[ANNOUNCE] Gerrit 3.11.0 w/ Security Fixes


Luca Milanesio

Dec 2, 2024, 5:51:45 PM
to Repo and Gerrit Discussion, Luca Milanesio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Gerrit version 3.11.0 is now available.

Includes security fixes;
please see the release notes for details.

Please note that Gerrit v3.8.x is now EOL, see more details at:
https://www.gerritcodereview.com/support.html#supported-versions

Release Notes:
https://www.gerritcodereview.com/3.11.html

Documentation:
http://gerrit-documentation.storage.googleapis.com/Documentation/3.11.0/index.html

Download:
https://gerrit-releases.storage.googleapis.com/gerrit-3.11.0.war

SHA1:
298828cd40fee5de0b4f6b60e028538ec181242d

SHA256:
c05524b38c86ccee286cf58821f0a02fefd9177ed10e05cabe538c485bd4e419

MD5:
4cb017f080641b77da9aefa1e5c12817

Maintainers' public keys:
https://www.gerritcodereview.com/releases/public-keys.md


Luca Milanesio

Dec 2, 2024, 5:58:05 PM
to Repo and Gerrit Discussion, Luca Milanesio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Binary packages (Deb / Rpm) of Gerrit version 3.11.0 are now available
==========================================================================

How to install/upgrade: 3.11.0
**********************************

(on Debian / Ubuntu)
apt-get update && apt-get install gerrit=3.11.0-1

(on AlmaLinux / RedHat)
yum clean all && yum install gerrit-3.11.0-1

(on Fedora)
dnf clean all && dnf install gerrit-3.11.0-1

If it is a new installation and you don't have the GerritForge repositories
configured, or if you are upgrading to ARM-64, please follow the instructions at:
https://gitenterprise.me/2022/11/23/arm-64-welcomes-gerrit-code-review/

Docker images
*************

Gerrit is distributed on DockerHub at:
https://hub.docker.com/r/gerritcodereview/gerrit/

The following tags have been published:
latest => 3.11.0
3.11.0 => 3.11.0-almalinux9
3.11.0-almalinux9
3.11.0-ubuntu24

More information on how to use Gerrit Docker image for testing, staging, and production at:
https://gerrit.googlesource.com/docker-gerrit

MacOS native package
********************

Gerrit is now available as Homebrew tap:
https://github.com/GerritCodeReview/homebrew-gerrit

To install or update the tap:
brew tap GerritCodeReview/gerrit
OR
brew update

To install Gerrit with Homebrew:
brew install ger...@3.11.0

MacOS Gerrit native installer is available for download at:
https://gerritforge.com/gerrit/mac/gerrit-installer-3.11.0.pkg

SHA1:
ee53d6adbe99833fe8c7adbb8c3b8e1bdeebd087

SHA256:
066119f84c9a3450db280a4c890b8ac1f9259f0a06ce8ca541930cfbd1eee21c


Aaron Smith

Dec 5, 2024, 2:48:58 PM
to Repo and Gerrit Discussion
I tried the published docker container on my sandbox server. Gerrit can't initialize because the UID for the gerrit user in the container changed from 1000 to 1001, so ownership on persistent volumes does not match up.

I ran `/entrypoint.sh init` and got a couple thousand lines of error output, but the first few lines correctly point to ownership/permission problems:
fatal: InitInjector failed
fatal: Unable to create injector, see the following errors:
fatal:
fatal: 1) [Guice/ErrorInjectingConstructor]: RuntimeException: Cannot load secure.config
fatal:   at InitContainer.<init>(InitContainer.java:44)
fatal:   at InitContainer.class(InitContainer.java:44)
fatal:   while locating InitContainer
fatal:   while locating InitStep annotated with @UniqueAnnotations.Internal(10)
fatal:
fatal: Learn more:
fatal:   https://github.com/google/guice/wiki/ERROR_INJECTING_CONSTRUCTOR
fatal: Caused by: RuntimeException: Cannot load secure.config
...

Is 1001 going to be the new container UID from here on out, or was this unintentional? Is there a better workaround than just chown'ing all the volumes?

Luca Milanesio

Dec 5, 2024, 4:02:24 PM
to Repo and Gerrit Discussion, Luca Milanesio
Which image are you using?

I just ran gerritcodereview/gerrit:3.11.0 and:
a) It starts and works as expected

$ docker run -ti -p 80:8080 -h localhost gerritcodereview/gerrit:3.11.0
...
[2024-12-05T20:56:04.029Z] [main] INFO com.google.gerrit.pgm.Daemon : Gerrit Code Review 3.11.0 ready

b) I see the Gerrit UI on http://localhost

c) The gerrit user UID is 1000 as before

$ docker exec -ti fda1e6360363 bash -c 'echo $UID'
1000

Can you repeat the above steps and confirm what you see?

> I ran `/entrypoint.sh init` and got a couple thousand lines of error output, but the first few lines correctly point to ownership/permission problems:
> fatal: InitInjector failed
> fatal: Unable to create injector, see the following errors:
> fatal:
> fatal: 1) [Guice/ErrorInjectingConstructor]: RuntimeException: Cannot load secure.config
> fatal: at InitContainer.<init>(InitContainer.java:44)
> fatal: at InitContainer.class(InitContainer.java:44)
> fatal: while locating InitContainer
> fatal: while locating InitStep annotated with @UniqueAnnotations.Internal(10)
> fatal:
> fatal: Learn more:
> fatal: https://github.com/google/guice/wiki/ERROR_INJECTING_CONSTRUCTOR
> fatal: Caused by: RuntimeException: Cannot load secure.config
> ...
>
> Is 1001 going to be the new container UID from here on out, or was this unintentional? Is there a better workaround than just chown'ing all the volumes?

Are you using a vanilla image or you have a derived one with more steps?

The UID is the same, as shown in the above output.
If you are not using a vanilla image, are you sure that what you see isn’t related to the bump on the OS versions?

HTH

Luca.

Aaron Smith

Dec 5, 2024, 6:43:37 PM
to Repo and Gerrit Discussion
I see the same thing as you when running the 3.11.0 tagged container directly.

> I ran `/entrypoint.sh init` and got a couple thousand lines of error output, but the first few lines correctly point to ownership/permission problems:
> fatal: InitInjector failed
> fatal: Unable to create injector, see the following errors:
> fatal:
> fatal: 1) [Guice/ErrorInjectingConstructor]: RuntimeException: Cannot load secure.config
> fatal: at InitContainer.<init>(InitContainer.java:44)
> fatal: at InitContainer.class(InitContainer.java:44)
> fatal: while locating InitContainer
> fatal: while locating InitStep annotated with @UniqueAnnotations.Internal(10)
> fatal:
> fatal: Learn more:
> fatal: https://github.com/google/guice/wiki/ERROR_INJECTING_CONSTRUCTOR
> fatal: Caused by: RuntimeException: Cannot load secure.config
> ...
>
> Is 1001 going to be the new container UID from here on out, or was this unintentional? Is there a better workaround than just chown'ing all the volumes?

> Are you using a vanilla image or you have a derived one with more steps?

I'm using the vanilla Ubuntu image. The UID is 1001 regardless of whether I use the published container or build it from https://gerrit.googlesource.com/docker-gerrit.

> The UID is the same, as shown in the above output.
> If you are not using a vanilla image, are you sure that what you see isn’t related to the bump on the OS versions?

The significant difference is Ubuntu vs. Alma Linux:

$ docker run -ti -h localhost gerritcodereview/gerrit:3.11.0
$ sudo docker exec -it zealous_torvalds head -n2 /etc/os-release; sudo docker exec -it zealous_torvalds id
NAME="AlmaLinux"
VERSION="9.4 (Seafoam Ocelot)"
uid=1000(gerrit) gid=1000(gerrit) groups=1000(gerrit)

$ sudo docker run -ti -h localhost gerritcodereview/gerrit:3.11.0-ubuntu24
$ sudo docker exec -it xenodochial_bhabha head -n2 /etc/os-release; sudo docker exec -it xenodochial_bhabha id
PRETTY_NAME="Ubuntu 24.04.1 LTS"
NAME="Ubuntu"
uid=1001(gerrit) gid=1001(gerrit) groups=1001(gerrit)

My apologies for not mentioning the tag I'm using in my first message.

> HTH
>
> Luca.

Aaron Smith

Dec 5, 2024, 8:10:01 PM
to Repo and Gerrit Discussion
Out of curiosity, I tried it with the latest Ubuntu 3.10 container:
$ sudo docker run -ti -h localhost gerritcodereview/gerrit:3.10.3-ubuntu22
$ sudo docker exec -it elegant_kirch head -n2 /etc/os-release; sudo docker exec -it elegant_kirch id
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
uid=1000(gerrit) gid=1000(gerrit) groups=1000(gerrit)

I don't see anything in the changes to `docker-gerrit/ubuntu/24/Dockerfile` that would directly cause the UID to change, so something must have changed in the parent `eclipse-temurin` container when it updated to Ubuntu 24.

Aaron Smith

Dec 5, 2024, 8:30:03 PM
to Repo and Gerrit Discussion
Indeed, the ubuntu team dug in their heels and insisted on adding the `ubuntu` user by default to the container:

If the Gerrit team wants to continue using UID 1000, a suggested fix is to use this in the Dockerfile. This frees up the first UID so that the addition of the `gerrit` user in the debian package's `preinst` script ends up with UID 1000, as it has been in the past.
FROM ubuntu:23.04
RUN touch /var/mail/ubuntu && chown ubuntu /var/mail/ubuntu && userdel -r ubuntu

If the team prefers to proceed with UID 1001, I'll make the necessary adjustments in my environment.

Luca Milanesio

Dec 6, 2024, 3:58:50 AM
to Repo and Gerrit Discussion, Luca Milanesio, Aaron Smith
Hi Aaron,
Thanks for digging into it!
Cool, would you like to create a change to amend the Gerrit v3.11 release notes and add a reference to this Ubuntu 24.04 issue?

> If the Gerrit team wants to continue using UID 1000, a suggested fix is to use this in the Dockerfile. This frees up the first UID so that the addition of the `gerrit` user in the debian package's `preinst` script ends up with UID 1000, as it has been in the past.
> FROM ubuntu:23.04
> RUN touch /var/mail/ubuntu && chown ubuntu /var/mail/ubuntu && userdel -r ubuntu

I would rather NOT do it and leave the Ubuntu team to fix it.

As long as we know about it and it is documented as a workaround, then the Gerrit admins can either remove the user or leave it and chown the files.

>
> If the team prefers to proceed with UID 1001, I'll make the necessary adjustments in my environment.

Yeah, I believe that would make more sense.

>
> My apologies for not mentioning the tag I'm using in my first message.

No problem and thanks for raising it.

Luca.

Aaron Smith

Dec 6, 2024, 12:35:31 PM
to Repo and Gerrit Discussion
I'd be glad to. I don't have a Contributor License Agreement in place, so I'll talk to my employer about that today.

> If the Gerrit team wants to continue using UID 1000, a suggested fix is to use this in the Dockerfile. This frees up the first UID so that the addition of the `gerrit` user in the debian package's `preinst` script ends up with UID 1000, as it has been in the past.
> FROM ubuntu:23.04
> RUN touch /var/mail/ubuntu && chown ubuntu /var/mail/ubuntu && userdel -r ubuntu

> I would rather NOT do it and leave the Ubuntu team to fix it.

> As long as we know about it and it is documented as a workaround, then the Gerrit admins can either remove the user or leave it and chown the files.

It sounds like this is the new, intentional direction from the Ubuntu team. Time will tell whether pushback from the community will sway them, but I think we should plan on them not changing this.

>
> If the team prefers to proceed with UID 1001, I'll make the necessary adjustments in my environment.

> Yeah, I believe that would make more sense.

The downside is that the two supported containers won't be interchangeable unless the admin knows about and addresses the ownership issue.
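The ownership mismatch discussed in this thread (gerrit UID 1000 in the AlmaLinux image, 1001 in the Ubuntu 24 image) can be caught before the container is started. The following pre-flight script is an added example, not code from the docker-gerrit project or from either poster; it assumes `docker` is on PATH for the image lookup, that the volume paths are examples, and it only reports and prints a suggested `chown`, never runs it.

```shell
#!/bin/sh
# Pre-flight check before switching a Gerrit deployment between image tags
# (e.g. 3.11.0-almalinux9, gerrit UID 1000, vs 3.11.0-ubuntu24, gerrit UID 1001).
# Added example; not part of the docker-gerrit project.

# UID that the 'gerrit' user has inside an image. Assumes docker is available;
# a known UID can be passed to plan_volume_check directly to skip this step.
image_gerrit_uid() {
    docker run --rm --entrypoint id "$1" -u gerrit
}

# Count filesystem entries under a volume that are NOT owned by the given UID.
# 0 means the volume is usable by Gerrit running as that UID; anything else
# will surface at startup as errors such as "Cannot load secure.config".
count_foreign_entries() {
    dir=$1; uid=$2
    find "$dir" ! -uid "$uid" | wc -l | tr -d ' '
}

# Compare each volume against the UID and print a plan. Nothing is chown'ed
# here: the admin chooses between re-owning the data and keeping the image
# tag whose UID already matches the existing ownership.
plan_volume_check() {
    uid=$1; shift
    status=0
    for dir in "$@"; do
        n=$(count_foreign_entries "$dir" "$uid")
        if [ "$n" -eq 0 ]; then
            echo "ok       $dir: all entries owned by uid $uid"
        else
            echo "MISMATCH $dir: $n entries not owned by uid $uid"
            echo "         fix: chown -R $uid:$uid $dir   (or keep the other image tag)"
            status=1
        fi
    done
    return $status
}

# Example invocation against hypothetical volume paths (needs docker):
# plan_volume_check "$(image_gerrit_uid gerritcodereview/gerrit:3.11.0-ubuntu24)" \
#     /srv/gerrit/etc /srv/gerrit/git /srv/gerrit/index
```

A non-zero exit from `plan_volume_check` is suitable as a gate in the deployment pipeline so the tag change is refused until ownership and UID agree.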