From gerrit2 at review.openstack.org Mon Jun 1 09:22:05 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 01 Jun 2015 09:22:05 +0000 Subject: [Openstack-security] [openstack/heat] SecurityImpact review request change I303d87addeed8b103eeb26dbcc48e3acce06ee6a Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/144074 Log: commit 9af4ec990815b2b29d77add409a1a3ac173fe1db Author: yangxurong Date: Mon Mar 30 14:39:17 2015 +1000 Eventlet green threads not released back to pool Presently, the wsgi server allows persist connections hence even after the response is sent to the client, it doesn't close the client socket connection. Because of this problem, the green thread is not released back to the pool. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Add a parameter to take advantage of the new(ish) eventlet socket timeout behaviour. Allows closing idle client connections after a period of time, eg: $ time nc localhost 8776 real 1m0.063s Setting 'client_socket_timeout = 0' means do not timeout. DocImpact: Added wsgi_keep_alive option (default=True). Added client_socket_timeout option (default=900). SecurityImpact Change-Id: I303d87addeed8b103eeb26dbcc48e3acce06ee6a Closes-Bug: #1361360 From 1361360 at bugs.launchpad.net Mon Jun 1 09:22:00 2015 From: 1361360 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 01 Jun 2015 09:22:00 -0000 Subject: [Openstack-security] [Bug 1361360] Re: Eventlet green threads not released back to the pool leading to choking of new requests References: <20140825203231.13086.48412.malonedeb@wampee.canonical.com> Message-ID: <20150601092203.7427.25890.launchpad@gac.canonical.com> ** Changed in: heat Assignee: Angus Salkeld (asalkeld) => Thomas Herve (therve) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1361360 Title: Eventlet green threads not released back to the pool leading to choking of new requests Status in Cinder: Fix Released Status in Cinder icehouse series: Fix Released Status in Cinder juno series: Fix Released Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released Status in Glance icehouse series: In Progress Status in Orchestration API (Heat): In Progress Status in OpenStack Identity (Keystone): Fix Committed Status in Keystone icehouse series: Confirmed Status in Keystone juno series: Fix Committed Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in neutron juno series: Fix Committed Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) icehouse series: In Progress Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Data Processing (Sahara): Confirmed Bug description: Currently reproduced on Juno milestone 2. but this issue should be reproducible in all releases since its inception. It is possible to choke OpenStack API controller services using wsgi+eventlet library by simply not closing the client socket connection. Whenever a request is received by any OpenStack API service for example nova api service, eventlet library creates a green thread from the pool and starts processing the request. Even after the response is sent to the caller, the green thread is not returned back to the pool until the client socket connection is closed. This way, any malicious user can send many API requests to the API controller node and determine the wsgi pool size configured for the given service and then send those many requests to the service and after receiving the response, wait there infinitely doing nothing leading to disrupting services for other tenants. Even when service providers have enabled rate limiting feature, it is possible to choke the API services with a group (many tenants) attack. Following program illustrates choking of nova-api services (but this problem is omnipresent in all other OpenStack API Services using wsgi+eventlet) Note: I have explicitly set the wsi_default_pool_size default value to 10 in order to reproduce this problem in nova/wsgi.py. After you run the below program, you should try to invoke API ============================================================================================ import time import requests from multiprocessing import Process def request(number): #Port is important here path = 'http://127.0.0.1:8774/servers' try: response = requests.get(path) print "RESPONSE %s-%d" % (response.status_code, number) #during this sleep time, check if the client socket connection is released or not on the API controller node. time.sleep(1000) print “Thread %d complete" % number except requests.exceptions.RequestException as ex: print “Exception occurred %d-%s" % (number, str(ex)) if __name__ == '__main__': processes = [] for number in range(40): p = Process(target=request, args=(number,)) p.start() processes.append(p) for p in processes: p.join() ================================================================================================ Presently, the wsgi server allows persist connections if you configure keepalive to True which is default. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Additional information: By default eventlet passes “Connection: keepalive” if keepalive is set to True when a response is sent to the client. But it doesn’t have capability to set the timeout and max parameter. For example. Keep-Alive: timeout=10, max=5 Note: After we have disabled keepalive in all the OpenStack API service using wsgi library, then it might impact all existing applications built with the assumptions that OpenStack API services uses persistent connections. They might need to modify their applications if reconnection logic is not in place and also they might experience the performance has slowed down as it will need to reestablish the http connection for every request. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1361360/+subscriptions From gerrit2 at review.openstack.org Mon Jun 1 11:37:40 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 01 Jun 2015 11:37:40 +0000 Subject: [Openstack-security] [openstack/heat] SecurityImpact review request change I303d87addeed8b103eeb26dbcc48e3acce06ee6a Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/144074 Log: commit 2be72f42f9debf9c2f186212dd27cb4f860d3399 Author: yangxurong Date: Mon Mar 30 14:39:17 2015 +1000 Eventlet green threads not released back to pool Presently, the wsgi server allows persist connections hence even after the response is sent to the client, it doesn't close the client socket connection. Because of this problem, the green thread is not released back to the pool. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Add a parameter to take advantage of the new(ish) eventlet socket timeout behaviour. Allows closing idle client connections after a period of time, eg: $ time nc localhost 8776 real 1m0.063s Setting 'client_socket_timeout = 0' means do not timeout. DocImpact: Added wsgi_keep_alive option (default=True). Added client_socket_timeout option (default=900). SecurityImpact Change-Id: I303d87addeed8b103eeb26dbcc48e3acce06ee6a Closes-Bug: #1361360 From 1455582 at bugs.launchpad.net Mon Jun 1 14:23:19 2015 From: 1455582 at bugs.launchpad.net (Launchpad Bug Tracker) Date: Mon, 01 Jun 2015 14:23:19 -0000 Subject: [Openstack-security] [Bug 1455582] [NEW] Hypervisor compromise my result in malicious trust creation References: <20150515171809.26411.43467.malonedeb@gac.canonical.com> Message-ID: <20150601142320.25663.72023.launchpad@soybean.canonical.com> *** This bug is a security vulnerability *** You have been subscribed to a private security bug by Grant Murphy (gmurphy): This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. If a hypervisor is compromised, and the hypervisor is a a Nova compute node, the end user now has access to every token that passes through that node. By default, a keystone token can be exchanged for another token. There is no restriction on scoping of the new token. A scoped token can be exchanged for an unscoped token, or a token scoped to a different project. We had set the default time limit for tokens down to 1 hour, to reduce the surface area of the attack. However, many workloads require a single token for the whole workload, and these workloads take more than one hour, so several installations have increased token lifespans back to the old value of 24 hours. A token can be used to change a password. If this is done, all tokens are revoked for the user. With the trust API, a user can set up a long term delegation that allows another user to perform an operation on their behalf. While tokens created via trusts are limited in what they can do, the limitations are only on things like change passwords or create a new token. Thus, if an attacker compromises a compute node and harvests tokens, the highest value attack for them is to automatically create a trust from the compromised user to some other account. This bypasses the time limitation of the token expiration, and will allow the attacker to perform operations on the users resources at the attackers convenience. Any site that is running a recent version of Heat would be expected to have many trusts set up from the customer user accounts to the Heat service user. Heat creates trusts using the users tokens, so we know this approach is not just theoretical, but actively used. This leaves a fairly obvious trail, in that a user can see all of the trusts created with the user as the trustor. Any trusts that do not have a Heat user as the trustee are suspect. It might even be possible to compromise Heat users, so even those should be audited. There are other ways that a harvested token can be abused, but the trust approach is the one I find the most worrysome, as it could be done as a "sleeper" agent. The same issues apply to the OAUTH1.0a extension. ** Affects: keystone Importance: Undecided Status: Confirmed ** Affects: ossa Importance: Undecided Status: Incomplete -- Hypervisor compromise my result in malicious trust creation https://bugs.launchpad.net/bugs/1455582 You received this bug notification because you are a member of OpenStack Security, which is subscribed to the bug report. From grant.murphy at hp.com Mon Jun 1 14:24:41 2015 From: grant.murphy at hp.com (Grant Murphy) Date: Mon, 01 Jun 2015 14:24:41 -0000 Subject: [Openstack-security] [Bug 1455582] Re: Hypervisor compromise my result in malicious trust creation References: <20150515171809.26411.43467.malonedeb@gac.canonical.com> Message-ID: <20150601142441.7926.41973.malone@gac.canonical.com> This seems to be OSSN territory. Subscribed OpenStack security team for input. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1455582 Title: Hypervisor compromise my result in malicious trust creation Status in OpenStack Identity (Keystone): Confirmed Status in OpenStack Security Advisories: Incomplete Bug description: This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. If a hypervisor is compromised, and the hypervisor is a a Nova compute node, the end user now has access to every token that passes through that node. By default, a keystone token can be exchanged for another token. There is no restriction on scoping of the new token. A scoped token can be exchanged for an unscoped token, or a token scoped to a different project. We had set the default time limit for tokens down to 1 hour, to reduce the surface area of the attack. However, many workloads require a single token for the whole workload, and these workloads take more than one hour, so several installations have increased token lifespans back to the old value of 24 hours. A token can be used to change a password. If this is done, all tokens are revoked for the user. With the trust API, a user can set up a long term delegation that allows another user to perform an operation on their behalf. While tokens created via trusts are limited in what they can do, the limitations are only on things like change passwords or create a new token. Thus, if an attacker compromises a compute node and harvests tokens, the highest value attack for them is to automatically create a trust from the compromised user to some other account. This bypasses the time limitation of the token expiration, and will allow the attacker to perform operations on the users resources at the attackers convenience. Any site that is running a recent version of Heat would be expected to have many trusts set up from the customer user accounts to the Heat service user. Heat creates trusts using the users tokens, so we know this approach is not just theoretical, but actively used. This leaves a fairly obvious trail, in that a user can see all of the trusts created with the user as the trustor. Any trusts that do not have a Heat user as the trustee are suspect. It might even be possible to compromise Heat users, so even those should be audited. There are other ways that a harvested token can be abused, but the trust approach is the one I find the most worrysome, as it could be done as a "sleeper" agent. The same issues apply to the OAUTH1.0a extension. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1455582/+subscriptions From 1361360 at bugs.launchpad.net Mon Jun 1 16:26:36 2015 From: 1361360 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 01 Jun 2015 16:26:36 -0000 Subject: [Openstack-security] [Bug 1361360] Re: Eventlet green threads not released back to the pool leading to choking of new requests References: <20140825203231.13086.48412.malonedeb@wampee.canonical.com> Message-ID: <20150601162637.6583.3804.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/164643 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=392dc228034bbd8968f4c65ddfce6343bff938ea Submitter: Jenkins Branch: stable/icehouse commit 392dc228034bbd8968f4c65ddfce6343bff938ea Author: abhishekkekane Date: Tue Oct 21 01:37:42 2014 -0700 Eventlet green threads not released back to pool Presently, the wsgi server allows persist connections hence even after the response is sent to the client, it doesn't close the client socket connection. Because of this problem, the green thread is not released back to the pool. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Icehouse backport note: socket_timeout was dropped, it was introduced in 0.14[*] and Icehouse eventlet lower bound is 0.13 [*] https://github.com/eventlet/eventlet/commit/7d4916f01462de09cb58853d9de2e85777c2ad5b Note: The required unit-tests are manually added to the below path, as new path for unit-tests is not present in stable/icehouse release. nova/tests/test_wsgi.py DocImpact: Added wsgi_keep_alive option (default=True). SecurityImpact Conflicts: nova/tests/unit/test_wsgi.py Closes-Bug: #1361360 (cherry picked from commit 04d7a724fdf80db51e73f12c5b8c982db9310742) Change-Id: I3b14a37edbe4bdc5db31ff4f08f78e78b60077ff ** Changed in: glance/icehouse Status: In Progress => Fix Committed -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1361360 Title: Eventlet green threads not released back to the pool leading to choking of new requests Status in Cinder: Fix Released Status in Cinder icehouse series: Fix Released Status in Cinder juno series: Fix Released Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released Status in Glance icehouse series: Fix Committed Status in Orchestration API (Heat): In Progress Status in OpenStack Identity (Keystone): Fix Committed Status in Keystone icehouse series: Confirmed Status in Keystone juno series: Fix Committed Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in neutron juno series: Fix Committed Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) icehouse series: In Progress Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Data Processing (Sahara): Confirmed Bug description: Currently reproduced on Juno milestone 2. but this issue should be reproducible in all releases since its inception. It is possible to choke OpenStack API controller services using wsgi+eventlet library by simply not closing the client socket connection. Whenever a request is received by any OpenStack API service for example nova api service, eventlet library creates a green thread from the pool and starts processing the request. Even after the response is sent to the caller, the green thread is not returned back to the pool until the client socket connection is closed. This way, any malicious user can send many API requests to the API controller node and determine the wsgi pool size configured for the given service and then send those many requests to the service and after receiving the response, wait there infinitely doing nothing leading to disrupting services for other tenants. Even when service providers have enabled rate limiting feature, it is possible to choke the API services with a group (many tenants) attack. Following program illustrates choking of nova-api services (but this problem is omnipresent in all other OpenStack API Services using wsgi+eventlet) Note: I have explicitly set the wsi_default_pool_size default value to 10 in order to reproduce this problem in nova/wsgi.py. After you run the below program, you should try to invoke API ============================================================================================ import time import requests from multiprocessing import Process def request(number): #Port is important here path = 'http://127.0.0.1:8774/servers' try: response = requests.get(path) print "RESPONSE %s-%d" % (response.status_code, number) #during this sleep time, check if the client socket connection is released or not on the API controller node. time.sleep(1000) print “Thread %d complete" % number except requests.exceptions.RequestException as ex: print “Exception occurred %d-%s" % (number, str(ex)) if __name__ == '__main__': processes = [] for number in range(40): p = Process(target=request, args=(number,)) p.start() processes.append(p) for p in processes: p.join() ================================================================================================ Presently, the wsgi server allows persist connections if you configure keepalive to True which is default. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Additional information: By default eventlet passes “Connection: keepalive” if keepalive is set to True when a response is sent to the client. But it doesn’t have capability to set the timeout and max parameter. For example. Keep-Alive: timeout=10, max=5 Note: After we have disabled keepalive in all the OpenStack API service using wsgi library, then it might impact all existing applications built with the assumptions that OpenStack API services uses persistent connections. They might need to modify their applications if reconnection logic is not in place and also they might experience the performance has slowed down as it will need to reestablish the http connection for every request. