Public bug reported:
During the implementation of enabling hypervisor hiding for Windows guests
it became apparent that a latent bug exists that allows non-privileged users
to override the policy set by the admin in the flavor by uploading a custom
image.

By convention, back in the Havana/Icehouse days we used to allow the flavor to
take precedence over the image if there was a conflict and log a warning.
Sometime around Liberty/Mitaka we decided that was a bad user experience for
end users, as they did not receive what they asked for, and started to convert
all conflicts into a hard error. The only case where we intentionally allow the
image to take precedence over the flavor is hw:mem_page_size, where it is
allowed if and only if the admin has set hw:mem_page_size to large or any
explicitly. In other words, unless the admin has opted in to allowing the image
to take precedence by not setting a value in the flavor or setting it to a
value that allows the image to refine the choice, we do not support image
overriding flavors.

The current code does exactly that by the use of a logical or:

    flavor_hide_kvm = strutils.bool_from_string(
        flavor.get('extra_specs', {}).get('hide_hypervisor_id'))
    if (virt_type in ("qemu", "kvm") and
            (image_meta.properties.get('img_hide_hypervisor_id') or
             flavor_hide_kvm)):

and the new code

    hide_hypervisor_id = (strutils.bool_from_string(
        flavor.extra_specs.get('hide_hypervisor_id')) or
        image_meta.properties.get('img_hide_hypervisor_id'))

exhibits the same behavior.

In both cases, if img_hide_hypervisor_id=true and hide_hypervisor_id=false,
hypervisor hiding will be enabled.

In this specific case the side effects of this are safe, but it may not be in
all cases of this pattern.

** Affects: nova
Importance: Undecided
Status: New
** Tags: libvirt
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1831723
Title:
The flavor hide_hypervisor_id value can be overridden by the image
img_hide_hypervisor_id
Status in OpenStack Compute (nova):
New