[nova] Heads up on default policy change for zero-disk flavors
Matt Riedemann
mriedemos at gmail.com
Thu Nov 29 00:05:51 UTC 2018
Coming back to a security bug there is a change in nova [1] in Stein to
change the value on the "os_compute_api:servers:create:zero_disk_flavor"
policy rule to make it admin-only by default.
This makes server create fail for non-admins users who are using flavors
with root_gb=0 *unless* they are booting from volume.
If you already have this configuration set before upgrading to stein
then your deployment tooling shouldn't overwrite the configured policy
and you won't notice any changes, but if you have an empty policy file
and upgrade and have 0 root_gb flavors, your users could see server
create failures.
Let us know if you have any issues with this, or would like to see
something done in the way of further documentation/communication and/or
a nova-status upgrade check.
[1] https://review.openstack.org/#/c/603910/
--
Thanks,
Matt
More information about the openstack-discuss
mailing list