On reporting CPU flags that provide mitigation (to CVE flaws) as Nova 'traits'

Eric Fried openstack at fried.cc
Thu May 16 15:42:47 UTC 2019

> I've added a link to this thread on the agenda for tomorrow's
> Security SIG meeting

This happened [1]. TL;DR: it does more potential good than harm to
expose these traits ("scheduler roulette is not a security measure").

> Others have said this (at least Dan): This seems like something
> where something other than nova ought to handle it. A host which
> shouldn't be scheduled to should be disabled (as a service).

WFM. Scrap strawman.

Given that it's not considered a security issue, we could expose the
(low-level, CPU flag) traits so that "other than nova" can use them. If
we think there's demand.

> How do people feel about the idea of forming a core group for those
> two repos that includes placement cores but has additions from nova
> (Dan, Kashyap and Sean would make good candidates) and other projects
> that consume them?
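
As an illustration of the "something other than nova" approach above, here is an added example (not code from this thread, Nova, or placement): a small POSIX shell script that checks a host's /proc/cpuinfo flags line for a set of mitigation-related flags and, for a host that lacks any of them, prints the standard `openstack compute service set --disable` call an operator or external tool would run instead of relying on scheduler placement. The list of required flags (ssbd, md_clear, ibpb, stibp) is an assumption chosen for illustration, not a list from the thread; the two flags lines are constructed sample input, not real hosts.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the flag names in
# REQUIRED_FLAGS are the ones Linux prints in /proc/cpuinfo for these
# mitigations; the CLI call is the standard 'openstack compute service set'.

# Mitigation-related CPU flags we want every host to expose (assumed list).
REQUIRED_FLAGS="ssbd md_clear ibpb stibp"

# missing_mitigation_flags "<flags line>" -> prints space-separated missing flags
missing_mitigation_flags() {
    flags=" $1 "
    missing=""
    for f in $REQUIRED_FLAGS; do
        case "$flags" in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# host_flags: first 'flags' line of this host's /proc/cpuinfo (Linux only)
host_flags() {
    grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2- | sed 's/^ *//'
}

# disable_command HOST "<missing flags>" -> prints the CLI call that takes the
# host out of scheduling as a service, rather than hoping the scheduler avoids it.
disable_command() {
    printf "openstack compute service set --disable --disable-reason '%s' %s nova-compute\n" \
        "missing CPU mitigation flags: $2" "$1"
}

# check_host HOST "<flags line>" -> returns 0 if all required flags are present,
# otherwise prints the disable command and returns 1.
check_host() {
    m=$(missing_mitigation_flags "$2")
    if [ -z "$m" ]; then
        echo "$1: all required mitigation flags present"
        return 0
    fi
    disable_command "$1" "$m"
    return 1
}

# Constructed sample flags lines (not real hosts).
PATCHED="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc ibrs ibpb stibp ssbd md_clear flush_l1d"
UNPATCHED="fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc"

check_host compute-a "$PATCHED"
check_host compute-b "$UNPATCHED" || true
# On a real host: check_host "$(hostname)" "$(host_flags)"
```

The script only prints the disable command; wiring it to actually run, or to push the flags into placement as traits, is the "if we think there's demand" part the thread leaves open.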
