--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Dear Stable release team,
I'd like to upload an update of Swift through s-p-u, in order to fix a
number of issues listed below:
- User creation was done in a non-OpenStack package standard way, namely
missing the --disabled-login option.
- On removal, the package was calling userdel, which I consider dangerous
(potential reuse of the UUID).
- On purge, /var/cache/swift wasn't removed.
- The swift-container-sync init script wasn't installed.
More importantly, there's 2 CVEs which needs to be fixed:
- CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
object.
- CVE-2015-5223: Information leak via Swift tempurls.
The above CVEs were considered not critical enough by the security team
to deserve a DSA, though they still deserve fixing.
I have attached a debdiff with all of the above problems corrected. The
pre-built package is also available here:
http://sid.gplhost.com/jessie-proposed-updates/swift/
Please allow me to upload swift/2.2.0-1+deb8u1 to jessie-proposed-updates.
Cheers,
Thomas Goirand (zigo)
diff -Nru swift-2.2.0/debian/changelog swift-2.2.0/debian/changelog
--- swift-2.2.0/debian/changelog 2014-10-16 12:48:43.000000000 +0000
+++ swift-2.2.0/debian/changelog 2015-09-15 19:29:22.000000000 +0000
@@ -1,3 +1,20 @@
+swift (2.2.0-1+deb8u1) jessie-proposed-updates; urgency=medium
+
+ [ Thomas Goirand ]
+ * Fixed swift user creation (standardized on pkgos way).
+ * CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
+ object. Applied upstream patch: Prevent unauthorized delete in versioned
+ container (Closes: #783163).
+
+ [ Ondřej Nový ]
+ * Fixed service name of object-expirer.
+ * Added container-sync init script.
+ * CVE-2015-5223: Information leak via Swift tempurls.
+ Applied upstream patch: Disallow unsafe tempurl operations to point
+ to unauthorized data (Closes: #797032).
+
+ -- Thomas Goirand <z...@debian.org> Tue, 15 Sep 2015 21:28:14 +0200
+
swift (2.2.0-1) unstable; urgency=medium
* New upstream release.
diff -Nru swift-2.2.0/debian/patches/CVE-2015-1856_Prevent-unauthorized-delete-in-versioned-container.patch swift-2.2.0/debian/patches/CVE-2015-1856_Prevent-unauthorized-delete-in-versioned-container.patch
--- swift-2.2.0/debian/patches/CVE-2015-1856_Prevent-unauthorized-delete-in-versioned-container.patch 1970-01-01 00:00:00.000000000 +0000
+++ swift-2.2.0/debian/patches/CVE-2015-1856_Prevent-unauthorized-delete-in-versioned-container.patch 2015-09-15 19:29:22.000000000 +0000
@@ -0,0 +1,242 @@
+Description: CVE-2015-1856: Prevent unauthorized delete in versioned container
+ An authenticated user can delete the most recent version of any versioned
+ object who's name is known if the user has listing access to the
+ x-versions-location container. Only Swift setups with allow_version setting
+ are affected.
+ .
+ This patch closes this bug, tracked as CVE-2015-1856.
