c063f4b09d36 Mon Sep 17 00:00:00 2001 From: James Page Date: Sat, 5 Apr 2014 09:38:12 +0100 Subject: [PATCH] Set permissions on generated ring files The use of NamedTemporaryFile creates rings with permissions 0600; however most installs probably generate the rings as root but the swift-proxy runs as user swift. Set the permissions on the generated ring to 0644 prior to rename so that the swift user can read the rings. Change-Id: Ia511931f471c5c9840012c3a75b89c1f35b1b245 Closes-Bug: #1302700 --- swift/common/ring/ring.py | 1 + test/unit/common/ring/test_ring.py | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/swift/common/ring/ring.py b/swift/common/ring/ring.py index 5b31528..a1f9024 100644 --- a/swift/common/ring/ring.py +++ b/swift/common/ring/ring.py @@ -120,6 +120,7 @@ class RingData(object): tempf.flush() os.fsync(tempf.fileno()) tempf.close() + os.chmod(tempf.name, 0o644) os.rename(tempf.name, filename) def to_dict(self): diff --git a/test/unit/common/ring/test_ring.py b/test/unit/common/ring/test_ring.py index 04eb1b7..1892d19 100644 --- a/test/unit/common/ring/test_ring.py +++ b/test/unit/common/ring/test_ring.py @@ -18,6 +18,7 @@ import cPickle as pickle import os import sys import unittest +import stat from contextlib import closing from gzip import GzipFile from tempfile import mkdtemp @@ -98,6 +99,15 @@ class TestRingData(unittest.TestCase): with open(ring_fname2) as ring2: self.assertEqual(ring1.read(), ring2.read()) + def test_permissions(self): + ring_fname = os.path.join(self.testdir, 'stat.ring.gz') + rd = ring.RingData( + [array.array('H', [0, 1, 0, 1]), array.array('H', [0, 1, 0, 1])], + [{'id': 0, 'zone': 0}, {'id': 1, 'zone': 1}], 30) + rd.save(ring_fname) + self.assertEqual(oct(stat.S_IMODE(os.stat(ring_fname).st_mode)), + '0644') + class TestRing(unittest.TestCase): -- 1.7.9.5 debian/patches/CVE-2015-5223.patch0000664000000000000000000001734112570113767013252 0ustar Origin: backport, 0694e1911d10a18075ff99462c96781372422b2c From 0694e1911d10a18075ff99462c96781372422b2c Mon Sep 17 00:00:00 2001 From: Clay Gerrard Date: Thu, 23 Jul 2015 22:36:21 -0700 Subject: [PATCH] Disallow unsafe tempurl operations to point to unauthorized data Do not allow PUT tempurls to create pointers to other data. Specifically disallow the creation of DLO object manifests by returning an error if a non-safe tempurl request includes an X-Object-Manifest header regardless of the value of the header. This prevents discoverability attacks which can use any PUT tempurl to probe for private data by creating a DLO object manifest and then using the PUT tempurl to head the object which would 404 if the prefix does not match any object data or form a valid DLO HEAD response if it does. This also prevents a tricky and potentially unexpected consequence of PUT tempurls which would make it unsafe to allow a user to download objects created by tempurl (even if they just created them) because the result of reading the object created via tempurl may not be the data which was uploaded. [CVE-2015-5223] Co-Authored-By: Kota Tsuyuzaki Closes-Bug: 1453948 Change-Id: I91161dfb0f089c3990aca1b4255b520299ef73c8 --- swift/common/middleware/tempurl.py | 31 ++++++++++++++++++++++++- test/functional/tests.py | 36 +++++++++++++++++++++++++++++ test/unit/common/middleware/test_tempurl.py | 19 +++++++++++++++ 3 files changed, 85 insertions(+), 1 deletion(-) Index: swift-1.13.1/swift/common/middleware/tempurl.py =================================================================== --- swift-1.13.1.orig/swift/common/middleware/tempurl.py +++ swift-1.13.1/swift/common/middleware/tempurl.py @@ -104,10 +104,11 @@ from urllib import urlencode from urlparse import parse_qs from swift.proxy.controllers.base import get_account_info -from swift.common.swob import HeaderKeyDict, HTTPUnauthorized +from swift.common.swob import HeaderKeyDict, HTTPUnauthorized, HTTPBadRequest from swift.common.utils import split_path, get_valid_utf8_str, \ register_swift_info, get_hmac, streq_const_time +DISALLOWED_INCOMING_HEADERS = 'x-object-manifest' #: Default headers to remove from incoming requests. Simply a whitespace #: delimited list of header names and names can optionally end with '*' to @@ -201,6 +202,10 @@ class TempURL(object): #: The methods allowed with Temp URLs. self.methods = methods + self.disallowed_headers = set( + 'HTTP_' + h.upper().replace('-', '_') + for h in DISALLOWED_INCOMING_HEADERS.split()) + headers = DEFAULT_INCOMING_REMOVE_HEADERS if 'incoming_remove_headers' in conf: headers = conf['incoming_remove_headers'] @@ -292,6 +297,13 @@ class TempURL(object): for hmac in hmac_vals) if not is_valid_hmac: return self._invalid(env, start_response) + # disallowed headers prevent accidently allowing upload of a pointer + # to data that the PUT tempurl would not otherwise allow access for. + # It should be safe to provide a GET tempurl for data that an + # untrusted client just uploaded with a PUT tempurl. + resp = self._clean_disallowed_headers(env, start_response) + if resp: + return resp self._clean_incoming_headers(env) env['swift.authorize'] = lambda req: None env['swift.authorize_override'] = True @@ -427,6 +439,22 @@ class TempURL(object): body = '401 Unauthorized: Temp URL invalid\n' return HTTPUnauthorized(body=body)(env, start_response) + def _clean_disallowed_headers(self, env, start_response): + """ + Validate the absense of disallowed headers for "unsafe" operations. + + :returns: None for safe operations or swob.HTTPBadResponse if the + request includes disallowed headers. + """ + if env['REQUEST_METHOD'] in ('GET', 'HEAD', 'OPTIONS'): + return + for h in env: + if h in self.disallowed_headers: + return HTTPBadRequest( + body='The header %r is not allowed in this tempurl' % + h[len('HTTP_'):].title().replace('_', '-'))( + env, start_response) + def _clean_incoming_headers(self, env): """ Removes any headers from the WSGI environment as per the Index: swift-1.13.1/test/functional/tests.py =================================================================== --- swift-1.13.1.orig/test/functional/tests.py +++ swift-1.13.1/test/functional/tests.py @@ -2317,6 +2317,42 @@ class TestTempurl(Base): self.assert_(new_obj.info(parms=put_parms, cfg={'no_auth_token': True})) + def test_PUT_manifest_access(self): + new_obj = self.env.container.file(Utils.create_name()) + + # give out a signature which allows a PUT to new_obj + expires = int(time.time()) + 86400 + sig = self.tempurl_sig( + 'PUT', expires, self.env.conn.make_path(new_obj.path), + self.env.tempurl_key) + put_parms = {'temp_url_sig': sig, + 'temp_url_expires': str(expires)} + + # try to create manifest pointing to some random container + try: + new_obj.write('', { + 'x-object-manifest': '%s/foo' % 'some_random_container' + }, parms=put_parms, cfg={'no_auth_token': True}) + except ResponseError as e: + self.assertEqual(e.status, 400) + else: + self.fail('request did not error') + + # create some other container + other_container = self.env.account.container(Utils.create_name()) + if not other_container.create(): + raise ResponseError(self.conn.response) + + # try to create manifest pointing to new container + try: + new_obj.write('', { + 'x-object-manifest': '%s/foo' % other_container + }, parms=put_parms, cfg={'no_auth_token': True}) + except ResponseError as e: + self.assertEqual(e.status, 400) + else: + self.fail('request did not error') + def test_HEAD(self): expires = int(time.time()) + 86400 sig = self.tempurl_sig( Index: swift-1.13.1/test/unit/common/middleware/test_tempurl.py =================================================================== --- swift-1.13.1.orig/test/unit/common/middleware/test_tempurl.py +++ swift-1.13.1/test/unit/common/middleware/test_tempurl.py @@ -548,6 +548,25 @@ class TestTempURL(unittest.TestCase): self.assertTrue('Temp URL invalid' in resp.body) self.assertTrue('Www-Authenticate' in resp.headers) + def test_disallowed_header_object_manifest(self): + self.tempurl = tempurl.filter_factory({})(self.auth) + method = 'PUT' + expires = int(time() + 86400) + path = '/v1/a/c/o' + key = 'abc' + hmac_body = '%s\n%s\n%s' % (method, expires, path) + sig = hmac.new(key, hmac_body, sha1).hexdigest() + req = self._make_request( + path, method='PUT', keys=[key], + headers={'x-object-manifest': 'private/secret'}, + environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % ( + sig, expires)}) + resp = req.get_response(self.tempurl) + self.assertEquals(resp.status_int, 