[openstack-nova/f19] Updated patches from f19-patches

Xavier Queralt Mateu xqueralt at fedoraproject.org
Fri Jan 24 09:53:35 UTC 2014


commit 9b7a3f229eee515bcc6cb3c81dd7a71ab45533df
Author: Xavier Queralt <xqueralt at redhat.com>
Date:   Fri Jan 24 10:52:55 2014 +0100

    Updated patches from f19-patches
    
    Resolves: CVE-2013-7130
    Resolves: #909113

 0007-libvirt-Fix-root-disk-leak-in-live-mig.patch |  158 +++++++++++++++++++++
 openstack-nova.spec                               |    9 +-
 2 files changed, 166 insertions(+), 1 deletions(-)
---
diff --git a/0007-libvirt-Fix-root-disk-leak-in-live-mig.patch b/0007-libvirt-Fix-root-disk-leak-in-live-mig.patch
new file mode 100644
index 0000000..accc2a9
--- /dev/null
+++ b/0007-libvirt-Fix-root-disk-leak-in-live-mig.patch
@@ -0,0 +1,158 @@
+From 42fb07f7705498c1cc4687d7cc32f2829f693dc8 Mon Sep 17 00:00:00 2001
+From: Nikola Dipanov <ndipanov at redhat.com>
+Date: Tue, 10 Dec 2013 17:43:17 +0100
+Subject: [PATCH] libvirt: Fix root disk leak in live mig
+
+This patch makes sure that i_create_images_and_backing method of the
+libvirt driver (called in several places, but most problematic one is
+the call in the pre_live_migration method) creates all the files the
+instance needs that are not present.
+
+Prioir to this patch - the method would only attempt to download the
+image, and if it did so with the path of the ephemeral drives, it could
+expose the image to other users as an ephemeral devices. See the related
+bug for more detaiis.
+
+After this patch - we properly distinguish between image, ephemeral and
+swap files, and make sure that the imagebackend does the correct thing.
+
+Closes-bug: #1251590
+
+Co-authored-by: Loganathan Parthipan <parthipan at hp.com>
+
+This patch also includes part of commit
+65386c91910ee03d947c2b8bcc226a53c30e060a, not cherry-picked as a whole
+due to the fact that it is a trivial change, and to avoud the
+proliferation of patches needed to fix this bug.
+
+Change-Id: I78aa2f4243899db4f4941e77014a7e18e27fc63e
+(cherry picked from commit c69a619668b5f44e94a8fe1a23f3d887ba2834d7)
+
+Conflicts:
+	nova/tests/test_libvirt.py
+	nova/virt/libvirt/driver.py
+---
+ nova/tests/test_libvirt.py  | 63 +++++++++++++++++++++++++++++++++++++++++++++
+ nova/virt/libvirt/driver.py | 31 +++++++++++++++-------
+ 2 files changed, 85 insertions(+), 9 deletions(-)
+
+diff --git a/nova/tests/test_libvirt.py b/nova/tests/test_libvirt.py
+index 4b07d65..75f9936 100644
+--- a/nova/tests/test_libvirt.py
++++ b/nova/tests/test_libvirt.py
+@@ -2346,6 +2346,69 @@ class LibvirtConnTestCase(test.TestCase):
+ 
+         db.instance_destroy(self.context, instance_ref['uuid'])
+ 
++    def test_create_images_and_backing(self):
++        conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
++        self.mox.StubOutWithMock(conn, '_fetch_instance_kernel_ramdisk')
++        self.mox.StubOutWithMock(libvirt_driver.libvirt_utils, 'create_image')
++
++        libvirt_driver.libvirt_utils.create_image(mox.IgnoreArg(),
++                                                  mox.IgnoreArg(),
++                                                  mox.IgnoreArg())
++        conn._fetch_instance_kernel_ramdisk(self.context, self.test_instance)
++        self.mox.ReplayAll()
++
++        self.stubs.Set(os.path, 'exists', lambda *args: False)
++        disk_info_json = jsonutils.dumps([{'path': 'foo', 'type': None,
++                                           'disk_size': 0,
++                                           'backing_file': None}])
++        conn._create_images_and_backing(self.context, self.test_instance,
++                                        "/fake/instance/dir", disk_info_json)
++
++    def test_create_images_and_backing_ephemeral_gets_created(self):
++        conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
++        disk_info_json = jsonutils.dumps(
++            [{u'backing_file': u'fake_image_backing_file',
++              u'disk_size': 10747904,
++              u'path': u'disk_path',
++              u'type': u'qcow2',
++              u'virt_disk_size': 25165824},
++             {u'backing_file': u'ephemeral_1_default',
++              u'disk_size': 393216,
++              u'over_committed_disk_size': 1073348608,
++              u'path': u'disk_eph_path',
++              u'type': u'qcow2',
++              u'virt_disk_size': 1073741824}])
++
++        base_dir = os.path.join(CONF.instances_path, '_base')
++        ephemeral_target = os.path.join(base_dir, 'ephemeral_1_default')
++        image_target = os.path.join(base_dir, 'fake_image_backing_file')
++        self.test_instance.update({'name': 'fake_instance',
++                                   'user_id': 'fake-user',
++                                   'os_type': None,
++                                   'project_id': 'fake-project'})
++
++        self.mox.StubOutWithMock(libvirt_driver.libvirt_utils, 'fetch_image')
++        self.mox.StubOutWithMock(conn, '_create_ephemeral')
++        self.mox.StubOutWithMock(conn, '_fetch_instance_kernel_ramdisk')
++
++        conn._create_ephemeral(
++                target=ephemeral_target,
++                ephemeral_size=self.test_instance['ephemeral_gb'],
++                max_size=mox.IgnoreArg(), os_type=mox.IgnoreArg(),
++                fs_label=mox.IgnoreArg())
++        libvirt_driver.libvirt_utils.fetch_image(context=self.context,
++                image_id=mox.IgnoreArg(),
++                user_id=mox.IgnoreArg(), project_id=mox.IgnoreArg(),
++                max_size=mox.IgnoreArg(), target=image_target)
++        conn._fetch_instance_kernel_ramdisk(
++                self.context, self.test_instance).AndReturn(None)
++
++        self.mox.ReplayAll()
++
++        conn._create_images_and_backing(self.context, self.test_instance,
++                                        "/fake/instance/dir",
++                                        disk_info_json)
++
+     def test_pre_live_migration_works_correctly_mocked(self):
+         # Creating testdata
+         vol = {'block_device_mapping': [
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index ff1117c..2be1767 100755
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -3305,19 +3305,32 @@ class LibvirtDriver(driver.ComputeDriver):
+             elif info['backing_file']:
+                 # Creating backing file follows same way as spawning instances.
+                 cache_name = os.path.basename(info['backing_file'])
+-                # Remove any size tags which the cache manages
+-                cache_name = cache_name.split('_')[0]
+ 
+                 image = self.image_backend.image(instance,
+                                                  instance_disk,
+                                                  CONF.libvirt_images_type)
+-                image.cache(fetch_func=libvirt_utils.fetch_image,
+-                            context=ctxt,
+-                            filename=cache_name,
+-                            image_id=instance['image_ref'],
+-                            user_id=instance['user_id'],
+-                            project_id=instance['project_id'],
+-                            size=info['virt_disk_size'])
++                if cache_name.startswith('ephemeral'):
++                    image.cache(fetch_func=self._create_ephemeral,
++                                fs_label=cache_name,
++                                os_type=instance["os_type"],
++                                filename=cache_name,
++                                size=info['virt_disk_size'],
++                                ephemeral_size=instance['ephemeral_gb'])
++                elif cache_name.startswith('swap'):
++                    inst_type = flavors.extract_flavor(instance)
++                    swap_mb = inst_type['swap']
++                    image.cache(fetch_func=self._create_swap,
++                                filename="swap_%s" % swap_mb,
++                                size=swap_mb * unit.Mi,
++                                swap_mb=swap_mb)
++                else:
++                    image.cache(fetch_func=libvirt_utils.fetch_image,
++                                context=ctxt,
++                                filename=cache_name,
++                                image_id=instance['image_ref'],
++                                user_id=instance['user_id'],
++                                project_id=instance['project_id'],
++                                size=info['virt_disk_size'])
+ 
+         # if image has kernel and ramdisk, just download
+         # following normal way.
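Review bot: In the `cache_name.startswith('ephemeral')` branch the filesystem label is taken from the backing-file name the source host reported (`fs_label=cache_name`, e.g. `ephemeral_1_default` as in the new test), and since `image.cache` recreates the base only when it is missing on the destination, that regenerated base must be byte-identical to the one spawn built on the source or blocks the guest's overlay has never written will read from a different blank filesystem; confirm spawn passes the same label and mkfs parameters, and that a 19-character label is not silently truncated if the ephemeral filesystem is ext-based. The removed `cache_name = cache_name.split('_')[0]` was, per its own comment, stripping cache-managed size tags, so a backing name carrying a `_<size>` suffix now falls through to the `else` branch and the Glance image is fetched under the full tagged name — fine for the current naming, but worth checking that no f19 hosts still carry such legacy bases, or tolerating the suffix in the prefix checks. The hunk also uses `flavors.extract_flavor` and `unit.Mi` with no import visible, and the driver.py diffstat (22 insertions, 9 deletions) is fully accounted for by this hunk, so the backport presumes those names are already in scope in the 2013.1.4 tree via earlier patches rather than via the "part of commit 65386c91" remark — verify before building. The added tests exercise only the image and ephemeral branches; a case with a `swap_<mb>` backing name would pin the `_create_swap` path and its `filename="swap_%s" % swap_mb` naming. `_create_images_and_backing` begins and ends outside the hunk.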
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 4461a1d..47d37c2 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,7 +2,7 @@
 
 Name:             openstack-nova
 Version:          2013.1.4
-Release:          4%{?dist}
+Release:          5%{?dist}
 Summary:          OpenStack Compute (nova)
 
 Group:            Applications/System
@@ -43,6 +43,7 @@ Patch0003: 0003-add-conf-for-number-of-conductor-workers.patch
 Patch0004: 0004-Fix-IPAddress-and-CIDR-type-decorators.patch
 Patch0005: 0005-ensure-we-don-t-boot-oversized-images.patch
 Patch0006: 0006-Add-missing-argument-max_size-in-libvirt-driver.patch
+Patch0007: 0007-libvirt-Fix-root-disk-leak-in-live-mig.patch
 
 BuildArch:        noarch
 BuildRequires:    intltool
@@ -78,6 +79,7 @@ Summary:          Components common to all OpenStack Nova services
 Group:            Applications/System
 
 Requires:         python-nova = %{version}-%{release}
+Requires:         python-keystoneclient
 
 Requires(post):   systemd-units
 Requires(preun):  systemd-units
@@ -396,6 +398,7 @@ This package contains documentation files for nova.
 %patch0004 -p1
 %patch0005 -p1
 %patch0006 -p1
+%patch0007 -p1
 
 find . \( -name .gitignore -o -name .placeholder \) -delete
 
@@ -850,6 +853,10 @@ fi
 %endif
 
 %changelog
+* Fri Jan 24 2014 Xavier Queralt <xqueralt at redhat.com> - 2013.1.4-5
+- Require python-keystoneclient for api-paste - rhbz#909113
+- Fix root disk leak in live migration - CVE-2013-7130
+
 * Tue Dec 17 2013 Xavier Queralt <xqueralt at redhat.com> - 2013.1.4-4
 - Fix booting of instances with extra ephemeral or swap disks
 

