4.22. conga

Updated conga packages that fix a bug are now available for Red Hat Enterprise Linux 5.
Conga is an agent/server architecture for remote administration of systems. It provides a convenient method for creating and managing clusters built with Red Hat Cluster Suite. It also offers an interface for managing sophisticated storage configurations like those often built to support clusters. The agent component is called "ricci", and the server is called "luci".

Bug Fix

BZ#741169
Prior to this update, when a new cluster was being created with luci, and luci tried to list, install or update cluster packages, the installation process could become unresponsive and could not finish. With this update, the bug has been fixed, and the creation of a new cluster now completes successfully in the described scenario.
Users of conga are advised to upgrade to these updated packages, which fix this bug.

Updated conga packages that fix multiple security issues, multiple bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules.

Security Fixes

CVE-2010-1104, CVE-2011-1948
Multiple cross-site scripting (XSS) flaws were found in luci, the conga web-based administration application. If a remote attacker could trick a user, who was logged into the luci interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's luci session.

Bug Fixes

BZ#709478
Previously, due to incorrect permissions from libvirt, the ricci daemon failed to detect if a host was capable of running a virtual machine. As a consequence, the Add a Virtual Machine Service tab was not displayed under Services when using the luci tool. With this update, calling the virsh program is now avoided, and the Add a Virtual Machine Service tab is now displayed under Services.
BZ#723000
If a user used luci to modify the name attribute of a shared resource that was attached to an existing service, the ref attribute for the shared resource in the cluster.conf file was not updated. With this update, luci is modified so that the ref attribute in cluster.conf is correctly updated to reflect the new name of the resource.
BZ#723188
Previously, luci allowed users to modify the __max_restarts and __restart_expire_time attributes only for non-critical resources, not for independent subtrees. If the user tried to set values for "Maximum number of restart failures before giving up (applies only for non-critical resources)" and "Restart expire time (applies only for non-critical resources)", these values were not added for the resource in the cluster.conf file. This update modifies luci so that users can now modify these values in luci.
BZ#732483
Prior to this update, execution of external programs (such as /usr/sbin/clustat) from within the modclusterd daemon or ricci's helper program, modcluster, could make these unresponsive. In such a case, processes depending on them could also become unresponsive or indicate an error. For example, in tools like luci, the affected node could be listed as having communications problems, or the cluster creation could become unresponsive. Patches have been applied to address this issue, and deadlocks no longer occur when executing external programs.
BZ#734562
When adding a resource to a service, luci only checked that the name of the resource did not match the name of a resource in the resources stanza. The luci tool did not check whether any resources in other services shared the same name, and therefore allowed users to create two services containing resources with the same name. This led to unique attribute collisions. With this update, luci's name validation is improved, and adding a resource to a service no longer leads to collisions. In addition, certain error messages have been modified to display more verbose information.
BZ#739600
Previously, users were able to insert the quote character (") with NFS resources in the "resources" section of the cluster configuration in conga. The resource data submitted for this service was not properly formed and converted into the cluster.conf file. With this update, if the user inserts the quote character, the following error message appears:
The resource data submitted for this service is not properly formed
BZ#755941
Previously, the luci_admin restore command did not fully restore a database to the original state. This was because the luci_admin script only added items contained in the previously generated backup XML file. This update adds new options, -u (--update) and -r (--replace), that are used to either keep or remove existing configuration when restoring a database.
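
The following is an added example, not part of the advisory or of luci's code, illustrating the two cluster.conf consistency problems described in BZ#723000 and BZ#734562: a ref attribute that points at no shared resource, and the same resource name defined more than once. It assumes names must be unique per resource type; the sample XML and the function name audit_cluster_conf are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: "db" still references the old name of a renamed shared
# resource (BZ#723000), and both services define a script named "init" (BZ#734562).
SAMPLE = """\
<cluster name="demo" config_version="3">
  <rm>
    <resources>
      <ip address="192.0.2.10"/>
      <fs name="data" device="/dev/vg0/data" mountpoint="/srv/data" fstype="ext3"/>
    </resources>
    <service name="web">
      <fs ref="data"/>
      <script name="init" file="/etc/init.d/httpd"/>
    </service>
    <service name="db">
      <fs ref="data-old"/>
      <script name="init" file="/etc/init.d/mysqld"/>
    </service>
  </rm>
</cluster>
"""

def audit_cluster_conf(xml_text):
    """Return (dangling_refs, duplicate_names) for the <rm> section."""
    rm = ET.fromstring(xml_text).find("rm")
    if rm is None:
        return [], {}
    seen = defaultdict(list)  # (resource type, name) -> places it is defined
    for res in rm.findall("resources/*"):
        if res.get("name"):
            seen[(res.tag, res.get("name"))].append("resources")
    shared = set(seen)  # names that a ref attribute may legally point at
    dangling = []
    for svc in rm.findall("service"):
        for res in svc.iter():  # iter() also walks nested child resources
            if res is svc:
                continue
            ref, name = res.get("ref"), res.get("name")
            if ref is not None and (res.tag, ref) not in shared:
                dangling.append((svc.get("name"), res.tag, ref))
            if name is not None:
                seen[(res.tag, name)].append(svc.get("name"))
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return dangling, duplicates

if __name__ == "__main__":
    print(audit_cluster_conf(SAMPLE))
```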

Enhancement

BZ#751359
The fence_ipmilan agent has been updated to support the "-L" option of the ipmilan daemon, thus supporting fencing at the user session privilege level.

Users of conga are advised to upgrade to these updated packages, which correct these issues. After installing the updated packages, luci must be restarted (service luci restart) for the update to take effect.