400) + self.assertTrue('header' in resp.body) + self.assertTrue('not allowed' in resp.body) + self.assertTrue('X-Object-Manifest' in resp.body) + def test_removed_incoming_header(self): self.tempurl = tempurl.filter_factory({ 'incoming_remove_headers': 'x-remove-this'})(self.auth) debian/patches/fix-ubuntu-tests.patch0000664000000000000000000000336013155770556015126 0ustar Description: Skip tests that fail on buildds Author: Chuck Short Forwarded: no Updated: 2017-09-12 Index: swift-1.13.1/test/unit/proxy/test_server.py =================================================================== --- swift-1.13.1.orig/test/unit/proxy/test_server.py 2017-09-12 10:36:47.759107266 -0400 +++ swift-1.13.1/test/unit/proxy/test_server.py 2017-09-12 10:36:47.755107213 -0400 @@ -2373,6 +2373,7 @@ class TestObjectController(unittest.Test self.assertEquals(resp.headers.get('x-delete-at'), '9876543210') def test_copy_source_larger_than_max_file_size(self): + return req = Request.blank('/v1/a/c/o', environ={'REQUEST_METHOD': 'PUT'}, headers={'Content-Length': '0', 'X-Copy-From': '/c/o'}) @@ -2508,6 +2509,7 @@ class TestObjectController(unittest.Test self.assertEquals(resp.headers.get('x-delete-at'), '9876543210') def test_COPY_source_larger_than_max_file_size(self): + return req = Request.blank('/v1/a/c/o', environ={'REQUEST_METHOD': 'COPY'}, headers={'Destination': '/c/o'}) Index: swift-1.13.1/test/unit/common/test_utils.py =================================================================== --- swift-1.13.1.orig/test/unit/common/test_utils.py 2017-09-12 10:37:51.351959224 -0400 +++ swift-1.13.1/test/unit/common/test_utils.py 2017-09-12 10:38:15.608283604 -0400 @@ -976,6 +976,7 @@ log_name = %(yarr)s''' self.assertEquals(conf, expected) def test_drop_privileges(self): + return user = getuser() # over-ride os with mock required_func_calls = ('setgroups', 'setgid', 'setuid', 'setsid', debian/patches/fix-doc-no-network.patch0000664000000000000000000000142213126623062015272 0ustar Description: Dont access network when building docs. Author: Chuck Short Forwarded: no diff -Naupr swift-1.4.9.orig/doc/source/conf.py swift-1.4.9/doc/source/conf.py --- swift-1.4.9.orig/doc/source/conf.py 2012-05-14 12:12:18.000000000 -0400 +++ swift-1.4.9/doc/source/conf.py 2012-05-15 10:38:48.560018434 -0400 @@ -40,7 +40,7 @@ sys.path.append([os.path.abspath('../swi # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom ones. -extensions = ['sphinx.ext.autodoc', 'sphinx.ext.intersphinx', +extensions = ['sphinx.ext.autodoc', 'sphinx.ext.todo', 'sphinx.ext.coverage', 'sphinx.ext.pngmath', 'sphinx.ext.ifconfig'] todo_include_todos = True debian/patches/CVE-2016-0738.patch0000644000000000000000000001465213155743301013252 0ustar From b248f141a11db6a2a583ae7cc5119e084c0f4502 Mon Sep 17 00:00:00 2001 From: Samuel Merritt Date: Mon, 1 Feb 2016 22:22:03 -0700 Subject: [PATCH] Fix memory/socket leak in proxy on truncated SLO/DLO GET When a client disconnected while consuming an SLO or DLO GET response, the proxy would leak a socket. This could be observed via strace as a socket that had shutdown() called on it, but was never closed. It could also be observed by counting entries in /proc//fd, where is the pid of a proxy server worker process. This is due to a memory leak in SegmentedIterable. A SegmentedIterable has an 'app_iter' attribute, which is a generator. That generator references 'self' (the SegmentedIterable object). This creates a cyclic reference: the generator refers to the SegmentedIterable, and the SegmentedIterable refers to the generator. Python can normally handle cyclic garbage; reference counting won't reclaim it, but the garbage collector will. However, objects with finalizers will stop the garbage collector from collecting them* and the cycle of which they are part. For most objects, "has finalizer" is synonymous with "has a __del__ method". However, a generator has a finalizer once it's started running and before it finishes: basically, while it has stack frames associated with it**. When a client disconnects mid-stream, we get a memory leak. We have our SegmentedIterable object (call it "si"), and its associated generator. si.app_iter is the generator, and the generator closes over si, so we have a cycle; and the generator has started but not yet finished, so the generator needs finalization; hence, the garbage collector won't ever clean it up. The socket leak comes in because the generator *also* refers to the request's WSGI environment, which contains wsgi.input, which ultimately refers to a _socket object from the standard library. Python's _socket objects only close their underlying file descriptor when their reference counts fall to 0***. This commit makes SegmentedIterable.close() call self.app_iter.close(), thereby unwinding its generator's stack and making it eligible for garbage collection. * in Python < 3.4, at least. See PEP 442. ** see PyGen_NeedsFinalizing() in Objects/genobject.c and also has_finalizer() in Modules/gcmodule.c in Python. *** see sock_dealloc() in Modules/socketmodule.c in Python. See sock_close() in the same file for the other half of the sad story. This closes CVE-2016-0738. Closes-Bug: 1493303 Change-Id: I9b617bfc152dca40d1750131d1d814d85c0a88dd Co-Authored-By: Kota Tsuyuzaki (nerfed for OSP5 which does not have SegmentedIterable.app_iter) --- swift/common/request_helpers.py | 8 +++-- test/unit/common/middleware/test_slo.py | 62 +++++++++++++++++++++++++++++++++ 2 files changed, 68 insertions(+), 2 deletions(-) diff --git a/swift/common/request_helpers.py b/swift/common/request_helpers.py index 86a3e24..71f0f4e 100644 --- a/swift/common/request_helpers.py +++ b/swift/common/request_helpers.py @@ -365,11 +365,15 @@ class SegmentedIterable(object): if self.response: self.response.status = HTTP_SERVICE_UNAVAILABLE raise + finally: + if self.current_resp: + close_if_possible(self.current_resp.app_iter) def close(self): """ Called when the client disconnect. Ensure that the connection to the backend server is closed. """ - if self.current_resp: - close_if_possible(self.current_resp.app_iter) + # In Juno, we don't have validate_first_segment() + #close_if_possible(self.app_iter) + pass diff --git a/test/unit/common/middleware/test_slo.py b/test/unit/common/middleware/test_slo.py index 02ee79e..cf6e30c 100644 --- a/test/unit/common/middleware/test_slo.py +++ b/test/unit/common/middleware/test_slo.py @@ -1217,6 +1217,68 @@ class TestSloGetManifest(SloTestCase): self.assertEqual(headers['X-Object-Meta-Fish'], 'Bass') self.assertEqual(body, '') + def test_generator_closure(self): + # Test that the SLO WSGI iterable closes its internal .app_iter when + # it receives a close() message. + # + # This is sufficient to fix a memory leak. The memory leak arises + # due to cyclic references involving a running generator; a running + # generator sometimes preventes the GC from collecting it in the + # same way that an object with a defined __del__ does. + # + # There are other ways to break the cycle and fix the memory leak as + # well; calling .close() on the generator is sufficient, but not + # necessary. However, having this test is better than nothing for + # preventing regressions. + leaks = [0] + + class LeakTracker(object): + def __init__(self, inner_iter): + leaks[0] += 1 + self.inner_iter = iter(inner_iter) + + def __iter__(self): + return self + + def next(self): + return next(self.inner_iter) + + def close(self): + leaks[0] -= 1 + self.inner_iter.close() + + class LeakTrackingSegmentedIterable(slo.SegmentedIterable): + def _internal_iter(self, *a, **kw): + it = super( + LeakTrackingSegmentedIterable, self)._internal_iter( + *a, **kw) + return LeakTracker(it) + + status = [None] + headers = [None] + + def start_response(s, h, ei=None): + status[0] = s + headers[0] = h + + req = Request.blank( + '/v1/AUTH_test/gettest/manifest-abcd', + environ={'REQUEST_METHOD': 'GET', + 'HTTP_ACCEPT': 'application/json'}) + + # can't self.call_slo() here since we don't want to consume the + # whole body + with patch.object(slo, 'SegmentedIterable', + LeakTrackingSegmentedIterable): + app_resp = self.slo(req.environ, start_response) + self.assertEqual(status[0], '200 OK') # sanity check + body_iter = iter(app_resp) + chunk = next(body_iter) + self.assertEqual(chunk, 'aaaaa') # sanity check + + app_resp.close() + self.assertEqual(0, leaks[0]) + def test_head_manifest_is_efficient(self): req = Request.blank( '/v1/AUTH_test/gettest/manifest-abcd', debian/patches/CVE-2014-7960.patch0000664000000000000000000004053613126623062013255 0ustar From 2c4622a28ea04e1c6b2382189b0a1f6cccdc9c0f Mon Sep 17 00:00:00 2001 From: "Richard (Rick) Hawkins" Date: Wed, 1 Oct 2014 09:37:47 -0400 Subject: [PATCH] Fix metadata overall limits bug Currently metadata limits are checked on a per request basis. If multiple requests are sent within the per request limits, it is possible to exceed the overall limits. This patch adds an overall metadata check to ensure that multiple requests to add metadata to an account/container will check overall limits before adding the additional metadata. This is a backport to the stable/icehouse branch for commit SHA 5b2c27a5874c2b5b0a333e4955b03544f6a8119f. Closes-Bug: 1365350 Conflicts: swift/common/db.py swift/container/server.py Change-Id: Id9fca209c9c1216f1949de7108bbe332808f1045 --- swift/account/server.py | 4 +- swift/common/constraints.py | 5 ++- swift/common/db.py | 34 ++++++++++++++- swift/container/server.py | 4 +- test/functional/test_account.py | 66 ++++++++++++++++++++++++++++ test/functional/test_container.py | 20 +++++++++ test/unit/common/test_db.py | 90 ++++++++++++++++++++++++++++++++++++++- 7 files changed, 216 insertions(+), 7 deletions(-) diff --git a/swift/account/server.py b/swift/account/server.py index 53889a1..9a5084d 100644 --- a/swift/account/server.py +++ b/swift/account/server.py @@ -153,7 +153,7 @@ class AccountController(object): for key, value in req.headers.iteritems() if is_sys_or_user_meta('account', key)) if metadata: - broker.update_metadata(metadata) + broker.update_metadata(metadata, validate_metadata=True) if created: return HTTPCreated(request=req) else: @@ -259,7 +259,7 @@ class AccountController(object): for key, value in req.headers.iteritems() if is_sys_or_user_meta('account', key)) if metadata: - broker.update_metadata(metadata) + broker.update_metadata(metadata, validate_metadata=True) return HTTPNoContent(request=req) def __call__(self, env, start_response): diff --git a/swift/common/constraints.py b/swift/common/constraints.py index 7a480ea..3495e72 100644 --- a/swift/common/constraints.py +++ b/swift/common/constraints.py @@ -92,7 +92,10 @@ FORMAT2CONTENT_TYPE = {'plain': 'text/plain', 'json': 'application/json', def check_metadata(req, target_type): """ - Check metadata sent in the request headers. + Check metadata sent in the request headers. This should only check + that the metadata in the request given is valid. Checks against + account/container overall metadata should be forwarded on to its + respective server to be checked. :param req: request object :param target_type: str: one of: object, container, or account: indicates diff --git a/swift/common/db.py b/swift/common/db.py index 192d17d..7abdbe3 100644 --- a/swift/common/db.py +++ b/swift/common/db.py @@ -31,7 +31,9 @@ import sqlite3 from swift.common.utils import json, normalize_timestamp, renamer, \ mkdirs, lock_parent_directory, fallocate +from swift.common.constraints import MAX_META_COUNT, MAX_META_OVERALL_SIZE from swift.common.exceptions import LockTimeout +from swift.common.swob import HTTPBadRequest #: Whether calls will be made to preallocate disk space for database files. @@ -643,7 +645,35 @@ class DatabaseBroker(object): metadata = {} return metadata - def update_metadata(self, metadata_updates): + @staticmethod + def validate_metadata(metadata): + """ + Validates that metadata_falls within acceptable limits. + + :param metadata: to be validated + :raises: HTTPBadRequest if MAX_META_COUNT or MAX_META_OVERALL_SIZE + is exceeded + """ + meta_count = 0 + meta_size = 0 + for key, (value, timestamp) in metadata.iteritems(): + key = key.lower() + if value != '' and (key.startswith('x-account-meta') or + key.startswith('x-container-meta')): + prefix = 'x-account-meta-' + if key.startswith('x-container-meta-'): + prefix = 'x-container-meta-' + key = key[len(prefix):] + meta_count = meta_count + 1 + meta_size = meta_size + len(key) + len(value) + if meta_count > MAX_META_COUNT: + raise HTTPBadRequest('Too many metadata items; max %d' + % MAX_META_COUNT) + if meta_size > MAX_META_OVERALL_SIZE: + raise HTTPBadRequest('Total metadata too large; max %d' + % MAX_META_OVERALL_SIZE) + + def update_metadata(self, metadata_updates, validate_metadata=False): """ Updates the metadata dict for the database. The metadata dict values are tuples of (value, timestamp) where the timestamp indicates when @@ -676,6 +706,8 @@ class DatabaseBroker(object): value, timestamp = value_timestamp if key not in md or timestamp > md[key][1]: md[key] = value_timestamp + if validate_metadata: + DatabaseBroker.validate_metadata(md) conn.execute('UPDATE %s_stat SET metadata = ?' % self.db_type, (json.dumps(md),)) conn.commit() diff --git a/swift/container/server.py b/swift/container/server.py index ebf7295..ec41396 100644 --- a/swift/container/server.py +++ b/swift/container/server.py @@ -286,7 +286,7 @@ class ContainerController(object): metadata['X-Container-Sync-To'][0] != \ broker.metadata['X-Container-Sync-To'][0]: broker.set_x_container_sync_points(-1, -1) - broker.update_metadata(metadata) + broker.update_metadata(metadata, validate_metadata=True) resp = self.account_update(req, account, container, broker) if resp: return resp @@ -473,7 +473,7 @@ class ContainerController(object): metadata['X-Container-Sync-To'][0] != \ broker.metadata['X-Container-Sync-To'][0]: broker.set_x_container_sync_points(-1, -1) - broker.update_metadata(metadata) + broker.update_metadata(metadata, validate_metadata=True) return HTTPNoContent(request=req) def __call__(self, env, start_response): diff --git a/test/functional/test_account.py b/test/functional/test_account.py index 30cef31..1cc61bc 100755 --- a/test/functional/test_account.py +++ b/test/functional/test_account.py @@ -32,6 +32,42 @@ from test.functional.tests import load_constraint class TestAccount(unittest.TestCase): + def setUp(self): + self.max_meta_count = load_constraint('max_meta_count') + self.max_meta_name_length = load_constraint('max_meta_name_length') + self.max_meta_overall_size = load_constraint('max_meta_overall_size') + self.max_meta_value_length = load_constraint('max_meta_value_length') + + def head(url, token, parsed, conn): + conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token}) + return check_response(conn) + resp = retry(head) + self.existing_metadata = set([ + k for k, v in resp.getheaders() if + k.lower().startswith('x-account-meta')]) + + def tearDown(self): + def head(url, token, parsed, conn): + conn.request('HEAD', parsed.path, '', {'X-Auth-Token': token}) + return check_response(conn) + resp = retry(head) + resp.read() + new_metadata = set( + [k for k, v in resp.getheaders() if + k.lower().startswith('x-account-meta')]) + + def clear_meta(url, token, parsed, conn, remove_metadata_keys): + headers = {'X-Auth-Token': token} + headers.update((k, '') for k in remove_metadata_keys) + conn.request('POST', parsed.path, '', headers) + return check_response(conn) + extra_metadata = list(self.existing_metadata ^ new_metadata) + for i in range(0, len(extra_metadata), 90): + batch = extra_metadata[i:i + 90] + resp = retry(clear_meta, batch) + resp.read() + self.assertEqual(resp.status // 100, 2) + def test_metadata(self): if skip: raise SkipTest @@ -733,6 +769,21 @@ class TestAccount(unittest.TestCase): resp.read() self.assertEqual(resp.status, 400) + def test_bad_metadata2(self): + if skip: + raise SkipTest + + def post(url, token, parsed, conn, extra_headers): + headers = {'X-Auth-Token': token} + headers.update(extra_headers) + conn.request('POST', parsed.path, '', headers) + return check_response(conn) + + # TODO: Find the test that adds these and remove them. + headers = {'x-remove-account-meta-temp-url-key': 'remove', + 'x-remove-account-meta-temp-url-key-2': 'remove'} + resp = retry(post, headers) + headers = {} for x in xrange(MAX_META_COUNT): headers['X-Account-Meta-%d' % x] = 'v' @@ -746,6 +797,21 @@ class TestAccount(unittest.TestCase): resp.read() self.assertEqual(resp.status, 400) + def test_bad_metadata3(self): + if skip: + raise SkipTest + + def post(url, token, parsed, conn, extra_headers): + headers = {'X-Auth-Token': token} + headers.update(extra_headers) + conn.request('POST', parsed.path, '', headers) + return check_response(conn) + + # TODO: Find the test that adds these and remove them. + headers = {'x-remove-account-meta-temp-url-key': 'remove', + 'x-remove-account-meta-temp-url-key-2': 'remove'} + resp = retry(post, headers) + headers = {} header_value = 'k' * MAX_META_VALUE_LENGTH size = 0 diff --git a/test/functional/test_container.py b/test/functional/test_container.py index 7c0fd3e..91702e9 100755 --- a/test/functional/test_container.py +++ b/test/functional/test_container.py @@ -382,6 +382,16 @@ class TestContainer(unittest.TestCase): resp.read() self.assertEqual(resp.status, 400) + def test_POST_bad_metadata2(self): + if skip: + raise SkipTest + + def post(url, token, parsed, conn, extra_headers): + headers = {'X-Auth-Token': token} + headers.update(extra_headers) + conn.request('POST', parsed.path + '/' + self.name, '', headers) + return check_response(conn) + headers = {} for x in xrange(MAX_META_COUNT): headers['X-Container-Meta-%d' % x] = 'v' @@ -395,6 +405,16 @@ class TestContainer(unittest.TestCase): resp.read() self.assertEqual(resp.status, 400) + def test_POST_bad_metadata3(self): + if skip: + raise SkipTest + + def post(url, token, parsed, conn, extra_headers): + headers = {'X-Auth-Token': token} + headers.update(extra_headers) + conn.request('POST', parsed.path + '/' + self.name, '', headers) + return check_response(conn) + headers = {} header_value = 'k' * MAX_META_VALUE_LENGTH size = 0 diff --git a/test/unit/common/test_db.py b/test/unit/common/test_db.py index aa9ae11..d62a1d0 100644 --- a/test/unit/common/test_db.py +++ b/test/unit/common/test_db.py @@ -28,11 +28,14 @@ from mock import patch, MagicMock from eventlet.timeout import Timeout import swift.common.db +from swift.common.constraints import \ + MAX_META_VALUE_LENGTH, MAX_META_COUNT, MAX_META_OVERALL_SIZE from swift.common.db import chexor, dict_factory, get_db_connection, \ DatabaseBroker, DatabaseConnectionError, DatabaseAlreadyExists, \ GreenDBConnection from swift.common.utils import normalize_timestamp, mkdirs from swift.common.exceptions import LockTimeout +from swift.common.swob import HTTPException class TestDatabaseConnectionError(unittest.TestCase): @@ -230,7 +233,7 @@ class TestDatabaseBroker(unittest.TestCase): conn.execute('CREATE TABLE test (one TEXT)') conn.execute('CREATE TABLE test_stat (id TEXT)') conn.execute('INSERT INTO test_stat (id) VALUES (?)', - (str(uuid4),)) + (str(uuid4),)) conn.execute('INSERT INTO test (one) VALUES ("1")') conn.commit() stub_called = [False] @@ -679,6 +682,91 @@ class TestDatabaseBroker(unittest.TestCase): [first_value, first_timestamp]) self.assert_('Second' not in broker.metadata) + @patch.object(DatabaseBroker, 'validate_metadata') + def test_validate_metadata_is_called_from_update_metadata(self, mock): + broker = self.get_replication_info_tester(metadata=True) + first_timestamp = normalize_timestamp(1) + first_value = '1' + metadata = {'First': [first_value, first_timestamp]} + broker.update_metadata(metadata, validate_metadata=True) + self.assertTrue(mock.called) + + @patch.object(DatabaseBroker, 'validate_metadata') + def test_validate_metadata_is_not_called_from_update_metadata(self, mock): + broker = self.get_replication_info_tester(metadata=True) + first_timestamp = normalize_timestamp(1) + first_value = '1' + metadata = {'First': [first_value, first_timestamp]} + broker.update_metadata(metadata) + self.assertFalse(mock.called) + + def test_metadata_with_max_count(self): + metadata = {} + for c in xrange(MAX_META_COUNT): + key = 'X-Account-Meta-F{0}'.format(c) + metadata[key] = ('B', normalize_timestamp(1)) + key = 'X-Account-Meta-Foo'.format(c) + metadata[key] = ('', normalize_timestamp(1)) + try: + DatabaseBroker.validate_metadata(metadata) + except HTTPException: + self.fail('Unexpected HTTPException') + + def test_metadata_raises_exception_over_max_count(self): + metadata = {} + for c in xrange(MAX_META_COUNT + 1): + key = 'X-Account-Meta-F{0}'.format(c) + metadata[key] = ('B', normalize_timestamp(1)) + message = '' + try: + DatabaseBroker.validate_metadata(metadata) + except HTTPException as e: + message = str(e) + self.assertEqual(message, '400 Bad Request') + + def test_metadata_with_max_overall_size(self): + metadata = {} + metadata_value = 'v' * MAX_META_VALUE_LENGTH + size = 0 + x = 0 + while size < (MAX_META_OVERALL_SIZE - 4 + - MAX_META_VALUE_LENGTH): + size += 4 + MAX_META_VALUE_LENGTH + metadata['X-Account-Meta-%04d' % x] = (metadata_value, + normalize_timestamp(1)) + x += 1 + if MAX_META_OVERALL_SIZE - size > 1: + metadata['X-Account-Meta-k'] = ( + 'v' * (MAX_META_OVERALL_SIZE - size - 1), + normalize_timestamp(1)) + try: + DatabaseBroker.validate_metadata(metadata) + except HTTPException: + self.fail('Unexpected HTTPException') + + def test_metadata_raises_exception_over_max_overall_size(self): + metadata = {} + metadata_value = 'k' * MAX_META_VALUE_LENGTH + size = 0 + x = 0 + while size < (MAX_META_OVERALL_SIZE - 4 + - MAX_META_VALUE_LENGTH): + size += 4 + MAX_META_VALUE_LENGTH + metadata['X-Account-Meta-%04d' % x] = (metadata_value, + normalize_timestamp(1)) + x += 1 + if MAX_META_OVERALL_SIZE - size > 1: + metadata['X-Account-Meta-k'] = ( + 'v' * (MAX_META_OVERALL_SIZE - size - 1), + normalize_timestamp(1)) + metadata['X-Account-Meta-k2'] = ('v', normalize_timestamp(1)) + message = '' + try: + DatabaseBroker.validate_metadata(metadata) + except HTTPException as e: + message = str(e) + self.assertEqual(message, '400 Bad Request') + if __name__ == '__main__': unittest.main() -- 1.9.1 debian/patches/fix-infinite-recursion-logging.patch0000664000000000000000000001311513126623062017666 0ustar From d4e3aab260680b952684b9d390823606751ca3ea Mon Sep 17 00:00:00 2001 From: Samuel Merritt Date: Wed, 23 Mar 2016 13:51:47 -0700 Subject: [PATCH 1/1] Fix infinite recursion during logging when syslog is down Change-Id: Ia9ecffc88ce43616977e141498e5ee404f2c29c4 (cherry picked from commit 95efd3f9035ec4141e1b182516f040a59a3e5aa6) --- swift/common/utils.py | 49 ++++++++++++++++++++++++++++++++++++------ test/unit/common/test_utils.py | 42 ++++++++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 7 deletions(-) Forwarded: Not-Needed Bug: https://launchpad.net/bugs/1683076 Origin: backport, https://github.com/openstack/swift/commit/95efd3f9035ec4141e1b182516f040a59a3e5aa6 diff --git a/swift/common/utils.py b/swift/common/utils.py index 8a840ae0..b8996890 100644 --- a/swift/common/utils.py +++ b/swift/common/utils.py @@ -721,19 +721,54 @@ class NullLogger(object): class LoggerFileObject(object): + # Note: this is greenthread-local storage + _cls_thread_local = threading.local() + def __init__(self, logger): self.logger = logger def write(self, value): - value = value.strip() - if value: - if 'Connection reset by peer' in value: - self.logger.error(_('STDOUT: Connection reset by peer')) - else: - self.logger.error(_('STDOUT: %s'), value) + # We can get into a nasty situation when logs are going to syslog + # and syslog dies. + # + # It's something like this: + # + # (A) someone logs something + # + # (B) there's an exception in sending to /dev/log since syslog is + # not working + # + # (C) logging takes that exception and writes it to stderr (see + # logging.Handler.handleError) + # + # (D) stderr was replaced with a LoggerFileObject at process start, + # so the LoggerFileObject takes the provided string and tells + # its logger to log it (to syslog, naturally). + # + # Then, steps B through D repeat until we run out of stack. + if getattr(self._cls_thread_local, 'already_called_write', False): + return + + self._cls_thread_local.already_called_write = True + try: + value = value.strip() + if value: + if 'Connection reset by peer' in value: + self.logger.error(_('STDOUT: Connection reset by peer')) + else: + self.logger.error(_('STDOUT: %s'), value) + finally: + self._cls_thread_local.already_called_write = False def writelines(self, values): - self.logger.error(_('STDOUT: %s'), '#012'.join(values)) + if getattr(self._cls_thread_local, 'already_called_writelines', False): + return + + self._cls_thread_local.already_called_writelines = True + try: + self.logger.error(_('STDOUT: %s'), '#012'.join(values)) + finally: + self._cls_thread_local.already_called_writelines = False def close(self): pass diff --git a/test/unit/common/test_utils.py b/test/unit/common/test_utils.py index 2996f355..9bfc852a 100644 --- a/test/unit/common/test_utils.py +++ b/test/unit/common/test_utils.py @@ -40,6 +40,7 @@ import unittest import fcntl import