https://blueprints.launchpad.net/fuel/+spec/plugins-security-fixes-delivery
Fuel user should be able to get security fixes for plugin’s packages.
Each Fuel plugin can provide a set of repositories with packages, currently there is no easy way to update the packages in the repositories
When plugin developer builds the plugin i.e. runs command fpb –build plugin_name, fpb builds RPM with all of the repositories, deployment scripts and required metadata. The package has version in metadata.yaml 1.0.2, name of RPM package is plugin_name-1.0 and RPM version is 1.0.2.
Major version of the plugin is included into the name because, we can have several major plugin versions in a single installation.
We do not want to break backward compatibility, hence fuel client should be able to install both package formats, the old fp and the new rpm. Fuel client will define installation method by plugin extension plugin_name-1.0.2.fp and plugin_name-1.0-1.0.2.noarch.rpm.
When new plugin with security fixes is released, minor version of the plugin should be increased to 1.0.3, version in the name will be unchanged i.e. 1.0, but RPM version is going to be 1.0.3, after that user can run yum update plugin_name-1.0-1.0.3.noarch.rpm which updates plugin’s repositories, and user can performs packages updates.
If user uses fuel client to install rpm, it performs installation with yum, and registers the plugins in Nailgun, if user uses yum to install the plugin he should manually register the plugin with register command, e.g. fuel plugins –register plugin_name==1.0.3.
Installation:
For update fuel client should provide a new command fuel plugins –update plugin_name-1.0.0.rpm
Removal:
Downgrade:
Backward compatibility matrix for different Fuel releases:
|-----+-------------+---------------|
| | .fp (1.0.0) | .rpm (2.0.0) |
|-----+-------------+---------------|
| 6.0 | Supported | Not supported |
| 6.1 | Supported | Supported |
|-----+-------------+---------------|
Lets consider several cases. User has the next plugins
|-------------+---------+------------------|
| Name | Version | Package version* |
|-------------+---------+------------------|
| plugin_name | 2.0.0 | 1.0.0 |
| plugin_name | 2.0.1 | 1.0.0 |
| new_plugin | 1.0.1 | 2.0.0 |
|-------------+---------+------------------|
* Package version is a version which identifies
plugin format, in 6.0 we had 1.0.0 format,
in the next release we will get 2.0.0 plugin
format
User gets new version 2.0.2 with security fixes, also he has upgraded Fuel from 6.0 to 6.1.
Package version 1.0.0 -> 1.0.0, plugin name is plugin_name
If user tries to run update error should be shown, that he cannot perform update with old (1.0.0) version of package, also we can provide a manual instruction, how to perform update. But in this case we will not be able to get consistent information about the plugin from the database, which version is used on the environment.
/var/www/nailgun/plugins/plugin_name-2.0.2 ->
/var/www/nailgun/plugins/plugin_name-2.0.1
/var/www/nailgun/plugins/plugin_name-2.0.2 ->
/var/www/nailgun/plugins/plugin_name-2.0.0
Package version 1.0.0 -> 2.0.0, plugin name is plugin_name
The same as for case from above, user has to perform manual actions to get repositories updated.
Package version 2.0.0 -> 2.0.0, plugin name is new_plugin
Should work fine, no manual actions required.
If we leave it as is user won’t be able to get patches with existing tools, like yum, which is a huge problem, because in this case many things should be reimplemented in fuel client.
None
None
Plugins which are installed in old format cannot be updated as rpm packages, but it’s possible to deliver manual fixes.
User will have easy way to apply security fixes.
None
None
None
None
None
Unit and System tests are required.
None