+Author: Alistair Coles <alistair.co...@hp.com>
+Date: Fri, 3 Apr 2015 16:05:36 +0000 (+0100)
+X-Git-Url: https://review.openstack.org/gitweb?p=openstack%2Fswift.git;a=commitdiff_plain;h=85afe9316570855c87ea731d0627f6f8f2b73264
+Co-Authored-By: Clay Gerrard <clay.gerr...@gmail.com>
+Co-Authored-By: Christian Schwede <i...@cschwede.de>
+Co-Authored-By: Alistair Coles <alistair.co...@hp.com>
+Bug-Ubuntu: https://bugs.launchpad.net/swift/+bug/1430645
+Change-Id: I74448c12bc4d4cd07d4300f452cf3dd6f66ca70a
+Bug-Debian: https://bugs.debian.org/783163
+
+diff --git a/swift/proxy/controllers/obj.py b/swift/proxy/controllers/obj.py
+index abd4cc2..36c1058 100644
+--- a/swift/proxy/controllers/obj.py
++++ b/swift/proxy/controllers/obj.py
+@@ -783,6 +783,10 @@ class ObjectController(Controller):
+ req.acl = container_info['write_acl']
+ req.environ['swift_sync_key'] = container_info['sync_key']
+ object_versions = container_info['versions']
++ if 'swift.authorize' in req.environ:
++ aresp = req.environ['swift.authorize'](req)
++ if aresp:
++ return aresp
+ if object_versions:
+ # this is a version manifest and needs to be handled differently
+ object_versions = unquote(object_versions)
+@@ -853,11 +857,11 @@ class ObjectController(Controller):
+ # remove 'X-If-Delete-At', since it is not for the older copy
+ if 'X-If-Delete-At' in req.headers:
+ del req.headers['X-If-Delete-At']
++ if 'swift.authorize' in req.environ:
++ aresp = req.environ['swift.authorize'](req)
++ if aresp:
++ return aresp
+ break
+- if 'swift.authorize' in req.environ:
+- aresp = req.environ['swift.authorize'](req)
+- if aresp:
+- return aresp
+ if not containers:
+ return HTTPNotFound(request=req)
+ partition, nodes = obj_ring.get_nodes(
+diff --git a/test/functional/tests.py b/test/functional/tests.py
+index d6b0b70..e57f22b 100644
+--- a/test/functional/tests.py
++++ b/test/functional/tests.py
+@@ -2397,6 +2397,14 @@ class TestObjectVersioningEnv(object):
+ cls.account = Account(cls.conn, tf.config.get('account',
+ tf.config['username']))
+
++ # Second connection for ACL tests
++ config2 = deepcopy(tf.config)
++ config2['account'] = tf.config['account2']
++ config2['username'] = tf.config['username2']
++ config2['password'] = tf.config['password2']
++ cls.conn2 = Connection(config2)
++ cls.conn2.authenticate()
++
+ # avoid getting a prefix that stops halfway through an encoded
+ # character
+ prefix = Utils.create_name().decode("utf-8")[:10].encode("utf-8")
+@@ -2450,6 +2458,14 @@ class TestCrossPolicyObjectVersioningEnv(object):
+ cls.account = Account(cls.conn, tf.config.get('account',
+ tf.config['username']))
+
++ # Second connection for ACL tests
++ config2 = deepcopy(tf.config)
++ config2['account'] = tf.config['account2']
++ config2['username'] = tf.config['username2']
++ config2['password'] = tf.config['password2']
++ cls.conn2 = Connection(config2)
++ cls.conn2.authenticate()
++
+ # avoid getting a prefix that stops halfway through an encoded
+ # character
+ prefix = Utils.create_name().decode("utf-8")[:10].encode("utf-8")
+@@ -2484,6 +2500,15 @@ class TestObjectVersioning(Base):
+ "Expected versioning_enabled to be True/False, got %r" %
+ (self.env.versioning_enabled,))
+
++ def tearDown(self):
++ super(TestObjectVersioning, self).tearDown()
++ try:
++ # delete versions first!
++ self.env.versions_container.delete_files()
++ self.env.container.delete_files()
++ except ResponseError:
++ pass
++
+ def test_overwriting(self):
+ container = self.env.container
+ versions_container = self.env.versions_container
+@@ -2515,6 +2540,33 @@ class TestObjectVersioning(Base):
+ versioned_obj.delete()
+ self.assertRaises(ResponseError, versioned_obj.read)
+
++ def test_versioning_check_acl(self):
++ container = self.env.container
++ versions_container = self.env.versions_container
++ versions_container.create(hdrs={'X-Container-Read': '.r:*,.rlistings'})
++
++ obj_name = Utils.create_name()
++ versioned_obj = container.file(obj_name)
++ versioned_obj.write("aaaaa")
++ self.assertEqual("aaaaa", versioned_obj.read())
++
++ versioned_obj.write("bbbbb")
++ self.assertEqual("bbbbb", versioned_obj.read())
++
++ # Use token from second account and try to delete the object
++ org_token = self.env.account.conn.storage_token
++ self.env.account.conn.storage_token = self.env.conn2.storage_token
++ try:
++ self.assertRaises(ResponseError, versioned_obj.delete)
++ finally:
++ self.env.account.conn.storage_token = org_token
++
++ # Verify with token from first account
++ self.assertEqual("bbbbb", versioned_obj.read())
++
++ versioned_obj.delete()
++ self.assertEqual("aaaaa", versioned_obj.read())
++
+
+ class TestObjectVersioningUTF8(Base2, TestObjectVersioning):
+ set_up = False
+diff --git a/test/unit/proxy/test_server.py b/test/unit/proxy/test_server.py
+index b3b18a7..85ca553 100644
+--- a/test/unit/proxy/test_server.py
++++ b/test/unit/proxy/test_server.py
+@@ -56,7 +56,7 @@ from swift.proxy.controllers.base import get_container_memcache_key, \
+ get_account_memcache_key, cors_validation
+ import swift.proxy.controllers
+ from swift.common.swob import Request, Response, HTTPUnauthorized, \
+- HTTPException
++ HTTPException, HTTPForbidden
+ from swift.common import storage_policy
+ from swift.common.storage_policy import StoragePolicy, \
+ StoragePolicyCollection, POLICIES
+@@ -1566,6 +1566,7 @@ class TestObjectController(unittest.TestCase):
+ ])
+ def test_DELETE_on_expired_versioned_object(self):
+ methods = set()
++ authorize_call_count = [0]
+
+ def test_connect(ipaddr, port, device, partition, method, path,
+ headers=None, query_string=None):
+@@ -1591,6 +1592,10 @@ class TestObjectController(unittest.TestCase):
+ for obj in object_list:
+ yield obj
+
++ def fake_authorize(req):
++ authorize_call_count[0] += 1
++ return None # allow the request
++
+ with save_globals():
+ controller = proxy_server.ObjectController(self.app,
+ 'a', 'c', 'o')
+@@ -1602,7 +1607,8 @@ class TestObjectController(unittest.TestCase):
+ 204, 204, 204, # delete for the pre-previous
+ give_connect=test_connect)
+ req = Request.blank('/v1/a/c/o',
+- environ={'REQUEST_METHOD': 'DELETE'})
++ environ={'REQUEST_METHOD': 'DELETE',
++ 'swift.authorize': fake_authorize})
+
+ self.app.memcache.store = {}
+ self.app.update_request(req)
+@@ -1612,6 +1618,67 @@ class TestObjectController(unittest.TestCase):
+ ('PUT', '/a/c/o'),
+ ('DELETE', '/a/foo/2')]
+ self.assertEquals(set(exp_methods), (methods))
++ self.assertEquals(authorize_call_count[0], 2)
++
++ @patch_policies([
++ StoragePolicy(0, 'zero', False, object_ring=FakeRing()),
++ StoragePolicy(1, 'one', True, object_ring=FakeRing())
++ ])
++ def test_denied_DELETE_of_versioned_object(self):
++ """
++ Verify that a request with read access to a versions container
++ is unable to cause any write operations on the versioned container.
++ """
++ methods = set()
++ authorize_call_count = [0]
++
++ def test_connect(ipaddr, port, device, partition, method, path,
++ headers=None, query_string=None):
++ methods.add((method, path))
++
++ def fake_container_info(account, container, req):
++ return {'status': 200, 'sync_key': None,
++ 'meta': {}, 'cors': {'allow_origin': None,
++ 'expose_headers': None,
++ 'max_age': None},
++ 'sysmeta': {}, 'read_acl': None, 'object_count': None,
++ 'write_acl': None, 'versions': 'foo',
++ 'partition': 1, 'bytes': None, 'storage_policy': '1',
++ 'nodes': [{'zone': 0, 'ip': '10.0.0.0', 'region': 0,
++ 'id': 0, 'device': 'sda', 'port': 1000},
++ {'zone': 1, 'ip': '10.0.0.1', 'region': 1,
++ 'id': 1, 'device': 'sdb', 'port': 1001},
++ {'zone': 2, 'ip': '10.0.0.2', 'region': 0,
++ 'id': 2, 'device': 'sdc', 'port': 1002}]}
++
++ def fake_list_iter(container, prefix, env):
++ object_list = [{'name': '1'}, {'name': '2'}, {'name': '3'}]
++ for obj in object_list:
++ yield obj
++
++ def fake_authorize(req):