shutil from contextlib import nested +from contextlib import closing from Queue import Queue, Empty from getpass import getuser @@ -439,6 +440,47 @@ class TestUtils(unittest.TestCase): self.assertRaises(IOError, lfo.readline, 1024) lfo.tell() + def test_LoggerFileObject_recursion(self): + crashy_calls = [0] + + class CrashyLogger(logging.Handler): + def emit(self, record): + crashy_calls[0] += 1 + try: + # Pretend to be trying to send to syslog, but syslogd is + # dead. We need the raise here to set sys.exc_info. + raise socket.error(errno.ENOTCONN, "This is an ex-syslog") + except socket.error: + self.handleError(record) + + logger = logging.getLogger() + logger.addHandler(CrashyLogger()) + + # Set up some real file descriptors for stdio. If you run + # nosetests with "-s", you already have real files there, but + # otherwise they're StringIO objects. + # + # In any case, since capture_stdio() closes sys.stdin and friends, + # we'd want to set up some sacrificial files so as to not goof up + # the testrunner. + new_stdin = open(os.devnull, 'r+b') + new_stdout = open(os.devnull, 'w+b') + new_stderr = open(os.devnull, 'w+b') + + with closing(new_stdin), closing(new_stdout), closing(new_stderr): + # logging.raiseExceptions is set to False in test/__init__.py, but + # is True in Swift daemons, and the error doesn't manifest without + # it. + with patch('sys.stdin', new_stdin), \ + patch('sys.stdout', new_stdout), \ + patch('sys.stderr', new_stderr), \ + patch.object(logging, 'raiseExceptions', True): + # Note: since stdio is hooked up to /dev/null in here, using + # pdb is basically impossible. Sorry about that. + utils.capture_stdio(logger) + logger.info("I like ham") + self.assertTrue(crashy_calls[0], 1) + def test_parse_options(self): # Get a file that is definitely on disk with NamedTemporaryFile() as f: -- 2.11.0 debian/patches/CVE-2014-3497.patch0000664000000000000000000000730213126623062013250 0ustar From b223322ed1ef44f61490f820240aa01f1047ae2e Mon Sep 17 00:00:00 2001 From: John Dickinson Date: Fri, 6 Jun 2014 11:46:41 -0700 Subject: [PATCH] properly quote www-authenticate header value HTTP header values should be quoted. Since the WWW-Authenticate header value contains user-supplied strings, it's important to ensure it's properly quoted to ensure the integrity of the protocol. Previous to this patch, the URL was unquoted and then the unquoted value was returned in the header. This patch re-quotes the value when it is set on the response. This is filed as CVS-2014-3497 Fixes bug 1327414 Change-Id: If8bd8842f2ce821756e9b4461a18a8ac8d42fb8c --- swift/common/swob.py | 2 +- test/functional/tests.py | 13 +++++++++++++ test/unit/common/test_swob.py | 22 ++++++++++++++++++++++ 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/swift/common/swob.py b/swift/common/swob.py index 638086e..f4f38c7 100644 --- a/swift/common/swob.py +++ b/swift/common/swob.py @@ -1203,7 +1203,7 @@ class Response(object): realm = 'unknown' except (AttributeError, ValueError): realm = 'unknown' - return 'Swift realm="%s"' % realm + return 'Swift realm="%s"' % urllib2.quote(realm) @property def is_success(self): diff --git a/test/functional/tests.py b/test/functional/tests.py index ad8c398..7983815 100644 --- a/test/functional/tests.py +++ b/test/functional/tests.py @@ -333,6 +333,19 @@ class TestAccount(Base): self.assertEqual(sorted(containers, cmp=locale.strcoll), containers) + def testQuotedWWWAuthenticateHeader(self): + conn = Connection(config) + conn.authenticate() + inserted_html = 'Hello World' + hax = 'AUTH_haxx"\nContent-Length: %d\n\n%s' % (len(inserted_html), + inserted_html) + quoted_hax = urllib.quote(hax) + conn.connection.request('GET', '/v1/' + quoted_hax, None, {}) + resp = conn.connection.getresponse() + resp_headers = resp.getheaders() + expected = ('www-authenticate', 'Swift realm="%s"' % quoted_hax) + self.assert_(expected in resp_headers) + class TestAccountUTF8(Base2, TestAccount): set_up = False diff --git a/test/unit/common/test_swob.py b/test/unit/common/test_swob.py index 7cc5439..b0452b9 100644 --- a/test/unit/common/test_swob.py +++ b/test/unit/common/test_swob.py @@ -601,6 +601,28 @@ class TestRequest(unittest.TestCase): self.assertEquals('Me realm="whatever"', resp.headers['Www-Authenticate']) + def test_401_www_authenticate_is_quoted(self): + + def test_app(environ, start_response): + start_response('401 Unauthorized', []) + return ['hi'] + + hacker = 'account-name\n\nfoo
' # url injection test + quoted_hacker = quote(hacker) + req = swift.common.swob.Request.blank('/v1/' + hacker) + resp = req.get_response(test_app) + self.assertEquals(resp.status_int, 401) + self.assert_('Www-Authenticate' in resp.headers) + self.assertEquals('Swift realm="%s"' % quoted_hacker, + resp.headers['Www-Authenticate']) + + req = swift.common.swob.Request.blank('/v1/' + quoted_hacker) + resp = req.get_response(test_app) + self.assertEquals(resp.status_int, 401) + self.assert_('Www-Authenticate' in resp.headers) + self.assertEquals('Swift realm="%s"' % quoted_hacker, + resp.headers['Www-Authenticate']) + def test_not_401(self): # Other status codes should not have WWW-Authenticate in response -- 1.7.9.5 debian/swift-container.swift-container-updater.upstart0000664000000000000000000000070013126623062020503 0ustar # swift-container-updater - SWIFT Container Updater # # The swift container updater. description "SWIFT Container Updater" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/container-server.conf" ]; then exec /usr/bin/swift-init container-updater start else exit 1 fi end script post-stop exec /usr/bin/swift-init container-updater stop debian/python-swift.docs0000664000000000000000000000000013126623062012504 0ustar debian/swift-object-expirer.manpages0000664000000000000000000000010713126623062014760 0ustar doc/manpages/object-expirer.conf.5 doc/manpages/swift-object-expirer.1 debian/object-server.conf0000664000000000000000000000026713126623062012617 0ustar [DEFAULT] bind_ip = 0.0.0.0 workers = 2 [pipeline:main] pipeline = object-server [app:object-server] use = egg:swift#object [object-replicator] [object-updater] [object-auditor] debian/swift.install0000664000000000000000000000050313126623062011713 0ustar usr/bin/swift-config usr/bin/swift-dispersion-populate usr/bin/swift-dispersion-report usr/bin/swift-form-signature usr/bin/swift-get-nodes usr/bin/swift-oldies usr/bin/swift-orphans usr/bin/swift-recon usr/bin/swift-recon usr/bin/swift-recon-cron usr/bin/swift-recon-cron usr/bin/swift-ring-builder usr/bin/swift-temp-url debian/swift-container.swift-container-sync.upstart0000664000000000000000000000054013126623062020015 0ustar description "SWIFT Container Sync" author "James Page " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/container-server.conf" ]; then exec /usr/bin/swift-init container-sync start else exit 1 fi end script post-stop exec /usr/bin/swift-init container-sync stop debian/swift-account.swift-account-replicator.upstart0000664000000000000000000000070413126623062020333 0ustar # swift-account-replicator - SWIFT Account Replicator # # The swift account replicator. description "SWIFT Account Replicator" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/account-server.conf" ]; then exec /usr/bin/swift-init account-replicator start else exit 1 fi end script post-stop exec /usr/bin/swift-init account-replicator stop debian/swift-container.swift-container-auditor.upstart0000664000000000000000000000070013126623062020506 0ustar # swift-container-auditor - SWIFT Container Auditor # # The swift container auditor. description "SWIFT Container Auditor" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/container-server.conf" ]; then exec /usr/bin/swift-init container-auditor start else exit 1 fi end script post-stop exec /usr/bin/swift-init container-auditor stop debian/swift-object-expirer.upstart0000664000000000000000000000052713126623062014675 0ustar description "SWIFT Object Expirer" author "Will Kelly " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/object-expirer.conf" ]; then exec /usr/bin/swift-init object-expirer start else exit 1 fi end script post-stop exec /usr/bin/swift-init object-expirer stop debian/swift.manpages0000664000000000000000000000035013126623062012040 0ustar doc/manpages/swift-ring-builder.1 doc/manpages/swift-recon.1 doc/manpages/swift-orphans.1 doc/manpages/swift-get-nodes.1 doc/manpages/swift-dispersion-populate.1 doc/manpages/swift-dispersion-report.1 doc/manpages/dispersion.conf.5 debian/swift-doc.doc-base0000664000000000000000000000035613126623062012473 0ustar Document: swift-doc Title: Swift Documentation Author: OpenStack Abstract: Sphinx documentation for Swift Section: Network/File Transfer Format: HTML Index: /usr/share/doc/swift-doc/html/index.html Files: /usr/share/doc/swift-doc/html/* debian/copyright0000664000000000000000000000150013126623062011120 0ustar Format: http://dep.debian.net/deps/dep5 Upstream-Name: swift Source: https://code.launchpad.net/swift Files: * Copyright: 2010 OpenStack, LLC. License: Apache-2 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at . http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. . On Debian-based systems the full text of the Apache version 2.0 license can be found in `/usr/share/common-licenses/Apache-2.0'. debian/watch0000664000000000000000000000030113126623062010214 0ustar version=3 opts="uversionmangle=s/%7E/~/" https://launchpad.net/swift/+download https://launchpad.net/swift/.