[openstack-nova/el6-icehouse] Update to Icehouse milestone 2

Xavier Queralt Mateu xqueralt at fedoraproject.org
Fri Jan 24 10:34:13 UTC 2014


commit c6a106dcbe78f38aca5e4110914659ec311a8b5d
Author: Xavier Queralt <xqueralt at redhat.com>
Date:   Thu Jan 23 10:14:13 2014 +0100

    Update to Icehouse milestone 2
    
    Resolves: CVE-2013-7130
    Resolves: #909113

 .gitignore                                         |    1 +
 ...e-don-t-access-the-net-when-building-docs.patch |    2 +-
 0002-remove-runtime-dep-on-python-pbr.patch        |   10 +-
 ...-parallel-install-versions-of-epel-packag.patch |    2 +-
 0004-libvirt-Fix-root-disk-leak-in-live-mig.patch  |  121 ++++++++++++++++++++
 nova-dist.conf                                     |    1 +
 openstack-nova.spec                                |   16 ++-
 sources                                            |    2 +-
 8 files changed, 144 insertions(+), 11 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 2c47572..452dd7d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,3 +19,4 @@
 /nova-2013.2.rc2.tar.gz
 /nova-2013.2.tar.gz
 /nova-2014.1.b1.tar.gz
+/nova-2014.1.b2.tar.gz
diff --git a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
index 3ccba55..2dda7a9 100644
--- a/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
+++ b/0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
@@ -1,4 +1,4 @@
-From 408ff3f40f27ef80c0be889bb799ee64122572b9 Mon Sep 17 00:00:00 2001
+From 4c62c0e1d7704fd1e5db1a01da3bcf9d8b96a440 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?P=C3=A1draig=20Brady?= <pbrady at redhat.com>
 Date: Fri, 6 Jan 2012 12:16:34 +0000
 Subject: [PATCH] Ensure we don't access the net when building docs
diff --git a/0002-remove-runtime-dep-on-python-pbr.patch b/0002-remove-runtime-dep-on-python-pbr.patch
index 61f69eb..3a2912c 100644
--- a/0002-remove-runtime-dep-on-python-pbr.patch
+++ b/0002-remove-runtime-dep-on-python-pbr.patch
@@ -1,4 +1,4 @@
-From c2234c879aaa9dfd3153f369c74ddcae623f030a Mon Sep 17 00:00:00 2001
+From 9cb69f6873094c5903d65ccd050a4f353c291c2f Mon Sep 17 00:00:00 2001
 From: Nikola Dipanov <ndipanov at redhat.com>
 Date: Fri, 14 Jun 2013 11:29:50 +0200
 Subject: [PATCH] remove runtime dep on python-pbr
@@ -9,17 +9,19 @@ Change-Id: I6f247f64c561d49c13e3c2f67401fe150b6d47b6
  1 file changed, 14 insertions(+), 3 deletions(-)
 
 diff --git a/nova/version.py b/nova/version.py
-index 9a4c33c..100c7a5 100644
+index 01b6b47..25ea4dc 100644
 --- a/nova/version.py
 +++ b/nova/version.py
-@@ -14,14 +14,25 @@
+@@ -14,8 +14,6 @@
  #    License for the specific language governing permissions and limitations
  #    under the License.
  
 -import pbr.version
 -
+ from nova.openstack.common.gettextutils import _
+ 
  NOVA_VENDOR = "OpenStack Foundation"
- NOVA_PRODUCT = "OpenStack Nova"
+@@ -23,7 +21,20 @@ NOVA_PRODUCT = "OpenStack Nova"
  NOVA_PACKAGE = None  # OS distro package version suffix
  
  loaded = False
diff --git a/0003-Use-updated-parallel-install-versions-of-epel-packag.patch b/0003-Use-updated-parallel-install-versions-of-epel-packag.patch
index 5c56286..9e4e9cf 100644
--- a/0003-Use-updated-parallel-install-versions-of-epel-packag.patch
+++ b/0003-Use-updated-parallel-install-versions-of-epel-packag.patch
@@ -1,4 +1,4 @@
-From c3a4968f03462e0ac3c61ed2e2e7d42194b76bb7 Mon Sep 17 00:00:00 2001
+From d5a4761396b4ff32bd8ae824e952ca0e88566c34 Mon Sep 17 00:00:00 2001
 From: Xavier Queralt <xqueralt at redhat.com>
 Date: Mon, 16 Dec 2013 12:33:13 +0100
 Subject: [PATCH] Use updated parallel install versions of epel package
diff --git a/0004-libvirt-Fix-root-disk-leak-in-live-mig.patch b/0004-libvirt-Fix-root-disk-leak-in-live-mig.patch
new file mode 100644
index 0000000..c528697
--- /dev/null
+++ b/0004-libvirt-Fix-root-disk-leak-in-live-mig.patch
@@ -0,0 +1,121 @@
+From 28049b37ab90422c4ef23d46f195c44a9cfd800d Mon Sep 17 00:00:00 2001
+From: Nikola Dipanov <ndipanov at redhat.com>
+Date: Tue, 10 Dec 2013 17:43:17 +0100
+Subject: [PATCH] libvirt: Fix root disk leak in live mig
+
+This patch makes sure that i_create_images_and_backing method of the
+libvirt driver (called in several places, but most problematic one is
+the call in the pre_live_migration method) creates all the files the
+instance needs that are not present.
+
+Prioir to this patch - the method would only attempt to download the
+image, and if it did so with the path of the ephemeral drives, it could
+expose the image to other users as an ephemeral devices. See the related
+bug for more detaiis.
+
+After this patch - we properly distinguish between image, ephemeral and
+swap files, and make sure that the imagebackend does the correct thing.
+
+Closes-bug: #1251590
+
+Co-authored-by: Loganathan Parthipan <parthipan at hp.com>
+
+Change-Id: I78aa2f4243899db4f4941e77014a7e18e27fc63e
+---
+ nova/tests/virt/libvirt/test_libvirt.py | 42 +++++++++++++++++++++++++++++++++
+ nova/virt/libvirt/driver.py             | 29 +++++++++++++++++------
+ 2 files changed, 64 insertions(+), 7 deletions(-)
+
+diff --git a/nova/tests/virt/libvirt/test_libvirt.py b/nova/tests/virt/libvirt/test_libvirt.py
+index 3809ce3..0808a40 100644
+--- a/nova/tests/virt/libvirt/test_libvirt.py
++++ b/nova/tests/virt/libvirt/test_libvirt.py
+@@ -3358,6 +3358,48 @@ class LibvirtConnTestCase(test.TestCase):
+     def test_create_images_and_backing_raw(self):
+         self._do_test_create_images_and_backing('raw')
+ 
++    def test_create_images_and_backing_ephemeral_gets_created(self):
++        conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
++        disk_info_json = jsonutils.dumps(
++            [{u'backing_file': u'fake_image_backing_file',
++              u'disk_size': 10747904,
++              u'path': u'disk_path',
++              u'type': u'qcow2',
++              u'virt_disk_size': 25165824},
++             {u'backing_file': u'ephemeral_1_default',
++              u'disk_size': 393216,
++              u'over_committed_disk_size': 1073348608,
++              u'path': u'disk_eph_path',
++              u'type': u'qcow2',
++              u'virt_disk_size': 1073741824}])
++
++        base_dir = os.path.join(CONF.instances_path,
++                                CONF.image_cache_subdirectory_name)
++        self.test_instance.update({'name': 'fake_instance',
++                                   'user_id': 'fake-user',
++                                   'os_type': None,
++                                   'project_id': 'fake-project'})
++
++        with contextlib.nested(
++            mock.patch.object(conn, '_fetch_instance_kernel_ramdisk'),
++            mock.patch.object(libvirt_driver.libvirt_utils, 'fetch_image'),
++            mock.patch.object(conn, '_create_ephemeral')
++        ) as (fetch_kernel_ramdisk_mock, fetch_image_mock,
++                create_ephemeral_mock):
++            conn._create_images_and_backing(self.context, self.test_instance,
++                                            "/fake/instance/dir",
++                                            disk_info_json)
++            self.assertEqual(len(create_ephemeral_mock.call_args_list), 1)
++            m_args, m_kwargs = create_ephemeral_mock.call_args_list[0]
++            self.assertEqual(
++                    os.path.join(base_dir, 'ephemeral_1_default'),
++                    m_kwargs['target'])
++            self.assertEqual(len(fetch_image_mock.call_args_list), 1)
++            m_args, m_kwargs = fetch_image_mock.call_args_list[0]
++            self.assertEqual(
++                    os.path.join(base_dir, 'fake_image_backing_file'),
++                    m_kwargs['target'])
++
+     def test_create_images_and_backing_disk_info_none(self):
+         conn = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
+         self.mox.StubOutWithMock(conn, '_fetch_instance_kernel_ramdisk')
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index a707256..d8acfe1 100644
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -4387,13 +4387,28 @@ class LibvirtDriver(driver.ComputeDriver):
+                 image = self.image_backend.image(instance,
+                                                  instance_disk,
+                                                  CONF.libvirt.images_type)
+-                image.cache(fetch_func=libvirt_utils.fetch_image,
+-                            context=context,
+-                            filename=cache_name,
+-                            image_id=instance['image_ref'],
+-                            user_id=instance['user_id'],
+-                            project_id=instance['project_id'],
+-                            size=info['virt_disk_size'])
++                if cache_name.startswith('ephemeral'):
++                    image.cache(fetch_func=self._create_ephemeral,
++                                fs_label=cache_name,
++                                os_type=instance["os_type"],
++                                filename=cache_name,
++                                size=info['virt_disk_size'],
++                                ephemeral_size=instance['ephemeral_gb'])
++                elif cache_name.startswith('swap'):
++                    inst_type = flavors.extract_flavor(instance)
++                    swap_mb = inst_type['swap']
++                    image.cache(fetch_func=self._create_swap,
++                                filename="swap_%s" % swap_mb,
++                                size=swap_mb * unit.Mi,
++                                swap_mb=swap_mb)
++                else:
++                    image.cache(fetch_func=libvirt_utils.fetch_image,
++                                context=context,
++                                filename=cache_name,
++                                image_id=instance['image_ref'],
++                                user_id=instance['user_id'],
++                                project_id=instance['project_id'],
++                                size=info['virt_disk_size'])
+ 
+         # if image has kernel and ramdisk, just download
+         # following normal way.
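Review bot: The new dispatch in `_create_images_and_backing` decides how to recreate a backing file purely from `cache_name.startswith('ephemeral')` / `cache_name.startswith('swap')`, and any name that matches neither falls through to `libvirt_utils.fetch_image`, the path the commit message describes as exposing the image as an ephemeral device. The fix therefore depends on the naming convention for ephemeral and swap backing files, which is defined outside this hunk; a comment above the `if` such as `# NOTE: ephemeral*/swap* backing files are generated locally and must never be filled from instance['image_ref']` would record that invariant. The ephemeral branch passes `ephemeral_size=instance['ephemeral_gb']` rather than a value derived from `info['virt_disk_size']`, which looks wrong for an instance whose ephemeral disks differ in size and is worth confirming against `_create_ephemeral`. The added test exercises only the image and ephemeral branches; a companion case with a `swap_*` backing file, asserting that `_create_swap` is called and `fetch_image` is not, would cover the third branch. The enclosing method starts and ends outside the hunk.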
diff --git a/nova-dist.conf b/nova-dist.conf
index ee98ff8..03ac0a7 100644
--- a/nova-dist.conf
+++ b/nova-dist.conf
@@ -14,6 +14,7 @@ compute_driver = libvirt.LibvirtDriver
 firewall_driver = nova.virt.libvirt.firewall.IptablesFirewallDriver
 rpc_backend = nova.openstack.common.rpc.impl_qpid
 rootwrap_config = /etc/nova/rootwrap.conf
+qpid_topology_version = 2
 
 [database]
 connection = mysql://nova:nova@localhost/nova
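Review bot: `qpid_topology_version = 2` changes a messaging default for every service that reads nova-dist.conf, yet neither the commit message nor the %changelog entry added by this commit mentions it. As far as I know, topology version 2 is not interoperable with peers still running version 1, so hosts updated one at a time may be unable to exchange RPC messages until all services are restarted on the new setting. A changelog line such as `- Default to qpid_topology_version = 2` would make the change visible to operators planning the upgrade.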
diff --git a/openstack-nova.spec b/openstack-nova.spec
index 54ddc7e..6e061b7 100644
--- a/openstack-nova.spec
+++ b/openstack-nova.spec
@@ -2,13 +2,13 @@
 
 Name:             openstack-nova
 Version:          2014.1
-Release:          0.5.b1%{?dist}
+Release:          0.6.b2%{?dist}
 Summary:          OpenStack Compute (nova)
 
 Group:            Applications/System
 License:          ASL 2.0
 URL:              http://openstack.org/projects/compute/
-Source0:          https://launchpad.net/nova/icehouse/icehouse-1/+download/nova-%{version}.b1.tar.gz
+Source0:          https://launchpad.net/nova/icehouse/icehouse-2/+download/nova-%{version}.b2.tar.gz
 
 Source1:          nova-dist.conf
 Source6:          nova.logrotate
@@ -50,11 +50,12 @@ Source22:         nova-ifc-template
 Source30:         openstack-nova-novncproxy.sysconfig
 
 #
-# patches_base=2014.1.b1
+# patches_base=2014.1.b2
 #
 Patch0001: 0001-Ensure-we-don-t-access-the-net-when-building-docs.patch
 Patch0002: 0002-remove-runtime-dep-on-python-pbr.patch
 Patch0003: 0003-Use-updated-parallel-install-versions-of-epel-packag.patch
+Patch0004: 0004-libvirt-Fix-root-disk-leak-in-live-mig.patch
 
 # This is EPEL specific and not upstream
 
@@ -102,6 +103,7 @@ Group:            Applications/System
 
 Requires:         python-nova = %{version}-%{release}
 Requires:         python-keystoneclient
+Requires:         python-oslo-rootwrap
 
 Requires(post):   chkconfig
 Requires(postun): initscripts
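Review bot: The added `Requires: python-oslo-rootwrap` is not recorded in the %changelog entry this commit adds. That entry instead lists `Require python-keystoneclient for api-paste`, a dependency that already appears here as an unchanged context line. If the rootwrap requirement is what the milestone 2 update needs, the changelog should say so, e.g. `- Require python-oslo-rootwrap`. The requirement is also unversioned; if the b2 tarball needs a minimum oslo.rootwrap release, a `>=` constraint would catch stale packages at install time.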
@@ -422,11 +424,12 @@ This package contains documentation files for nova.
 %endif
 
 %prep
-%setup -q -n nova-%{version}.b1
+%setup -q -n nova-%{version}.b2
 
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
+%patch0004 -p1
 
 # Apply EPEL patch
 
@@ -889,6 +892,11 @@ fi
 %endif
 
 %changelog
+* Fri Jan 24 2014 Xavier Queralt <xqueralt at redhat.com> - 2014.1-0.6.b2
+- Update to Icehouse milestone 2
+- Require python-keystoneclient for api-paste - rhbz#909113
+- Fix root disk leak in live migration - CVE-2013-7130
+
 * Mon Jan 06 2014 Pádraig Brady <pbrady at redhat.com> - 2014.1-0.5.b1
 - Avoid [keystone_authtoken] config corruption in nova.conf
 
diff --git a/sources b/sources
index e68993e..9fc70ac 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-51afb966884fa690db567600453a2131  nova-2014.1.b1.tar.gz
+fe9de293724bede1613f57283c70e65b  nova-2014.1.b2.tar.gz

