Released September 20, 2022
pScheduler Disk-to-Disk Fixes
This release introduces a breaking change to the disk-to-disk test and tool plugins.
We apologize for doing this in a bugfix release. The team was made aware of a couple of security vulnerabilities that were severe-enough that we thought they should be fixed immediately. The changes described below were the best way to do it without causing side effects that would have gone on for years.*
This is what has changed:
- The curl tool plugin, which was used for the http and disk-to-disk tests has been split into two plugins called curl and curl-d2d. The curl tool plugin will continue to service http tests as it always has but will no longer service disk-to-disk tests.
- A new tool plugin called curl-d2d has been added to service disk-to-disk tests and continues to be the default for disk-to-disk tests that do not explicitly specify a tool. The package containing this plugin (pscheduler-tool-curl-d2d) must be installed manually or will be installed automatically if the pscheduler-bundle-extras package is installed. Any disk-to-disk tests that explicitly specify the curl tool will need to be changed to use curl-d2d instead.
- Additionally, the disk-to-disk test was not supposed to be installed by default but, because of a mistake in the original curl tool plugin, it was pulled in as a dependency. The new plugin no longer has that dependency. Existing systems will still have the test plugin installed but no tool capable of running them, so the test is effectively disabled on those systems.
- We’ve tightened up some file ownership and permissions to prevent possible abuse. These changes should be invisible other than requiring that any modifications be made by the superuser rather than the pScheduler account.
- The graphData.cgi script has been updated to force URLs to the path /esmond/perfsonar/archive to prevent potential abuses.