++ # deny write access
++ authorize_call_count[0] += 1
++ return HTTPForbidden(req) # allow the request
++
++ with save_globals():
++ controller = proxy_server.ObjectController(self.app,
++ 'a', 'c', 'o')
++ controller.container_info = fake_container_info
++ # patching _listing_iter simulates request being authorized
++ # to list versions container
++ controller._listing_iter = fake_list_iter
++ set_http_connect(give_connect=test_connect)
++ req = Request.blank('/v1/a/c/o',
++ environ={'REQUEST_METHOD': 'DELETE',
++ 'swift.authorize': fake_authorize})
++
++ self.app.memcache.store = {}
++ self.app.update_request(req)
++ resp = controller.DELETE(req)
++ self.assertEqual(403, resp.status_int)
++ self.assertFalse(methods, methods)
++ self.assertEquals(authorize_call_count[0], 1)
+
+ def test_PUT_auto_content_type(self):
+ with save_globals():
diff -Nru swift-2.2.0/debian/patches/CVE-2015-5223_Disallow-unsafe-tempurl-operations-to-point-to-unauthorized-data.patch swift-2.2.0/debian/patches/CVE-2015-5223_Disallow-unsafe-tempurl-operations-to-point-to-unauthorized-data.patch
--- swift-2.2.0/debian/patches/CVE-2015-5223_Disallow-unsafe-tempurl-operations-to-point-to-unauthorized-data.patch 1970-01-01 00:00:00.000000000 +0000
+++ swift-2.2.0/debian/patches/CVE-2015-5223_Disallow-unsafe-tempurl-operations-to-point-to-unauthorized-data.patch 2015-09-15 19:29:22.000000000 +0000
@@ -0,0 +1,182 @@
+From 0694e1911d10a18075ff99462c96781372422b2c Mon Sep 17 00:00:00 2001
+From: Clay Gerrard <clay.gerr...@gmail.com>
+Date: Thu, 23 Jul 2015 22:36:21 -0700
+Origin: upstream, https://review.openstack.org/#/c/217253/
+Subject: [PATCH] Disallow unsafe tempurl operations to point to unauthorized
+ data
+
+Do not allow PUT tempurls to create pointers to other data. Specifically
+disallow the creation of DLO object manifests by returning an error if a
+non-safe tempurl request includes an X-Object-Manifest header regardless of
+the value of the header.
+
+This prevents discoverability attacks which can use any PUT tempurl to probe
+for private data by creating a DLO object manifest and then using the PUT
+tempurl to head the object which would 404 if the prefix does not match any
+object data or form a valid DLO HEAD response if it does.
+
+This also prevents a tricky and potentially unexpected consequence of PUT
+tempurls which would make it unsafe to allow a user to download objects
+created by tempurl (even if they just created them) because the result of
+reading the object created via tempurl may not be the data which was uploaded.
+
+[CVE-2015-5223]
+
+Co-Authored-By: Kota Tsuyuzaki <tsuyuzaki.k...@lab.ntt.co.jp>
+
+Closes-Bug: 1453948
+
+Change-Id: I91161dfb0f089c3990aca1b4255b520299ef73c8
+---
+ swift/common/middleware/tempurl.py | 31 ++++++++++++++++++++++++-
+ test/functional/tests.py | 36 +++++++++++++++++++++++++++++
+ test/unit/common/middleware/test_tempurl.py | 19 +++++++++++++++
+ 3 files changed, 85 insertions(+), 1 deletion(-)
+
+diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py
+index c2381b3..1f94e8d 100644
+--- a/swift/common/middleware/tempurl.py
++++ b/swift/common/middleware/tempurl.py
+@@ -119,11 +119,13 @@ from urllib import urlencode
+ from urlparse import parse_qs
+
+ from swift.proxy.controllers.base import get_account_info
+-from swift.common.swob import HeaderKeyDict, HTTPUnauthorized
++from swift.common.swob import HeaderKeyDict, HTTPUnauthorized, HTTPBadRequest
+ from swift.common.utils import split_path, get_valid_utf8_str, \
+ register_swift_info, get_hmac, streq_const_time, quote
+
+
++DISALLOWED_INCOMING_HEADERS = 'x-object-manifest'
++
+ #: Default headers to remove from incoming requests. Simply a whitespace
+ #: delimited list of header names and names can optionally end with '*' to
+ #: indicate a prefix match. DEFAULT_INCOMING_ALLOW_HEADERS is a list of
+@@ -227,6 +229,10 @@ class TempURL(object):
+ #: The methods allowed with Temp URLs.
