prometheanfire 14/06/09 04:56:40
Added: 2014.1-CVE-2014-2573-2.patch
2014.1-CVE-2014-2573-1.patch
Log:
fix for 2014.1-r1 bug 512296 CVE-2014-2573
(Portage version: 2.2.8-r1/cvs/Linux x86_64, signed Manifest commit with key
0x2471eb3e40ac5ac3)
Revision Changes Path
1.1 sys-cluster/nova/files/2014.1-CVE-2014-2573-2.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/2014.1-CVE-2014-2573-2.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/2014.1-CVE-2014-2573-2.patch?rev=1.1&content-type=text/plain
Index: 2014.1-CVE-2014-2573-2.patch
===================================================================
>From ffcb17678c7e5409a1f12a09945b18e8879a677d Mon Sep 17 00:00:00 2001
From: Gary Kotton <[email protected]>
Date: Thu, 13 Mar 2014 06:53:58 -0700
Subject: [PATCH] VMware: ensure rescue instance is deleted when instance is
deleted
If the user creates a rescue instance and then proceeds to delete
the original instance, the rescue instance would still be up
and running on the backend.
This patch ensures that the rescue instance is cleaned up if
necessary.
The vmops unrescue method has a new parameter indicating if
the original VM should be powered on.
Closes-bug: 1269418
(cherry picked from commit efb66531bc37ee416778a70d46c657608ca767af)
Conflicts:
nova/virt/vmwareapi/vmops.py
Change-Id: I3c1d0b1d003392b306094b80ea1ac99377441fbf
---
nova/tests/virt/vmwareapi/test_driver_api.py | 26 +++++++++++++
nova/virt/vmwareapi/vmops.py | 55 ++++++++++++++++++++--------
2 files changed, 65 insertions(+), 16 deletions(-)
diff --git a/nova/tests/virt/vmwareapi/test_driver_api.py
b/nova/tests/virt/vmwareapi/test_driver_api.py
index c1481aa..63f0c59 100644
--- a/nova/tests/virt/vmwareapi/test_driver_api.py
+++ b/nova/tests/virt/vmwareapi/test_driver_api.py
@@ -34,6 +34,7 @@
from nova.compute import api as compute_api
from nova.compute import power_state
from nova.compute import task_states
+from nova.compute import vm_states
from nova import context
from nova import exception
from nova.openstack.common import jsonutils
@@ -1191,6 +1192,31 @@ def test_get_info(self):
'node': self.instance_node})
self._check_vm_info(info, power_state.RUNNING)
+ def destroy_rescued(self, fake_method):
+ self._rescue()
+ with (
+ mock.patch.object(self.conn._volumeops, "detach_disk_from_vm",
+ fake_method)
+ ):
+ self.instance['vm_state'] = vm_states.RESCUED
+ self.conn.destroy(self.context, self.instance, self.network_info)
+ inst_path = '[%s] %s/%s.vmdk' % (self.ds, self.uuid, self.uuid)
+ self.assertFalse(vmwareapi_fake.get_file(inst_path))
+ rescue_file_path = '[%s] %s-rescue/%s-rescue.vmdk' % (self.ds,
+ self.uuid,
+ self.uuid)
+ self.assertFalse(vmwareapi_fake.get_file(rescue_file_path))
+
+ def test_destroy_rescued(self):
+ def fake_detach_disk_from_vm(*args, **kwargs):
+ pass
+ self.destroy_rescued(fake_detach_disk_from_vm)
+
+ def test_destroy_rescued_with_exception(self):
+ def fake_detach_disk_from_vm(*args, **kwargs):
+ raise exception.NovaException('Here is my fake exception')
+ self.destroy_rescued(fake_detach_disk_from_vm)
+
def test_destroy(self):
self._create_vm()
info = self.conn.get_info({'uuid': self.uuid,
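Review bot: `test_destroy_rescued_with_exception` passes whether or not the fallback branch in `destroy` actually ran, because `destroy_rescued` only checks that the two vmdk files are gone. The raising `detach_disk_from_vm` fake is what should force the `except` path, so the test should assert that path was taken, for example by patching `self.conn._vmops._destroy_instance` with `wraps=` and checking it was called with `instance_name` set to the rescue name. Neither test checks that the rescue VM itself is gone, only its disk file; if the fake backend can list registered VMs, asserting on that would cover the behaviour this fix is about.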
diff --git a/nova/virt/vmwareapi/vmops.py b/nova/virt/vmwareapi/vmops.py
index 30f8373..831da48 100644
--- a/nova/virt/vmwareapi/vmops.py
+++ b/nova/virt/vmwareapi/vmops.py
@@ -29,6 +29,7 @@
from nova import compute
from nova.compute import power_state
from nova.compute import task_states
+from nova.compute import vm_states
from nova import context as nova_context
from nova import exception
from nova.openstack.common import excutils
@@ -985,13 +986,9 @@ def _delete(self, instance, network_info):
except Exception as exc:
LOG.exception(exc, instance=instance)
- def destroy(self, instance, network_info, destroy_disks=True,
- instance_name=None):
- """Destroy a VM instance. Steps followed are:
- 1. Power off the VM, if it is in poweredOn state.
- 2. Un-register a VM.
- 3. Delete the contents of the folder holding the VM related data.
- """
+ def _destroy_instance(self, instance, network_info, destroy_disks=True,
+ instance_name=None):
+ # Destroy a VM instance
# Get the instance name. In some cases this may differ from the 'uuid',
# for example when the spawn of a rescue instance takes place.
if not instance_name:
@@ -1029,8 +1026,9 @@ def destroy(self, instance, network_info,
destroy_disks=True,
"UnregisterVM", vm_ref)
LOG.debug(_("Unregistered the VM"), instance=instance)
except Exception as excep:
- LOG.warn(_("In vmwareapi:vmops:destroy, got this exception"
- " while un-registering the VM: %s") % str(excep))
+ LOG.warn(_("In vmwareapi:vmops:_destroy_instance, got this "
+ "exception while un-registering the VM: %s"),
+ excep)
# Delete the folder holding the VM related content on
# the datastore.
if destroy_disks and datastore_name:
@@ -1053,15 +1051,39 @@ def destroy(self, instance, network_info,
destroy_disks=True,
{'datastore_name': datastore_name},
instance=instance)
except Exception as excep:
- LOG.warn(_("In vmwareapi:vmops:destroy, "
- "got this exception while deleting"
- " the VM contents from the disk: %s")
- % str(excep))
+ LOG.warn(_("In vmwareapi:vmops:_destroy_instance, "
+ "got this exception while deleting "
+ "the VM contents from the disk: %s"),
+ excep)
except Exception as exc:
LOG.exception(exc, instance=instance)
finally:
vm_util.vm_ref_cache_delete(instance_name)
+ def destroy(self, instance, network_info, destroy_disks=True):
+ """Destroy a VM instance.
+
+ Steps followed for each VM are:
+ 1. Power off, if it is in poweredOn state.
+ 2. Un-register.
+ 3. Delete the contents of the folder holding the VM related data.
+ """
+ # If there is a rescue VM then we need to destroy that one too.
+ LOG.debug(_("Destroying instance"), instance=instance)
+ if instance['vm_state'] == vm_states.RESCUED:
+ LOG.debug(_("Rescue VM configured"), instance=instance)
+ try:
+ self.unrescue(instance, power_on=False)
+ LOG.debug(_("Rescue VM destroyed"), instance=instance)
+ except Exception:
+ rescue_name = instance['uuid'] + self._rescue_suffix
+ self._destroy_instance(instance, network_info,
+ destroy_disks=destroy_disks,
+ instance_name=rescue_name)
+ self._destroy_instance(instance, network_info,
+ destroy_disks=destroy_disks)
+ LOG.debug(_("Instance destroyed"), instance=instance)
+
def pause(self, instance):
msg = _("pause not supported for vmwareapi")
raise NotImplementedError(msg)
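Review bot: The `except Exception:` around `self.unrescue(instance, power_on=False)` in `destroy` discards the failure without logging it, so there is no record of why the normal rescue cleanup failed before the fallback `_destroy_instance(..., instance_name=rescue_name)` runs. Logging it first, e.g. `LOG.exception(_("unrescue failed during destroy, removing rescue VM directly"), instance=instance)`, keeps that evidence. `_destroy_instance` itself ends in `except Exception as exc: LOG.exception(exc, instance=instance)`, so the fallback and the final call both return normally on failure and `destroy` still logs "Instance destroyed"; a rescue VM left running after a reported delete is the condition this patch is meant to close, so that failure should reach the caller, or at least not be logged as success. The check `instance['vm_state'] == vm_states.RESCUED` also appears to miss a rescue VM that exists while the state is something else (for instance while a rescue is still in progress); confirm against the caller.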
@@ -1139,7 +1161,7 @@ def rescue(self, context, instance, network_info,
image_meta):
adapter_type, disk_type, vmdk_path)
self._power_on(instance, vm_ref=rescue_vm_ref)
- def unrescue(self, instance):
+ def unrescue(self, instance, power_on=True):
"""Unrescue the specified instance."""
# Get the original vmdk_path
vm_ref = vm_util.get_vm_ref(self._session, instance)
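Review bot: The new `power_on` argument of `unrescue` is undocumented; the docstring still reads only `"""Unrescue the specified instance."""`. A line in the `:param` style used elsewhere in this file, such as `:param power_on: power the original VM back on after the rescue VM is removed; destroy() passes False`, would explain why a caller turns it off. The body of `unrescue` continues outside this hunk.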
@@ -1161,8 +1183,9 @@ def unrescue(self, instance):
device = vm_util.get_vmdk_volume_disk(hardware_devices, path=vmdk_path)
self._power_off_vm_ref(vm_rescue_ref)
self._volumeops.detach_disk_from_vm(vm_rescue_ref, r_instance, device)
- self.destroy(r_instance, None, instance_name=instance_name)
- self._power_on(instance)
+ self._destroy_instance(r_instance, None, instance_name=instance_name)
+ if power_on:
+ self._power_on(instance)
def _power_off_vm_ref(self, vm_ref):
"""Power off the specifed vm.
--
1.9.3
1.1 sys-cluster/nova/files/2014.1-CVE-2014-2573-1.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/2014.1-CVE-2014-2573-1.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-cluster/nova/files/2014.1-CVE-2014-2573-1.patch?rev=1.1&content-type=text/plain
Index: 2014.1-CVE-2014-2573-1.patch
===================================================================
>From fb030283bed9e41a0343581fa21b81b2ebb07f15 Mon Sep 17 00:00:00 2001
From: Xiaoyan Ding <[email protected]>
Date: Mon, 24 Feb 2014 16:17:46 +0800
Subject: [PATCH] VMWare: add power off vm before detach disk during unrescue
Non-hot-plug disk types such as IDE can only be detached when the VM is powered off.
Change-Id: Ib1f387a41abe2b52357854e90c2535ebb7b43f18
Close-bug: #1279199
(cherry picked from commit 1e1915aaaca38b5691794e0e052a42b9d95dd3c2)
---
nova/tests/virt/vmwareapi/test_driver_api.py | 27 ++++++++++++++++++++++-----
nova/virt/vmwareapi/vmops.py | 21 ++++++++++++++++-----
2 files changed, 38 insertions(+), 10 deletions(-)
diff --git a/nova/tests/virt/vmwareapi/test_driver_api.py
b/nova/tests/virt/vmwareapi/test_driver_api.py
index fb60335..c1481aa 100644
--- a/nova/tests/virt/vmwareapi/test_driver_api.py
+++ b/nova/tests/virt/vmwareapi/test_driver_api.py
@@ -1273,14 +1273,31 @@ def test_rescue_with_config_drive(self):
def test_unrescue(self):
self._rescue()
+ self.test_vm_ref = None
+ self.test_device_name = None
- def fake_detach_disk_from_vm(*args, **kwargs):
- pass
+ def fake_power_off_vm_ref(vm_ref):
+ self.test_vm_ref = vm_ref
+ self.assertIsNotNone(vm_ref)
- self.stubs.Set(self.conn._volumeops, "detach_disk_from_vm",
- fake_detach_disk_from_vm)
+ def fake_detach_disk_from_vm(vm_ref, instance,
+ device_name, destroy_disk=False):
+ self.test_device_name = device_name
+ info = self.conn.get_info(instance)
+ self._check_vm_info(info, power_state.SHUTDOWN)
- self.conn.unrescue(self.instance, None)
+ with contextlib.nested(
+ mock.patch.object(self.conn._vmops, "_power_off_vm_ref",
+ side_effect=fake_power_off_vm_ref),
+ mock.patch.object(self.conn._volumeops, "detach_disk_from_vm",
+ side_effect=fake_detach_disk_from_vm),
+ ) as (poweroff, detach):
+ self.conn.unrescue(self.instance, None)
+ poweroff.assert_called_once_with(self.test_vm_ref)
+ detach.assert_called_once_with(self.test_vm_ref, mock.ANY,
+ self.test_device_name)
+ self.test_vm_ref = None
+ self.test_device_name = None
info = self.conn.get_info({'name': 1, 'uuid': self.uuid,
'node': self.instance_node})
self._check_vm_info(info, power_state.RUNNING)
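Review bot: In `test_unrescue`, `poweroff.assert_called_once_with(self.test_vm_ref)` compares the mock's argument with a value that `fake_power_off_vm_ref` recorded from that same call, so it can only fail on the call count, never on the wrong VM being passed. The `device_name` check in the `detach` assertion has the same shape. The `detach` assertion does show that power-off and detach received the same reference, but nothing ties that reference to the rescue VM rather than the original. If the test can obtain the rescue VM reference independently of the calls under test, asserting against that would make the check meaningful.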
diff --git a/nova/virt/vmwareapi/vmops.py b/nova/virt/vmwareapi/vmops.py
index 0c28a29..30f8373 100644
--- a/nova/virt/vmwareapi/vmops.py
+++ b/nova/virt/vmwareapi/vmops.py
@@ -1159,12 +1159,26 @@ def unrescue(self, instance):
"get_dynamic_property", vm_rescue_ref,
"VirtualMachine", "config.hardware.device")
device = vm_util.get_vmdk_volume_disk(hardware_devices, path=vmdk_path)
+ self._power_off_vm_ref(vm_rescue_ref)
self._volumeops.detach_disk_from_vm(vm_rescue_ref, r_instance, device)
self.destroy(r_instance, None, instance_name=instance_name)
self._power_on(instance)
+ def _power_off_vm_ref(self, vm_ref):
+ """Power off the specifed vm.
+
+ :param vm_ref: a reference object to the VM.
+ """
+ poweroff_task = self._session._call_method(
+ self._session._get_vim(),
+ "PowerOffVM_Task", vm_ref)
+ self._session._wait_for_task(poweroff_task)
+
def power_off(self, instance):
- """Power off the specified instance."""
+ """Power off the specified instance.
+
+ :param instance: nova.objects.instance.Instance
+ """
vm_ref = vm_util.get_vm_ref(self._session, instance)
pwr_state = self._session._call_method(vim_util,
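Review bot: `unrescue` now calls `self._power_off_vm_ref(vm_rescue_ref)` unconditionally, while `power_off` only issues the power-off after checking `pwr_state == "poweredOn"` (its comment in the next hunk says only PoweredOn VMs can be powered off). If the rescue VM is already off, the `PowerOffVM_Task` would presumably fail and `unrescue` would stop before the detach and destroy steps, leaving the rescue VM in place. Consider reading the rescue VM's power state first, or handling that failure, before the detach. The new docstring also has a typo and should read `"""Power off the specified vm.`. `power_off` begins in this hunk and continues outside it.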
@@ -1173,10 +1187,7 @@ def power_off(self, instance):
# Only PoweredOn VMs can be powered off.
if pwr_state == "poweredOn":
LOG.debug(_("Powering off the VM"), instance=instance)
- poweroff_task = self._session._call_method(
- self._session._get_vim(),
- "PowerOffVM_Task", vm_ref)
- self._session._wait_for_task(poweroff_task)
+ self._power_off_vm_ref(vm_ref)
LOG.debug(_("Powered off the VM"), instance=instance)
# Raise Exception if VM is suspended
elif pwr_state == "suspended":
--
1.9.3