[openstack-nova] Update to Icehouse milestone 2
Xavier Queralt Mateu
xqueralt at fedoraproject.org
Fri Jan 24 09:37:25 UTC 2014
commit 680c38232c7342c91f0bc5f195ee0c6acf68d458
Author: Xavier Queralt <xqueralt at redhat.com>
Date: Thu Jan 23 10:14:13 2014 +0100
Update to Icehouse milestone 2
Resolves: CVE-2013-7130
Resolves: #909113
.gitignore | 1 +
...e-don-t-access-the-net-when-building-docs.patch | 2 +-
0002-libvirt-Fix-root-disk-leak-in-live-mig.patch | 121 ++++++++++++++++++++
0002-remove-runtime-dep-on-python-pbr.patch | 43 -------
nova-dist.conf | 1 +
openstack-nova.spec | 17 ++-
sources | 2 +-
7 files changed, 137 insertions(+), 50 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 866e235..ed17629 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@
/nova-2013.2.rc2.tar.gz
/nova-2013.2.tar.gz
/nova-2014.1.b1.tar.gz
+/nova-2014.1.b2.tar.gz
diff --git a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
index 5b1b744..bfdafc7 100644
--- a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+++ b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
@@ -1,4 +1,4 @@
-From 02749a322beb6a5ea856469e8e6a1598f1162a0c Mon Sep 17 00:00:00 2001
+From 69140200f5ea80d24ff027712247b33f33a32f6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
Date: Fri, 6 Jan 2012 12:16:34 +0000
Subject: [PATCH] Ensure we don't access the net when building docs
diff --git a/0002-libvirt-Fix-root-disk-leak-in-live-mig.patch b/0002-libvirt-Fix-root-disk-leak-in-live-mig.patch
new file mode 100644
index 0000000..7a2ba7c
--- /dev/null
+++ b/0002-libvirt-Fix-root-disk-leak-in-live-mig.patch
@@ -0,0 +1,121 @@
+From 01f5d8a22f41ae1db0a6d2ffd5504876d64dfaba Mon Sep 17 00:00:00 2001
+From: Nikola Dipanov <ndipanov at redhat.com>
+Date: Tue, 10 Dec 2013 17:43:17 +0100
+Subject: [PATCH] libvirt: Fix root disk leak in live mig
+
+This patch makes sure that i_create_images_and_backing method of the
+libvirt driver (called in several places, but most problematic one is
+the call in the pre_live_migration method) creates all the files the
+instance needs that are not present.
+
+Prioir to this patch - the method would only attempt to download the
+image, and if it did so with the path of the ephemeral drives, it could
+expose the image to other users as an ephemeral devices. See the related
+bug for more detaiis.
+
+After this patch - we properly distinguish between image, ephemeral and
+swap files, and make sure that the imagebackend does the correct thing.
+
+Closes-bug: #1251590
+
+Co-authored-by: Loganathan Parthipan <parthipan at hp.com>
+
+Change-Id: I78aa2f4243899db4f4941e77014a7e18e27fc63e
+---
+ nova/tests/virt/libvirt/test_libvirt.py | 42 +++++++++++++++++++++++++++++++++
+ nova/virt/libvirt/driver.py | 29 +++++++++++++++++------
+ 2 files changed, 64 insertions(+), 7 deletions(-)
+
+diff --git a/nova/tests/virt/libvirt/test_libvirt.py b/nova/tests/virt/libvirt/test_libvirt.py
+index 3809ce3..0808a40 100644
+--- a/nova/tests/virt/libvirt/test_libvirt.py
++++ b/nova/tests/virt/libvirt/test_libvirt.py
+@@ -3358,6 +3358,48 @@ class LibvirtConnTestCase(test.TestCase):
+ def test_create_images_and_backing_raw(self):
+ self._do_test_create_images_and_backing('raw')
+
++ def test_create_images_and_backing_ephemeral_gets_created(self):
++ conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
++ disk_info_json = jsonutils.dumps(
++ [{u'backing_file': u'fake_image_backing_file',
++ u'disk_size': 10747904,
++ u'path': u'disk_path',
++ u'type': u'qcow2',
++ u'virt_disk_size': 25165824},
++ {u'backing_file': u'ephemeral_1_default',
++ u'disk_size': 393216,
++ u'over_committed_disk_size': 1073348608,
++ u'path': u'disk_eph_path',
++ u'type': u'qcow2',
++ u'virt_disk_size': 1073741824}])
++
++ base_dir = os.path.join(CONF.instances_path,
++ CONF.image_cache_subdirectory_name)
++ self.test_instance.update({'name': 'fake_instance',
++ 'user_id': 'fake-user',
++ 'os_type': None,
++ 'project_id': 'fake-project'})
++
++ with contextlib.nested(
++ mock.patch.object(conn, '_fetch_instance_kernel_ramdisk'),
++ mock.patch.object(libvirt_driver.libvirt_utils, 'fetch_image'),
++ mock.patch.object(conn, '_create_ephemeral')
++ ) as (fetch_kernel_ramdisk_mock, fetch_image_mock,
++ create_ephemeral_mock):
++ conn._create_images_and_backing(self.context, self.test_instance,
++ "/fake/instance/dir",
++ disk_info_json)
++ self.assertEqual(len(create_ephemeral_mock.call_args_list), 1)
++ m_args, m_kwargs = create_ephemeral_mock.call_args_list[0]
++ self.assertEqual(
++ os.path.join(base_dir, 'ephemeral_1_default'),
++ m_kwargs['target'])
++ self.assertEqual(len(fetch_image_mock.call_args_list), 1)
++ m_args, m_kwargs = fetch_image_mock.call_args_list[0]
++ self.assertEqual(
++ os.path.join(base_dir, 'fake_image_backing_file'),
++ m_kwargs['target'])
++
+ def test_create_images_and_backing_disk_info_none(self):
+ conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
+ self.mox.StubOutWithMock(conn, '_fetch_instance_kernel_ramdisk')
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index a707256..d8acfe1 100644
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -4387,13 +4387,28 @@ class LibvirtDriver(driver.ComputeDriver):
+ image = self.image_backend.image(instance,
+ instance_disk,
+ CONF.libvirt.images_type)
+- image.cache(fetch_func=libvirt_utils.fetch_image,
+- context=context,
+- filename=cache_name,
+- image_id=instance['image_ref'],
+- user_id=instance['user_id'],
+- project_id=instance['project_id'],
+- size=info['virt_disk_size'])
++ if cache_name.startswith('ephemeral'):
++ image.cache(fetch_func=self._create_ephemeral,
++ fs_label=cache_name,
++ os_type=instance["os_type"],
++ filename=cache_name,
++ size=info['virt_disk_size'],
++ ephemeral_size=instance['ephemeral_gb'])
++ elif cache_name.startswith('swap'):
++ inst_type = flavors.extract_flavor(instance)
++ swap_mb = inst_type['swap']
++ image.cache(fetch_func=self._create_swap,
++ filename="swap_%s" % swap_mb,
++ size=swap_mb * unit.Mi,
++ swap_mb=swap_mb)
++ else:
++ image.cache(fetch_func=libvirt_utils.fetch_image,
++ context=context,
++ filename=cache_name,
++ image_id=instance['image_ref'],
++ user_id=instance['user_id'],
++ project_id=instance['project_id'],
++ size=info['virt_disk_size'])
+
+ # if image has kernel and ramdisk, just download
+ # following normal way.
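Review bot: The new branching in driver.py classifies each backing file purely by the `cache_name.startswith('ephemeral')` / `startswith('swap')` prefix, and anything that matches neither still falls through to the Glance download path with `image_id=instance['image_ref']`, so the protection depends on the naming convention of the backing_file values carried in disk_info (which, per the commit message, arrive from the source host in pre_live_migration); that assumption deserves a comment above the `if`, e.g. `# backing_file names come from the source host's disk_info; classify by prefix so ephemeral/swap are regenerated locally and never fetched from Glance under that name`. The swap branch also names the cache entry `"swap_%s" % swap_mb` from the current flavor rather than reusing `cache_name`, so if the name recorded in disk_info is what the source-side qcow2 overlay points at, a differing flavor swap size would produce a cache file under a different name — worth confirming that this cannot diverge. The enclosing `_create_images_and_backing` method starts and ends outside this hunk, so where `cache_name` is derived is not visible here.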
diff --git a/nova-dist.conf b/nova-dist.conf
index f863d88..4059cb6 100644
--- a/nova-dist.conf
+++ b/nova-dist.conf
@@ -14,6 +14,7 @@ compute_driver = libvirt.LibvirtDriver
firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
rpc_backend = nova.openstack.common.rpc.impl_qpid
rootwrap_config = /etc/nova/rootwrap.conf
+qpid_topology_version = 2
[database]
connection = mysql://nova:nova@localhost/nova
diff --git a/openstack-nova.spec b/openstack-nova.spec
index b5b0028..7ee95db 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,13 +2,13 @@
Name: openstack-nova
Version: 2014.1
-Release: 0.5.b1%{?dist}
+Release: 0.6.b2%{?dist}
Summary: OpenStack Compute (nova)
Group: Applications/System
License: ASL 2.0
URL: http://openstack.org/projects/compute/
-Source0: https://launchpad.net/nova/icehouse/icehouse-1/+download/nova-%{version}.b1.tar.gz
+Source0: https://launchpad.net/nova/icehouse/icehouse-2/+download/nova-%{version}.b2.tar.gz
Source1: nova-dist.conf
Source6: nova.logrotate
@@ -35,10 +35,10 @@ Source24: nova-sudoers
Source30: openstack-nova-novncproxy.sysconfig
#
-# patches_base=2014.1.b1
+# patches_base=2014.1.b2
#
Patch0001: 0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
-Patch0002: 0002-remove-runtime-dep-on-python-pbr.patch
+Patch0002: 0002-libvirt-Fix-root-disk-leak-in-live-mig.patch
BuildArch: noarch
BuildRequires: intltool
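Review bot: Patch0002 is swapped from 0002-remove-runtime-dep-on-python-pbr.patch to the libvirt fix, but neither the spec nor the changelog entry below says why the pbr patch is dropped, so it is unclear whether the b2 tarball no longer needs it or whether python-nova should now carry `Requires: python-pbr`. A one-line comment next to the `# patches_base=2014.1.b2` marker, or a changelog bullet such as `- Drop remove-runtime-dep-on-python-pbr patch, no longer needed with b2`, would make that intent explicit for the next rebase; I cannot tell from this diff which of the two is true.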
@@ -77,6 +77,8 @@ Summary: Components common to all OpenStack Nova services
Group: Applications/System
Requires: python-nova = %{version}-%{release}
+Requires: python-keystoneclient
+Requires: python-oslo-rootwrap
Requires(post): systemd-units
Requires(preun): systemd-units
@@ -391,7 +393,7 @@ This package contains documentation files for nova.
%endif
%prep
-%setup -q -n nova-%{version}.b1
+%setup -q -n nova-%{version}.b2
%patch0001 -p1
%patch0002 -p1
@@ -863,6 +865,11 @@ fi
%endif
%changelog
+* Fri Jan 24 2014 Xavier Queralt <xqueralt at redhat.com> - 2014.1-0.6.b2
+- Update to Icehouse milestone 2
+- Require python-keystoneclient for api-paste - rhbz#909113
+- Fix root disk leak in live migration - CVE-2013-7130
+
* Mon Jan 06 2014 Pádraig Brady <pbrady at redhat.com> - 2014.1-0.5.b1
- Avoid [keystone_authtoken] config corruption in nova.conf
diff --git a/sources b/sources
index e68993e..9fc70ac 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-51afb966884fa690db567600453a2131 nova-2014.1.b1.tar.gz
+fe9de293724bede1613f57283c70e65b nova-2014.1.b2.tar.gz