[Bug 1664931] Fix merged to nova (stable/newton)

OpenStack Infra 1664931 at bugs.launchpad.net
Fri Dec 1 19:58:37 UTC 2017


Reviewed:  https://review.openstack.org/523434
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4cbfcc590c17134fd14e3aab90ffbb7c17006a95
Submitter: Zuul
Branch:    stable/newton

commit 4cbfcc590c17134fd14e3aab90ffbb7c17006a95
Author: Dan Smith <dansmith at redhat.com>
Date:   Fri Nov 17 12:27:34 2017 -0800

    Refined fix for validating image on rebuild
    
    This aims to fix the issue described in bug 1664931 where a rebuild
    fails to validate the existing host with the scheduler when a new
    image is provided. The previous attempt to do this could cause rebuilds
    to fail unnecessarily because we ran _all_ of the filters during a
    rebuild, which could cause usage/resource filters to prevent an otherwise
    valid rebuild from succeeding.
    
    This aims to classify filters as useful for rebuild or not, and only apply
    the former during a rebuild scheduler check. We do this by using an internal
    scheduler hint, indicating our intent. This should (a) filter out
    all hosts other than the one we're running on and (b) be detectable by
    the filtering infrastructure as an internally-generated scheduling request
    in order to trigger the correct filtering behavior.
    
    Conflicts:
          nova/scheduler/utils.py
          nova/tests/unit/compute/test_compute_api.py
    
    NOTE(mriedem): The conflicts are due to not having
    7d0381c91a6ba8a45ae6527f046f382166eb158d or
    4a7502a5c9e84a8c8cef7f355d72425b26b8c379 in Newton.
    
    Closes-Bug: #1664931
    Change-Id: I1a46ef1503be2febcd20f4594f44344d05525446
    (cherry picked from commit f7c688b8ef88a7390f5b09719a2b3e80368438c0)
    (cherry picked from commit b29a461a8bc05c9b171c0574abb2e7e5b62a2ed7)
    (cherry picked from commit bbfc4230efe3299fa51f9451f54062f32590ed3d)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and
  scheduler filters (CVE-2017-16239)

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Compute (nova) ocata series:
  Fix Committed
Status in OpenStack Compute (nova) pike series:
  Fix Committed
Status in OpenStack Security Advisory:
  Fix Released
Status in nova package in Ubuntu:
  New

Bug description:
  Big picture: If some image has some restriction on the aggregates or
  hosts it can be run on, a tenant may use the nova rebuild command to
  circumvent those restrictions. The main issue is with
  ImagePropertiesFilter, but it may also cause issues with the
  flavor/image combination (for example, it allows running a
  license-restricted OS (Windows) on a host which has no such license,
  or rebuilding an instance with a cheap flavor using an image which is
  restricted to high-priced flavors only).

  I don't know if this is a security bug or not; if you find it is a
  non-security issue, please remove the security flag.

  Steps to reproduce:

  1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allow running 'image1' only on 'host1', but never on 'host2'.
  2. Boot instance with some other (non-restricted) image on 'host2'.
  3. Use nova rebuild INSTANCE image1

  Expected result:

  nova rejects rebuild because given image ('image1') may not run on
  'host2'.

  Actual result:

  nova happily rebuilds the instance with image1 on host2, violating the
  restrictions.

  Checked affected version: mitaka.

  I believe, due to the way the 'rebuild' command works, newton and
  master are affected too.
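As an added illustration (not nova's code; the filter classes, the RUN_ON_REBUILD attribute, the _nova_check_type hint and the host/spec dicts are simplified assumptions), here is a toy model of the approach the commit message describes, run against the scenario in the reproduction steps: during a rebuild check only the current host is a candidate, a usage filter is skipped so it cannot reject an otherwise valid rebuild, while ImagePropertiesFilter still rejects the host for a restricted image.

```python
# Toy model of a rebuild-time scheduler check. All names here
# (REBUILD_HINT, RUN_ON_REBUILD, the filter classes) are assumptions.
REBUILD_HINT = "_nova_check_type"


class BaseFilter:
    # Usage/resource filters are not meaningful for an in-place rebuild,
    # so filters are skipped during a rebuild check unless they opt in.
    RUN_ON_REBUILD = False

    def host_passes(self, host, spec):
        raise NotImplementedError


class RamFilter(BaseFilter):
    """Usage filter: would wrongly reject a full host on rebuild."""

    def host_passes(self, host, spec):
        return host["free_ram_mb"] >= spec["ram_mb"]


class ImagePropertiesFilter(BaseFilter):
    """Placement-policy filter: must still run on rebuild."""
    RUN_ON_REBUILD = True

    def host_passes(self, host, spec):
        needed = spec["image_props"].get("hw_architecture")
        return needed is None or needed in host["supported_archs"]


def filter_hosts(filters, hosts, spec):
    """Return the hosts passing every filter applicable to this request."""
    is_rebuild = spec.get("hints", {}).get(REBUILD_HINT) == ["rebuild"]
    active = [f for f in filters if f.RUN_ON_REBUILD or not is_rebuild]
    return [h for h in hosts if all(f.host_passes(h, spec) for f in active)]


def rebuild_allowed(filters, current_host, image_id, image_props, ram_mb):
    """Rebuild check: the internal hint marks the request as a rebuild and
    the current host is the only candidate; it must survive the filters."""
    spec = {"image_id": image_id, "image_props": image_props,
            "ram_mb": ram_mb, "hints": {REBUILD_HINT: ["rebuild"]}}
    return filter_hosts(filters, [current_host], spec) == [current_host]
```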
