[Group.of.nepali.translators] [Bug 1880959] Re: Rules from the policy directory files are not reapplied after changes to the primary policy file
Reviewed:  https://review.opendev.org/731218
Committed: https://git.openstack.org/cgit/openstack/oslo.policy/commit/?id=75677a31108243e0adddc89f1fbf669053f9573b
Submitter: Zuul
Branch:    master

commit 75677a31108243e0adddc89f1fbf669053f9573b
Author: Dmitrii Shcherbakov
Date:   Wed May 27 17:06:25 2020 +0300

    Reload files in policy_dirs on primary file change

    It was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc//policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.

    This change introduces additional behavior to make sure the rules from policy_dirs are reapplied if there is a change to the primary policy file.

    Change-Id: I8a6f8e971d881365c41ea409966723319d5b239a
    Closes-Bug: #1880959
    Related-Bug: #1880847

** Changed in: oslo.policy
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1880959

Title:
  Rules from the policy directory files are not reapplied after changes to the primary policy file

Status in Ubuntu Cloud Archive: Triaged
Status in Ubuntu Cloud Archive mitaka series: Triaged
Status in Ubuntu Cloud Archive queens series: Triaged
Status in Ubuntu Cloud Archive rocky series: Triaged
Status in Ubuntu Cloud Archive stein series: Triaged
Status in Ubuntu Cloud Archive train series: Triaged
Status in Ubuntu Cloud Archive ussuri series: Triaged
Status in oslo.policy: Fix Released
Status in python-oslo.policy package in Ubuntu: Triaged
Status in python-oslo.policy source package in Xenial: Triaged
Status in python-oslo.policy source package in Bionic: Triaged
Status in python-oslo.policy source package in Eoan: Triaged
Status in python-oslo.policy source package in Groovy: Triaged

Bug description:
  [Impact]
  Based on the investigation here https://bugs.launchpad.net/charm-keystone/+bug/1880847 it was determined that rules from policy files located in the directory specified in the policy_dirs option (/etc//policy.d by default) are not re-applied after the rules from the primary policy file are re-applied due to a change.

  This leads to scenarios where incorrect rule combinations are active.

  Example from the test case in 1880847:

  * policy.json gets read with the following rule;
    "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml from policy.d is read with the following rule;
    {'identity:list_credentials': '!'}
  * policy.json's mtime gets updated (with or without a content change) and overrides the rule to be
    "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
  * rule.yaml doesn't get reapplied since it hasn't changed.

  [Test Case]
  For a particular version of oslo.policy:

  * put the attached test (https://bugs.launchpad.net/ubuntu/+source/python-oslo.policy/+bug/1880959/+attachment/5377753/+files/test_1880959.py) under oslo_policy/tests/test_1880959.py;
  * run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest;
  * observe the failure;
    # ...
    testtools.matchers._impl.MismatchError: 'role:fakeA' != 'rule:admin'
    Ran 1 tests in 0.005s (+0.001s)
    FAILED (id=1, failures=1)
  * apply the patch;
  * run tox -e cover -- oslo_policy.tests.test_1880959.EnforcerTest
  * observe that the failure is no longer there.

  [Regression Potential]
  The regression potential is low given that there is test coverage in the oslo.policy unit tests.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1880959/+subscriptions

___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to     : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
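The stale-override sequence from the bug description above, reproduced with a small stand-alone model. This is an added example, not oslo.policy code and not part of the original message: `MiniEnforcer`, its `reapply_dirs_on_primary_change` flag and the JSON override file `rule.json` are hypothetical stand-ins for the real Enforcer, the fix and `rule.yaml`.

```python
import json
import os
import tempfile

RULE_NAME = "identity:list_credentials"
PRIMARY_RULE = "rule:admin_required or user_id:%(user_id)s"
OVERRIDE_RULE = "!"  # oslo.policy check string that always denies


class MiniEnforcer:
    """Simplified model of a file-backed policy enforcer with mtime caching."""

    def __init__(self, policy_file, policy_dir, reapply_dirs_on_primary_change):
        self.policy_file = policy_file
        self.policy_dir = policy_dir
        # Hypothetical switch: False models the reported bug, True the fix.
        self.reapply_dirs = reapply_dirs_on_primary_change
        self.rules = {}
        self._seen_mtime = {}

    def _changed(self, path):
        """Return True when the file's mtime differs from the cached one."""
        mtime = os.stat(path).st_mtime_ns
        if self._seen_mtime.get(path) == mtime:
            return False
        self._seen_mtime[path] = mtime
        return True

    @staticmethod
    def _read(path):
        with open(path) as handle:
            return json.load(handle)

    def load_rules(self):
        primary_changed = self._changed(self.policy_file)
        if primary_changed:
            # Reloading the primary file replaces the whole rule set, which
            # silently discards every override previously taken from policy.d.
            self.rules = self._read(self.policy_file)
        for name in sorted(os.listdir(self.policy_dir)):
            path = os.path.join(self.policy_dir, name)
            file_changed = self._changed(path)
            # Buggy behaviour: only files whose own mtime moved are re-read.
            # Fixed behaviour: a primary reload forces re-reading them all.
            if file_changed or (primary_changed and self.reapply_dirs):
                self.rules.update(self._read(path))
        return self.rules


def active_rule_after_touch(reapply_dirs_on_primary_change):
    """Return (rule after first load, rule after policy.json mtime bump)."""
    with tempfile.TemporaryDirectory() as root:
        policy_file = os.path.join(root, "policy.json")
        policy_dir = os.path.join(root, "policy.d")
        os.mkdir(policy_dir)
        # Constructed sample files mirroring the rules quoted in the report.
        with open(policy_file, "w") as handle:
            json.dump({RULE_NAME: PRIMARY_RULE}, handle)
        with open(os.path.join(policy_dir, "rule.json"), "w") as handle:
            json.dump({RULE_NAME: OVERRIDE_RULE}, handle)

        enforcer = MiniEnforcer(policy_file, policy_dir,
                                reapply_dirs_on_primary_change)
        first = enforcer.load_rules()[RULE_NAME]

        # "touch policy.json": the mtime moves, the content does not.
        bumped = os.stat(policy_file).st_mtime_ns + 2_000_000_000
        os.utime(policy_file, ns=(bumped, bumped))
        second = enforcer.load_rules()[RULE_NAME]
        return first, second


if __name__ == "__main__":
    print("without reapply:", active_rule_after_touch(False))
    print("with reapply:   ", active_rule_after_touch(True))
```

Without the reapply step the deny-all override is replaced by the more permissive primary rule after a mere mtime change, so a check that compares the enforcer's active rules against the files on disk is a useful regression guard.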
[Group.of.nepali.translators] [Bug 1813007] Re: Unable to install new flows on compute nodes when having broken security group rules
Reviewed:  https://review.openstack.org/640252
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=18c578aa10c19a6befdf1f1510645200f173eb44
Submitter: Zuul
Branch:    master

commit 18c578aa10c19a6befdf1f1510645200f173eb44
Author: Brian Haley
Date:   Thu Feb 28 22:19:16 2019 -0500

    Fix KeyError in OVS firewall

    When merging port ranges, the code never assumed the conjunction ID might not be present in the set due to already being removed.

    In this case there were two security groups, both using the same remote security group, but the first security group does not define a port range and the second one does. Or more generally, the first SG port range is a subset of the second, as no port-range means the full range.

    Change-Id: I17ab643abbd2ec21eda4ae1dfb9abf2d4b0657f2
    Closes-bug: #1813007

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1813007

Title:
  Unable to install new flows on compute nodes when having broken security group rules

Status in Ubuntu Cloud Archive: Triaged
Status in Ubuntu Cloud Archive pike series: Triaged
Status in Ubuntu Cloud Archive queens series: Triaged
Status in Ubuntu Cloud Archive rocky series: Triaged
Status in Ubuntu Cloud Archive stein series: Triaged
Status in neutron: Fix Released
Status in OpenStack Security Advisory: Incomplete
Status in neutron package in Ubuntu: Triaged
Status in neutron source package in Xenial: Triaged
Status in neutron source package in Bionic: Triaged
Status in neutron source package in Cosmic: Triaged
Status in neutron source package in Disco: Triaged

Bug description:
  It appears that we have found that neutron-openvswitch-agent appears to have a bug where two security group rules that have two different port ranges that overlap tied to the same parent security group will cause neutron to not be able to configure networks on the compute nodes where those security groups are present.

  Those are the broken security rules:
  https://pastebin.canonical.com/p/wSy8RSXt85/

  Here is the log when we discovered the issue:
  https://pastebin.canonical.com/p/wvFKjNWydr/
[Group.of.nepali.translators] [Bug 1559072] Re: [SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"
Reviewed:  https://review.openstack.org/541170
Committed: https://git.openstack.org/cgit/openstack/python-troveclient/commit/?id=0b28b04ebbfaed981f4e00e69e4c7a8e0ed75395
Submitter: Zuul
Branch:    master

commit 0b28b04ebbfaed981f4e00e69e4c7a8e0ed75395
Author: Zhao Chao
Date:   Tue Feb 6 15:31:42 2018 +0800

    Handle error response for webob>=1.6.0

    WebOb change https://github.com/Pylons/webob/pull/230 changed the way in which the error response body is formatted such that it's no longer a nested dict. So we have to handle both the old convention of an error message key to the response body error dict and the new way with just the error body dict.

    This was reported upstream: https://github.com/Pylons/webob/issues/235

    But given this was apparently implemented as a long-overdue change in WebOb the behavior is not likely to change.

    Change-Id: Id8bfde6277640de48768bbe5a5e4252b97253ed2
    Closes-Bug: #1559072
    Co-Authored-By: Matt Riedemann
    Signed-off-by: Zhao Chao

** Changed in: python-troveclient
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1559072

Title:
  [SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"

Status in Ubuntu Cloud Archive: Fix Released
Status in Ubuntu Cloud Archive mitaka series: Fix Released
Status in Ubuntu Cloud Archive newton series: Fix Released
Status in Ubuntu Cloud Archive ocata series: Fix Released
Status in Ubuntu Cloud Archive pike series: Fix Released
Status in networking-midonet: Fix Released
Status in python-cinderclient: Fix Released
Status in python-novaclient: Fix Released
Status in python-openstackclient: Invalid
Status in python-troveclient: Fix Released
Status in python-cinderclient package in Ubuntu: Fix Released
Status in python-novaclient package in Ubuntu: Fix Released
Status in python-cinderclient source package in Xenial: Fix Released
Status in python-novaclient source package in Xenial: Fix Released
Status in python-cinderclient source package in Yakkety: Won't Fix
Status in python-novaclient source package in Yakkety: Fix Released
Status in python-cinderclient source package in Zesty: Fix Released
Status in python-novaclient source package in Zesty: Fix Released

Bug description:
  [Impact]

  [Testcase]

  Running on Ubuntu 14.04.
  After installing nova from source in either the Liberty release or Mitaka, with WebOb 1.6.0, running any nova command generated this error:

  root@openstack-ubu-controller:~# nova service-list
  ERROR (AttributeError): 'unicode' object has no attribute 'get'

  The equivalent openstack commands work correctly. After downgrading WebOb to 1.5.1 AND restarting the nova-api service everything works.
  Detailed output from nova -debug service-list with the error:
[Group.of.nepali.translators] [Bug 1642679] Re: The OpenStack network_config.json implementation fails on Hyper-V compute nodes
Reviewed:  https://review.openstack.org/400883
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f559be35a03f5801f527355895a97c89cdc3c336
Submitter: Jenkins
Branch:    master

commit f559be35a03f5801f527355895a97c89cdc3c336
Author: Scott Moser
Date:   Fri Mar 31 17:01:33 2017 -0400

    Limit exposure of network device types to the guest.

    Previously, the 'type' of the hypervisor network device was exposed to the guest directly. That does not make sense, as
     a.) this leaks needless information into the guest
     b.) the guest cannot be reasonably expected to make decisions based on a type of link that is present underneath the virtual device that is presented to the guest.
     c.) guests then are forced to either continuously track these types or to assume that unknown type is "phy".

    This limits the exposure of types to a specific list. Any other type will be shown to the guest as 'phy'.

    Change-Id: Iea458fba29596cd2773d8d3565451af60b02bcca
    Closes-Bug: #1642679

** Changed in: nova
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1642679

Title:
  The OpenStack network_config.json implementation fails on Hyper-V compute nodes

Status in cloud-init: Fix Released
Status in OpenStack Compute (nova): Fix Released
Status in cloud-init package in Ubuntu: Fix Released
Status in cloud-init source package in Xenial: Fix Released
Status in cloud-init source package in Yakkety: Fix Released

Bug description:
  === Begin SRU Template ===
  [Impact]
  When a config drive provides network_data.json on Azure OpenStack, cloud-init will fail to configure networking.

  Console log and /var/log/cloud-init.log will show:
    ValueError: Unknown network_data link type: hyperv

  This would also occur when the type of the network device as declared to cloud-init was 'hw_veb', 'hyperv', or 'vhostuser'.

  [Test Case]
  Launch an instance with config drive on hyperv cloud.

  [Regression Potential]
  Low to none. cloud-init is relaxing requirements and will accept things now that it previously complained were invalid.
  === End SRU Template ===

  We have discovered an issue when booting Xenial instances on OpenStack environments (Liberty or newer) and Hyper-V compute nodes using config drive as metadata source.

  When applying the network_config.json, cloud-init fails with this error:
  http://paste.openstack.org/show/RvHZJqn48JBb0TO9QznL/

  The fix would be to add 'hyperv' as a link type here:
  /usr/lib/python3/dist-packages/cloudinit/sources/helpers/openstack.py, line 587

  Related bugs:
   * bug 1674946: cloud-init fails with "Unknown network_data link type: dvs"
   * bug 1642679: OpenStack network_config.json implementation fails on Hyper-V compute nodes
[Group.of.nepali.translators] [Bug 1627656] Re: missing alembic migrations due to use of git based workflows
Reviewed:  https://review.openstack.org/376381
Committed: https://git.openstack.org/cgit/openstack/tap-as-a-service/commit/?id=55a387744dacb837b92556d714d2b6b5bb6c0e4f
Submitter: Jenkins
Branch:    master

commit 55a387744dacb837b92556d714d2b6b5bb6c0e4f
Author: James Page
Date:   Mon Sep 26 11:45:35 2016 +0100

    Include alembic migrations in module

    Explicitly include all alembic data in installed python module, ensuring that installations directly from git repositories are fully functional when compared to use of sdist generated tarballs from tarballs.openstack.org or pypi.

    Closes-Bug: 1627656
    Change-Id: I445481445b6b5c0649a95f775042ba4067e83aa3

** Changed in: tap-as-a-service
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1627656

Title:
  missing alembic migrations due to use of git based workflows

Status in networking-l2gw: New
Status in networking-odl: Fix Released
Status in networking-sfc: Fix Released
Status in tap-as-a-service: Fix Released
Status in networking-l2gw package in Ubuntu: Fix Released
Status in networking-odl package in Ubuntu: Fix Released
Status in neutron-taas package in Ubuntu: Fix Released
Status in networking-l2gw source package in Xenial: New
Status in networking-odl source package in Xenial: Triaged
Status in neutron-taas source package in Xenial: Invalid
Status in networking-l2gw source package in Yakkety: Fix Released
Status in networking-odl source package in Yakkety: Fix Released
Status in neutron-taas source package in Yakkety: Fix Released

Bug description:
  Various openstack related packages are missing required neutron database migrations due to the direct use of a git based workflow of merging upstream tags and generating orig.tar.xz directly from the git tree for packaging.

  This is *not* the same process as generating an sdist tarball, and as a result, files that need to reside in the python module get missed - this includes alembic migrations.

  Known impacts:

    networking-odl
    vmware-nsx (bug 1574610)

  A simple fix is to switch to using the upstream published release artefacts, rather than directly using git.
[Group.of.nepali.translators] [Bug 1559072] Re: [SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"
Reviewed:  https://review.openstack.org/407422
Committed: https://git.openstack.org/cgit/openstack/python-cinderclient/commit/?id=19befa69651a41534c7d25b1a0d3a0cd407afb44
Submitter: Jenkins
Branch:    master

commit 19befa69651a41534c7d25b1a0d3a0cd407afb44
Author: Akira KAMIO
Date:   Tue Dec 6 14:10:38 2016 +0900

    Handle error response for webob>=1.6.0

    WebOb change https://github.com/Pylons/webob/pull/230 changed the way in which the error response body is formatted such that it's no longer a nested dict. So we have to handle both the old convention of an error message key to the response body error dict and the new way with just the error body dict.

    This was reported upstream: https://github.com/Pylons/webob/issues/235

    But given this was apparently implemented as a long-overdue change in WebOb the behavior is not likely to change.
    Handle error response for webob>=1.6.0

    Change-Id: I7d589415aa024588faf77c8234ac026110f6c3cd
    Closes-Bug: #1559072

** Changed in: python-cinderclient
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1559072

Title:
  [SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"

Status in networking-midonet: Fix Released
Status in python-cinderclient: Fix Released
Status in python-novaclient: Fix Released
Status in python-openstackclient: Invalid
Status in python-novaclient package in Ubuntu: Fix Released
Status in python-novaclient source package in Xenial: Fix Released
Status in python-novaclient source package in Yakkety: Fix Released

Bug description:
  [Impact]

  [Testcase]

  Running on Ubuntu 14.04.
  After installing nova from source in either the Liberty release or Mitaka, with WebOb 1.6.0, running any nova command generated this error:

  root@openstack-ubu-controller:~# nova service-list
  ERROR (AttributeError): 'unicode' object has no attribute 'get'

  The equivalent openstack commands work correctly. After downgrading WebOb to 1.5.1 AND restarting the nova-api service everything works.

  Detailed output from nova -debug service-list with the error:
[Group.of.nepali.translators] [Bug 1559072] Re: [SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"
** Changed in: python-cinderclient
       Status: Invalid => In Progress

https://bugs.launchpad.net/bugs/1559072

Title:
  [SRU] exceptions.from_response with webob 1.6.0 results in "AttributeError: 'unicode' object has no attribute 'get'"

Status in networking-midonet: Fix Released
Status in python-cinderclient: In Progress
Status in python-novaclient: Fix Released
Status in python-openstackclient: Invalid
Status in python-novaclient package in Ubuntu: Fix Released
Status in python-novaclient source package in Xenial: Fix Released
Status in python-novaclient source package in Yakkety: Fix Released

Bug description:
  [Impact]

  [Testcase]

  Running on Ubuntu 14.04.
  After installing nova from source in either the Liberty release or Mitaka, with WebOb 1.6.0, running any nova command generated this error:

  root@openstack-ubu-controller:~# nova service-list
  ERROR (AttributeError): 'unicode' object has no attribute 'get'

  The equivalent openstack commands work correctly. After downgrading WebOb to 1.5.1 AND restarting the nova-api service everything works.

  Detailed output from nova -debug service-list with the error:

  root@openstack-ubu-controller:~# nova --debug service-list
  DEBUG (extension:157) found extension EntryPoint.parse('v2token = keystoneauth1.loading._plugins.identity.v2:Token')
  DEBUG (extension:157) found extension EntryPoint.parse('admin_token = keystoneauth1.loading._plugins.admin_token:AdminToken')
  DEBUG (extension:157) found extension EntryPoint.parse('v3oidcauthcode = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectAuthorizationCode')
  DEBUG (extension:157) found extension EntryPoint.parse('v2password = keystoneauth1.loading._plugins.identity.v2:Password')
  DEBUG (extension:157) found extension EntryPoint.parse('v3password = keystoneauth1.loading._plugins.identity.v3:Password')
  DEBUG (extension:157) found extension EntryPoint.parse('v3oidcpassword = keystoneauth1.loading._plugins.identity.v3:OpenIDConnectPassword')
  DEBUG (extension:157) found extension EntryPoint.parse('token = keystoneauth1.loading._plugins.identity.generic:Token')
  DEBUG (extension:157) found extension EntryPoint.parse('v3token = keystoneauth1.loading._plugins.identity.v3:Token')
  DEBUG (extension:157) found extension EntryPoint.parse('password = keystoneauth1.loading._plugins.identity.generic:Password')
  DEBUG (session:248) REQ: curl -g -i -X GET http://10.0.1.3:5000/v2.0 -H "Accept: application/json" -H "User-Agent: keystoneauth1/2.3.0 python-requests/2.9.1 CPython/2.7.6"
  INFO (connectionpool:207) Starting new HTTP connection (1): 10.0.1.3
  DEBUG (connectionpool:387) "GET /v2.0 HTTP/1.1" 200 334
  DEBUG (session:277) RESP: [200] Content-Length: 334 Vary: X-Auth-Token Keep-Alive: timeout=5, max=100 Server: Apache/2.4.7 (Ubuntu) Connection: Keep-Alive Date: Fri, 18 Mar 2016 12:41:58 GMT Content-Type: application/json x-openstack-request-id: req-a0c68cd5-ea29-4391-942f-130cc69d15f8
  RESP BODY: {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://10.0.1.3:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

  DEBUG (v2:63) Making authentication request to http://10.0.1.3:5000/v2.0/tokens
  DEBUG (connectionpool:387) "POST /v2.0/tokens HTTP/1.1" 200 2465
  DEBUG (session:248) REQ: curl -g -i -X GET http://10.0.1.3:8774/v1.1/b77d640e127e488fb42a7c0716ba53a5 -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}381893576ad46c62b587f4963d769b89441b919a"
  INFO (connectionpool:207) Starting new HTTP connection (1): 10.0.1.3
  DEBUG (connectionpool:387) "GET /v1.1/b77d640e127e488fb42a7c0716ba53a5 HTTP/1.1" 404 112
  DEBUG (session:277) RESP: [404] Date: Fri, 18 Mar 2016 12:41:59 GMT Connection: keep-alive Content-Type: application/json; charset=UTF-8 Content-Length: 112 X-Compute-Request-Id: req-f10a2016-9a88-48fd-af1d-5f800fc9e11a
  RESP BODY: {"message": "The resource could not be found.\n\n\n", "code": "404 Not Found", "title": "Not Found"}

  DEBUG (shell:894) 'unicode' object has no attribute 'get'
  Traceback (most recent call last):
    File "/usr/local/lib/python2.7/dist-packages/novaclient/shell.py", line 892, in main
      OpenStackComputeShell().main(argv)
    File "/usr/local/lib/python2.7/dist-packages/novaclient/shell.py", line 726, in main
      api_version = api_versions.discover_version(self.cs, api_version)
    File "/usr/local/lib/python2.7/dist-packages/novaclient/api_versions.py", line 267, in discover_version
      client)
    File "/usr/local/lib/python2.7/dist-packages/novaclient/api_versions.py", line
[Group.of.nepali.translators] [Bug 1627656] Re: missing alembic migrations due to use of git based workflows
Reviewed:  https://review.openstack.org/376378
Committed: https://git.openstack.org/cgit/openstack/networking-sfc/commit/?id=a640a99527ee2c51179278823b50661bc6038278
Submitter: Jenkins
Branch:    master

commit a640a99527ee2c51179278823b50661bc6038278
Author: James Page
Date:   Mon Sep 26 11:23:11 2016 +0100

    Include alembic migrations in module

    Explicitly include all alembic data in installed python module, ensuring that installations direct from git repositories are fully functional when compared to use of sdist generated tarballs from tarballs.openstack.org or pypi.

    Closes-Bug: 1627656
    Change-Id: I246672cd6a343583daa96720e433c8c0a62086fc

** Changed in: networking-sfc
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1627656

Title:
  missing alembic migrations due to use of git based workflows

Status in networking-l2gw: New
Status in networking-odl: Fix Released
Status in networking-sfc: Fix Released
Status in tap-as-a-service: New
Status in networking-l2gw package in Ubuntu: Fix Released
Status in networking-odl package in Ubuntu: Fix Released
Status in neutron-taas package in Ubuntu: Fix Released
Status in networking-l2gw source package in Xenial: New
Status in networking-odl source package in Xenial: Triaged
Status in neutron-taas source package in Xenial: Invalid
Status in networking-l2gw source package in Yakkety: Fix Released
Status in networking-odl source package in Yakkety: Fix Released
Status in neutron-taas source package in Yakkety: Fix Released

Bug description:
  Various openstack related packages are missing required neutron database migrations due to the direct use of a git based workflow of merging upstream tags and generating orig.tar.xz directly from the git tree for packaging.

  This is *not* the same process as generating an sdist tarball, and as a result, files that need to reside in the python module get missed - this includes alembic migrations.

  Known impacts:

    networking-odl
    vmware-nsx (bug 1574610)

  A simple fix is to switch to using the upstream published release artefacts, rather than directly using git.
[Group.of.nepali.translators] [Bug 1623871] Re: Nova hugepage support does not include aarch64
Reviewed:  https://review.openstack.org/372304
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=50e0106d35ec1a3204c18f3912b0dc6cf6632305
Submitter: Jenkins
Branch:    master

commit 50e0106d35ec1a3204c18f3912b0dc6cf6632305
Author: VeenaSL
Date:   Mon Sep 19 13:36:53 2016 +0530

    Adding hugepage and NUMA support check for aarch64

    Nova ignores aarch64 while verifying for hugepage and NUMA support. AARCH64 also supports hugepage and NUMA on the same libvirt versions as of x86. Hence adding this check for aarch64 also.

    Change-Id: I7b5ae1dbdca4fdd0aee2eefd4099c4c4953b609a
    Closes-bug: #1623871

** Changed in: nova
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1623871

Title:
  Nova hugepage support does not include aarch64

Status in OpenStack Compute (nova): Fix Released
Status in nova package in Ubuntu: Fix Released
Status in nova source package in Xenial: In Progress

Bug description:
  [Impact]
  Although aarch64 supports spawning a vm with hugepages, in nova code, the libvirt driver considers only x86_64 and I686. Both for NUMA and Hugepage support, AARCH64 needs to be added. Due to this bug, vm can not be launched with hugepage using OpenStack on aarch64 servers.

  Note: this depends on the fix for LP: #1627926.

  [Test Case]
  Steps to reproduce:
  On an openstack environment running on aarch64:
  1. Configure compute to use hugepages.
  2. Set mem_page_size="2048" for a flavor
  3. Launch a VM using the above flavor.

  Expected result:
  VM should be launched with hugepages and the libvirt xml should have

  Actual result:
  VM is launched without hugepages.

  There are no error logs in nova-scheduler.

  [Regression Risk]
  Risk is minimized by the fact that this change is just enabling the same code for arm64 that is already enabled for Ubuntu/x86.
[Group.of.nepali.translators] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Reviewed: https://review.openstack.org/375526
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f
Submitter: Jenkins
Branch: master

commit 69a9b659fd48aa3c1f84fc7bc9ae236b6803d31f
Author: Hemanth Makkapati
Date: Fri Sep 23 09:29:12 2016 -0500

    Adding constraints around qemu-img calls

    * All "qemu-img info" calls are now run under resource limitations that limit CPU time to 2 seconds and address space usage to 1 GB. This helps avoid any DoS attacks via malicious images.

    * All "qemu-img convert" calls now specify the import format so that it does not have to be inferred by qemu-img.

    SecurityImpact

    Change-Id: Ib900bbc05cb9ccd90c6f56ccb4bf2006e30cdc80
    Closes-Bug: #1449062

** Changed in: glance
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1449062

Title:
  qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

Status in Cinder: Fix Released
Status in Cinder mitaka series: In Progress
Status in Cinder newton series: Fix Released
Status in Ubuntu Cloud Archive: Fix Released
Status in Ubuntu Cloud Archive liberty series: Fix Committed
Status in Ubuntu Cloud Archive mitaka series: Fix Committed
Status in Ubuntu Cloud Archive newton series: Fix Released
Status in Glance: Fix Released
Status in Glance liberty series: New
Status in Glance mitaka series: New
Status in Glance newton series: Fix Committed
Status in OpenStack Compute (nova): Fix Released
Status in OpenStack Security Advisory: In Progress
Status in python-oslo.concurrency package in Ubuntu: Fix Released
Status in python-oslo.concurrency source package in Wily: Fix Committed
Status in python-oslo.concurrency source package in Xenial: Fix Released
Status in python-oslo.concurrency source package in Yakkety: Fix Released

Bug description:
  Reported via private E-mail from Richard W.M. Jones.

  Turns out qemu image parser is not hardened against malicious input and can be abused to allocate an arbitrary amount of memory and/or dump a lot of information when used with "--output=json".

  The solution seems to be: limit qemu-img resource using ulimit.

  Example of abuse:

  -- afl1.img --

  $ /usr/bin/time qemu-img info afl1.img
  image: afl1.img
  [...]
  0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
  0inputs+0outputs (0major+156927minor)pagefaults 0swaps

  The original image is 516 bytes, but it causes qemu-img to allocate 640 MB.

  -- afl2.img --

  $ qemu-img info --output=json afl2.img | wc -l
  589843

  This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON).

  Glance runs the --output=json variant of the command.

  -- afl3.img --

  $ /usr/bin/time qemu-img info afl3.img
  image: afl3.img
  [...]
  0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
  0inputs+0outputs (0major+311994minor)pagefaults 0swaps

  qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM.

To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions
[Group.of.nepali.translators] [Bug 1627656] Re: missing alembic migrations due to use of git based workflows
Reviewed: https://review.openstack.org/376390
Committed: https://git.openstack.org/cgit/openstack/networking-odl/commit/?id=7fd14d19106ad930f0072b45e1d3af4bd78c4b3f
Submitter: Jenkins
Branch: master

commit 7fd14d19106ad930f0072b45e1d3af4bd78c4b3f
Author: James Page
Date: Mon Sep 26 11:52:32 2016 +0100

    Include alembic migrations in module

    Explicitly include all alembic data in installed python module, ensuring that installations directly from git repositories are fully functional when compared to use of sdist generated tarballs from tarballs.openstack.org or pypi.

    Closes-Bug: 1627656
    Change-Id: Ieb4272bdbf65e4b63a0e8d875847d29470c2

** Changed in: networking-odl
   Status: New => Fix Released

https://bugs.launchpad.net/bugs/1627656

Title:
  missing alembic migrations due to use of git based workflows

Status in networking-l2gw: New
Status in networking-odl: Fix Released
Status in networking-sfc: New
Status in tap-as-a-service: New
Status in networking-l2gw package in Ubuntu: Fix Released
Status in networking-odl package in Ubuntu: Fix Released
Status in neutron-taas package in Ubuntu: Fix Released
Status in networking-l2gw source package in Xenial: New
Status in networking-odl source package in Xenial: Triaged
Status in neutron-taas source package in Xenial: Invalid
Status in networking-l2gw source package in Yakkety: Fix Released
Status in networking-odl source package in Yakkety: Fix Released
Status in neutron-taas source package in Yakkety: Fix Released

Bug description:
  Various openstack related packages are missing required neutron database migrations due to the direct use of a git based workflow of merging upstream tags and generating orig.tar.xz directly from the git tree for packaging.

  This is *not* the same process as generating an sdist tarball, and as a result, files that need to reside in the python module get missed - this includes alembic migrations.

  Known impacts:

  networking-odl
  vmware-nsx (bug 1574610)

  A simple fix is to switch to using the upstream published release artefacts, rather than directly using git.

To manage notifications about this bug go to: https://bugs.launchpad.net/networking-l2gw/+bug/1627656/+subscriptions
[Group.of.nepali.translators] [Bug 1449062] Re: qemu-img calls need to be restricted by ulimit (CVE-2015-5162)
Reviewed: https://review.openstack.org/375099
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=78f17f0ad79380ee3d9c50f2670252bcc559b62b
Submitter: Jenkins
Branch: master

commit 78f17f0ad79380ee3d9c50f2670252bcc559b62b
Author: Sean McGinnis
Date: Thu Sep 22 15:31:37 2016 -0500

    Limit memory & CPU when running qemu-img info

    It was found that a modified or corrupted image file can cause a DoS on the host when getting image info with qemu-img.

    This uses the newer 'prlimit' parameter for oslo.concurrency execute to set an address space limit of 1GB and CPU time limit of 2 seconds when running the qemu-img info command.

    Change-Id: If5b7129b266ef065642bc7898ce9dcf93722a053
    Closes-bug: #1449062

** Changed in: cinder
   Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1449062

Title:
  qemu-img calls need to be restricted by ulimit (CVE-2015-5162)

Status in Cinder: Fix Released
Status in Cinder mitaka series: New
Status in Cinder newton series: Fix Released
Status in Ubuntu Cloud Archive: Fix Released
Status in Ubuntu Cloud Archive liberty series: Fix Committed
Status in Ubuntu Cloud Archive mitaka series: Fix Committed
Status in Ubuntu Cloud Archive newton series: Fix Released
Status in Glance: New
Status in Glance liberty series: New
Status in Glance mitaka series: New
Status in Glance newton series: New
Status in OpenStack Compute (nova): Fix Released
Status in OpenStack Security Advisory: In Progress
Status in python-oslo.concurrency package in Ubuntu: Fix Released
Status in python-oslo.concurrency source package in Wily: Fix Committed
Status in python-oslo.concurrency source package in Xenial: Fix Released
Status in python-oslo.concurrency source package in Yakkety: Fix Released

Bug description:
  Reported via private E-mail from Richard W.M. Jones.

  Turns out qemu image parser is not hardened against malicious input and can be abused to allocate an arbitrary amount of memory and/or dump a lot of information when used with "--output=json".

  The solution seems to be: limit qemu-img resource using ulimit.

  Example of abuse:

  -- afl1.img --

  $ /usr/bin/time qemu-img info afl1.img
  image: afl1.img
  [...]
  0.13user 0.19system 0:00.36elapsed 92%CPU (0avgtext+0avgdata 642416maxresident)k
  0inputs+0outputs (0major+156927minor)pagefaults 0swaps

  The original image is 516 bytes, but it causes qemu-img to allocate 640 MB.

  -- afl2.img --

  $ qemu-img info --output=json afl2.img | wc -l
  589843

  This is a 200K image which causes qemu-img info to output half a million lines of JSON (14 MB of JSON).

  Glance runs the --output=json variant of the command.

  -- afl3.img --

  $ /usr/bin/time qemu-img info afl3.img
  image: afl3.img
  [...]
  0.09user 0.35system 0:00.47elapsed 94%CPU (0avgtext+0avgdata 1262388maxresident)k
  0inputs+0outputs (0major+311994minor)pagefaults 0swaps

  qemu-img allocates 1.3 GB (actually, a bit more if you play with ulimit -v). It appears that you could change it to allocate arbitrarily large amounts of RAM.

To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1449062/+subscriptions
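Added example, not code from the Glance or Cinder commits quoted above: the two limits both commit messages describe (CPU time 2 seconds, address space 1 GB) applied with Python's standard resource module rather than oslo.concurrency's prlimit option. The run_limited helper, its output cap and the stand-in child commands are assumptions made for this illustration; it expects a Linux host.

```python
import resource
import subprocess
import sys

GIB = 1024 ** 3


def _clamp(res, value):
    """Never request more than the hard limit this process already has."""
    hard = resource.getrlimit(res)[1]
    return value if hard == resource.RLIM_INFINITY else min(value, hard)


def run_limited(argv, cpu_seconds=2, address_space=GIB, max_output=1 << 20):
    """Run argv with RLIMIT_CPU and RLIMIT_AS set in the child only.

    Returns (returncode, stdout, truncated). max_output is an extra guard
    (assumption, not in the commits) for the afl2.img case, where the
    JSON output itself is the problem: excess output kills the child.
    """
    def apply_limits():  # runs in the child, after fork() and before exec()
        for res, value in ((resource.RLIMIT_CPU, cpu_seconds),
                           (resource.RLIMIT_AS, address_space)):
            value = _clamp(res, value)
            resource.setrlimit(res, (value, value))

    proc = subprocess.Popen(argv, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL,
                            preexec_fn=apply_limits)
    out = proc.stdout.read(max_output + 1)
    truncated = len(out) > max_output
    if truncated:
        proc.kill()
    proc.stdout.close()
    return proc.wait(), out[:max_output], truncated


def stand_in(code):
    """Constructed stand-in for a misbehaving qemu-img: a Python one-liner."""
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    # In production argv would be ["qemu-img", "info", "--output=json", path].
    print(run_limited(stand_in("bytearray(2 * 1024 ** 3)"))[0])  # allocation refused
    print(run_limited(stand_in("while True: pass"), cpu_seconds=1)[0])  # killed
    print(run_limited(stand_in("print('x' * 10**7)"), max_output=1000)[2])
```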