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1361360/+subscriptions From fungi at yuggoth.org Mon Jun 1 19:26:58 2015 From: fungi at yuggoth.org (Jeremy Stanley) Date: Mon, 01 Jun 2015 19:26:58 -0000 Subject: [Openstack-security] [Bug 1460024] Re: Service can create trust using received token References: <20150529112831.7600.94148.malonedeb@gac.canonical.com> Message-ID: <20150601192658.7895.4527.malone@gac.canonical.com> I've switched this bug to public and added a security tag in case someone wants to make sure it's a behavior we have documented clearly (in Keystone's docs, deployment manuals, security guide, OSSN, wherever). ** Changed in: ossa Status: Incomplete => Won't Fix ** Description changed: - This issue is being treated as a potential security risk under embargo. - Please do not make any public mention of embargoed (private) security - vulnerabilities before their coordinated publication by the OpenStack - Vulnerability Management Team in the form of an official OpenStack - Security Advisory. This includes discussion of the bug or associated - fixes in public forums such as mailing lists, code review systems and - bug trackers. Please also avoid private disclosure to other individuals - not already approved for access to this information, and provide this - same reminder to those who are made aware of the issue prior to - publication. All discussion should remain confined to this private bug - report, and any proposed fixes should be added to the bug as - attachments. - It seems possible for a service to create a trust using a token supplied by client on an API call. Use-case: 1. User uses login/password to get a token from keystone. 2. User creates a client of a service providing the token. 3. Client uses service API providing the token. 4. Service creates a trust allowing it to impersonate the user at any time. 5. The trust is created and the user doesn't know about it. Don't know whether it bug or a feature, but it doesn't look legitimate to me. ** Information type changed from Private Security to Public ** Tags added: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1460024 Title: Service can create trust using received token Status in OpenStack Identity (Keystone): Invalid Status in OpenStack Security Advisories: Won't Fix Bug description: It seems possible for a service to create a trust using a token supplied by client on an API call. Use-case: 1. User uses login/password to get a token from keystone. 2. User creates a client of a service providing the token. 3. Client uses service API providing the token. 4. Service creates a trust allowing it to impersonate the user at any time. 5. The trust is created and the user doesn't know about it. Don't know whether it bug or a feature, but it doesn't look legitimate to me. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1460024/+subscriptions From d.w.chadwick at kent.ac.uk Mon Jun 1 20:32:47 2015 From: d.w.chadwick at kent.ac.uk (David Chadwick) Date: Mon, 01 Jun 2015 21:32:47 +0100 Subject: [Openstack-security] [Bug 1460024] Re: Service can create trust using received token In-Reply-To: <20150601192658.7895.4527.malone@gac.canonical.com> References: <20150529112831.7600.94148.malonedeb@gac.canonical.com> <20150601192658.7895.4527.malone@gac.canonical.com> Message-ID: <556CC16F.1030508@kent.ac.uk> I think it may be worse than this. I think the delegated trust can have escalated privileges, e.g. be given the admin role even though the user does not have this. Can you check it? David On 01/06/2015 20:26, Jeremy Stanley wrote: > I've switched this bug to public and added a security tag in case > someone wants to make sure it's a behavior we have documented clearly > (in Keystone's docs, deployment manuals, security guide, OSSN, > wherever). > > ** Changed in: ossa > Status: Incomplete => Won't Fix > > ** Description changed: > > - This issue is being treated as a potential security risk under embargo. > - Please do not make any public mention of embargoed (private) security > - vulnerabilities before their coordinated publication by the OpenStack > - Vulnerability Management Team in the form of an official OpenStack > - Security Advisory. This includes discussion of the bug or associated > - fixes in public forums such as mailing lists, code review systems and > - bug trackers. Please also avoid private disclosure to other individuals > - not already approved for access to this information, and provide this > - same reminder to those who are made aware of the issue prior to > - publication. All discussion should remain confined to this private bug > - report, and any proposed fixes should be added to the bug as > - attachments. > - > It seems possible for a service to create a trust using a token supplied > by client on an API call. > > Use-case: > > 1. User uses login/password to get a token from keystone. > 2. User creates a client of a service providing the token. > 3. Client uses service API providing the token. > 4. Service creates a trust allowing it to impersonate the user at any time. > 5. The trust is created and the user doesn't know about it. > > Don't know whether it bug or a feature, but it doesn't look legitimate > to me. > > ** Information type changed from Private Security to Public > > ** Tags added: security > From gerrit2 at review.openstack.org Tue Jun 2 16:02:55 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 02 Jun 2015 16:02:55 +0000 Subject: [Openstack-security] [openstack/glance-specs] SecurityImpact review request change I305b2ae86415c8d256c641abb2795af663bee56a Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/177948 Log: commit fe7e82208a48a1b3ed5f5a9ce66c4d7ebe928b50 Author: Brianna Poulos Date: Mon Apr 27 15:35:51 2015 -0400 Encrypted and Authenticated Image Support This spec describes a means to support signing and signature validation of bootable images, along with encrypted images. DocImpact SecurityImpact Implements: blueprint encrypted-and-authenticated-image-support Change-Id: I305b2ae86415c8d256c641abb2795af663bee56a From 1361360 at bugs.launchpad.net Wed Jun 3 01:12:31 2015 From: 1361360 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 03 Jun 2015 01:12:31 -0000 Subject: [Openstack-security] [Bug 1361360] Re: Eventlet green threads not released back to the pool leading to choking of new requests References: <20140825203231.13086.48412.malonedeb@wampee.canonical.com> Message-ID: <20150603011231.6829.25862.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/144074 Committed: https://git.openstack.org/cgit/openstack/heat/commit/?id=2be72f42f9debf9c2f186212dd27cb4f860d3399 Submitter: Jenkins Branch: master commit 2be72f42f9debf9c2f186212dd27cb4f860d3399 Author: yangxurong Date: Mon Mar 30 14:39:17 2015 +1000 Eventlet green threads not released back to pool Presently, the wsgi server allows persist connections hence even after the response is sent to the client, it doesn't close the client socket connection. Because of this problem, the green thread is not released back to the pool. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Add a parameter to take advantage of the new(ish) eventlet socket timeout behaviour. Allows closing idle client connections after a period of time, eg: $ time nc localhost 8776 real 1m0.063s Setting 'client_socket_timeout = 0' means do not timeout. DocImpact: Added wsgi_keep_alive option (default=True). Added client_socket_timeout option (default=900). SecurityImpact Change-Id: I303d87addeed8b103eeb26dbcc48e3acce06ee6a Closes-Bug: #1361360 ** Changed in: heat Status: In Progress => Fix Committed -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1361360 Title: Eventlet green threads not released back to the pool leading to choking of new requests Status in Cinder: Fix Released Status in Cinder icehouse series: Fix Released Status in Cinder juno series: Fix Released Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released Status in Glance icehouse series: Fix Committed Status in Orchestration API (Heat): Fix Committed Status in OpenStack Identity (Keystone): Fix Committed Status in Keystone icehouse series: Confirmed Status in Keystone juno series: Fix Committed Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in neutron juno series: Fix Committed Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) icehouse series: In Progress Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Data Processing (Sahara): Confirmed Bug description: Currently reproduced on Juno milestone 2. but this issue should be reproducible in all releases since its inception. It is possible to choke OpenStack API controller services using wsgi+eventlet library by simply not closing the client socket connection. Whenever a request is received by any OpenStack API service for example nova api service, eventlet library creates a green thread from the pool and starts processing the request. Even after the response is sent to the caller, the green thread is not returned back to the pool until the client socket connection is closed. This way, any malicious user can send many API requests to the API controller node and determine the wsgi pool size configured for the given service and then send those many requests to the service and after receiving the response, wait there infinitely doing nothing leading to disrupting services for other tenants. Even when service providers have enabled rate limiting feature, it is possible to choke the API services with a group (many tenants) attack. Following program illustrates choking of nova-api services (but this problem is omnipresent in all other OpenStack API Services using wsgi+eventlet) Note: I have explicitly set the wsi_default_pool_size default value to 10 in order to reproduce this problem in nova/wsgi.py. After you run the below program, you should try to invoke API ============================================================================================ import time import requests from multiprocessing import Process def request(number): #Port is important here path = 'http://127.0.0.1:8774/servers' try: response = requests.get(path) print "RESPONSE %s-%d" % (response.status_code, number) #during this sleep time, check if the client socket connection is released or not on the API controller node. time.sleep(1000) print “Thread %d complete" % number except requests.exceptions.RequestException as ex: print “Exception occurred %d-%s" % (number, str(ex)) if __name__ == '__main__': processes = [] for number in range(40): p = Process(target=request, args=(number,)) p.start() processes.append(p) for p in processes: p.join() ================================================================================================ Presently, the wsgi server allows persist connections if you configure keepalive to True which is default. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Additional information: By default eventlet passes “Connection: keepalive” if keepalive is set to True when a response is sent to the client. But it doesn’t have capability to set the timeout and max parameter. For example. Keep-Alive: timeout=10, max=5 Note: After we have disabled keepalive in all the OpenStack API service using wsgi library, then it might impact all existing applications built with the assumptions that OpenStack API services uses persistent connections. They might need to modify their applications if reconnection logic is not in place and also they might experience the performance has slowed down as it will need to reestablish the http connection for every request. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1361360/+subscriptions From tristan.cacqueray at enovance.com Wed Jun 3 19:16:05 2015 From: tristan.cacqueray at enovance.com (Tristan Cacqueray) Date: Wed, 03 Jun 2015 19:16:05 -0000 Subject: [Openstack-security] [Bug 1434034] Re: Disabling users & groups may not invalidate previously-issued tokens References: <20150319111325.13509.80712.malonedeb@wampee.canonical.com> Message-ID: <20150603191605.16051.88037.malone@chaenomeles.canonical.com> This seems to be discussed in the public bug 1461095. Is there a reason this is still private ? -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1434034 Title: Disabling users & groups may not invalidate previously-issued tokens Status in OpenStack Identity (Keystone): In Progress Status in Keystone juno series: In Progress Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: Confirmed Bug description: Even if the user is disabled, can use the last token is validated. 0. user foo is enable 1. get token (a) 2. user foo is disabled 3. foo can still use any APIs by token(a) that's all. This issue is not cache process. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1434034/+subscriptions From gessau at cisco.com Thu Jun 4 20:04:55 2015 From: gessau at cisco.com (Henry Gessau) Date: Thu, 04 Jun 2015 20:04:55 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150604200457.10249.64928.launchpad@wampee.canonical.com> ** Changed in: neutron Assignee: (unassigned) => Mark McClain (markmcclain) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Thu Jun 4 20:09:53 2015 From: 1274034 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 04 Jun 2015 20:09:53 -0000 Subject: [Openstack-security] [Bug 1274034] Change abandoned on neutron (master) References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150604200953.12591.16038.malone@soybean.canonical.com> Change abandoned by Juergen Brendel (jbrendel at cisco.com) on branch: master Review: https://review.openstack.org/158491 Reason: Abandoned, since Marc McClain would like to implement a different solution for the problem. Also see my comment in the bug report. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Thu Jun 4 20:10:23 2015 From: 1274034 at bugs.launchpad.net (OpenStack Infra) Date: Thu, 04 Jun 2015 20:10:23 -0000 Subject: [Openstack-security] [Bug 1274034] Change abandoned on neutron (master) References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150604201023.29625.30665.malone@gac.canonical.com> Change abandoned by Juergen Brendel (jbrendel at cisco.com) on branch: master Review: https://review.openstack.org/157634 Reason: Abandoned, since Marc McClain would like to implement a different solution for the problem. Also see my comment in the bug report. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1274034 at bugs.launchpad.net Fri Jun 5 01:11:09 2015 From: 1274034 at bugs.launchpad.net (Kris Lindgren) Date: Fri, 05 Jun 2015 01:11:09 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150605011109.12696.30322.malone@soybean.canonical.com> Juergen - Can you provide a link to that discussion? -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From 1461822 at bugs.launchpad.net Fri Jun 5 03:01:44 2015 From: 1461822 at bugs.launchpad.net (Dolph Mathews) Date: Fri, 05 Jun 2015 03:01:44 -0000 Subject: [Openstack-security] [Bug 1461822] Re: Lack of password complexity verification in Keystone References: <20150604074737.12226.25346.malonedeb@soybean.canonical.com> Message-ID: <20150605030144.15775.94768.malone@chaenomeles.canonical.com> We've intentionally avoided implementing first class identity provider features in the past because it's a slippery slope to re-implementing things like AD. I certainly don't want to support an AD clone. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461822 Title: Lack of password complexity verification in Keystone Status in OpenStack Identity (Keystone): Triaged Bug description: Currently, we can specified an arbitrary string as password when creating a user (or updating user's password) by keystone. In normally use cases, the user's password shouldn't be weak, because it may cause potential security issues. Keystone should add a mechanism to perform password complexity verification, and to fit different scenarios, this mechanism can be enabled or disabled by config option. The checking rules should follow the industry general standard. There is a similar situation about instance's password in Nova, see bug[1] and mail thread[2]. [1] https://bugs.launchpad.net/nova/+bug/1461431 [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1461822/+subscriptions From 1274034 at bugs.launchpad.net Fri Jun 5 07:49:23 2015 From: 1274034 at bugs.launchpad.net (Cedric Brandily) Date: Fri, 05 Jun 2015 07:49:23 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150605074923.10355.79107.malone@wampee.canonical.com> @Henry, Juergen: should we revert merged changes? https://review.openstack.org/141130 https://review.openstack.org/157097 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From gerrit2 at review.openstack.org Fri Jun 5 17:37:49 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Fri, 05 Jun 2015 17:37:49 +0000 Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/188874 Log: commit c083680b52f97e2a8961bc5f947064c3b5dc975a Author: Dane Fichter Date: Fri Jun 5 13:25:11 2015 -0400 Nova Support of Glance Image Signing & Encryption This spec is related to work in the Glance project which handles signed and encrypted images. SecurityImpact DocImpact Change-Id: Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Implements: blueprint nova-support-image-signing From fungi at yuggoth.org Sat Jun 6 16:11:28 2015 From: fungi at yuggoth.org (Jeremy Stanley) Date: Sat, 06 Jun 2015 16:11:28 -0000 Subject: [Openstack-security] [Bug 1434034] Re: Disabling users & groups may not invalidate previously-issued tokens References: <20150319111325.13509.80712.malonedeb@wampee.canonical.com> Message-ID: <20150606161129.10406.63334.launchpad@wampee.canonical.com> ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1434034 Title: Disabling users & groups may not invalidate previously-issued tokens Status in OpenStack Identity (Keystone): In Progress Status in Keystone juno series: In Progress Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: Confirmed Bug description: Even if the user is disabled, can use the last token is validated. 0. user foo is enable 1. get token (a) 2. user foo is disabled 3. foo can still use any APIs by token(a) that's all. This issue is not cache process. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1434034/+subscriptions From mzoeller at de.ibm.com Tue Jun 2 09:28:33 2015 From: mzoeller at de.ibm.com (Markus Zoeller) Date: Tue, 02 Jun 2015 09:28:33 -0000 Subject: [Openstack-security] [Bug 1456228] Re: Trusted vm can be powered on untrusted host References: <20150518141406.21329.60661.malonedeb@wampee.canonical.com> Message-ID: <20150602092834.7695.95424.launchpad@gac.canonical.com> ** Tags added: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1456228 Title: Trusted vm can be powered on untrusted host Status in OpenStack Compute (Nova): New Status in OpenStack Security Advisories: Incomplete Bug description: This is related to the trusted compute. I recently setup trusted compute pool in my company and have observed that although new trusted vm is not able to be launched from an untrusted host, but if an trusted vm that have launched earlier on a trusted host which is compromised later on, that VM can still be powered on. 1. Exact version of Nova/Openstack: [root at grunt2 ~]# rpm -qa | grep nova python-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-network-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-compute-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-conductor-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-cells-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-api-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-console-2014.1.2-100+45c2cbc.fc20.noarch python-novaclient-2.17.0-2.fc21.noarch openstack-nova-cert-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-scheduler-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-objectstore-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-common-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-novncproxy-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-doc-2014.1.2-100+45c2cbc.fc20.noarch 2. Relevant log files: this is not a error, don't think logs will help.. 3. Reproduce steps: * create trusted compute pool with only one compute node * create an trusted VM on that compute node * compromise the trusted compute node by changing the boot order * power on the trusted Vm created earlier. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1456228/+subscriptions From mzoeller at de.ibm.com Wed Jun 3 15:39:52 2015 From: mzoeller at de.ibm.com (Markus Zoeller) Date: Wed, 03 Jun 2015 15:39:52 -0000 Subject: [Openstack-security] [Bug 1461433] Re: Automatically generated admin password is not complex enough References: <20150603080018.10006.86026.malonedeb@wampee.canonical.com> Message-ID: <20150603153952.12795.69864.launchpad@soybean.canonical.com> ** Tags added: documentation security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461433 Title: Automatically generated admin password is not complex enough Status in OpenStack Compute (Nova): New Status in OpenStack Security Advisories: Incomplete Bug description: When performing actions such as create instances, evacuate instances, rebuild instances, rescue instances and update instances' admin password. When the user dose not provide admin password, generate_password() in utils.py is used to generate an admin password. Generate_password() now uses two password symbol groups: default and easier, the default symbol group contains numbers, upper case letters and small case letters. the easier symbol group contains only numbers and upper case letters. The generated password is not complex enough and can cause security problems. One possible solution is to add a new symbol group: STRONGER_PASSWORD_SYMBOLS which contains numbers, upper case letters, lower case letters and also special characters such as `~!@#$%^&*()-_=+ and space. Then adding a new option in configuration file: generate_strong_password = True, when this option is set, nova will generate password using STRONGER_PASSWORD_SYMBOLS symbol group and with longer password length. If this option is not set, the password will be generated using the default symbol group and default length. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1461433/+subscriptions From mzoeller at de.ibm.com Wed Jun 3 15:42:40 2015 From: mzoeller at de.ibm.com (Markus Zoeller) Date: Wed, 03 Jun 2015 15:42:40 -0000 Subject: [Openstack-security] [Bug 1461431] Re: Enable admin password complexity verification References: <20150603073922.10444.48985.malonedeb@wampee.canonical.com> Message-ID: <20150603154240.12630.10885.malone@soybean.canonical.com> @Zhenyu Zheng: Just to double-check, this is not a duplicate to bug 1461433, right? ** Tags added: documentation security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461431 Title: Enable admin password complexity verification Status in OpenStack Compute (Nova): New Status in OpenStack Security Advisories: Incomplete Bug description: When performing actions such as create instances, evacuate instances, rebuild instances, rescue instances and update instances' admin password. The complexity of user provided admin password has not been verified. This can cause security problems. One solution will be adding a configuration option: using_complex_admin_password = True, if this option is set in configure file by administrator, then Nova will perform password complexity checks, the check standards can be set to following the IT industry general standard, if the provided admin password is not complex enough, an exception will be throw. If this option is not set in configure file, then the complexity check will be skipped. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1461431/+subscriptions From zhengzhenyu at huawei.com Thu Jun 4 00:08:52 2015 From: zhengzhenyu at huawei.com (Zhenyu Zheng) Date: Thu, 04 Jun 2015 00:08:52 -0000 Subject: [Openstack-security] [Bug 1461431] Re: Enable admin password complexity verification References: <20150603073922.10444.48985.malonedeb@wampee.canonical.com> Message-ID: <20150604000852.29756.70808.malone@gac.canonical.com> @Markus Zoeller: Yes, This one is about check user provided password and bug 1461433 is about adding a stronger symbol group for auto generated passwords. Thank you -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461431 Title: Enable admin password complexity verification Status in OpenStack Compute (Nova): New Status in OpenStack Security Advisories: Incomplete Bug description: When performing actions such as create instances, evacuate instances, rebuild instances, rescue instances and update instances' admin password. The complexity of user provided admin password has not been verified. This can cause security problems. One solution will be adding a configuration option: using_complex_admin_password = True, if this option is set in configure file by administrator, then Nova will perform password complexity checks, the check standards can be set to following the IT industry general standard, if the provided admin password is not complex enough, an exception will be throw. If this option is not set in configure file, then the complexity check will be skipped. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1461431/+subscriptions From liusheng at huawei.com Thu Jun 4 07:47:37 2015 From: liusheng at huawei.com (Liusheng) Date: Thu, 04 Jun 2015 07:47:37 -0000 Subject: [Openstack-security] [Bug 1461822] [NEW] Lack of password complexity verification in Keystone References: <20150604074737.12226.25346.malonedeb@soybean.canonical.com> Message-ID: <20150604074737.12226.25346.malonedeb@soybean.canonical.com> Public bug reported: Currently, we can specified an arbitrary string as password when creating a user (or updating user's password) by keystone. In normally use cases, the user's password shouldn't be weak, because it may cause potential security issues. Keystone should add a mechanism to perform password complexity verification, and to fit different scenarios, this mechanism can be enabled or disabled by config option. The checking rules should follow the industry general standard. There is a similar situation about instance's password in Nova, see bug[1] and mail thread[2]. [1] https://bugs.launchpad.net/nova/+bug/1461431 [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html ** Affects: keystone Importance: Undecided Status: New ** Tags: security ** Tags added: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461822 Title: Lack of password complexity verification in Keystone Status in OpenStack Identity (Keystone): New Bug description: Currently, we can specified an arbitrary string as password when creating a user (or updating user's password) by keystone. In normally use cases, the user's password shouldn't be weak, because it may cause potential security issues. Keystone should add a mechanism to perform password complexity verification, and to fit different scenarios, this mechanism can be enabled or disabled by config option. The checking rules should follow the industry general standard. There is a similar situation about instance's password in Nova, see bug[1] and mail thread[2]. [1] https://bugs.launchpad.net/nova/+bug/1461431 [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1461822/+subscriptions From lbragstad at gmail.com Thu Jun 4 18:51:23 2015 From: lbragstad at gmail.com (Lance Bragstad) Date: Thu, 04 Jun 2015 18:51:23 -0000 Subject: [Openstack-security] [Bug 1461822] Re: Lack of password complexity verification in Keystone References: <20150604074737.12226.25346.malonedeb@soybean.canonical.com> Message-ID: <20150604185123.16051.44596.malone@chaenomeles.canonical.com> Marking this as Wishlist for now but I agree with David's response [0]. [0] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065622.html ** Changed in: keystone Importance: Undecided => Wishlist -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461822 Title: Lack of password complexity verification in Keystone Status in OpenStack Identity (Keystone): New Bug description: Currently, we can specified an arbitrary string as password when creating a user (or updating user's password) by keystone. In normally use cases, the user's password shouldn't be weak, because it may cause potential security issues. Keystone should add a mechanism to perform password complexity verification, and to fit different scenarios, this mechanism can be enabled or disabled by config option. The checking rules should follow the industry general standard. There is a similar situation about instance's password in Nova, see bug[1] and mail thread[2]. [1] https://bugs.launchpad.net/nova/+bug/1461431 [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1461822/+subscriptions From jbrendel at cisco.com Thu Jun 4 20:00:13 2015 From: jbrendel at cisco.com (Juergen Brendel) Date: Thu, 04 Jun 2015 20:00:13 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150604200013.15742.80566.malone@chaenomeles.canonical.com> We had proposed a blueprint for a fix to this bug: https://blueprints.launchpad.net/neutron/+spec/arp-spoof-patch-ebtables The fix was implemented and presented in the form of four patches. The first two have been accepted and merged: https://review.openstack.org/#/c/141130/ https://review.openstack.org/#/c/157097/ The two remaining patches, which would have integrated the patch with the existing iptables code, however, were rejected: https://review.openstack.org/#/c/157634/ https://review.openstack.org/#/c/158491/ Marc McClain suggested a different approach and did not want to have the ebtables manager in its current form in the code. Since the remaining two patches now do not have a chance of being accepted any more, I am following Henry Gessau's recommendation: I am abandoning the remaining patches and assign this bug to Marc, who will propose and implement a different solution. We will be happy to review the proposed new solution once we see a blueprint. The acceptance requirement is simply to have a platform independent solution, which prevents ARP cache poisoning on shared networks, as described in the bug report. ** Changed in: ossa Assignee: Juergen Brendel (jbrendel) => (unassigned) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From morgan.fainberg at gmail.com Thu Jun 4 23:04:34 2015 From: morgan.fainberg at gmail.com (Morgan Fainberg) Date: Thu, 04 Jun 2015 23:04:34 -0000 Subject: [Openstack-security] [Bug 1461822] Re: Lack of password complexity verification in Keystone References: <20150604074737.12226.25346.malonedeb@soybean.canonical.com> Message-ID: <20150604230435.29469.38655.launchpad@gac.canonical.com> ** Changed in: keystone Status: New => Triaged -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461822 Title: Lack of password complexity verification in Keystone Status in OpenStack Identity (Keystone): Triaged Bug description: Currently, we can specified an arbitrary string as password when creating a user (or updating user's password) by keystone. In normally use cases, the user's password shouldn't be weak, because it may cause potential security issues. Keystone should add a mechanism to perform password complexity verification, and to fit different scenarios, this mechanism can be enabled or disabled by config option. The checking rules should follow the industry general standard. There is a similar situation about instance's password in Nova, see bug[1] and mail thread[2]. [1] https://bugs.launchpad.net/nova/+bug/1461431 [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1461822/+subscriptions From tony at bakeyournoodle.com Fri Jun 5 00:52:21 2015 From: tony at bakeyournoodle.com (Tony Breeds) Date: Fri, 05 Jun 2015 00:52:21 -0000 Subject: [Openstack-security] [Bug 1447679] Re: service No-VNC (port 6080) doesn't require authentication References: <20150423154044.13260.70404.malonedeb@chaenomeles.canonical.com> Message-ID: <20150605005222.16298.45208.launchpad@chaenomeles.canonical.com> ** Tags added: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1447679 Title: service No-VNC (port 6080) doesn't require authentication Status in OpenStack Compute (Nova): In Progress Status in OpenStack Security Advisories: Won't Fix Bug description: Reported via private E-mail from Anass ANNOUR: I found that the service No-VNC (port 6080) doesn't require authentication, if you know the URL (ex: http://192.168.198.164:6080/vnc_auto.html?token=3640a3c8-ad10-45da-a523-18d3793ef8ec) you can access the machine from any other computer without any authentication before the token expires. (or in the same time as user still use the console) To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1447679/+subscriptions From liusheng at huawei.com Fri Jun 5 02:45:39 2015 From: liusheng at huawei.com (Liusheng) Date: Fri, 05 Jun 2015 02:45:39 -0000 Subject: [Openstack-security] [Bug 1461822] Re: Lack of password complexity verification in Keystone References: <20150604074737.12226.25346.malonedeb@soybean.canonical.com> Message-ID: <20150605024539.10635.28773.malone@wampee.canonical.com> Hi Lance Bragstad, thanks for confirming this, so can I submit a spec about adding a mechanism about password complexity? that will propose a optional password managing process and will wait other reviewers' opinions. ** Changed in: keystone Assignee: (unassigned) => Liusheng (liusheng) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461822 Title: Lack of password complexity verification in Keystone Status in OpenStack Identity (Keystone): Triaged Bug description: Currently, we can specified an arbitrary string as password when creating a user (or updating user's password) by keystone. In normally use cases, the user's password shouldn't be weak, because it may cause potential security issues. Keystone should add a mechanism to perform password complexity verification, and to fit different scenarios, this mechanism can be enabled or disabled by config option. The checking rules should follow the industry general standard. There is a similar situation about instance's password in Nova, see bug[1] and mail thread[2]. [1] https://bugs.launchpad.net/nova/+bug/1461431 [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1461822/+subscriptions From morgan.fainberg at gmail.com Sat Jun 6 13:54:58 2015 From: morgan.fainberg at gmail.com (Morgan Fainberg) Date: Sat, 06 Jun 2015 13:54:58 -0000 Subject: [Openstack-security] [Bug 1434034] Re: Disabling users & groups may not invalidate previously-issued tokens References: <20150319111325.13509.80712.malonedeb@wampee.canonical.com> Message-ID: <20150606135458.9897.15743.malone@wampee.canonical.com> Tristan: no I was waiting for the VMT team to mark it public. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1434034 Title: Disabling users & groups may not invalidate previously-issued tokens Status in OpenStack Identity (Keystone): In Progress Status in Keystone juno series: In Progress Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: Confirmed Bug description: Even if the user is disabled, can use the last token is validated. 0. user foo is enable 1. get token (a) 2. user foo is disabled 3. foo can still use any APIs by token(a) that's all. This issue is not cache process. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1434034/+subscriptions From dstanek at dstanek.com Sun Jun 7 16:26:17 2015 From: dstanek at dstanek.com (David Stanek) Date: Sun, 07 Jun 2015 16:26:17 -0000 Subject: [Openstack-security] [Bug 1461822] Re: Lack of password complexity verification in Keystone References: <20150604074737.12226.25346.malonedeb@soybean.canonical.com> Message-ID: <20150607162617.16225.83557.malone@chaenomeles.canonical.com> Liusheng , Feel free to write a spec, but I don't think you'll get much support at this point. Do you know if there is a user-driven demand? An existing blueprint from last year: https://blueprints.launchpad.net/keystone/+spec/strong-password- enforcement A related blueprint that I worked on, but it mostly got stopped because the concensus was not to add IdP features since we don't want Keystone to be an IdP: https://blueprints.launchpad.net/keystone/+spec/password- rotation -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461822 Title: Lack of password complexity verification in Keystone Status in OpenStack Identity (Keystone): Triaged Bug description: Currently, we can specified an arbitrary string as password when creating a user (or updating user's password) by keystone. In normally use cases, the user's password shouldn't be weak, because it may cause potential security issues. Keystone should add a mechanism to perform password complexity verification, and to fit different scenarios, this mechanism can be enabled or disabled by config option. The checking rules should follow the industry general standard. There is a similar situation about instance's password in Nova, see bug[1] and mail thread[2]. [1] https://bugs.launchpad.net/nova/+bug/1461431 [2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/065600.html To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1461822/+subscriptions From malini.k.bhandaru at intel.com Mon Jun 8 01:13:08 2015 From: malini.k.bhandaru at intel.com (Malini Bhandaru) Date: Mon, 08 Jun 2015 01:13:08 -0000 Subject: [Openstack-security] [Bug 1456228] Re: Trusted vm can be powered on untrusted host References: <20150518141406.21329.60661.malonedeb@wampee.canonical.com> Message-ID: <20150608011308.16153.24169.malone@chaenomeles.canonical.com> Boot order change compromise. Jimmy, Tan Lin, any comment? If there is a re-boot, my understanding is the hashes change and if the whitelist did not change, the VM cannot launch. Is the issue that existing VMs just come right back up on the host without re-check for VMs that are supposed to launch on Trusted hosts? -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1456228 Title: Trusted vm can be powered on untrusted host Status in OpenStack Compute (Nova): New Status in OpenStack Security Advisories: Incomplete Bug description: This is related to the trusted compute. I recently setup trusted compute pool in my company and have observed that although new trusted vm is not able to be launched from an untrusted host, but if an trusted vm that have launched earlier on a trusted host which is compromised later on, that VM can still be powered on. 1. Exact version of Nova/Openstack: [root at grunt2 ~]# rpm -qa | grep nova python-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-network-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-compute-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-conductor-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-cells-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-api-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-console-2014.1.2-100+45c2cbc.fc20.noarch python-novaclient-2.17.0-2.fc21.noarch openstack-nova-cert-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-scheduler-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-objectstore-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-common-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-novncproxy-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-doc-2014.1.2-100+45c2cbc.fc20.noarch 2. Relevant log files: this is not a error, don't think logs will help.. 3. Reproduce steps: * create trusted compute pool with only one compute node * create an trusted VM on that compute node * compromise the trusted compute node by changing the boot order * power on the trusted Vm created earlier. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1456228/+subscriptions From rellerreller at yahoo.com Mon Jun 8 13:54:10 2015 From: rellerreller at yahoo.com (Nathan Reller) Date: Mon, 08 Jun 2015 13:54:10 -0000 Subject: [Openstack-security] [Bug 1456228] Re: Trusted vm can be powered on untrusted host References: <20150518141406.21329.60661.malonedeb@wampee.canonical.com> Message-ID: <20150608135410.16271.13508.malone@soybean.canonical.com> Can you confirm that the hashes have changed? If you make the boot order change you mentioned above and try to launch a trusted VM does that result in a failure to launch? I'm trying to confirm that this actual results in different hash and that PCR is checked against. Does Trusted Pools do a re-check on machine reboot or is it only invoked with the scheduler? -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1456228 Title: Trusted vm can be powered on untrusted host Status in OpenStack Compute (Nova): New Status in OpenStack Security Advisories: Incomplete Bug description: This is related to the trusted compute. I recently setup trusted compute pool in my company and have observed that although new trusted vm is not able to be launched from an untrusted host, but if an trusted vm that have launched earlier on a trusted host which is compromised later on, that VM can still be powered on. 1. Exact version of Nova/Openstack: [root at grunt2 ~]# rpm -qa | grep nova python-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-network-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-compute-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-conductor-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-cells-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-api-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-console-2014.1.2-100+45c2cbc.fc20.noarch python-novaclient-2.17.0-2.fc21.noarch openstack-nova-cert-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-scheduler-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-objectstore-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-common-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-novncproxy-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-doc-2014.1.2-100+45c2cbc.fc20.noarch 2. Relevant log files: this is not a error, don't think logs will help.. 3. Reproduce steps: * create trusted compute pool with only one compute node * create an trusted VM on that compute node * compromise the trusted compute node by changing the boot order * power on the trusted Vm created earlier. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1456228/+subscriptions From fungi at yuggoth.org Mon Jun 8 14:39:05 2015 From: fungi at yuggoth.org (Jeremy Stanley) Date: Mon, 08 Jun 2015 14:39:05 -0000 Subject: [Openstack-security] [Bug 1455582] Re: Hypervisor compromise may result in malicious trust creation References: <20150515171809.26411.43467.malonedeb@gac.canonical.com> Message-ID: <20150608143905.16369.48267.malone@soybean.canonical.com> This is probably closest to C1 in our incident report taxonomy. Not practical, no advisory but possible security note. https://security.openstack.org/vmt-process.html#incident-report-taxonomy ** Information type changed from Public Security to Public ** Tags added: security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1455582 Title: Hypervisor compromise may result in malicious trust creation Status in OpenStack Identity (Keystone): Confirmed Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: If a hypervisor is compromised, and the hypervisor is a a Nova compute node, the end user now has access to every token that passes through that node. By default, a keystone token can be exchanged for another token. There is no restriction on scoping of the new token. A scoped token can be exchanged for an unscoped token, or a token scoped to a different project. We had set the default time limit for tokens down to 1 hour, to reduce the surface area of the attack. However, many workloads require a single token for the whole workload, and these workloads take more than one hour, so several installations have increased token lifespans back to the old value of 24 hours. A token can be used to change a password. If this is done, all tokens are revoked for the user. With the trust API, a user can set up a long term delegation that allows another user to perform an operation on their behalf. While tokens created via trusts are limited in what they can do, the limitations are only on things like change passwords or create a new token. Thus, if an attacker compromises a compute node and harvests tokens, the highest value attack for them is to automatically create a trust from the compromised user to some other account. This bypasses the time limitation of the token expiration, and will allow the attacker to perform operations on the users resources at the attackers convenience. Any site that is running a recent version of Heat would be expected to have many trusts set up from the customer user accounts to the Heat service user. Heat creates trusts using the users tokens, so we know this approach is not just theoretical, but actively used. This leaves a fairly obvious trail, in that a user can see all of the trusts created with the user as the trustor. Any trusts that do not have a Heat user as the trustee are suspect. It might even be possible to compromise Heat users, so even those should be audited. There are other ways that a harvested token can be abused, but the trust approach is the one I find the most worrysome, as it could be done as a "sleeper" agent. The same issues apply to the OAUTH1.0a extension. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1455582/+subscriptions From malini.k.bhandaru at intel.com Mon Jun 8 19:07:46 2015 From: malini.k.bhandaru at intel.com (Malini Bhandaru) Date: Mon, 08 Jun 2015 19:07:46 -0000 Subject: [Openstack-security] [Bug 1456228] Re: Trusted vm can be powered on untrusted host References: <20150518141406.21329.60661.malonedeb@wampee.canonical.com> Message-ID: <20150608190746.16244.67314.malone@soybean.canonical.com> Something to consider: how legitimate is this test scenario in a production cloud. 1) A host upgrade, boot order change -- this would be in the realm of admin privileges. 2) Should this be part of scheduled maintenance, more likely than not, the admin would have evacuated all virtual machines from said host prior to upgrade, in which case Nova scheduler would be involved and the VM would be migrated to another trusted host. And something to consider with respect to security hardening: 1) On host re-boot, as part of initialization step, it would be good to determine if it still is trusted if earlier on it was a trusted machine. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1456228 Title: Trusted vm can be powered on untrusted host Status in OpenStack Compute (Nova): New Status in OpenStack Security Advisories: Incomplete Bug description: This is related to the trusted compute. I recently setup trusted compute pool in my company and have observed that although new trusted vm is not able to be launched from an untrusted host, but if an trusted vm that have launched earlier on a trusted host which is compromised later on, that VM can still be powered on. 1. Exact version of Nova/Openstack: [root at grunt2 ~]# rpm -qa | grep nova python-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-network-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-compute-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-conductor-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-cells-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-api-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-console-2014.1.2-100+45c2cbc.fc20.noarch python-novaclient-2.17.0-2.fc21.noarch openstack-nova-cert-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-scheduler-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-objectstore-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-common-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-novncproxy-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-doc-2014.1.2-100+45c2cbc.fc20.noarch 2. Relevant log files: this is not a error, don't think logs will help.. 3. Reproduce steps: * create trusted compute pool with only one compute node * create an trusted VM on that compute node * compromise the trusted compute node by changing the boot order * power on the trusted Vm created earlier. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1456228/+subscriptions From 1334926 at bugs.launchpad.net Mon Jun 8 20:54:43 2015 From: 1334926 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 08 Jun 2015 20:54:43 -0000 Subject: [Openstack-security] [Bug 1334926] Related fix merged to neutron (master) References: <20140627021809.32583.22324.malonedeb@soybean.canonical.com> Message-ID: <20150608205443.13449.59961.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/180765 Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=127de06c7e09e1468f2855a3033fb6193a6b9365 Submitter: Jenkins Branch: master commit 127de06c7e09e1468f2855a3033fb6193a6b9365 Author: Cedric Brandily Date: Wed May 6 22:40:39 2015 +0200 Clean only floating-ip related connection states Currently init_l3 deletes connection states related to ALL ips deleted in init_l3 but it's required only when floating-ips are deleted[1]. This change deletes only connection states related to floating-ips deleted in init_l3 ... it avoids to delete connection states in dhcp agents and on router internal ports! [1] look at change Ia9bd7ae243a0859dcb97e2fa939f7d16f9c2456c Closes-Bug: #1452434 Related-Bug: #1334926 Change-Id: Icfcfc585df6fd41de1e1345fd731e4631a6950ce -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1334926 Title: floatingip still working once connected even after it is disociated Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in OpenStack Security Notes: Fix Released Bug description: After we create an SSH connection to a VM via its floating ip, even though we have removed the floating ip association, we can still access the VM via that connection. Namely, SSH is not disconnected when the floating ip is not valid To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1334926/+subscriptions From gerrit2 at review.openstack.org Tue Jun 9 02:33:26 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 09 Jun 2015 02:33:26 +0000 Subject: [Openstack-security] [openstack/glance-specs] SecurityImpact review request change I9eeafff45844a4cbb504dd1d3d12985e263f11f7 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/189537 Log: commit 77d71eb60e0e94c3551ced33a5587c680dec6cdf Author: Ian Cordasco Date: Mon Jun 8 21:30:12 2015 -0500 Add spec to refactor the HTTP Store onto requests DocImpact SecurityImpact Blueprint: http-store-on-requests Change-Id: I9eeafff45844a4cbb504dd1d3d12985e263f11f7 From gerrit2 at review.openstack.org Tue Jun 9 02:38:16 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 09 Jun 2015 02:38:16 +0000 Subject: [Openstack-security] [openstack/glance-specs] SecurityImpact review request change I9eeafff45844a4cbb504dd1d3d12985e263f11f7 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/189537 Log: commit 38c1763a236fb1a142d01c7d7580f5dc5d2cbe68 Author: Ian Cordasco Date: Mon Jun 8 21:30:12 2015 -0500 Add spec to refactor the HTTP Store onto requests DocImpact SecurityImpact Blueprint: http-store-on-requests Change-Id: I9eeafff45844a4cbb504dd1d3d12985e263f11f7 From gerrit2 at review.openstack.org Tue Jun 9 03:03:00 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 09 Jun 2015 03:03:00 +0000 Subject: [Openstack-security] [openstack/glance-specs] SecurityImpact review request change I9eeafff45844a4cbb504dd1d3d12985e263f11f7 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/189537 Log: commit 01dcdac4ac959bc31eea68387f4092135844941d Author: Ian Cordasco Date: Mon Jun 8 21:30:12 2015 -0500 Add spec to refactor the HTTP Store onto requests DocImpact SecurityImpact Blueprint: http-store-on-requests Change-Id: I9eeafff45844a4cbb504dd1d3d12985e263f11f7 From rellerreller at yahoo.com Tue Jun 9 13:43:32 2015 From: rellerreller at yahoo.com (Nathan Reller) Date: Tue, 09 Jun 2015 13:43:32 -0000 Subject: [Openstack-security] [Bug 1456228] Re: Trusted vm can be powered on untrusted host References: <20150518141406.21329.60661.malonedeb@wampee.canonical.com> Message-ID: <20150609134332.15915.92651.malone@soybean.canonical.com> Does the design specify that the VM should not be powered back on when the system reboots? I ask because I think that is a different problem. With the scheduling problem there is an outside entity from Nova that can ask for attestation and enforce not giving the VM to an untrusted host. In this use case Nova would be responsible (I'm asking here and not stating, so please clarify if wrong) for asking for attestation and enforcing not launching a VM. If it is then this is risky because Nova would report measurements and enforce the decision as to whether or not to launch the VM. If Nova has been compromised then it could ignore whatever response is from attestation service or ignore it completely. I'm not sure what is in scope for requirements and design of trusted pools. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1456228 Title: Trusted vm can be powered on untrusted host Status in OpenStack Compute (Nova): New Status in OpenStack Security Advisories: Incomplete Bug description: This is related to the trusted compute. I recently setup trusted compute pool in my company and have observed that although new trusted vm is not able to be launched from an untrusted host, but if an trusted vm that have launched earlier on a trusted host which is compromised later on, that VM can still be powered on. 1. Exact version of Nova/Openstack: [root at grunt2 ~]# rpm -qa | grep nova python-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-network-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-compute-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-conductor-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-cells-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-api-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-console-2014.1.2-100+45c2cbc.fc20.noarch python-novaclient-2.17.0-2.fc21.noarch openstack-nova-cert-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-scheduler-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-objectstore-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-common-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-novncproxy-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-doc-2014.1.2-100+45c2cbc.fc20.noarch 2. Relevant log files: this is not a error, don't think logs will help.. 3. Reproduce steps: * create trusted compute pool with only one compute node * create an trusted VM on that compute node * compromise the trusted compute node by changing the boot order * power on the trusted Vm created earlier. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1456228/+subscriptions From gerrit2 at review.openstack.org Tue Jun 9 16:38:58 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 09 Jun 2015 16:38:58 +0000 Subject: [Openstack-security] [openstack/horizon] SecurityImpact review request change I0127fe09d211cec231dab26d5987dafe720c91dd Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/128916 Log: commit 3a64723917366eff4d8896b2b2d3d82fa462d25d Author: Brant Knudson Date: Sun Aug 24 10:04:10 2014 -0500 Document token hash algorithm option With https://review.openstack.org/#/c/116509/ , django-openstack-auth will support a new option for the token hash algorithm. This adds the documentation to Horizon's local settings example file. This is for security hardening. The token hash algorithm defaults to MD5, which is considered too weak due to the potential for hash collisions. Some security standards require a SHA2 hash algorithm to be used. DocImpact SecurityImpact Change-Id: I6774b9b7215d191259586e4721e357487bb777cd Closes-Bug: #1174499 (cherry picked from commit 372d033d89c0f5d305959a6ad5fd3e1159cc91ed) commit f1a8abb9250f158ba1f04cf2055f717e78ef8184 Author: Akihiro Motoki Date: Sun Oct 5 03:53:51 2014 +0900 Warn OPENSTACK_QUANTUM_NETWORK setting as deprecated Change-Id: If2f762fe665b9a88153a77a658f52bcd56185c53 Closes-Bug: #1377498 (cherry picked from commit 530e5fee789ce5ed19d90a6b4901f01e8efde5ff) commit 9b0ba951c07af13aa4c386b19876474b971e7946 Author: Akihiro Motoki Date: Sun Oct 5 14:23:43 2014 +0900 Import translations from Transifex for Juno * Import ~100% completed translations (translations available for 12 languages) * Update language list in openstack_dashboard settings.py * Update English POT files * Update Transifex resource name in .tx/config for Juno. * Remove compiled message catalogs (Related-Bug: #1196982) Closes-Bug: #1376542 The instruction on how to compile message catalogs will be covered by https://review.openstack.org/#/c/126169/ or the installation guide. Change-Id: Ib36562168009fa34b9818e99154df350678abd4b From mriedem at us.ibm.com Tue Jun 9 17:15:23 2015 From: mriedem at us.ibm.com (Matt Riedemann) Date: Tue, 09 Jun 2015 17:15:23 -0000 Subject: [Openstack-security] [Bug 1321785] Re: RFE: block_device_info dict should have a password key rather than clear password References: <20140521143043.29900.37913.malonedeb@wampee.canonical.com> Message-ID: <20150609171524.12842.26199.malone@wampee.canonical.com> Ideally we'd turn connection_info into a nova object and it would have a __repr__ method that would mask the values by default. Then we could use the ConnectionInfo object in the BlockDeviceMapping object and we wouldn't have to worry about this when things get logged. ** Tags added: volumes -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1321785 Title: RFE: block_device_info dict should have a password key rather than clear password Status in OpenStack Compute (Nova): Confirmed Status in OpenStack Compute (nova) icehouse series: Invalid Bug description: See bug 1319943 and the related patch https://review.openstack.org/#/c/93787/ for details, but right now the block_device_info dict passed around in the nova virt driver can contain a clear text password for the auth_password key. That bug and patch are masking the password when logged in the immediate known locations, but this could continue to crop up so we should change the design such that the block_device_info dict doesn't contain the password but rather a key to a store that nova can retrieve the password for use. Comment from Daniel Berrange in the patch above: "Long term I think we need to figure out a way to remove the passwords from any data dicts we pass around. Ideally the block device info would merely contain something like a UUID to identify a password, which Nova could use to fetch the actual password from a secure password manager service at time of use. Thus we wouldn't have to worry about random objects/dicts containing actual passwords. Obviously this isn't something we can do now, but could you file an RFE to address this from a design POV, because masking passwords at time of logging call is not really a viable long term strategy IMHO." To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1321785/+subscriptions From 1334926 at bugs.launchpad.net Wed Jun 10 01:53:58 2015 From: 1334926 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 10 Jun 2015 01:53:58 -0000 Subject: [Openstack-security] [Bug 1334926] Change abandoned on neutron (master) References: <20140627021809.32583.22324.malonedeb@soybean.canonical.com> Message-ID: <20150610015358.16929.64401.malone@soybean.canonical.com> Change abandoned by Kyle Mestery (mestery at mestery.com) on branch: master Review: https://review.openstack.org/177245 Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1334926 Title: floatingip still working once connected even after it is disociated Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in OpenStack Security Notes: Fix Released Bug description: After we create an SSH connection to a VM via its floating ip, even though we have removed the floating ip association, we can still access the VM via that connection. Namely, SSH is not disconnected when the floating ip is not valid To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1334926/+subscriptions From 1446406 at bugs.launchpad.net Wed Jun 10 02:54:12 2015 From: 1446406 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 10 Jun 2015 02:54:12 -0000 Subject: [Openstack-security] [Bug 1446406] Fix merged to barbican (master) References: <20150420223742.32593.66588.malonedeb@gac.canonical.com> Message-ID: <20150610025412.12842.69523.