+ self.methods = methods
+
++ self.disallowed_headers = set(
++ 'HTTP_' + h.upper().replace('-', '_')
++ for h in DISALLOWED_INCOMING_HEADERS.split())
++
+ headers = DEFAULT_INCOMING_REMOVE_HEADERS
+ if 'incoming_remove_headers' in conf:
+ headers = conf['incoming_remove_headers']
+@@ -320,6 +326,13 @@ class TempURL(object):
+ for hmac in hmac_vals)
+ if not is_valid_hmac:
+ return self._invalid(env, start_response)
++ # disallowed headers prevent accidently allowing upload of a pointer
++ # to data that the PUT tempurl would not otherwise allow access for.
++ # It should be safe to provide a GET tempurl for data that an
++ # untrusted client just uploaded with a PUT tempurl.
++ resp = self._clean_disallowed_headers(env, start_response)
++ if resp:
++ return resp
+ self._clean_incoming_headers(env)
+ env['swift.authorize'] = lambda req: None
+ env['swift.authorize_override'] = True
+@@ -456,6 +469,22 @@ class TempURL(object):
+ body = '401 Unauthorized: Temp URL invalid\n'
+ return HTTPUnauthorized(body=body)(env, start_response)
+
++ def _clean_disallowed_headers(self, env, start_response):
++ """
++ Validate the absense of disallowed headers for "unsafe" operations.
++
++ :returns: None for safe operations or swob.HTTPBadResponse if the
++ request includes disallowed headers.
++ """
++ if env['REQUEST_METHOD'] in ('GET', 'HEAD', 'OPTIONS'):
++ return
++ for h in env:
++ if h in self.disallowed_headers:
++ return HTTPBadRequest(
++ body='The header %r is not allowed in this tempurl' %
++ h[len('HTTP_'):].title().replace('_', '-'))(
++ env, start_response)
++
+ def _clean_incoming_headers(self, env):
+ """
+ Removes any headers from the WSGI environment as per the
+diff --git a/test/functional/tests.py b/test/functional/tests.py
+index e57f22b..654949f 100644
+--- a/test/functional/tests.py
++++ b/test/functional/tests.py
+@@ -2687,6 +2687,42 @@ class TestTempurl(Base):
+ self.assert_(new_obj.info(parms=put_parms,
+ cfg={'no_auth_token': True}))
+
++ def test_PUT_manifest_access(self):
++ new_obj = self.env.container.file(Utils.create_name())
++
++ # give out a signature which allows a PUT to new_obj
++ expires = int(time.time()) + 86400
++ sig = self.tempurl_sig(
++ 'PUT', expires, self.env.conn.make_path(new_obj.path),
++ self.env.tempurl_key)
++ put_parms = {'temp_url_sig': sig,
++ 'temp_url_expires': str(expires)}
++
++ # try to create manifest pointing to some random container
++ try:
++ new_obj.write('', {
++ 'x-object-manifest': '%s/foo' % 'some_random_container'
++ }, parms=put_parms, cfg={'no_auth_token': True})
++ except ResponseError as e:
++ self.assertEqual(e.status, 400)
++ else:
++ self.fail('request did not error')
++
++ # create some other container
++ other_container = self.env.account.container(Utils.create_name())
++ if not other_container.create():
++ raise ResponseError(self.conn.response)
++
++ # try to create manifest pointing to new container
++ try:
++ new_obj.write('', {
++ 'x-object-manifest': '%s/foo' % other_container
++ }, parms=put_parms, cfg={'no_auth_token': True})
++ except ResponseError as e:
++ self.assertEqual(e.status, 400)
++ else:
++ self.fail('request did not error')
++
+ def test_HEAD(self):
+ expires = int(time.time()) + 86400
+ sig = self.tempurl_sig(
+diff --git a/test/unit/common/middleware/test_tempurl.py b/test/unit/common/middleware/test_tempurl.py
+index 0581077..ffb3b98 100644
+--- a/test/unit/common/middleware/test_tempurl.py
++++ b/test/unit/common/middleware/test_tempurl.py
+@@ -623,6 +623,25 @@ class TestTempURL(unittest.TestCase):
+ self.assertTrue('Temp URL invalid' in resp.body)
+ self.assertTrue('Www-Authenticate' in resp.headers)
+
++ def test_disallowed_header_object_manifest(self):
++ self.tempurl = tempurl.filter_factory({})(self.auth)
++ method = 'PUT'
++ expires = int(time() + 86400)
++ path = '/v1/a/c/o'
++ key = 'abc'
++ hmac_body = '%s\n%s\n%s' % (method, expires, path)
++ sig = hmac.new(key, hmac_body, sha1).hexdigest()
++ req = self._make_request(
++ path, method='PUT', keys=[key],
++ headers={'x-object-manifest': 'private/secret'},
++ environ={'QUERY_STRING': 'temp_url_sig=%s&temp_url_expires=%s' % (
++ sig, expires)})
++ resp = req.get_response(self.tempurl)
++ self.assertEquals(resp.status_int, 400)
++ self.assertTrue('header' in resp.body)
++ self.assertTrue('not allowed' in resp.body)
++ self.assertTrue('X-Object-Manifest' in resp.body)
++
+ def test_removed_incoming_header(self):
+ self.tempurl = tempurl.filter_factory({
+ 'incoming_remove_headers': 'x-remove-this'})(self.auth)
+--
+2.3.2 (Apple Git-55)
+
diff -Nru swift-2.2.0/debian/patches/series swift-2.2.0/debian/patches/series
--- swift-2.2.0/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ swift-2.2.0/debian/patches/series 2015-09-15 19:29:22.000000000 +0000
@@ -0,0 +1,2 @@
+CVE-2015-1856_Prevent-unauthorized-delete-in-versioned-container.patch
+CVE-2015-5223_Disallow-unsafe-tempurl-operations-to-point-to-unauthorized-data.patch
diff -Nru swift-2.2.0/debian/python-swift.postinst swift-2.2.0/debian/python-swift.postinst
--- swift-2.2.0/debian/python-swift.postinst 2014-10-16 12:48:43.000000000 +0000
+++ swift-2.2.0/debian/python-swift.postinst 2015-09-15 19:29:22.000000000 +0000
@@ -2,14 +2,34 @@
set -e
-#DEBHELPER#
+pkgos_adduser () {
+ local VAR_UG_PKG_NAME
+ VAR_UG_PKG_NAME=${1}
+
+ # Create user and groups if they don't exist
+ if ! getent group ${VAR_UG_PKG_NAME} > /dev/null 2>&1 ; then
+ addgroup --quiet --system ${VAR_UG_PKG_NAME}
+ fi
+ if ! getent passwd ${VAR_UG_PKG_NAME} > /dev/null 2>&1 ; then
+ adduser --system \
+ --home /var/lib/${VAR_UG_PKG_NAME} \
+ --no-create-home \
+ --quiet \
+ --disabled-password \
+ --shell /bin/bash \
+ --group ${VAR_UG_PKG_NAME}
+ fi
+ usermod -G adm ${VAR_UG_PKG_NAME}
+}
-if ! getent passwd swift > /dev/null ; then
- adduser --system --quiet --disabled-login --disabled-password --no-create-home --group --shell /bin/false swift
-fi
-usermod -G adm swift
+if [ "$1" = "configure" ] || [ "$1" = "reconfigure" ] ; then
+ pkgos_adduser swift
-chown swift:swift /var/cache/swift
+ mkdir -p /var/cache/swift
+ chown swift:swift /var/cache/swift
+fi
+
+#DEBHELPER#
exit 0
diff -Nru swift-2.2.0/debian/python-swift.postrm swift-2.2.0/debian/python-swift.postrm
--- swift-2.2.0/debian/python-swift.postrm 2014-10-16 12:48:43.000000000 +0000
+++ swift-2.2.0/debian/python-swift.postrm 2015-09-15 19:29:22.000000000 +0000
@@ -2,18 +2,9 @@
set -e
-case "$1" in
- purge)
- # Remove swift user if possible
- userdel swift || true
- ;;
- remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
- ;;
- *)
- echo "postrm called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
+if [ "${1}" = "purge" ] ; then
+ rm -rf /var/cache/swift
+fi
#DEBHELPER#
diff -Nru swift-2.2.0/debian/rules swift-2.2.0/debian/rules
--- swift-2.2.0/debian/rules 2014-10-16 12:48:43.000000000 +0000
+++ swift-2.2.0/debian/rules 2015-09-15 19:29:22.000000000 +0000
@@ -56,6 +56,7 @@
dh_installinit --no-start -pswift-container --name=swift-container-replicator
dh_installinit --no-start -pswift-container --name=swift-container-auditor
dh_installinit --no-start -pswift-container --name=swift-container-updater
+ dh_installinit --no-start -pswift-container --name=swift-container-sync
dh_installinit --no-start -pswift-account --name=swift-account-replicator
dh_installinit --no-start -pswift-account --name=swift-account-auditor
dh_installinit --no-start -pswift-account --name=swift-account-reaper
diff -Nru swift-2.2.0/debian/swift-container.swift-container-sync.init swift-2.2.0/debian/swift-container.swift-container-sync.init
--- swift-2.2.0/debian/swift-container.swift-container-sync.init 1970-01-01 00:00:00.000000000 +0000
+++ swift-2.2.0/debian/swift-container.swift-container-sync.init 2015-09-15 19:29:22.000000000 +0000
@@ -0,0 +1,57 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: swift-container-sync
+# Required-Start: $remote_fs
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Swift container sync server
+# Description: Container sync server for Swift.
+### END INIT INFO
+
+set -e
+
+SERVICE_NAME="container-sync"
+PRINT_NAME="container sync"
+
+. /lib/lsb/init-functions
+
+if ! [ -x /usr/bin/swift-init ] ; then
+ exit 0
+fi
+
+case "$1" in
+start)
+ log_daemon_msg "Starting Swift ${PRINT_NAME}" "swift-init ${SERVICE_NAME}"
+ /usr/bin/swift-init ${SERVICE_NAME} start
+ log_end_msg $?
+ exit $?
+;;
+stop)
+ log_daemon_msg "Stopping Swift ${PRINT_NAME}" "swift-init ${SERVICE_NAME}"
+ /usr/bin/swift-init ${SERVICE_NAME} stop
+ log_end_msg $?
+ exit $?
+;;
+restart)
+ log_daemon_msg "Restarting Swift ${PRINT_NAME}" "swift-init ${SERVICE_NAME}"
+ /usr/bin/swift-init ${SERVICE_NAME} restart
+ log_end_msg $?
+ exit $?
+;;
+reload|force-reload)
+ log_daemon_msg "Gracefully restarting Swift ${PRINT_NAME}" "swift-init ${SERVICE_NAME}"
+ /usr/bin/swift-init ${SERVICE_NAME} reload
+ log_end_msg $?
+ exit $?
+;;
+status)
+ exec /usr/bin/swift-init ${SERVICE_NAME} status
+;;
+*)
+ echo "Usage: $0 {start|stop|restart|reload}"
+ exit 1
+;;
+esac
+
+exit 0
diff -Nru swift-2.2.0/debian/swift-container.swift-container-sync.upstart.in swift-2.2.0/debian/swift-container.swift-container-sync.upstart.in
--- swift-2.2.0/debian/swift-container.swift-container-sync.upstart.in 1970-01-01 00:00:00.000000000 +0000
+++ swift-2.2.0/debian/swift-container.swift-container-sync.upstart.in 2015-09-15 19:29:22.000000000 +0000
@@ -0,0 +1,20 @@
+# swift-container-auditor - SWIFT Container Sync
+#
+# The swift container sync.
+
+description "SWIFT Container Sync"
+author "Marc Cluet <marc.cl...@ubuntu.com>"
+
+start on runlevel [2345]
+stop on runlevel [016]
+
+pre-start script
+ if [ -f "/etc/swift/container-server.conf" ]; then
+ exec /usr/bin/swift-init container-sync start
+ else
+ exit 1
+ fi
+end script
+
+post-stop exec /usr/bin/swift-init container-sync stop
+
diff -Nru swift-2.2.0/debian/swift-object-expirer.init swift-2.2.0/debian/swift-object-expirer.init
--- swift-2.2.0/debian/swift-object-expirer.init 2014-10-16 12:48:43.000000000 +0000
+++ swift-2.2.0/debian/swift-object-expirer.init 2015-09-15 19:29:22.000000000 +0000
@@ -9,7 +9,7 @@
# Description: Object expirer daemon for swift.
### END INIT INFO
-SERVICE_NAME="object-server-expirer"
+SERVICE_NAME="object-expirer"
PRINT_NAME="object expirer daemon"
. /lib/lsb/init-functions
--- End Message ---
