Reviewed:  https://review.openstack.org/519681
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=b72105c1c49fcddc94992af63fc2f8078023491a
Submitter: Zuul
Branch:    stable/ocata

commit b72105c1c49fcddc94992af63fc2f8078023491a
Author: Matt Riedemann <[email protected]>
Date:   Fri Oct 27 16:03:15 2017 -0400

    Validate new image via scheduler during rebuild
    
    During a rebuild we bypass the scheduler because we are
    always rebuilding the instance on the same host it's already
    on. However, we allow passing a new image during rebuild
    and that new image needs to be validated to work with the
    instance host by running it through the scheduler filters,
    like the ImagePropertiesFilter. Otherwise the new image
    could violate constraints placed on the host by the admin.
    
    This change checks to see if there is a new image provided
    and if so, modifies the request spec passed to the scheduler
    so that the new image is validated all while restricting
    the scheduler to still pick the same host that the instance
    is running on. If the image is not valid for the host, the
    scheduler will raise NoValidHost and the rebuild stops.
    
    A functional test is added to show the recreate of the bug
    and that we probably stop the rebuild now in conductor by
    calling the scheduler to validate the image.
    
    Co-Authored-By: Sylvain Bauza <[email protected]>
    
    Closes-Bug: #1664931
    
    Conflicts:
          nova/conductor/manager.py
          nova/tests/functional/integrated_helpers.py
          nova/tests/functional/test_servers.py
    
    NOTE(mriedem): There are a few changes needed for Ocata:
    
    1. I6590f0eda4ec4996543ad40d8c2640b83fc3dd9d changed some
       of the conditional logic in the conductor rebuild_instance
       method. That refactor is not replayed here, just the
       necessary change for the fix.
    2. The _wait_for_action_fail_completion method didn't exist
       in Ocata.
    3. The PlacementFixture wasn't used in _IntegratedTestBase
       so it's done as part of the test setup.
    4. The default scheduler filters were different in Ocata so
       the test just restricts to using ImagePropertiesFilter.
    5. A few imports were needed in the test module.
    
    Change-Id: I11746d1ea996a0f18b7c54b4c9c21df58cc4714b
    (cherry picked from commit 984dd8ad6add4523d93c7ce5a666a32233e02e34)
    (cherry picked from commit 9e2d63da94db63d97bd02e373bfc53d95808b833)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1664931

Title:
  [OSSA-2017-005] nova rebuild ignores all image properties and
  scheduler filters (CVE-2017-16239)
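
Added example, not nova code and not part of the original notification: a simplified Python model of the behaviour the commit message describes, where a rebuild with a new image is run through an image-properties filter while the scheduler is pinned to the instance's current host. All class, function and host names are hypothetical, and the hosts and images are constructed sample data.

```python
# Simplified model, NOT nova code: every name below is hypothetical.
from dataclasses import dataclass

class NoValidHost(Exception):
    """Raised when no candidate host passes the filters."""

@dataclass
class Host:
    name: str
    supported: set  # (architecture, hypervisor_type) pairs the host can run

@dataclass
class RequestSpec:
    image_props: dict
    requested_host: str = None  # when set, scheduling is restricted to this host

def image_properties_filter(host, spec):
    """Model of an image-properties check; an unset property matches anything."""
    arch = spec.image_props.get("architecture")
    hv = spec.image_props.get("hypervisor_type")
    return any(arch in (None, a) and hv in (None, h) for a, h in host.supported)

def select_destination(hosts, spec, filters=(image_properties_filter,)):
    candidates = [h for h in hosts if spec.requested_host in (None, h.name)]
    passed = [h for h in candidates if all(f(h, spec) for f in filters)]
    if not passed:
        raise NoValidHost(f"image not valid for host {spec.requested_host}")
    return passed[0].name

def rebuild_unvalidated(instance_host, new_image_props):
    """Behaviour before the fix: scheduler bypassed, new image never checked."""
    return instance_host

def rebuild_validated(hosts, instance_host, orig_props, new_image_props):
    """Behaviour after the fix: a new image is filtered, pinned to the same host."""
    if new_image_props != orig_props:
        spec = RequestSpec(image_props=new_image_props,
                           requested_host=instance_host)
        return select_destination(hosts, spec)
    return instance_host

# Constructed sample data.
HOSTS = [Host("kvm-1", {("x86_64", "kvm")}), Host("xen-1", {("x86_64", "xen")})]
KVM_IMAGE = {"architecture": "x86_64", "hypervisor_type": "kvm"}
XEN_IMAGE = {"architecture": "x86_64", "hypervisor_type": "xen"}
```

Because the request is pinned to the current host, an image that another host could run still fails with NoValidHost instead of moving the instance.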
