[Bug 1664931] Related fix merged to nova (stable/pike)
OpenStack Infra
1664931 at bugs.launchpad.net
Fri Dec 8 23:44:56 UTC 2017
Reviewed: https://review.openstack.org/523213
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=234ade29a39cf2d51e08157e149e0cbd0c5047be
Submitter: Zuul
Branch: stable/pike
commit 234ade29a39cf2d51e08157e149e0cbd0c5047be
Author: Matt Riedemann <mriedem.os at gmail.com>
Date: Fri Nov 17 13:17:16 2017 -0500
Add regression test for rebuild with new image doubling allocations
Commit 984dd8ad6add4523d93c7ce5a666a32233e02e34 makes a rebuild
with a new image go through the scheduler again to validate the
image against the instance.host (we rebuild to the same host that
the instance already lives on).
The problem is that change introduced a regression where the
FilterScheduler is going to think it's doing a resize to the same
host and double the allocations for the instance (and usage for the
compute node provider) in Placement, which is wrong since the
flavor is the same.
This adds a regression test to show the bug.
NOTE(mriedem): Due to cc833359870d3962326c35094adea2f525ec8141 not
being in Pike, we have to use the MediumFakeDriver until the bug
is fixed. Also, the ComputeManager._get_nodename method doesn't exist
in Pike so we have to just get the hypervisor uuid from the os-hypervisors
API.
Change-Id: Ie0949b4e6101f0b29ec4542146d523a07a683991
Related-Bug: #1664931
(cherry picked from commit cacfd372acb4eb056c4391db3c988bfe91c957df)
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1664931
Title:
[OSSA-2017-005] nova rebuild ignores all image properties and
scheduler filters (CVE-2017-16239)
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) newton series:
Fix Committed
Status in OpenStack Compute (nova) ocata series:
Fix Committed
Status in OpenStack Compute (nova) pike series:
Fix Committed
Status in OpenStack Security Advisory:
Fix Released
Status in nova package in Ubuntu:
Triaged
Bug description:
Big picture: If some image has some restriction on aggregates or hosts
it can be run on, tenant may use nova rebuild command to circumvent
those restrictions. Main issue is with ImagePropertiesFilter, but it
may cause issues with combination of flavor/image (for example allows
to run license restricted OS (Windows) on host which has no such
license, or rebuild instance with cheap flavor with image which is
restricted only for high-priced flavors).
I don't know if this is a security bug or not, if you would find it
non-security issue, please remove the security flag.
Steps to reproduce:
1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allows to run 'image1' only on 'host1', but never on 'host2'.
2. Boot instance with some other (non-restricted) image on 'host2'.
3. Use nova rebuild INSTANCE image1
Expected result:
nova rejects rebuild because given image ('image1') may not run on
'host2'.
Actual result:
nova happily rebuild instance with image1 on host2, violating
restrictions.
Checked affected version: mitaka.
I believe, due to the way 'rebuild' command is working, newton and
master are affected too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1664931/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list