Bug 1313958: Provide clamav >= v0.98 in our yum repos
Status: RESOLVED FIXED (opened 8 years ago, closed 8 years ago)
Categories: Infrastructure & Operations Graveyard :: CIDuty, task
Tracking: Not tracked
People: Reporter: nthomas, Assigned: aselagea
Attachments (2 files):
- 554.46 KB, application/x-zip-compressed
- 58 bytes, text/x-review-board-request (nthomas: review+, aselagea: checked-in+)

Bug 1313954 boiled down to using an older version of clamav, which is no longer supported and can't load the current virus definitions. This breaks antivirus checks for Thunderbird releases (no longer used for Firefox). Please provide a yum repo/update our repos with >= v0.98 so that we can generate valid golden AMI av checks. Three packages are needed - clamav, clamav-db, and clamd - and I found v0.99.2 from EPEL6 worked fine.

Comment 1 • 8 years ago
We don't have cycles to work on this, but buildduty has been working on package updates and might.
Flags: needinfo?(coop)

Comment 2 • 8 years ago
We can add it to their queue. Amy: are there docs for buildduty on updating our yum setup?
Assignee: relops → nobody
Component: RelOps: Puppet → Buildduty
Flags: needinfo?(coop) → needinfo?(arich)
Product: Infrastructure & Operations → Release Engineering
QA Contact: mcornmesser → bugspam.Callek

Comment 3 • 8 years ago
https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Packages
Flags: needinfo?(arich)

Updated (by assignee) • 8 years ago
Assignee: nobody → aselagea

Comment 4 (assignee) • 8 years ago
It is true that we updated packages placed on the custom repos (which are not mirrored from anywhere). But it seems that the 3 clam* packages mentioned by Nick can be found on EPEL repo:
- "clam*-0.97.3-3.el6.x86_64.rpm" => repos/yum/mirrors/epel/6/2012-03-07/*
- "clam*-0.98.1-1.el6.x86_64.rpm" => repos/yum/mirrors/epel/6/2014-05-06/*

One note here would be that the "latest" symlink points to the older folder (2012-03-07/). Grabbing an AWS loaner revealed that we indeed have the "0.97" version of those packages installed.

https://wiki.mozilla.org/ReleaseEngineering/PuppetAgain/Packages provides instructions on how to sync the mirrors and my understanding is that it would result in another folder (like 2016-11-15) containing all the latest packages. Given the note above, I would tend to believe that upgrading all the packages is not a good thing since it would cause package version conflicts.

So I'm wondering how to do the upgrade - two solutions came to my mind (may be far from the real solution though):
- either copy 2012-03-07/ into a new folder and only replace the intended packages with the upgraded version, then switch the symlink to point to that folder
- create a custom repo and then upgrade puppet manifests

ni-ing Callek here for some suggestions.
Flags: needinfo?(bugspam.Callek)

Comment 5 • 8 years ago
I suggest you follow the example of things like openssl and create a custom repo.

Comment 6 • 8 years ago
(In reply to Amy Rich [:arr] [:arich] from comment #5)
> I suggest you follow the example of things like openssl and create a custom
> repo.

++
Flags: needinfo?(bugspam.Callek)

Comment 7 (assignee) • 8 years ago
At this point, I created a custom repo at /repo/yum/custom/clamav and included the following rpms:
- clamav-db-0.99.2-1.el6
- clamd-0.99.2-1.el6
- clamav-0.99.2-1.el6
- clamav-devel-0.99.2-1.el6

However, we don't seem to install them by default on our linux builders.

@Nick: do you know how to test if this really works so that we don't encounter the same issues as in bug 1313954?
Flags: needinfo?(nthomas)

Comment 8 (reporter) • 8 years ago
I'd suggest spinning up an instance, and pointing it at a puppet environment with [1] modified to include your new repo. Then run puppet to make sure it pulls in the updated clamav. You could then reproduce the steps in the most recent log [2] to verify the whole process.

It's a little tricky to spin up an instance, since we haven't implemented loaners for av-linux64. IIRC I made a dev-av-linux64 by copying from dev-linux64, and merging the difference between bld-linux64 and av-linux64.

[1] https://hg.mozilla.org/build/puppet/file/default/modules/packages/manifests/setup.pp
[2] https://archive.mozilla.org/pub/thunderbird/candidates/50.0b3-candidates/build1/logs/release-comm-beta-thunderbird_antivirus-bm77-build1-build4.txt.gz
Flags: needinfo?(nthomas)

Comment 9 (assignee) • 8 years ago
I used a custom config file that points to a recent spot-av-linux64 ami and managed to spin up an instance (av-linux64-ec2-aselagea). Going further, I applied the puppet changes to my environment and ran puppet on the loaner => it looks fine, the intended packages are indeed installed.

[root@av-linux64-ec2-aselagea.build.releng.use1.mozilla.com ~]# yum list installed | grep clam
clamav.x86_64       0.99.2-1.el6    @clamav
clamav-db.x86_64    0.99.2-1.el6    @clamav
clamd.x86_64        0.99.2-1.el6    @clamav

I created a personal build master on dev-master2, added the entries for it in slavealloc and started it. Also added the loaner to slavealloc and locked it to my master. For some reason, it won't connect to it though.
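
An added example, not part of the original bug thread or Mozilla's tooling: a shell check that the three packages named in the description are installed at >= 0.98, reading yum list installed rows like those quoted in comment 9. The function names are hypothetical, and the version comparison assumes GNU sort -V.

```shell
#!/usr/bin/env bash
# Added example: fail an image check when clamav packages are missing or too old.
# MIN_VERSION and REQUIRED_PKGS come from the bug description; function names
# are hypothetical and not part of any Mozilla tooling.
MIN_VERSION="0.98"
REQUIRED_PKGS="clamav clamav-db clamd"

# version_ge A B: succeed when version A >= version B (GNU sort -V ordering,
# so 0.100.0 sorts above 0.98, which a plain string compare gets wrong).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# check_clamav_versions: read `yum list installed` rows on stdin, print one
# verdict per required package, return non-zero if any is missing or too old.
check_clamav_versions() {
    local listing pkg evr upstream status=0
    listing="$(cat)"
    for pkg in $REQUIRED_PKGS; do
        # Column 1 is name.arch; strip the arch and compare the name exactly
        # so "clamav" does not also match "clamav-db".
        evr="$(printf '%s\n' "$listing" | awk -v p="$pkg" \
            '{ n = $1; sub(/\.[^.]*$/, "", n); if (n == p) { print $2; exit } }')"
        if [ -z "$evr" ]; then
            echo "MISSING  $pkg"; status=1; continue
        fi
        upstream="${evr#*:}"        # drop an epoch prefix such as "1:"
        upstream="${upstream%%-*}"  # drop the release suffix such as "-1.el6"
        if version_ge "$upstream" "$MIN_VERSION"; then
            echo "OK       $pkg $upstream"
        else
            echo "TOO_OLD  $pkg $upstream (< $MIN_VERSION)"; status=1
        fi
    done
    return $status
}

# Sample input: the rows quoted in comment 9 of this bug.
check_clamav_versions <<'EOF'
clamav.x86_64       0.99.2-1.el6    @clamav
clamav-db.x86_64    0.99.2-1.el6    @clamav
clamd.x86_64        0.99.2-1.el6    @clamav
EOF
```

On a real instance the same function can be fed live data with: yum list installed | check_clamav_versions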

Comment 10 (reporter) • 8 years ago
I think that's looking pretty great already. You could avoid the "fun" of setting up a master by connecting to the instance and running:

mkdir -p /builds/slave/tb-rel-c-beta-av-0000000000000/
cd /builds/slave/tb-rel-c-beta-av-0000000000000/
bash -c 'wget -Oarchiver_client.py --no-check-certificate --tries=10 --waitretry=3 https://hg.mozilla.org/build/tools/raw-file/default/buildfarm/utils/archiver_client.py'
bash -c 'python archiver_client.py mozharness --repo releases/mozilla-beta --tag THUNDERBIRD_50_0b3_RELEASE --destination scripts --debug'
python2.7 scripts/scripts/release/antivirus.py --product thunderbird --version 50.0b3 --build-number 1 --bucket-name net-mozaws-prod-delivery-archive --tools-revision THUNDERBIRD_50_0b3_RELEASE --tools-repo https://hg.mozilla.org/build/tools

Please comment here where you got the rpms from. Was it an EPEL6 repo?

Comment 11 (assignee) • 8 years ago
(In reply to Nick Thomas [:nthomas] from comment #10)
> Please comment here where you got the rpms from. Was it an EPEL6 repo ?

Yup, I got the rpms from an EPEL6 repo - it's actually the same location you mentioned in https://bugzilla.mozilla.org/show_bug.cgi?id=1313954#c3

Comment 12 (assignee) • 8 years ago
Used my loaner and ran the commands mentioned by Nick above. Taking a look at the logs revealed that the clam-related errors were no longer present. However, the build ended with an error as there were 3 files for which the command failed:

03:59:15 INFO - END 03:59:15 (5 seconds elapsed): /builds/slave/tb-rel-c-beta-av-0000000000000/cache/win32/gd/Thunderbird Setup 50.0b3.exe
03:59:15 INFO - Command failed for the following files:
03:59:15 INFO - /builds/slave/tb-rel-c-beta-av-0000000000000/cache/update/linux-x86_64/fr/thunderbird-50.0b1-50.0b3.partial.mar
03:59:15 INFO - /builds/slave/tb-rel-c-beta-av-0000000000000/cache/update/linux-x86_64/fr/thunderbird-50.0b3.complete.mar
03:59:15 INFO - /builds/slave/tb-rel-c-beta-av-0000000000000/cache/update/linux-x86_64/fi/thunderbird-50.0b3.complete.mar
03:59:15 ERROR - Return code: 1

That doesn't seem related to the new clam* rpms though.

Comment hidden (mozreview-request)

Comment 14 (reporter) • 8 years ago
mozreview-review
Comment on attachment 8816439 [details]
Bug 1313958 - Provide clamav >= v0.98 in our yum repos;
https://reviewboard.mozilla.org/r/97190/#review97762

Looks good to me.
Attachment #8816439 - Flags: review?(nthomas) → review+

Updated (by assignee) • 8 years ago
Attachment #8816439 - Flags: checked-in+

Updated (by assignee) • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED

Updated • 6 years ago
Product: Release Engineering → Infrastructure & Operations

Updated • 4 years ago
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard