Re: [VOTE] Apache Pulsar 2.8.2 candidate 2

2021-12-30 Thread Enrico Olivelli 
What's the status of this VOTE?

Enrico

Il Mer 22 Dic 2021, 10:34 Nicolò Boschi  ha scritto:

> +1 (non binding)
>
> Checks:
> - Checksum and signatures
> - Apache Rat check passes
> - Compile from source w JDK8
> - Build docker image from source
> - Run Pulsar standalone and produce-consume from CLI
> - Verified Log4J inside lib/
>
> -rw-r--r-- 1 root root   208235 Jan 22  2020
> org.apache.logging.log4j-log4j-1.2-api-2.17.0.jar
>
> -rw-r--r-- 1 root root   301776 Jan 22  2020
> org.apache.logging.log4j-log4j-api-2.17.0.jar
>
> -rw-r--r-- 1 root root  1789339 Jan 22  2020
> org.apache.logging.log4j-log4j-core-2.17.0.jar
>
> -rw-r--r-- 1 root root24252 Jan 22  2020
> org.apache.logging.log4j-log4j-slf4j-impl-2.17.0.jar
>
> -rw-r--r-- 1 root root35920 Jan 22  2020
> org.apache.logging.log4j-log4j-web-2.17.0.jar
>
> Il giorno mer 22 dic 2021 alle ore 06:37 Lin Lin  ha
> scritto:
>
> >
> >
> > On 2021/12/21 10:48:41 Shivji Kumar Jha wrote:
> > > Hi LinLin,
> > >
> > > Log4j version 2.16.0 has DDoS possibilities in some cases [1] . Can we
> > move
> > > to Log4j 2.17.0 in 2.8.2?
> > >
> > > Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did
> > not
> > > > protect from uncontrolled recursion from self-referential lookups.
> This
> > > > allows an attacker with control over Thread Context Map data to
> cause a
> > > > denial of service when a crafted string is interpreted. This issue
> was
> > > > fixed in Log4j 2.17.0 and 2.12.3.
> >
> >
> > Already included
> >
>
>
> --
> Nicolò Boschi
>

Docker image docker pull apachepulsar/pulsar:2.8.2 missing from dockerhub

2021-12-30 Thread Francisc Florian Munteanu 
Hello all,
we are in the process of updating our apachepulsar docker image dependency, due 
to the log4j2 vulnerabilities.

We noticed that pulsar 2.8.2 was already released with the security fix: 
Upgrade to Log4J 2.17.0 to mitigate CVE-2021-45105 
#13392

However we are not able to find the docker image in dockerhub.

Do you have any expected date for apachepulsar/pulsar:2.8.2 (or higher version 
containing those fixes) to be released ?

Thanks & Regards
Francisc Munteanu

[Bug] Other brokers failed to acquire bundle ownership after unloading a namespace bundle

2021-12-30 Thread zhangao 
Hi, 
    Currently, I found a problem about bundle ownership acquire, 
After I unloaded a namespace bundle, I found these error log on other brokers:


```
2021-12-29 14:37:37.641 [metadata-store-6-1] WARN  
org.apache.pulsar.broker.lookup.TopicLookupBase - Failed to lookup null for 
topic persistent://public/data-channel/tet-partition-30 with error 
org.apache.pulsar.broker.PulsarServerException: Failed to acquire ownership for 
namespace bundle public/data-channel/0xebf3b108_0xf000 
java.util.concurrent.CompletionException: 
org.apache.pulsar.broker.PulsarServerException: Failed to acquire ownership for 
namespace bundle public/data-channel/0xebf3b108_0xf000 at 
java.util.concurrent.CompletableFuture.encodeRelay(CompletableFuture.java:326) 
~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.completeRelay(CompletableFuture.java:338)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.uniRelay(CompletableFuture.java:911) 
~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture$UniRelay.tryFire(CompletableFuture.java:899)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) 
~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:1977)
 ~[?:1.8.0_102] at 
org.apache.pulsar.broker.namespace.NamespaceService.lambda$searchForCandidateBroker$15(NamespaceService.java:577)
 ~[org.apache.pulsar-pulsar-broker-2.9.1.jar:2.9.1] at 
java.util.concurrent.CompletableFuture.uniExceptionally(CompletableFuture.java:870)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture$UniExceptionally.tryFire(CompletableFuture.java:852)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) 
~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:1977)
 ~[?:1.8.0_102] at 
org.apache.pulsar.metadata.coordination.impl.LockManagerImpl.lambda$acquireLock$2(LockManagerImpl.java:111)
 ~[org.apache.pulsar-pulsar-metadata-2.9.1.jar:2.9.1] at 
java.util.concurrent.CompletableFuture.uniExceptionally(CompletableFuture.java:870)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture$UniExceptionally.tryFire(CompletableFuture.java:852)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) 
~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:1977)
 ~[?:1.8.0_102] at 
org.apache.pulsar.metadata.coordination.impl.ResourceLockImpl.lambda$acquire$4(ResourceLockImpl.java:134)
 ~[org.apache.pulsar-pulsar-metadata-2.9.1.jar:2.9.1] at 
java.util.concurrent.CompletableFuture.uniExceptionally(CompletableFuture.java:870)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture$UniExceptionally.tryFire(CompletableFuture.java:852)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) 
~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962) 
~[?:1.8.0_102] at 
org.apache.pulsar.metadata.impl.ZKMetadataStore.lambda$get$7(ZKMetadataStore.java:139)
 ~[org.apache.pulsar-pulsar-metadata-2.9.1.jar:2.9.1] at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 
[?:1.8.0_102] at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 
[?:1.8.0_102] at 
io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
 [io.netty-netty-common-4.1.72.Final.jar:4.1.72.Final] at 
java.lang.Thread.run(Thread.java:745) [?:1.8.0_102] Caused by: 
org.apache.pulsar.broker.PulsarServerException: Failed to acquire ownership for 
namespace bundle public/data-channel/0xebf3b108_0xf000 ... 20 more 
Caused by: java.util.concurrent.CompletionException: 
org.apache.pulsar.metadata.api.MetadataStoreException$LockBusyException: 
Resource at /namespace/public/data-channel/0xebf3b108_0xf000 is already 
locked at 
java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:292)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:308)
 ~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:593) 
~[?:1.8.0_102] at 
java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
 ~[?:1.8.0_102] ... 17 more Caused by: 
org.apache.pulsar.metadata.api.MetadataStoreException$LockBusyException: 
Resource at /namespace/public/data-channel/0xebf3b108_0xf000 is already 
locked at 
org.apache.pulsar.metadata.coordination.impl.ResourceLockImpl.lambda$doRevalidate$20(ResourceLockImpl.java:297)
 ~[org.apache.pulsar-pulsar-metadata-2.9.1.jar:2.9.1]