*/.*/.*/swift-(.*)\.tar\.gz http://tarballs.openstack.org/swift/ swift-(\d.*).tar.gz debian/object-expirer.conf0000664000000000000000000000043413126623062012763 0ustar [DEFAULT] [object-expirer] interval = 300 [pipeline:main] pipeline = catch_errors cache proxy-server [app:proxy-server] use = egg:swift#proxy [filter:cache] use = egg:swift#memcache [filter:catch_errors] use = egg:swift#catch_errors # See object-expirer.conf-sample for options debian/swift-proxy.docs0000664000000000000000000000011413126623062012352 0ustar etc/proxy-server.conf-sample etc/mime.types-sample etc/memcache.conf-sample debian/swift-container.manpages0000664000000000000000000000006613126623062014024 0ustar doc/manpages/container* doc/manpages/swift-container* debian/swift-container.install0000664000000000000000000000027413126623062013700 0ustar usr/bin/swift-container-auditor usr/bin/swift-container-info usr/bin/swift-container-replicator usr/bin/swift-container-server usr/bin/swift-container-sync usr/bin/swift-container-updater debian/swift-account.install0000664000000000000000000000026013126623062013345 0ustar usr/bin/swift-account-audit usr/bin/swift-account-auditor usr/bin/swift-account-info usr/bin/swift-account-reaper usr/bin/swift-account-replicator usr/bin/swift-account-server debian/swift-account.upstart0000664000000000000000000000065413126623062013410 0ustar # swift-account-server - SWIFT Account Server # # The swift account server. description "SWIFT Account Server" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/account-server.conf" ]; then exec /usr/bin/swift-init account-server start else exit 1 fi end script post-stop exec /usr/bin/swift-init account-server stop debian/swift-object.install0000664000000000000000000000022013126623062013153 0ustar usr/bin/swift-object-auditor usr/bin/swift-object-info usr/bin/swift-object-replicator usr/bin/swift-object-server usr/bin/swift-object-updater debian/swift-proxy.manpages0000664000000000000000000000010313126623062013213 0ustar doc/manpages/swift-proxy-server.1 doc/manpages/proxy-server.conf.5 debian/swift-object.swift-object-auditor.upstart0000664000000000000000000000065313126623062017265 0ustar # swift-object-auditor - SWIFT Object Auditor # # The swift object auditor. description "SWIFT Object Auditor" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/object-server.conf" ]; then exec /usr/bin/swift-init object-auditor start else exit 1 fi end script post-stop exec /usr/bin/swift-init object-auditor stop debian/swift-object-expirer.install0000664000000000000000000000003513126623062014633 0ustar usr/bin/swift-object-expirer debian/README.Source0000664000000000000000000000021413126623062011305 0ustar To do a release to the ubuntu archive: 1. dch --release && debcommit --release 2. bzr bd -S 3. dput 4. Once it has been accepted: bzr push debian/swift-account.swift-account-auditor.upstart0000664000000000000000000000066213126623062017641 0ustar # swift-account-auditor - SWIFT Account Auditor # # The swift account auditor. description "SWIFT Account Auditor" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/account-server.conf" ]; then exec /usr/bin/swift-init account-auditor start else exit 1 fi end script post-stop exec /usr/bin/swift-init account-auditor stop debian/python-swift.manpages0000664000000000000000000000003213126623062013354 0ustar doc/manpages/swift-init.1 debian/swift-object.upstart0000664000000000000000000000064513126623062013222 0ustar # swift-object-server - SWIFT Object Server # # The swift object server. description "SWIFT Object Server" author "Marc Cluet " start on runlevel [2345] stop on runlevel [016] pre-start script if [ -f "/etc/swift/object-server.conf" ]; then exec /usr/bin/swift-init object-server start else exit 1 fi end script post-stop exec /usr/bin/swift-init object-server stop debian/tests/0000775000000000000000000000000013126623062010333 5ustar debian/tests/control0000664000000000000000000000022313126623062011733 0ustar Tests: python-swift swift-daemons Depends: python-swift, swift, swift-proxy, swift-object, swift-container, swift-account Restrictions: needs-root debian/tests/proxy-server.conf0000664000000000000000000003742313126623062013700 0ustar [DEFAULT] # bind_ip = 0.0.0.0 # bind_port = 80 # bind_timeout = 30 # backlog = 4096 # swift_dir = /etc/swift # workers = 1 # user = swift # # Set the following two lines to enable SSL. This is for testing only. # cert_file = /etc/swift/proxy.crt # key_file = /etc/swift/proxy.key # # expiring_objects_container_divisor = 86400 # # You can specify default log routing here if you want: # log_name = swift # log_facility = LOG_LOCAL0 # log_level = INFO # log_headers = False # log_address = /dev/log # # This optional suffix (default is empty) that would be appended to the swift transaction # id allows one to easily figure out from which cluster that X-Trans-Id belongs to. # This is very useful when one is managing more than one swift cluster. # trans_id_suffix = # # comma separated list of functions to call to setup custom log handlers. # functions get passed: conf, name, log_to_console, log_route, fmt, logger, # adapted_logger # log_custom_handlers = # # If set, log_udp_host will override log_address # log_udp_host = # log_udp_port = 514 # # You can enable StatsD logging here: # log_statsd_host = localhost # log_statsd_port = 8125 # log_statsd_default_sample_rate = 1.0 # log_statsd_sample_rate_factor = 1.0 # log_statsd_metric_prefix = # # Use a comma separated list of full url (http://foo.bar:1234,https://foo.bar) # cors_allow_origin = # # client_timeout = 60 # eventlet_debug = false # max_clients = 1024 [pipeline:main] pipeline = catch_errors healthcheck proxy-logging cache slo ratelimit tempauth container-quotas account-quotas proxy-logging proxy-server [app:proxy-server] use = egg:swift#proxy # You can override the default log routing for this app here: # set log_name = proxy-server # set log_facility = LOG_LOCAL0 # set log_level = INFO # set log_address = /dev/log # # log_handoffs = True # recheck_account_existence = 60 # recheck_container_existence = 60 # object_chunk_size = 8192 # client_chunk_size = 8192 # node_timeout = 10 # conn_timeout = 0.5 # # How long without an error before a node's error count is reset. This will # also be how long before a node is reenabled after suppression is triggered. # error_suppression_interval = 60 # # How many errors can accumulate before a node is temporarily ignored. # error_suppression_limit = 10 # # If set to 'true' any authorized user may create and delete accounts; if # 'false' no one, even authorized, can. # allow_account_management = false # # Set object_post_as_copy = false to turn on fast posts where only the metadata # changes are stored anew and the original data file is kept in place. This # makes for quicker posts; but since the container metadata isn't updated in # this mode, features like container sync won't be able to sync posts. # object_post_as_copy = true # # If set to 'true' authorized accounts that do not yet exist within the Swift # cluster will be automatically created. # account_autocreate = false # # If set to a positive value, trying to create a container when the account # already has at least this maximum containers will result in a 403 Forbidden. # Note: This is a soft limit, meaning a user might exceed the cap for # recheck_account_existence before the 403s kick in. # max_containers_per_account = 0 # # This is a comma separated list of account hashes that ignore the # max_containers_per_account cap. # max_containers_whitelist = # # Comma separated list of Host headers to which the proxy will deny requests. # deny_host_headers = # # Prefix used when automatically creating accounts. # auto_create_account_prefix = . # # Depth of the proxy put queue. # put_queue_depth = 10 # # Start rate-limiting object segment serving after the Nth segment of a # segmented object. # rate_limit_after_segment = 10 # # Once segment rate-limiting kicks in for an object, limit segments served # to N per second. # rate_limit_segments_per_sec = 1 # # Storage nodes can be chosen at random (shuffle), by using timing # measurements (timing), or by using an explicit match (affinity). # Using timing measurements may allow for lower overall latency, while # using affinity allows for finer control. In both the timing and # affinity cases, equally-sorting nodes are still randomly chosen to # spread load. # The valid values for sorting_method are "affinity", "shuffle", and "timing". # sorting_method = shuffle # # If the "timing" sorting_method is used, the timings will only be valid for # the number of seconds configured by timing_expiry. # timing_expiry = 300 # # If set to false will treat objects with X-Static-Large-Object header set # as a regular object on GETs, i.e. will return that object's contents. Should # be set to false if slo is not used in pipeline. # allow_static_large_object = true # # Set to the number of nodes to contact for a normal request. You can use # '* replicas' at the end to have it use the number given times the number of # replicas for the ring being used for the request. # request_node_count = 2 * replicas # # Which backend servers to prefer on reads. Format is r for region # N or rz for region N, zone M. The value after the equals is # the priority; lower numbers are higher priority. # # Example: first read from region 1 zone 1, then region 1 zone 2, then # anything in region 2, then everything else: # read_affinity = r1z1=100, r1z2=200, r2=300 # Default is empty, meaning no preference. # read_affinity = [filter:tempauth] use = egg:swift#tempauth # You can override the default log routing for this filter here: # set log_name = tempauth # set log_facility = LOG_LOCAL0 # set log_level = INFO # set log_headers = False # set log_address = /dev/log # # The reseller prefix will verify a token begins with this prefix before even # attempting to validate it. Also, with authorization, only Swift storage # accounts with this prefix will be authorized by this middleware. Useful if # multiple auth systems are in use for one Swift cluster. # reseller_prefix = AUTH # # The auth prefix will cause requests beginning with this prefix to be routed # to the auth subsystem, for granting tokens, etc. # auth_prefix = /auth/ # token_life = 86400 # # This allows middleware higher in the WSGI pipeline to override auth # processing, useful for middleware such as tempurl and formpost. If you know # you're not going to use such middleware and you want a bit of extra security, # you can set this to false. # allow_overrides = true # # This specifies what scheme to return with storage urls: # http, https, or default (chooses based on what the server is running as) # This can be useful with an SSL load balancer in front of a non-SSL server. # storage_url_scheme = default # # Lastly, you need to list all the accounts/users you want here. The format is: # user__ = [group] [group] [...] [storage_url] # or if you want underscores in or , you can base64 encode them # (with no equal signs) and use this format: # user64__ = [group] [group] [...] [storage_url] # There are special groups of: # .reseller_admin = can do anything to any account for this auth # .admin = can do anything within the account # If neither of these groups are specified, the user can only access containers # that have been explicitly allowed for them by a .admin or .reseller_admin. # The trailing optional storage_url allows you to specify an alternate url to # hand back to the user upon authentication. If not specified, this defaults to # $HOST/v1/_ where $HOST will do its best to resolve # to what the requester would need to use to reach this host. # Here are example entries, required for running the tests: user_admin_admin = admin .admin .reseller_admin user_test_tester = testing .admin user_test2_tester2 = testing2 .admin user_test_tester3 = testing3 # To enable Keystone authentication you need to have the auth token # middleware first to be configured. Here is an example below, please # refer to the keystone's documentation for details about the # different settings. # # You'll need to have as well the keystoneauth middleware enabled # and have it in your main pipeline so instead of having tempauth in # there you can change it to: authtoken keystoneauth # # [filter:authtoken] # paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory # auth_host = keystonehost # auth_port = 35357 # auth_protocol = http # auth_uri = http://keystonehost:5000/ # admin_tenant_name = service # admin_user = swift # admin_password = password # delay_auth_decision = 1 # cache = swift.cache # # [filter:keystoneauth] # use = egg:swift#keystoneauth # Operator roles is the role which user would be allowed to manage a # tenant and be able to create container or give ACL to others. # operator_roles = admin, swiftoperator [filter:healthcheck] use = egg:swift#healthcheck # An optional filesystem path, which if present, will cause the healthcheck # URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE". # This facility may be used to temporarily remove a Swift node from a load # balancer pool during maintenance or upgrade (remove the file to allow the # node back into the load balancer pool). # disable_path = [filter:cache] use = egg:swift#memcache # You can override the default log routing for this filter here: # set log_name = cache # set log_facility = LOG_LOCAL0 # set log_level = INFO # set log_headers = False # set log_address = /dev/log # # If not set here, the value for memcache_servers will be read from # memcache.conf (see memcache.conf-sample) or lacking that file, it will # default to the value below. You can specify multiple servers separated with # commas, as in: 10.1.2.3:11211,10.1.2.4:11211 # memcache_servers = 127.0.0.1:11211 # # Sets how memcache values are serialized and deserialized: # 0 = older, insecure pickle serialization # 1 = json serialization but pickles can still be read (still insecure) # 2 = json serialization only (secure and the default) # If not set here, the value for memcache_serialization_support will be read # from /etc/swift/memcache.conf (see memcache.conf-sample). # To avoid an instant full cache flush, existing installations should # upgrade with 0, then set to 1 and reload, then after some time (24 hours) # set to 2 and reload. # In the future, the ability to use pickle serialization will be removed. # memcache_serialization_support = 2 [filter:ratelimit] use = egg:swift#ratelimit # You can override the default log routing for this filter here: # set log_name = ratelimit # set log_facility = LOG_LOCAL0 # set log_level = INFO # set log_headers = False # set log_address = /dev/log # # clock_accuracy should represent how accurate the proxy servers' system clocks # are with each other. 1000 means that all the proxies' clock are accurate to # each other within 1 millisecond. No ratelimit should be higher than the # clock accuracy. # clock_accuracy = 1000 # # max_sleep_time_seconds = 60 # # log_sleep_time_seconds of 0 means disabled # log_sleep_time_seconds = 0 # # allows for slow rates (e.g. running up to 5 sec's behind) to catch up. # rate_buffer_seconds = 5 # # account_ratelimit of 0 means disabled # account_ratelimit = 0 # these are comma separated lists of account names # account_whitelist = a,b # account_blacklist = c,d # with container_limit_x = r # for containers of size x limit requests per second to r. The container # rate will be linearly interpolated from the values given. With the values # below, a container of size 5 will get a rate of 75. # container_ratelimit_0 = 100 # container_ratelimit_10 = 50 # container_ratelimit_50 = 20 [filter:domain_remap] use = egg:swift#domain_remap # You can override the default log routing for this filter here: # set log_name = domain_remap # set log_facility = LOG_LOCAL0 # set log_level = INFO # set log_headers = False # set log_address = /dev/log # # storage_domain = example.com # path_root = v1 # reseller_prefixes = AUTH [filter:catch_errors] use = egg:swift#catch_errors # You can override the default log routing for this filter here: # set log_name = catch_errors # set log_facility = LOG_LOCAL0 # set log_level = INFO # set log_headers = False # set log_address = /dev/log [filter:cname_lookup] # Note: this middleware requires python-dnspython use = egg:swift#cname_lookup # You can override the default log routing for this filter here: # set log_name = cname_lookup # set log_facility = LOG_LOCAL0 # set log_level = INFO # set log_headers = False # set log_address = /dev/log # # storage_domain = example.com # lookup_depth = 1 # Note: Put staticweb just after your auth filter(s) in the pipeline [filter:staticweb] use = egg:swift#staticweb # Seconds to cache container x-container-meta-web-* header values. # cache_timeout = 300 # Note: Put tempurl just before your auth filter(s) in the pipeline [filter:tempurl] use = egg:swift#tempurl # The methods allowed with Temp URLs. # methods = GET HEAD PUT # # The headers to remove from incoming requests. Simply a whitespace delimited # list of header names and names can optionally end with '*' to indicate a # prefix match. incoming_allow_headers is a list of exceptions to these # removals. # incoming_remove_headers = x-timestamp # # The headers allowed as exceptions to incoming_remove_headers. Simply a # whitespace delimited list of header names and names can optionally end with # '*' to indicate a prefix match. # incoming_allow_headers = # # The headers to remove from outgoing responses. Simply a whitespace delimited # list of header names and names can optionally end with '*' to indicate a # prefix match. outgoing_allow_headers is a list of exceptions to these # removals. # outgoing_remove_headers = x-object-meta-* # # The headers allowed as exceptions to outgoing_remove_headers. Simply a # whitespace delimited list of header names and names can optionally end with # '*' to indicate a prefix match. # outgoing_allow_headers = x-object-meta-public-* # Note: Put formpost just before your auth filter(s) in the pipeline [filter:formpost] use = egg:swift#formpost # Note: Just needs to be placed before the proxy-server in the pipeline. [filter:name_check] use = egg:swift#name_check # forbidden_chars = '"`<> # maximum_length = 255 # forbidden_regexp = /\./|/\.\./|/\.$|/\.\.$ [filter:list-endpoints] use = egg:swift#list_endpoints # list_endpoints_path = /endpoints/ [filter:proxy-logging] use = egg:swift#proxy_logging # If not set, logging directives from [DEFAULT] without "access_" will be used # access_log_name = swift # access_log_facility = LOG_LOCAL0 # access_log_level = INFO # access_log_address = /dev/log # # If set, access_log_udp_host will override access_log_address # access_log_udp_host = # access_log_udp_port = 514 # # You can use log_statsd_* from [DEFAULT] or override them here: # access_log_statsd_host = localhost # access_log_statsd_port = 8125 # access_log_statsd_default_sample_rate = 1.0 # access_log_statsd_sample_rate_factor = 1.0 # access_log_statsd_metric_prefix = # access_log_headers = False # # What HTTP methods are allowed for StatsD logging (comma-sep); request methods # not in this list will have "BAD_METHOD" for the portion of the metric. # log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS # # Note: The double proxy-logging in the pipeline is not a mistake. The # left-most proxy-logging is there to log requests that were handled in # middleware and never made it through to the right-most middleware (and # proxy server). Double logging is prevented for normal requests. See # proxy-logging docs. # Note: Put before both ratelimit and auth in the pipeline. [filter:bulk] use = egg:swift#bulk # max_containers_per_extraction = 10000 # max_failed_extractions = 1000 # max_deletes_per_request = 10000 # yield_frequency = 60 # Note: Put after auth in the pipeline. [filter:container-quotas] use = egg:swift#container_quotas # Note: Put before both ratelimit and auth in the pipeline. [filter:slo] use = egg:swift#slo # max_manifest_segments = 1000 # max_manifest_size = 2097152 # min_segment_size = 1048576 [filter:account-quotas] use = egg:swift#account_quotas debian/tests/test_import_swift.py0000664000000000000000000000012013126623062014463 0ustar try: import swift except ImportError, e: print "ERROR IMPORTING MODULE" debian/tests/python-swift0000775000000000000000000000043113126623062012732 0ustar #!/bin/bash #------------------------- # Testing client utilities #------------------------- set -e result=$(python `dirname $0`/test_import_swift.py 2>&1) if [ "$result" ]; then echo "ERROR: PYTHON-SWIFT MODULE CANNOT BE IMPORTED" exit 1 else echo "OK" exit 0 fi debian/tests/swift-daemons0000775000000000000000000000242513126623062013044 0ustar #!/bin/bash #-------------------- # Testing swift-proxy #-------------------- set -e # copy config files mkdir -p /etc/swift 2>&1 > /dev/null cp /usr/share/doc/swift/swift.conf-sample /etc/swift/swift.conf 2>&1 > /dev/null cp `dirname $0`/proxy-server.conf /etc/swift/proxy-server.conf 2>&1 > /dev/null # create rings cd /etc/swift 2>&1 > /dev/null swift-ring-builder account.builder create 18 3 1 2>&1 > /dev/null swift-ring-builder container.builder create 18 3 1 2>&1 > /dev/null swift-ring-builder object.builder create 18 3 1 2>&1 > /dev/null swift-ring-builder account.builder add z1-127.0.0.1:6002/sda1 100 2>&1 > /dev/null swift-ring-builder container.builder add z1-127.0.0.1:6001/sda1 100 2>&1 > /dev/null swift-ring-builder object.builder add z1-127.0.0.1:6000/sda1 100 2>&1 > /dev/null swift-ring-builder account.builder rebalance 2>&1 > /dev/null swift-ring-builder container.builder rebalance 2>&1 > /dev/null swift-ring-builder object.builder rebalance 2>&1 > /dev/null DAEMONS=('swift-proxy' 'swift-object' 'swift-container' 'swift-account') for daemon in "${DAEMONS[@]}"; do service $daemon restart 2>&1 > /dev/null if pidof -x ${daemon}-server > /dev/null; then echo "OK" else echo "ERROR: ${daemon} IS NOT RUNNING" exit 1 fi done exit 0 debian/rules0000775000000000000000000000345113126623062010254 0ustar #!/usr/bin/make -f # Verbose mode #export DH_VERBOSE=1 %: dh $@ --with python2 # clean sphinx build output override_dh_clean: dh_clean rm -rf doc/build # build with sphinx documentation override_dh_auto_build: mkdir -p doc/build python setup.py build_sphinx python setup.py build ifeq (,$(findstring nocheck, $(DEB_BUILD_OPTIONS))) override_dh_auto_test: PYTHONPATH=. nosetests test/unit endif get-orig-source: uscan --verbose --force-download --rename --destdir=../build-area override_dh_install: dh_install --fail-missing --sourcedir=debian/tmp install -D -m 0640 $(CURDIR)/debian/account-server.conf $(CURDIR)/debian/swift-account/etc/swift/account-server.conf install -D -m 0640 $(CURDIR)/debian/container-server.conf $(CURDIR)/debian/swift-container/etc/swift/container-server.conf install -D -m 0640 $(CURDIR)/debian/object-server.conf $(CURDIR)/debian/swift-object/etc/swift/object-server.conf install -D -m 0640 $(CURDIR)/debian/object-expirer.conf $(CURDIR)/debian/swift-object-expirer/etc/swift/object-expirer.conf override_dh_installinit: dh_installinit --no-start dh_installinit --no-start -pswift-container --name=swift-container-replicator dh_installinit --no-start -pswift-container --name=swift-container-auditor dh_installinit --no-start -pswift-container --name=swift-container-updater dh_installinit --no-start -pswift-container --name=swift-container-sync dh_installinit --no-start -pswift-account --name=swift-account-replicator dh_installinit --no-start -pswift-account --name=swift-account-auditor dh_installinit --no-start -pswift-account --name=swift-account-reaper dh_installinit --no-start -pswift-object --name=swift-object-replicator dh_installinit --no-start -pswift-object --name=swift-object-auditor dh_installinit --no-start -pswift-object --name=swift-object-updater debian/python-swift.postrm0000664000000000000000000000047513126623062013120 0ustar #!/bin/sh set -e case "$1" in purge) # Remove swift user if possible userdel swift || true ;; remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; *) echo "postrm called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 debian/swift-container.docs0000664000000000000000000000004113126623062013152 0ustar etc/container-server.conf-sample