I'm at a tad late (5+ years after the last comment), but in case it
helps, we just ran into a situation where a user (not cloud admin)
exhausted their IP allocations in a user-defined subnet, which caused an
error in the nova-compute.log:
NoMoreFixedIps: No fixed IP addresses available for
Since this has come up again in bug 1581977 as representing a security-
related concern, I'm adding the security bugtag to it for increased
visibility. Note this is not the same as treating it as a security
vulnerability, and I don't have the impression that any CVE assignment
or security advisory
** Changed in: charm-nova-cloud-controller
Milestone: None => 19.04
** Changed in: charm-nova-cloud-controller
Status: Fix Committed => Confirmed
** Changed in: charm-nova-cloud-controller
Status: Confirmed => Fix Released
--
You received this bug notification because you are
With the weigher, you shouldn't be able to "take down" anything. You may
stack a lot more instances on the non-error-reporting hosts, but once
those are full, the scheduler will try one fo the hosts reporting
errors, and as soon as one succeeds there, the score resets to zero. So
can you clarify
Chris: I don't doubt that this could be a crippling incident, but you
say you took down your own cloud and did so accidentally... can you
provide a similar scenario where a non-admin user is able to
intentionally bring about the same result? That's mostly what I'm
looking for to be able to
Matt, What is your opinion on nova disabling the build failure weigher
by default. It would then be secure by default, without any exposure to
degradation of service attacks, and folks can opt in to it if they want.
Btw, did you mean to triage as won't fix or incomplete? I think we have
enough
@mriedem - yeah that was my hack but I see you beat me to raising a
review...
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1818239
Title:
scheduler: build failure high negative weighting
To
@fungi - we accidentally took down 9/12 of the hypervisors in our QA
cloud with this; 75% isn't quite a complete denial of service but
definitely degraded the capacity significantly
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
I've marked this as incomplete for nova since I'm not aware of any
changes being asked to make here. The build failure weigher was added
because of bug 1742102 and in response to operator feedback from the
Boston summit to auto-disable computes if they experienced a build
failure. So the
@James: per comment 2, see bug 1816360 :) Easy fix for that.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1818239
Title:
scheduler: build failure high negative weighting
To manage notifications
On Tue, 2019-03-05 at 18:30 +, Corey Bryant wrote:
> @Jeremy, I think it's more of limited denial of service (if we can
> call
> it that) where a certain amount of computes could get negative weight
> and not considered for scheduling. I don't think it's a complete
> denial
> of service.
I
Thanks! I'm mostly looking for an exploit scenario whereby a malicious
actor can intentionally cause harm/deny access to the operating
environment for other users. Absent this, we'd probably not bother to
issue a security advisory about it.
--
You received this bug notification because you are a
@Jeremy, I think it's more of limited denial of service (if we can call
it that) where a certain amount of computes could get negative weight
and not considered for scheduling. I don't think it's a complete denial
of service. For example, in the case you've mentioned the failure weight
would
Is the denial of service concern that an authenticated user could
engineer a build failure (perhaps by attempting to boot an intentionally
corrupt image they uploaded) and perform that action repeatedly to cause
the environment to no longer to be able to schedule instances to any of
the hypervisor
Opening this back up against the package and adding upstream as well. I
may be missing something, but I think this is still an issue upstream.
** Also affects: nova
Importance: Undecided
Status: New
** Changed in: nova (Ubuntu)
Status: Won't Fix => Triaged
** Changed in: nova
Reviewed: https://review.openstack.org/640698
Committed:
https://git.openstack.org/cgit/openstack/charm-nova-cloud-controller/commit/?id=c5029e9831ab5063485877213987d6827c4d86f1
Submitter: Zuul
Branch:master
commit c5029e9831ab5063485877213987d6827c4d86f1
Author: James Page
Date: Mon Mar
** Tags added: sts
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1818239
Title:
scheduler: build failure high negative weighting
To manage notifications about this bug go to:
** Changed in: nova (Ubuntu)
Status: New => Won't Fix
** Also affects: charm-nova-cloud-controller
Importance: Undecided
Status: New
** Information type changed from Private Security to Public Security
** Changed in: charm-nova-cloud-controller
Status: New => In Progress
18 matches
Mail list logo
