[Bug 1664931] Fix merged to nova (stable/pike)
OpenStack Infra
1664931 at bugs.launchpad.net
Tue Nov 14 20:27:38 UTC 2017
Reviewed: https://review.openstack.org/519672
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=9e2d63da94db63d97bd02e373bfc53d95808b833
Submitter: Zuul
Branch: stable/pike
commit 9e2d63da94db63d97bd02e373bfc53d95808b833
Author: Matt Riedemann <mriedem.os at gmail.com>
Date: Fri Oct 27 16:03:15 2017 -0400
Validate new image via scheduler during rebuild
During a rebuild we bypass the scheduler because we are
always rebuilding the instance on the same host it's already
on. However, we allow passing a new image during rebuild
and that new image needs to be validated to work with the
instance host by running it through the scheduler filters,
like the ImagePropertiesFilter. Otherwise the new image
could violate constraints placed on the host by the admin.
This change checks to see if there is a new image provided
and if so, modifies the request spec passed to the scheduler
so that the new image is validated all while restricting
the scheduler to still pick the same host that the instance
is running on. If the image is not valid for the host, the
scheduler will raise NoValidHost and the rebuild stops.
A functional test is added to show the recreate of the bug
and that we probably stop the rebuild now in conductor by
calling the scheduler to validate the image.
Co-Authored-By: Sylvain Bauza <sbauza at redhat.com>
Closes-Bug: #1664931
NOTE(mriedem): The backport has to explicitly use the
filter scheduler in the test setup and move the start of
the compute service to after the placement fixture usage.
This is because cc833359870d3962326c35094adea2f525ec8141
is not in stable/pike.
Change-Id: I11746d1ea996a0f18b7c54b4c9c21df58cc4714b
(cherry picked from commit 984dd8ad6add4523d93c7ce5a666a32233e02e34)
** Changed in: nova/ocata
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1664931
Title:
[OSSA-2017-005] nova rebuild ignores all image properties and
scheduler filters (CVE-2017-16239)
Status in OpenStack Compute (nova):
Fix Released
Status in OpenStack Compute (nova) newton series:
In Progress
Status in OpenStack Compute (nova) ocata series:
Fix Committed
Status in OpenStack Compute (nova) pike series:
Fix Committed
Status in OpenStack Security Advisory:
Fix Committed
Status in nova package in Ubuntu:
New
Bug description:
Big picture: If some image has some restriction on aggregates or hosts
it can be run on, tenant may use nova rebuild command to circumvent
those restrictions. Main issue is with ImagePropertiesFilter, but it
may cause issues with combination of flavor/image (for example allows
to run license restricted OS (Windows) on host which has no such
license, or rebuild instance with cheap flavor with image which is
restricted only for high-priced flavors).
I don't know if this is a security bug or not, if you would find it
non-security issue, please remove the security flag.
Steps to reproduce:
1. Set up nova with ImagePropertiesFilter or IsolatedHostsFilter active. They should allows to run 'image1' only on 'host1', but never on 'host2'.
2. Boot instance with some other (non-restricted) image on 'host2'.
3. Use nova rebuild INSTANCE image1
Expected result:
nova rejects rebuild because given image ('image1') may not run on
'host2'.
Actual result:
nova happily rebuild instance with image1 on host2, violating
restrictions.
Checked affected version: mitaka.
I believe, due to the way 'rebuild' command is working, newton and
master are affected too.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1664931/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list