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/179301 Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=80af5cbd25f49e0f96b10604978712643213d427 Submitter: Jenkins Branch: master commit e6f05febbe18a86e4e6b05acc5f4868fa3beb291 Author: Nathan Reller Date: Tue Apr 28 08:54:25 2015 -0400 Fixed Bug for KMIP Secret Storage The KMIP secret store was incorrectly storing secrets. In some cases this resulted in extra information being stored with the keys and in other cases the key storage would fail with a 500 internal server error. This patch fixes the KMIP secret store to correctly store secrets. Change-Id: I94944a05776d366bd33d46ddb25f7129425405d0 Co-authored-by: Kaitlin Farr Closes-Bug: #1449234 (cherry picked from commit 597869880f186ce951809fe85d5d7d0610f35c4f) commit 604c402be0e50aaa305154dc1c39fda08b7566d9 Author: Arun Kant Date: Fri Apr 24 09:19:25 2015 -0700 Fix for missing id check in ACL count query. Fixing issue and adding unit test to cover this API specifically. It may need to be backported to Kilo as well. Closes-Bug: #1447868 Change-Id: I1d6cc4ea59ea767d08112b148fb6b085bb2c4859 commit 46184bb4b3a81e503a9e4aff4ba9ea0a66061a16 Author: Charles Neill Date: Tue Apr 21 15:49:20 2015 -0500 Removing signing_dir directive from config The signing_dir directive defined in barbican-api-paste.ini explicitly stores Keystone's signing certificates in a known /tmp directory. This could be exploited by populating the directory with bogus certificates, potentially allowing a malicious user to generate valid tokens. Added comment explaining signing_dir, and a reasonable (commented) default. Change-Id: I15fda6863e888e3881694ab47a836eee2fb578ee Closes-Bug: #1446406 commit 4861932b51e491d217276f07f52e116179dc0d15 Author: Dave McCowan Date: Tue Apr 21 17:59:41 2015 -0400 Fix failure with get on dict that was None When calling get_acl_dict_for_user() in the RBAC feature, the user list may be empty. In this case, make sure an empty list (not None) is returned so the receiving code won't fail. Change-Id: I6aeb94e03aa7898823ec408807180f7eeb2d2916 Closes-bug: #1446826 commit b37c35c9229dab43e3d77e5061d06f34c787bc2b Author: Dave McCowan Date: Fri Apr 24 08:50:09 2015 -0400 Fix call to load_privatekey() when passphrase is None The original code worked, but breaks with PyOpenSSL 0.15.1, the version currently used by the gate. Closes-Bug: #1448193 Change-Id: Iae44f08fa6442e3463e6b552955229f3fd36fbde commit 93718aaa70d3f4523e636bfa6d602470e0d26b26 Author: OpenStack Proposal Bot Date: Mon Apr 20 17:54:00 2015 +0000 Updated from global requirements Change-Id: Ife99d56a70c0ebd10a9ea47b06f969cd1e74b984 commit bb1cf4d54b2b7e95dd3f37d4c3f0cd1b0045ce7b Author: Thierry Carrez Date: Mon Apr 20 18:26:05 2015 +0200 Update .gitreview to match stable/kilo Change-Id: I6d6a396924b338fe7cca3fc381feda8752491f56 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1446406 Title: Insecure signing_dir configuration in barbican-api-paste.ini Status in OpenStack Key Management (Barbican): Fix Committed Status in Barbican kilo series: Fix Released Bug description: It appears that Barbican sets signing_dir to "/tmp/barbican/cache" in etc/barbican/barbican-api-paste.ini (Reference: https://github.com/openstack/barbican/blob/master/etc/barbican /barbican-api-paste.ini#L42) A Nova bug from 2013 (https://bugs.launchpad.net/nova/+bug/1174608) mentions that they had the same basic issue, and it's a security issue because: "This means that if an attacker populated the /tmp/keystone-signing-nova with the appropriate files for signautre verification they could potentially issue forged tokens which would be validated by the middleware. As: - The directory location deterministic. (default for glance, nova) - *If the directory already exists it is reused*" This Nova bug was issued CVE-2013-2030: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-2030 This was originally reported to Barbican devs by the user "zigo" in the #openstack-barbican channel on Freenode: 2015-03-23 16:59:15 zigo_ I just saw in barbican-api-paste.ini a "signing_dir" directive. This is a security issue which you guys need to fix. 2015-03-23 16:59:28 zigo_ The signing_dir directive should never be set to /tmp like this. 2015-03-23 16:59:33 zigo_ Best is to simply remove the directive. 2015-03-23 16:59:57 zigo_ I can find the announce for the nova security patch that happened a few years ago if you don't just trust my words… :) zigo's suggested fix was to remove the directive. It appears Cinder has taken this approach for their project (https://bugs.launchpad.net/cinder/+bug/1185098) To manage notifications about this bug go to: https://bugs.launchpad.net/barbican/+bug/1446406/+subscriptions From 1329214 at bugs.launchpad.net Wed Jun 10 05:25:02 2015 From: 1329214 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 10 Jun 2015 05:25:02 -0000 Subject: [Openstack-security] [Bug 1329214] Fix merged to cinder (master) References: <20140612080140.21505.11780.malonedeb@gac.canonical.com> Message-ID: <20150610052502.14818.72439.malone@gac.canonical.com> Reviewed: https://review.openstack.org/128920 Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=66494f54112fdfa135b3974c75aa388c8d1fb49e Submitter: Jenkins Branch: master commit be3d4604dc0566e0838959d998ff1d37755de6d3 Author: Tomoki Sekiyama Date: Tue Oct 14 19:09:44 2014 -0400 Fix LVM iSCSI driver tgtadm CHAP authentication Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work. This is because the tgtadm helper creates the target configuration file with an 'IncomingUser' entry, which is ignored by tgtd. This patch fixes it to 'incominguser'. Change-Id: I14871985a2a916834122f849238f05b75726bc1a Closes-Bug: #1329214 (cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd) commit f7ee62cc58d8b642af67510a310f6259492a4508 Author: Mitsuhiro Tanino Date: Tue Oct 14 12:41:41 2014 -0400 Export cinder volumes only if the status is 'in-use' Currently, cinder volumes are exported both 'in-use' and 'available' after restarting cinder-volume service. This behavior was introduced following commit. commit ffefe18334a9456250e1b6ff88b7b47fb366f374 Author: Zhiteng Huang Date: Sat Aug 23 18:32:57 2014 +0000 If the volumes are attached to nova instances, they should be exported via tgtd after restarting cinder-volume. But the volumes which are not attached to instances must not be exported because everyone can connect these volumes. This patch changes volume export behavior that exports a volume only if the volume status is 'in-use'. Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9 Signed-off-by: Mitsuhiro Tanino Closes-bug: #1381106 (cherry picked from commit e2f28b967910625432be0eab6a851adf53ac58ea) commit 01e7c516852e53df661b2eedc970c327c1ff10ce Author: Vipin Balachandran Date: Fri Oct 10 23:06:27 2014 +0530 Revert "Relocate volume to compliant datastore" Commit 4be8913520f5e9fe4109ade101da9509e4a83360 introduced a regression which causes failures during cinder volume re-attach. This patch reverts commit 4be8913520f5e9fe4109ade101da9509e4a83360 as an immediate fix. Closes-Bug: #1379830 Change-Id: I5dfbd45533489c3c81db8d256bbfd2f85614a357 (cherry picked from commit 48cb82971e0418f9a629e2b39d0433dc2c0e6919) commit 900d49723f65e87658381ff955559f54ac98c487 Author: Andreas Jaeger Date: Thu Oct 9 12:25:28 2014 +0200 Updated translations Commands run:- $ python setup.py extract_messages $ python setup.py update_catalog --no-fuzzy-matching \ --ignore-obsolete=true $ source \ ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh $ setup_loglevel_vars $ cleanup_po_files cinder Change-Id: I73f3bdccb4be98df95fa853864e465f4d83a8884 commit 8e94aaa2b28b491314fe8642061ac73e3fe8e966 Author: Navneet Singh Date: Thu Aug 28 16:03:41 2014 +0530 NetApp fix eseries unit test mock clean This patch fixes the issue of mock not getting cleaned for requests in unit tests. Closes-Bug: #1353506 Change-Id: Iab401021d7f180ff1f2bf3ed79166699112cc367 (cherry picked from commit 140956515327494a53de6ad09c35690624248f0a) commit aaecfcf15e6b9defde5822453f2ae97aaf959408 Author: John Griffith Date: Tue Oct 7 11:49:58 2014 -0600 Make sure device support Direct before setting We added '-t none' option to the qemu-img convert operation in image_utils.py a while back to accomodate a couple of backend devices that didn't flush writes on disconnect. (Change: I7a04f683add8c23b9125fe837c4048ccc3ac224d) The only problem here is that some backend devices don't support Direct mode and raise an exception and fail when setting this option. This patch adds a simple check using dd to see if the dest supports the Direct flag and only sets '-t none' if the device does in fact support it. Additionally it was brought up that even yet other backends are using file devices not blk devices. In their case setting Direct will still work, however it's sub-optimal as qemu-convert has internal mechanisms to make sure flushing etc are done correctly and efficiently for those devices. So to accomodate that particular use case I'm also adding a check if blk dev that can be used for determining whether to set Direct for the qemu-convert process. Change-Id: I34127ac373ceadcfb6fc2662628b1a91eb7b0046 Closes-Bug: 1375487 (cherry picked from commit c42273fbc1983b146180c82b8a34b0d832a6f431) commit a8cec39f8243fd4ee6c0a16fc0620d4b0980c749 Author: Juan Zuluaga Date: Wed Sep 24 18:51:07 2014 -0400 ZFSSA iSCSI vol create fails with vol type option Vol create with volume-type option is not working since volume_backend_name contains the class name as predefined string. No matter what was specified in cinder.conf as volume_backend_name, volume creation failed. Multi-backend option and using extra specs to create custom volumes won't work. The fix is to look whether volume_backend_name is part of the configuration or falls into the class name in case there is no backend name. Closes-Bug: 1373621 DocImpact (cherry picked from commit 5c61d57d3693523e9cbf11bf0b5b09bafe699247) Change-Id: I1bc501dd4c5689d96c7beb720b64112df1770232 commit 04cd35fd88768ec0f5d23619cec2df4981ee7d8c Author: Sean McGinnis Date: Fri Sep 26 15:21:35 2014 -0500 Handle eqlx SSH connection close on abort. EqualLogic array CLI operation timeout causes the SSH thread to be aborted. This would cause SSH sessions to be orphaned and hit a max connection limit on the array. This fix catches these aborts and makes sure the connection is closed. Change-Id: I9392fd5dd79eb44f252bf50217f17cc473e6f2f0 Closes-Bug: 1374613 (cherry picked from commit 5cb23b67c53437fc51a6b37acac477fba4d6a7ab) commit 787b328518b2eec8275956835ae16488644e7d87 Author: Juan Zuluaga Date: Tue Sep 16 11:23:36 2014 -0400 ZFSSA iSCSI driver cannot add multple initiators to a group All initiators defined in zfssa_initiator property would be added to the group. Also fixed some typos related to initiators error messages. Change-Id: Iec6c90702e5aafa153b4a7f1e429974ac450afc0 Closes-Bug: #1369750 (cherry picked from commit f94d671e627dd7b5143422ffe739418fcfb51a70) commit c566767d6a5041d1d86b1e199028d78772ebc508 Author: Patrick East Date: Tue Sep 30 11:47:42 2014 -0700 Fix race condition in ISCSIConnector _disconnect_volume_multipath_iscsi This is a similar issue as seen in https://bugs.launchpad.net/cinder/+bug/1375382 The list of devices returned by driver.get_all_block_devices() in _disconnect_volume_multipath_iscsi will potentially contain broken symlinks as the SCSI devices have been deleted from calling self._linuxscsi.remove_multipath_device(device_realpath) right before _disconnect_volume_multipath_iscsi but the udev rule for the symlink may not yet have completed. Adding in a check to os.path.exists() will ensure that we will not consider the broken symlinks as an “in use” device. Change-Id: I79c9627e9b47127d3765fcec5b7e3bacef179630 Closes-Bug: #1375946 (cherry picked from commit 4541521de576297d9b7d4115b040ff54773d9d50) commit 40eff25fce9a350d1872b083503e4306242961de Author: Clinton Knight Date: Fri Sep 26 12:07:44 2014 -0400 Deprecate / obsolete NetApp volume extra specs The NetApp Data ONTAP (Cluster-mode) NFS & iSCSI drivers for Juno support the Cinder pools feature, but the drivers are reporting two qualified extra specs that must be converted to unqualified extra specs in order to be used by the Cinder scheduler's capability filter. Furthermore, there are four extra specs that must be deprecated due to having the pools feature. Warnings will be logged during volume creation if any of the obsolete or deprecated extra specs are seen in the volume type. Change-Id: I4dbd667610e481356304a12b8dae84cff61aa9d9 Closes-bug: 1374630 (cherry picked from commit 4cb4be4122a44dc99d6f29f065cdd32ae86273ce) commit 2601acaec8d3c154f7638db0e7dad307d0efcc48 Author: Vincent Hou Date: Fri Sep 12 16:10:02 2014 +0800 IBM Storwize driver: Retype the volume with correct empty QoS * Currently for Storwzie driver, if the new type does not have QoS configurations, the old QoS configurations remain in the volume after retyping it. It should be retyped into a volume with empty QoS for the Storwize driver. * Refactor three dicts into one for better maintainance of the QoS keys for Storwize driver. DocImpact Change-Id: I2b2801a4ef72ef02c11392ed00b56f5263a8a7e4 Closes-Bug: #1368595 (cherry picked from commit 26de1b1d829849665dae921b8be739194b84515d) commit d5efe6703297761215907eeaf703cec040e6ad25 Author: Tristan Cacqueray Date: Fri Oct 3 19:57:01 2014 +0000 Sync latest processutils from oslo-incubator An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed to address ssh_execute(). This change set addresses ssh_execute. ------------------------------------------------ oslo-incubator head: commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4 Merge: 9f5c700 2a130bf Author: Jenkins Date: Mon Sep 29 23:12:14 2014 +0000 Merge "Script to list unreleased changes in all oslo projects" ----------------------------------------------- The sync pulls in the following changes (newest to oldest): 6a60f842 - Mask passwords in exceptions and error messages (SSH) ----------------------------------------------- Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958 Closes-Bug: #1377981 (cherry picked from commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567) commit c70ef7d8d4d9479fe5d3f4a8387c4eac1dca274d Author: OpenStack Proposal Bot Date: Mon Oct 6 16:09:05 2014 +0000 Updated from global requirements Change-Id: I116f04494e596e470f8fec242466ac5fe21b222c commit 79afa849658f689a9105473fdfba1d993684d3df Author: Lucian Petrut Date: Tue Sep 30 11:58:22 2014 +0300 Windows SMBFS: Handle volume_name in _qemu_img_info The volume_name is now parsed to the _qemu_img_info wrapper. As this method is not prone to security issues because this driver does not support raw images (at least not yet), we don't have to perform any checks on the backing image file path. Thus, this method simply ignores this argument that will be parsed by the base class methods. Related-Bug: #1350504 Change-Id: I801a6338250ec2dc631c4058543f7d0088b3e4d4 (cherry picked from commit 5e0ce63d6df39dcad5a0ef35553369e49c67dfb8) commit 608ecf565f99b9840095ecff424e396c4bae631a Author: Eric Harney Date: Tue Sep 9 16:20:24 2014 -0400 Refuse invalid qcow2 backing files Don't allow qcow2 files that are pointing to backing files outside of: volume- volume-. volume-.tmp-snap- (optionally prefixed with /mnt/path) Closes-Bug: #1350504 Change-Id: Ic89cffc93940b7b119cfcde3362f304c9f2875df (cherry picked from commit dca3c8323cf8cf12aa8ce4ba21f647ce631e8153) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1329214 Title: tgtadm iscsi chap does not work Status in Cinder: Fix Released Status in OpenStack Security Notes: In Progress Bug description: When using LVMISCSIDriver and iscsi_helper tgtadm, it should support chap unidirectional authentication because target configuration file and db.volume has record chap user and chap passwd. By testing, I found that tgtadm iscsi chap does not work. Is it a security bug for iscsi_helper tgtadm? My detail test work is as follows. 1. Test details as follows without modify the source code: 1) Devstack all in one server A(10.250.10.190); another testing server B(10.250.10.191) 2) create a vm VM-A and a cinder volume VOLUME-A, attach VOLUME-A to VM-A 3) server B directly login the iscsi target that server-A export and get VOLUME-A sucessfully . iscsiadm -m discovery -t sendtargets -p 10.250.10.190 iscsiadm -m node -T iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login 2. Test details as follows with modify the source code: 1) add creating user/passwd and binding user to tid code before leaving the function TgtAdm:create_iscsi_target. type, name, passwd = chap_auth.split() self._execute('tgtadm', '--lld', 'iscsi', '--mode', 'account', '--op', 'new', '--user', name, '--password', passwd) self._execute('tgtadm', '--lld', 'iscsi', '--mode', 'account', '--op', 'bind', '--tid', tid, '--user', name ) 2) try to login VOLUME-A as the steps in item 1, it reported an authorization error as follows. root at devaio1:/etc/iscsi# iscsiadm -m node -T iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login Logging in to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260] (multiple) iscsiadm: Could not login to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260]. iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure) iscsiadm: Could not log into all portals To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1329214/+subscriptions From mriedem at us.ibm.com Wed Jun 10 16:09:24 2015 From: mriedem at us.ibm.com (Matt Riedemann) Date: Wed, 10 Jun 2015 16:09:24 -0000 Subject: [Openstack-security] [Bug 1321785] Re: RFE: block_device_info dict should have a password key rather than clear password References: <20140521143043.29900.37913.malonedeb@wampee.canonical.com> Message-ID: <20150610160924.14946.55283.malone@gac.canonical.com> Some discussion on this in the mailing list: http://lists.openstack.org/pipermail/openstack-dev/2015-June/066471.html -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1321785 Title: RFE: block_device_info dict should have a password key rather than clear password Status in OpenStack Compute (Nova): Confirmed Status in OpenStack Compute (nova) icehouse series: Invalid Bug description: See bug 1319943 and the related patch https://review.openstack.org/#/c/93787/ for details, but right now the block_device_info dict passed around in the nova virt driver can contain a clear text password for the auth_password key. That bug and patch are masking the password when logged in the immediate known locations, but this could continue to crop up so we should change the design such that the block_device_info dict doesn't contain the password but rather a key to a store that nova can retrieve the password for use. Comment from Daniel Berrange in the patch above: "Long term I think we need to figure out a way to remove the passwords from any data dicts we pass around. Ideally the block device info would merely contain something like a UUID to identify a password, which Nova could use to fetch the actual password from a secure password manager service at time of use. Thus we wouldn't have to worry about random objects/dicts containing actual passwords. Obviously this isn't something we can do now, but could you file an RFE to address this from a design POV, because masking passwords at time of logging call is not really a viable long term strategy IMHO." To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1321785/+subscriptions From 1461154 at bugs.launchpad.net Thu Jun 11 21:25:06 2015 From: 1461154 at bugs.launchpad.net (Lin Hua Cheng) Date: Thu, 11 Jun 2015 21:25:06 -0000 Subject: [Openstack-security] [Bug 1461154] Re: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers References: <20150602162757.6123.3584.malonedeb@wampee.canonical.com> Message-ID: <20150611212507.18273.85991.launchpad@gac.canonical.com> ** Changed in: horizon Assignee: (unassigned) => Brian Tully (brian-tully) ** Changed in: horizon Importance: Undecided => Low -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461154 Title: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers Status in OpenStack Dashboard (Horizon): New Status in OpenStack Security Advisories: Won't Fix Bug description: This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. Vulnerability Details A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. Impact An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks. Recommendations Set the HTTP X-Frame-Options header to one of the following: DENY - deny any frames SAMEORIGIN - frames are only allowed from the same origin ALLOW-FROM - a list of allowable origin's Although many pages within Horizon 1.1 leverage the X-Frame-Options header with the recommended SAMEORIGIN policy, some (still popular) older browsers don’t support this setting. Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus vulnerable to an attack known as ClickJacking unless an additional mitigating control is present. To support legacy browsers, a suggested best practice is to add a frame breaking script to the base/global template file. Based off of https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best- for-now_Legacy_Browser_Frame_Breaking_Script """ One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers, that do not support the X-Frame-Options-Header. In the document HEAD element, add the following: First apply an ID to the style element itself: And then delete that style by its ID immediately after in the script: This way, everything can be in the document HEAD and you only need one method/taglib in your API. """ To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1461154/+subscriptions From 1361360 at bugs.launchpad.net Fri Jun 12 10:06:54 2015 From: 1361360 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 12 Jun 2015 10:06:54 -0000 Subject: [Openstack-security] [Bug 1361360] Fix merged to glance (stable/juno) References: <20140825203231.13086.48412.malonedeb@wampee.canonical.com> Message-ID: <20150612100654.27148.64799.malone@soybean.canonical.com> Reviewed: https://review.openstack.org/162964 Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=d569ed9db9dc1941ef74d38f85f8f67a85ff10b0 Submitter: Jenkins Branch: stable/juno commit d569ed9db9dc1941ef74d38f85f8f67a85ff10b0 Author: abhishekkekane Date: Tue Oct 21 04:39:59 2014 -0700 Eventlet green threads not released back to pool Presently, the wsgi server allows persist connections. Hence even after the response is sent to the client, it doesn't close the client socket connection. Because of this problem, the green thread is not released back to the pool. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. DocImpact: Added http_keepalive option (default=True). Conflicts: doc/source/configuring.rst etc/glance-api.conf glance/common/wsgi.py glance/tests/unit/test_opts.py SecurityImpact Closes-Bug: #1361360 Change-Id: I93aaca24935a4f3096210233097dd6b8c5440176 (cherry picked from commit 16a821e00d15520d2f6e940e184bd289b8782620) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1361360 Title: Eventlet green threads not released back to the pool leading to choking of new requests Status in Cinder: Fix Released Status in Cinder icehouse series: Fix Released Status in Cinder juno series: Fix Released Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released Status in Glance icehouse series: Fix Committed Status in Orchestration API (Heat): Fix Committed Status in OpenStack Identity (Keystone): Fix Committed Status in Keystone icehouse series: Confirmed Status in Keystone juno series: Fix Committed Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in neutron juno series: Fix Committed Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) icehouse series: In Progress Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Data Processing (Sahara): Confirmed Bug description: Currently reproduced on Juno milestone 2. but this issue should be reproducible in all releases since its inception. It is possible to choke OpenStack API controller services using wsgi+eventlet library by simply not closing the client socket connection. Whenever a request is received by any OpenStack API service for example nova api service, eventlet library creates a green thread from the pool and starts processing the request. Even after the response is sent to the caller, the green thread is not returned back to the pool until the client socket connection is closed. This way, any malicious user can send many API requests to the API controller node and determine the wsgi pool size configured for the given service and then send those many requests to the service and after receiving the response, wait there infinitely doing nothing leading to disrupting services for other tenants. Even when service providers have enabled rate limiting feature, it is possible to choke the API services with a group (many tenants) attack. Following program illustrates choking of nova-api services (but this problem is omnipresent in all other OpenStack API Services using wsgi+eventlet) Note: I have explicitly set the wsi_default_pool_size default value to 10 in order to reproduce this problem in nova/wsgi.py. After you run the below program, you should try to invoke API ============================================================================================ import time import requests from multiprocessing import Process def request(number): #Port is important here path = 'http://127.0.0.1:8774/servers' try: response = requests.get(path) print "RESPONSE %s-%d" % (response.status_code, number) #during this sleep time, check if the client socket connection is released or not on the API controller node. time.sleep(1000) print “Thread %d complete" % number except requests.exceptions.RequestException as ex: print “Exception occurred %d-%s" % (number, str(ex)) if __name__ == '__main__': processes = [] for number in range(40): p = Process(target=request, args=(number,)) p.start() processes.append(p) for p in processes: p.join() ================================================================================================ Presently, the wsgi server allows persist connections if you configure keepalive to True which is default. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Additional information: By default eventlet passes “Connection: keepalive” if keepalive is set to True when a response is sent to the client. But it doesn’t have capability to set the timeout and max parameter. For example. Keep-Alive: timeout=10, max=5 Note: After we have disabled keepalive in all the OpenStack API service using wsgi library, then it might impact all existing applications built with the assumptions that OpenStack API services uses persistent connections. They might need to modify their applications if reconnection logic is not in place and also they might experience the performance has slowed down as it will need to reestablish the http connection for every request. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1361360/+subscriptions From gerrit2 at review.openstack.org Fri Jun 12 10:58:06 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Fri, 12 Jun 2015 10:58:06 +0000 Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/188874 Log: commit 34218330ac8ee3c06c3688cbd4bcf24667ee20fd Author: Dane Fichter Date: Fri Jun 5 13:25:11 2015 -0400 Nova Support of Glance Image Signing & Encryption This spec is related to work in the Glance project which handles signed and encrypted images. SecurityImpact DocImpact It depends on this glance spec: Depends-On: I305b2ae86415c8d256c641abb2795af663bee56a Change-Id: Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Implements: blueprint nova-support-image-signing From gerrit2 at review.openstack.org Fri Jun 12 13:51:14 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Fri, 12 Jun 2015 13:51:14 +0000 Subject: [Openstack-security] [openstack/barbican-specs] SecurityImpact review request change I80b4d5506ad0cb289f77db8ad0d9632bea9ae474 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/191076 Log: commit 8e2fe63ad7ad3f0ed4d2b9fae72a8c31b8e2ba38 Author: jfwood Date: Fri Jun 12 08:41:34 2015 -0500 Add List of Group-IDs to ACL for Secrets/Containers The current access control list (ACL) approach in Barbican only allows for adding user IDs for access to a given secret or container. This blueprint proposes allowing group IDs to be added to ACLs to accommodate users within specified groups access to secrets/containers as well. Adding group support to ACLs would support LDAP group based access to secrets/containers. Change-Id: I80b4d5506ad0cb289f77db8ad0d9632bea9ae474 Implements: blueprint api-acl-add-group-list APIImpact: Update /v1/.../acls resource to add new 'groups' list DocImpact: Update acls resource docs to mention a new 'groups' list SecurityImpact: Adds a new means to access secrets and containers From email at daviey.com Sat Jun 13 12:58:42 2015 From: email at daviey.com (Dave Walker) Date: Sat, 13 Jun 2015 13:58:42 +0100 Subject: [Openstack-security] [oss-security] CVE-2015-1850: OpenStack Cinder/Nova: Format-guessing and file disclosure in image convert In-Reply-To: <20150613091637.GE11230@mail.waldi.eu.org> References: <20150613091637.GE11230@mail.waldi.eu.org> Message-ID: On 13 Jun 2015 10:17 am, "Bastian Blank" wrote: > > Hi > > OpenStack Cinder and Nova do not provide input format to several calls > of "qemu-img convert". In Cinder these calls are done as root. This > allows the attacker to play the format guessing in qemu-img by providing > input with a qcow2 signature. If this signature contains a base file, > this file will be read by a process running as root and embedded in the > output. This bug is similar to CVE-2013-1922 and has been assigned > CVE-2015-1850. > > Tested with: lvm backed volume storage in Cinder, it may apply to others > as well. > > Steps to reproduce: > - create volume and attach to vm, > - create a qcow2 signature on the volume containing a base-file[1] from > within the vm and > - trigger an upload to Glance with "cinder upload-to-image --disk-type > qcow2"[2]. > The image uploaded to Glance will have the base-file from the > cinder-volume host embedded. > > Affected versions: tested on 2014.1.3, found while reading 2014.2.1 > > Timeline: > - Reported upstream 2015-01-27 > - Published 2015-06-13 > > Regards, > Bastian Blank > > [1]: qemu-img create -f qcow2 -b /etc/passwd /dev/vdb > [2]: The disk-type != raw triggers the use of "qemu-img convert" Hi, +CC openstack-security I see that this is being brought to oss-sec', but seemingly not via the OpenStack Security Group or Vulnerability Management Team. CVE-2015-1850 is referenced in your mail, are you saying that this has been assigned to this issue? I cannot easily find any other reference of its allocation. You said that this was raised upstream on 2015-01-27, do you have a Launchpad bug number or information on this discourse as to what was the outcome? Thanks -- Kind Regards, Dave Walker -------------- next part -------------- An HTML attachment was scrubbed... URL: From jeremy at openstack.org Sat Jun 13 14:35:29 2015 From: jeremy at openstack.org (Jeremy Stanley) Date: Sat, 13 Jun 2015 14:35:29 +0000 Subject: [Openstack-security] [oss-security] CVE-2015-1850: OpenStack Cinder/Nova: Format-guessing and file disclosure in image convert In-Reply-To: References: <20150613091637.GE11230@mail.waldi.eu.org> Message-ID: <20150613143529.GE2732@openstack.org> [cross-post to oss-security ML dropped to avoid unwarranted crosstalk noise there] On 2015-06-13 13:58:42 +0100 (+0100), Dave Walker wrote: > I see that this is being brought to oss-sec', but seemingly not via the > OpenStack Security Group or Vulnerability Management Team. [...] > You said that this was raised upstream on 2015-01-27, do you have a > Launchpad bug number or information on this discourse as to what was the > outcome? Since this is now public, I'm lifting the current embargo. See bug report at https://launchpad.net/bugs/1415087 for additional details. -- Jeremy Stanley -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 949 bytes Desc: Digital signature URL: From gerrit2 at review.openstack.org Sat Jun 13 21:51:06 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Sat, 13 Jun 2015 21:51:06 +0000 Subject: [Openstack-security] [openstack/glance-specs] SecurityImpact review request change I9eeafff45844a4cbb504dd1d3d12985e263f11f7 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/189537 Log: commit acc748fb3468ab6d7a8313bb1dbff1cac95b64f2 Author: Ian Cordasco Date: Mon Jun 8 21:30:12 2015 -0500 Add spec to refactor the HTTP Store onto requests DocImpact SecurityImpact Blueprint: http-store-on-requests Change-Id: I9eeafff45844a4cbb504dd1d3d12985e263f11f7 From gerrit2 at review.openstack.org Sun Jun 14 04:06:41 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Sun, 14 Jun 2015 04:06:41 +0000 Subject: [Openstack-security] [openstack/glance-specs] SecurityImpact review request change Ib8fe5a6d5ca3cdceb2b584bcdd17a70bc7ec84aa Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/191542 Log: commit 0d6451662848292a891ea7f19e49d703174949ee Author: Ian Cordasco Date: Sat Jun 13 23:05:56 2015 -0500 Add spec to make image checksum configurable ApiImpact DocImpact SecurityImpact Blueprint: make-checksum-configurable Change-Id: Ib8fe5a6d5ca3cdceb2b584bcdd17a70bc7ec84aa From 1461154 at bugs.launchpad.net Sun Jun 14 22:50:35 2015 From: 1461154 at bugs.launchpad.net (OpenStack Infra) Date: Sun, 14 Jun 2015 22:50:35 -0000 Subject: [Openstack-security] [Bug 1461154] Re: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers References: <20150602162757.6123.3584.malonedeb@wampee.canonical.com> Message-ID: <20150614225035.18404.91898.malone@gac.canonical.com> Fix proposed to branch: master Review: https://review.openstack.org/191591 ** Changed in: horizon Status: New => In Progress -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461154 Title: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers Status in OpenStack Dashboard (Horizon): In Progress Status in OpenStack Security Advisories: Won't Fix Bug description: This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. Vulnerability Details A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. Impact An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks. Recommendations Set the HTTP X-Frame-Options header to one of the following: DENY - deny any frames SAMEORIGIN - frames are only allowed from the same origin ALLOW-FROM - a list of allowable origin's Although many pages within Horizon 1.1 leverage the X-Frame-Options header with the recommended SAMEORIGIN policy, some (still popular) older browsers don’t support this setting. Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus vulnerable to an attack known as ClickJacking unless an additional mitigating control is present. To support legacy browsers, a suggested best practice is to add a frame breaking script to the base/global template file. Based off of https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best- for-now_Legacy_Browser_Frame_Breaking_Script """ One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers, that do not support the X-Frame-Options-Header. In the document HEAD element, add the following: First apply an ID to the style element itself: And then delete that style by its ID immediately after in the script: This way, everything can be in the document HEAD and you only need one method/taglib in your API. """ To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1461154/+subscriptions From gerrit2 at review.openstack.org Mon Jun 15 16:56:36 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 15 Jun 2015 16:56:36 +0000 Subject: [Openstack-security] [openstack/barbican-specs] SecurityImpact review request change I80b4d5506ad0cb289f77db8ad0d9632bea9ae474 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/191076 Log: commit 393fe6a62acec625437c4065a90e7320b25a6e18 Author: jfwood Date: Fri Jun 12 08:41:34 2015 -0500 Add List of Group-IDs to ACL for Secrets/Containers The current access control list (ACL) approach in Barbican only allows for adding user IDs for access to a given secret or container. This blueprint proposes allowing group IDs to be added to ACLs to accommodate users within specified groups access to secrets/containers as well. Adding group support to ACLs would support LDAP group based access to secrets/containers. This blueprint depends on the approval of a Keystone blueprint: https://review.openstack.org/#/c/188564/ Change-Id: I80b4d5506ad0cb289f77db8ad0d9632bea9ae474 Implements: blueprint api-acl-add-group-list APIImpact: Update /v1/.../acls resource to add new 'groups' list DocImpact: Update acls resource docs to mention a new 'groups' list SecurityImpact: Adds a new means to access secrets and containers From msm at redhat.com Mon Jun 15 16:52:45 2015 From: msm at redhat.com (Michael McCune) Date: Mon, 15 Jun 2015 16:52:45 -0000 Subject: [Openstack-security] [Bug 1451931] Re: ironic password config not marked as secret References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com> Message-ID: <20150615165247.17233.43443.launchpad@chaenomeles.canonical.com> ** Changed in: ossn Assignee: (unassigned) => Michael McCune (mimccune) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1451931 Title: ironic password config not marked as secret Status in OpenStack Compute (Nova): Fix Committed Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: The ironic config option for the password and auth token are not marked as secret so the values will get logged during startup in debug mode. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1451931/+subscriptions From tnurlygayanov at mirantis.com Mon Jun 15 17:20:31 2015 From: tnurlygayanov at mirantis.com (Timur Nurlygayanov) Date: Mon, 15 Jun 2015 20:20:31 +0300 Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? Message-ID: Hi team, Looks like we are using Bandit framework [1] for static analysis of code of different OpenStack components, but I can't find some integration security tests for OpenStack components. Do we have some additional open-source test framework / tests suite for security testing of OpenStack components? I found the blueprint in Tempest about fuzzy testing [2], so, we can start to develop some security tests in Tempest and use them to perform security testing on the integration level and also to validate some security bug fixes. Do we have some list with scenarios, which we can cover with fuzzing tests in Tempest? We can start from some tests which will validate fixed security issues, it will be really helpful if you can share some ideas about tests, which we have to create. Thank you! [1] https://github.com/stackforge/bandit [2] https://blueprints.launchpad.net/tempest/+spec/fuzzy-test -- Timur, Senior QA Engineer OpenStack Projects Mirantis Inc -------------- next part -------------- An HTML attachment was scrubbed... URL: From gerrit2 at review.openstack.org Mon Jun 15 20:28:15 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 15 Jun 2015 20:28:15 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Idbe37922c5f944e3d567ce16913ce5d87af41fef Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/141485 Log: commit 7d3df5cbb6d20a101159d8c405d77261147e9f1d Author: Joel Coffman Date: Thu Feb 5 09:28:16 2015 -0500 libvirt: Disconnect dm-crypt on instance suspend/stop Strengthens protection provided by ephemeral storage encryption feature by disconnecting the dm-crypt device, which provides access to unencrypted disk, when an encrypted instance is suspended or stopped. Co-Authored-By: Daniel Genin Implements: blueprint stop-dmcrypt-on-suspend SecurityImpact Change-Id: Idbe37922c5f944e3d567ce16913ce5d87af41fef From gerrit2 at review.openstack.org Tue Jun 16 19:28:06 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 16 Jun 2015 19:28:06 +0000 Subject: [Openstack-security] [openstack/glance] SecurityImpact review request change I129edb4cf6372165ce8ba3759bb40beadba9cdda Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/192394 Log: commit e147f8b5a2b6d5d4b15be3a7c70bf5b24e8d20d9 Author: Mike Fedosin Date: Fri Jun 12 17:53:37 2015 +0300 Add client_socket_timeout parameter Add a parameter to take advantage of the new(ish) eventlet socket timeout behaviour. Allows closing idle client connections after a period of time. Leaving the sockets open may allow malefactors to attack the system by creating many simultaneous connections, which leads to significant cpu consumption by glance-api servers. Setting 'client_socket_timeout = 0' means do not timeout. DocImpact: Added client_socket_timeout option (default=900). SecurityImpact Change-Id: I129edb4cf6372165ce8ba3759bb40beadba9cdda From gerrit2 at review.openstack.org Tue Jun 16 22:57:45 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 16 Jun 2015 22:57:45 +0000 Subject: [Openstack-security] [openstack/barbican-specs] SecurityImpact review request change I409ac9a604dac39e0a1ed3f704702089bca674f0 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/192453 Log: commit 841704a61bf804efcf8b88485dccbfd168e8287e Author: Ade Lee Date: Tue Jun 16 18:52:49 2015 -0400 Add mechanism for automated certificate renewals This adds a mechanism for authorizing certificate renewals in an automated fashion, by providing the certificate being renewed and proof of possession of the private key as authentication/authorization. Implements: auto-cert-renewal APIImpact: Add mechanism to auto-renew certificates DocImpact: Add docs for mechanism to auto-renew certificates SecurityImpact: Add mechanism to auto-renew certificates Change-Id: I409ac9a604dac39e0a1ed3f704702089bca674f0 From robert.clark at hp.com Wed Jun 17 10:32:24 2015 From: robert.clark at hp.com (Clark, Robert Graham) Date: Wed, 17 Jun 2015 10:32:24 +0000 Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? In-Reply-To: References: Message-ID: Fuzzing with Tempest is something that was discussed at the last summit, I think Rackspace had some interesting work that wanted to share but I might be miss-remembering. One of the issues is that unless you’re looking with issues in the python libraries used for handling the APIs (which would be interesting to find) message/protocol fuzzing is pretty limited, instead we need something that really understands the API to perform fuzzing to find things that logically shouldn’t be allowed to happen – many of these will be broken state issues. -Rob From: Timur Nurlygayanov [mailto:tnurlygayanov at mirantis.com] Sent: 15 June 2015 18:21 To: openstack-security at lists.openstack.org Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? Hi team, Looks like we are using Bandit framework [1] for static analysis of code of different OpenStack components, but I can't find some integration security tests for OpenStack components. Do we have some additional open-source test framework / tests suite for security testing of OpenStack components? I found the blueprint in Tempest about fuzzy testing [2], so, we can start to develop some security tests in Tempest and use them to perform security testing on the integration level and also to validate some security bug fixes. Do we have some list with scenarios, which we can cover with fuzzing tests in Tempest? We can start from some tests which will validate fixed security issues, it will be really helpful if you can share some ideas about tests, which we have to create. Thank you! [1] https://github.com/stackforge/bandit [2] https://blueprints.launchpad.net/tempest/+spec/fuzzy-test -- Timur, Senior QA Engineer OpenStack Projects Mirantis Inc -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Wed Jun 17 11:46:56 2015 From: fungi at yuggoth.org (Jeremy Stanley) Date: Wed, 17 Jun 2015 11:46:56 -0000 Subject: [Openstack-security] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled References: <20150617025422.18505.35016.malonedeb@gac.canonical.com> Message-ID: <20150617114656.18785.8403.malone@gac.canonical.com> The OpenStack VMT currently considers (based on existing precedent) disclosure of sensitive information in debug-level logging a security hardening opportunity, and does not issue security advisories for it. This is class D in our report taxonomy: https://security.openstack.org /vmt-process.html#incident-report-taxonomy ** Information type changed from Private Security to Public ** Also affects: ossa Importance: Undecided Status: New ** Changed in: ossa Status: New => Won't Fix -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1465922 Title: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled Status in OpenStack Identity (Keystone): New Status in OpenStack Security Advisories: Won't Fix Bug description: grep CLEARTEXTPASSWORD keystone.log 2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_user(user={u'domain_id': u'default', u'password': u'CLEARTEXTPASSWORD', u'enabled': True, u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name': u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site- packages/keystone/common/controller.py:57 Issue code: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57 LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])}) Shadow the values of sensitive fields like 'password' by some meaningless garbled text like "XXXXX" is one way to fix. Well, in addition to this, I think we should never pass the 'password' with its original value along the code and save it in any persistence, instead we should convert it to a strong hash value as early as possible. With the help of a good hash system, we never have to need the original value of the password, right? To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1465922/+subscriptions From lbragstad at gmail.com Wed Jun 17 13:03:59 2015 From: lbragstad at gmail.com (Lance Bragstad) Date: Wed, 17 Jun 2015 13:03:59 -0000 Subject: [Openstack-security] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled References: <20150617025422.18505.35016.malonedeb@gac.canonical.com> Message-ID: <20150617130359.18538.25330.malone@gac.canonical.com> I believe the same it true in Keystone based on what Jeremy has linked above. ** Changed in: keystone Status: New => Won't Fix -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1465922 Title: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled Status in OpenStack Identity (Keystone): Won't Fix Status in OpenStack Security Advisories: Won't Fix Bug description: grep CLEARTEXTPASSWORD keystone.log 2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_user(user={u'domain_id': u'default', u'password': u'CLEARTEXTPASSWORD', u'enabled': True, u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name': u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site- packages/keystone/common/controller.py:57 Issue code: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57 LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])}) Shadow the values of sensitive fields like 'password' by some meaningless garbled text like "XXXXX" is one way to fix. Well, in addition to this, I think we should never pass the 'password' with its original value along the code and save it in any persistence, instead we should convert it to a strong hash value as early as possible. With the help of a good hash system, we never have to need the original value of the password, right? To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1465922/+subscriptions From fungi at yuggoth.org Wed Jun 17 14:40:02 2015 From: fungi at yuggoth.org (Jeremy Stanley) Date: Wed, 17 Jun 2015 14:40:02 -0000 Subject: [Openstack-security] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled References: <20150617025422.18505.35016.malonedeb@gac.canonical.com> Message-ID: <20150617144002.9654.61394.malone@chaenomeles.canonical.com> Well, there's not necessarily a reason to avoid masking sensitive data in debug level logs as a security hardening measure, we just have enough cases of this already in various places along with documentation saying not to disclose debug logs to untrusted parties that we don't issue security advisories when yet another is discovered. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1465922 Title: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled Status in OpenStack Identity (Keystone): Won't Fix Status in OpenStack Security Advisories: Won't Fix Bug description: grep CLEARTEXTPASSWORD keystone.log 2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_user(user={u'domain_id': u'default', u'password': u'CLEARTEXTPASSWORD', u'enabled': True, u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name': u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site- packages/keystone/common/controller.py:57 Issue code: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57 LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])}) Shadow the values of sensitive fields like 'password' by some meaningless garbled text like "XXXXX" is one way to fix. Well, in addition to this, I think we should never pass the 'password' with its original value along the code and save it in any persistence, instead we should convert it to a strong hash value as early as possible. With the help of a good hash system, we never have to need the original value of the password, right? To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1465922/+subscriptions From Daniel.Kingshott at bestbuy.com Wed Jun 17 14:54:47 2015 From: Daniel.Kingshott at bestbuy.com (Kingshott, Daniel) Date: Wed, 17 Jun 2015 14:54:47 +0000 Subject: [Openstack-security] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled In-Reply-To: <20150617144002.9654.61394.malone@chaenomeles.canonical.com> References: <20150617025422.18505.35016.malonedeb@gac.canonical.com> <20150617144002.9654.61394.malone@chaenomeles.canonical.com> Message-ID: I would tend to agree with Jeremy, it¹s not unusual to see debug enabled to get useful messages, especially in keystone. On 6/17/15, 7:40 AM, "Jeremy Stanley" wrote: >Well, there's not necessarily a reason to avoid masking sensitive data >in debug level logs as a security hardening measure, we just have enough >cases of this already in various places along with documentation saying >not to disclose debug logs to untrusted parties that we don't issue >security advisories when yet another is discovered. > >-- >You received this bug notification because you are a member of OpenStack >Security, which is subscribed to OpenStack. >https://bugs.launchpad.net/bugs/1465922 > >Title: > Password visible in clear text in keystone.log when user created and > keystone debug logging is enabled > >Status in OpenStack Identity (Keystone): > Won't Fix >Status in OpenStack Security Advisories: > Won't Fix > >Bug description: > grep CLEARTEXTPASSWORD keystone.log > > 2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-] > RBAC: Authorizing identity:create_user(user={u'domain_id': u'default', > u'password': u'CLEARTEXTPASSWORD', u'enabled': True, > u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name': > u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site- > packages/keystone/common/controller.py:57 > > Issue code: > >https://github.com/openstack/keystone/blob/master/keystone/common/controll >er.py#L57 > > LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { > 'action': action, > 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in >kwargs])}) > > Shadow the values of sensitive fields like 'password' by some > meaningless garbled text like "XXXXX" is one way to fix. > > Well, in addition to this, I think we should never pass the 'password' > with its original value along the code and save it in any persistence, > instead we should convert it to a strong hash value as early as > possible. With the help of a good hash system, we never have to need > the original value of the password, right? > >To manage notifications about this bug go to: >https://bugs.launchpad.net/keystone/+bug/1465922/+subscriptions > >_______________________________________________ >Openstack-security mailing list >Openstack-security at lists.openstack.org >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security From charles.neill at RACKSPACE.COM Wed Jun 17 15:57:44 2015 From: charles.neill at RACKSPACE.COM (Charles Neill) Date: Wed, 17 Jun 2015 15:57:44 +0000 Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? In-Reply-To: Message-ID: I'm actually working on some (very simple) fuzzing tests for the Barbican project right now. I've realized that using a Python client that is strictly defined for sending "good" data to an API isn't necessarily the best mechanism for truly fuzzing that API. For example, the "requests" lib chokes on trying to convert unicode strings to ascii in HTTP request headers. I'm contemplating using something like sulley (link: https://github.com/OpenRCE/sulley) for deeper fuzzing, but I don't have time to really dig into it at the moment. I'd love to hear others' thoughts on this problem. Cheers, Charles Neill From: , Robert Graham > Date: Wednesday, June 17, 2015 at 5:32 AM To: Timur Nurlygayanov >, "openstack-security at lists.openstack.org" > Subject: Re: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? Fuzzing with Tempest is something that was discussed at the last summit, I think Rackspace had some interesting work that wanted to share but I might be miss-remembering. One of the issues is that unless you’re looking with issues in the python libraries used for handling the APIs (which would be interesting to find) message/protocol fuzzing is pretty limited, instead we need something that really understands the API to perform fuzzing to find things that logically shouldn’t be allowed to happen – many of these will be broken state issues. -Rob From: Timur Nurlygayanov [mailto:tnurlygayanov at mirantis.com] Sent: 15 June 2015 18:21 To: openstack-security at lists.openstack.org Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? Hi team, Looks like we are using Bandit framework [1] for static analysis of code of different OpenStack components, but I can't find some integration security tests for OpenStack components. Do we have some additional open-source test framework / tests suite for security testing of OpenStack components? I found the blueprint in Tempest about fuzzy testing [2], so, we can start to develop some security tests in Tempest and use them to perform security testing on the integration level and also to validate some security bug fixes. Do we have some list with scenarios, which we can cover with fuzzing tests in Tempest? We can start from some tests which will validate fixed security issues, it will be really helpful if you can share some ideas about tests, which we have to create. Thank you! [1] https://github.com/stackforge/bandit [2] https://blueprints.launchpad.net/tempest/+spec/fuzzy-test -- Timur, Senior QA Engineer OpenStack Projects Mirantis Inc -------------- next part -------------- An HTML attachment was scrubbed... URL: From fungi at yuggoth.org Wed Jun 17 16:34:40 2015 From: fungi at yuggoth.org (Jeremy Stanley) Date: Wed, 17 Jun 2015 16:34:40 +0000 Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? In-Reply-To: References: Message-ID: <20150617163440.GW2731@yuggoth.org> On 2015-06-17 15:57:44 +0000 (+0000), Charles Neill wrote: [...] > I've realized that using a Python client that is strictly defined > for sending "good" data to an API isn't necessarily the best > mechanism for truly fuzzing that API. For example, the "requests" > lib chokes on trying to convert unicode strings to ascii in HTTP > request headers. [...] There's the low-level client used in Tempest: http://git.openstack.org/cgit/openstack/tempest-lib/tree/tempest_lib/common Though it's using httplib2 and not just raw sockets, so still possibly too high-level depending on whether you're also wanting to fuzz Apache/nginx/whatever as well. -- Jeremy Stanley From 1361360 at bugs.launchpad.net Wed Jun 17 18:15:32 2015 From: 1361360 at bugs.launchpad.net (Alan Pevec) Date: Wed, 17 Jun 2015 18:15:32 -0000 Subject: [Openstack-security] [Bug 1361360] Re: Eventlet green threads not released back to the pool leading to choking of new requests References: <20140825203231.13086.48412.malonedeb@wampee.canonical.com> Message-ID: <20150617181535.11034.71423.launchpad@gac.canonical.com> ** Changed in: nova/icehouse Status: In Progress => Fix Committed ** Changed in: nova/icehouse Milestone: None => 2014.1.5 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1361360 Title: Eventlet green threads not released back to the pool leading to choking of new requests Status in Cinder: Fix Released Status in Cinder icehouse series: Fix Released Status in Cinder juno series: Fix Released Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released Status in Glance icehouse series: Fix Committed Status in Orchestration API (Heat): Fix Committed Status in OpenStack Identity (Keystone): Fix Committed Status in Keystone icehouse series: Confirmed Status in Keystone juno series: Fix Committed Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in neutron juno series: Fix Committed Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) icehouse series: Fix Committed Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Data Processing (Sahara): Confirmed Bug description: Currently reproduced on Juno milestone 2. but this issue should be reproducible in all releases since its inception. It is possible to choke OpenStack API controller services using wsgi+eventlet library by simply not closing the client socket connection. Whenever a request is received by any OpenStack API service for example nova api service, eventlet library creates a green thread from the pool and starts processing the request. Even after the response is sent to the caller, the green thread is not returned back to the pool until the client socket connection is closed. This way, any malicious user can send many API requests to the API controller node and determine the wsgi pool size configured for the given service and then send those many requests to the service and after receiving the response, wait there infinitely doing nothing leading to disrupting services for other tenants. Even when service providers have enabled rate limiting feature, it is possible to choke the API services with a group (many tenants) attack. Following program illustrates choking of nova-api services (but this problem is omnipresent in all other OpenStack API Services using wsgi+eventlet) Note: I have explicitly set the wsi_default_pool_size default value to 10 in order to reproduce this problem in nova/wsgi.py. After you run the below program, you should try to invoke API ============================================================================================ import time import requests from multiprocessing import Process def request(number): #Port is important here path = 'http://127.0.0.1:8774/servers' try: response = requests.get(path) print "RESPONSE %s-%d" % (response.status_code, number) #during this sleep time, check if the client socket connection is released or not on the API controller node. time.sleep(1000) print “Thread %d complete" % number except requests.exceptions.RequestException as ex: print “Exception occurred %d-%s" % (number, str(ex)) if __name__ == '__main__': processes = [] for number in range(40): p = Process(target=request, args=(number,)) p.start() processes.append(p) for p in processes: p.join() ================================================================================================ Presently, the wsgi server allows persist connections if you configure keepalive to True which is default. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Additional information: By default eventlet passes “Connection: keepalive” if keepalive is set to True when a response is sent to the client. But it doesn’t have capability to set the timeout and max parameter. For example. Keep-Alive: timeout=10, max=5 Note: After we have disabled keepalive in all the OpenStack API service using wsgi library, then it might impact all existing applications built with the assumptions that OpenStack API services uses persistent connections. They might need to modify their applications if reconnection logic is not in place and also they might experience the performance has slowed down as it will need to reestablish the http connection for every request. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1361360/+subscriptions From gerrit2 at review.openstack.org Thu Jun 18 06:38:16 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Thu, 18 Jun 2015 06:38:16 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/192986 Log: commit 05e451add83319b667df4709f6d506ab29373efb Author: Rajesh Tailor Date: Tue Mar 31 05:24:47 2015 -0700 Kill rsync/scp processes before deleting instance In the resize operation, during copying files from source to destination compute node scp/rsync processes are not aborted after the instance is deleted because linux kernel doesn't delete instance files physically until all processes using the file handle is closed completely. Hence rsync/scp process keeps on running until it transfers 100% of file data. Added callback methods to execute call which will store the pid of scp/rsync process in cache as a key: value pair and to remove the pid from the cache after process completion. Process id will be used to kill the process if it is running while deleting the instance. Instance uuid is used as a key in the cache and pid will be the value. SecurityImpact Change-Id: Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9 Closes-bug: #1387543 From michael.xin at RACKSPACE.COM Thu Jun 18 14:33:39 2015 From: michael.xin at RACKSPACE.COM (Michael Xin) Date: Thu, 18 Jun 2015 14:33:39 +0000 Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? In-Reply-To: References: Message-ID: Charles and Clark: Thanks for the update. There are two different types of fuzzing that are discussed here: 1. Deep security fuzzing to find new security defects. Sulley looks like a good tool for this purpose. For this type of fuzzing, the goal is to generate huge amount of unexpected fuzz attack vectors to check whether the application could handle these data. It will take a long time and it has the potential to find new security defects. 2. Light fuzzing automation that can be integrated with CI process. For this type of fuzzing, we have pre-defined fuzzing strings and we know the expected responses back. We can have a list of security tests defined: authentication & authorization, injection issues, security transport layer issues, user input validation, denial of services, etc. It should give us consistent level of security coverage. This approach has the risk of missing new security defects. But once new security defects are identified, it is possible to add security checks to make sure that they will be identified in the future. This types of security tests can be run the same time that QA function tests are run. It is easy for integrate. Rackspace has been working with our QE to build more security test cases like these. For OpenStack, we are currently pushing security test cases to Barbican and Poppy projects. More should come in the future. Thanks and have a great day. Yours, Michael ----------------------------------------------------------------------------- Michael Xin | Manager, Security Engineering - US Product Security |Rackspace Hosting Office #: 501-7341 or 210-312-7341 Mobile #: 210-284-8674 5000 Walzem Road, San Antonio, Tx 78218 ---------------------------------------------------------------------------- Experience fanatical support From: Charles Neill > Date: Wednesday, June 17, 2015 at 10:57 AM To: "Clark, Robert Graham" >, Timur Nurlygayanov >, "openstack-security at lists.openstack.org" > Subject: Re: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? I'm actually working on some (very simple) fuzzing tests for the Barbican project right now. I've realized that using a Python client that is strictly defined for sending "good" data to an API isn't necessarily the best mechanism for truly fuzzing that API. For example, the "requests" lib chokes on trying to convert unicode strings to ascii in HTTP request headers. I'm contemplating using something like sulley (link: https://github.com/OpenRCE/sulley) for deeper fuzzing, but I don't have time to really dig into it at the moment. I'd love to hear others' thoughts on this problem. Cheers, Charles Neill From: , Robert Graham > Date: Wednesday, June 17, 2015 at 5:32 AM To: Timur Nurlygayanov >, "openstack-security at lists.openstack.org" > Subject: Re: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? Fuzzing with Tempest is something that was discussed at the last summit, I think Rackspace had some interesting work that wanted to share but I might be miss-remembering. One of the issues is that unless you're looking with issues in the python libraries used for handling the APIs (which would be interesting to find) message/protocol fuzzing is pretty limited, instead we need something that really understands the API to perform fuzzing to find things that logically shouldn't be allowed to happen - many of these will be broken state issues. -Rob From: Timur Nurlygayanov [mailto:tnurlygayanov at mirantis.com] Sent: 15 June 2015 18:21 To: openstack-security at lists.openstack.org Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? Hi team, Looks like we are using Bandit framework [1] for static analysis of code of different OpenStack components, but I can't find some integration security tests for OpenStack components. Do we have some additional open-source test framework / tests suite for security testing of OpenStack components? I found the blueprint in Tempest about fuzzy testing [2], so, we can start to develop some security tests in Tempest and use them to perform security testing on the integration level and also to validate some security bug fixes. Do we have some list with scenarios, which we can cover with fuzzing tests in Tempest? We can start from some tests which will validate fixed security issues, it will be really helpful if you can share some ideas about tests, which we have to create. Thank you! [1] https://github.com/stackforge/bandit [2] https://blueprints.launchpad.net/tempest/+spec/fuzzy-test -- Timur, Senior QA Engineer OpenStack Projects Mirantis Inc -------------- next part -------------- An HTML attachment was scrubbed... URL: From gerrit2 at review.openstack.org Thu Jun 18 15:12:47 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Thu, 18 Jun 2015 15:12:47 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/191095 Log: commit 116e360ae13f4b65dce8c6c7369686a670a45bd3 Author: Davanum Srinivas Date: Fri Jun 12 10:26:08 2015 -0400 Allow non-admin to list all tenants based on policy Currently, running 'nova list --all-tenants' with a policy change: "compute:get_all_tenants": "role:special_role or is_admin:True" will not work as expected, The returned list of servers will not contain all instances of all tenants. We should support administrators who wish to enable this functionality in their policy.json. We need to fix this problem both in the v2 API and in the v2.1 as well. Deep in instance_get_all_by_filters_sort, there is a check which adds a filter of project_id or user_id if the context is NOT an admin context. So, the returned list will be a subset of all the instances in the database. To fix this scenario, the easy way is to call get_all with an elevated context to pass this check in instance_get_all_by_filters_sort. So in fixing the bug above, we need to fix the default policy so that all-tenants is available by default only to administrators. UpgradeImpact SecurityImpact DocImpact: --all-tenants will list all servers for non-admin APIImpact: --all-tenants will list all servers for non-admin Implements blueprint allow-ip6-search-for-non-admin Closes-Bug: #1464381 Change-Id: I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6 From gerrit2 at review.openstack.org Thu Jun 18 15:15:37 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Thu, 18 Jun 2015 15:15:37 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/191095 Log: commit 014e491ed08019bdef930d648f3966706bfd467b Author: Davanum Srinivas Date: Fri Jun 12 10:26:08 2015 -0400 Allow non-admin to list all tenants based on policy Currently, running 'nova list --all-tenants' with a policy change: "compute:get_all_tenants": "role:special_role or is_admin:True" will not work as expected, The returned list of servers will not contain all instances of all tenants. We should support administrators who wish to enable this functionality in their policy.json. We need to fix this problem both in the v2 API and in the v2.1 as well. Deep in instance_get_all_by_filters_sort, there is a check which adds a filter of project_id or user_id if the context is NOT an admin context. So, the returned list will be a subset of all the instances in the database. To fix this scenario, the easy way is to call get_all with an elevated context to pass this check in instance_get_all_by_filters_sort. So in fixing the bug above, we need to fix the default policy so that all-tenants is available by default only to administrators. UpgradeImpact SecurityImpact DocImpact: --all-tenants will list all servers for non-admin APIImpact: --all-tenants will list all servers for non-admin Implements blueprint allow-ip6-search-for-non-admin Closes-Bug: #1464381 Change-Id: I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6 From tnurlygayanov at mirantis.com Thu Jun 18 16:23:22 2015 From: tnurlygayanov at mirantis.com (Timur Nurlygayanov) Date: Thu, 18 Jun 2015 19:23:22 +0300 Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? In-Reply-To: References: Message-ID: Thank you all for the responses! We are planing to contribute our security tests too and we are looking for the right place for this. Michael, do you plan to add some security tests to Tempest as well? On Thu, Jun 18, 2015 at 5:33 PM, Michael Xin wrote: > Charles and Clark: > Thanks for the update. There are two different types of fuzzing that are > discussed here: > > 1. Deep security fuzzing to find new security defects. Sulley looks > like a good tool for this purpose. For this type of fuzzing, the goal is to > generate huge amount of unexpected fuzz attack vectors to check whether the > application could handle these data. It will take a long time and it has > the potential to find new security defects. > 2. Light fuzzing automation that can be integrated with CI process. > For this type of fuzzing, we have pre-defined fuzzing strings and we know > the expected responses back. We can have a list of security tests defined: > authentication & authorization, injection issues, security transport layer > issues, user input validation, denial of services, etc. It should give us > consistent level of security coverage. This approach has the risk of > missing new security defects. But once new security defects are identified, > it is possible to add security checks to make sure that they will be > identified in the future. This types of security tests can be run the same > time that QA function tests are run. It is easy for integrate. Rackspace > has been working with our QE to build more security test cases like these. > For OpenStack, we are currently pushing security test cases to Barbican and > Poppy projects. More should come in the future. > > > > Thanks and have a great day. > > Yours, > Michael > > > ----------------------------------------------------------------------------- > Michael Xin | Manager, Security Engineering - US > Product Security |Rackspace Hosting > Office #: 501-7341 or 210-312-7341 > Mobile #: 210-284-8674 > 5000 Walzem Road, San Antonio, Tx 78218 > > ---------------------------------------------------------------------------- > Experience fanatical support > > > From: Charles Neill > Date: Wednesday, June 17, 2015 at 10:57 AM > To: "Clark, Robert Graham" , Timur Nurlygayanov < > tnurlygayanov at mirantis.com>, "openstack-security at lists.openstack.org" < > openstack-security at lists.openstack.org> > > Subject: Re: [Openstack-security] [security] [QA] Do we have security > tests suite for OpenStack components? > > I'm actually working on some (very simple) fuzzing tests for the > Barbican project right now. I've realized that using a Python client that > is strictly defined for sending "good" data to an API isn't necessarily the > best mechanism for truly fuzzing that API. For example, the "requests" lib > chokes on trying to convert unicode strings to ascii in HTTP request > headers. > > I'm contemplating using something like sulley (link: > https://github.com/OpenRCE/sulley) for deeper fuzzing, but I don't have > time to really dig into it at the moment. I'd love to hear others' thoughts > on this problem. > > Cheers, > Charles Neill > > From: , Robert Graham > Date: Wednesday, June 17, 2015 at 5:32 AM > To: Timur Nurlygayanov , " > openstack-security at lists.openstack.org" < > openstack-security at lists.openstack.org> > Subject: Re: [Openstack-security] [security] [QA] Do we have security > tests suite for OpenStack components? > > Fuzzing with Tempest is something that was discussed at the last > summit, I think Rackspace had some interesting work that wanted to share > but I might be miss-remembering. > > > > One of the issues is that unless you’re looking with issues in the python > libraries used for handling the APIs (which would be interesting to find) > message/protocol fuzzing is pretty limited, instead we need something that > really understands the API to perform fuzzing to find things that logically > shouldn’t be allowed to happen – many of these will be broken state issues. > > > > -Rob > > > > *From:* Timur Nurlygayanov [mailto:tnurlygayanov at mirantis.com > ] > *Sent:* 15 June 2015 18:21 > *To:* openstack-security at lists.openstack.org > *Subject:* [Openstack-security] [security] [QA] Do we have security tests > suite for OpenStack components? > > > > Hi team, > > Looks like we are using Bandit framework [1] for static analysis of code > of different OpenStack components, but I can't find some integration > security tests for OpenStack components. Do we have some additional > open-source test framework / tests suite for security testing of OpenStack > components? > > I found the blueprint in Tempest about fuzzy testing [2], so, we can start > to develop some security tests in Tempest and use them to perform security > testing on the integration level and also to validate some security bug > fixes. > > Do we have some list with scenarios, which we can cover with fuzzing tests > in Tempest? We can start from some tests which will validate fixed security > issues, it will be really helpful if you can share some ideas about tests, > which we have to create. > > > > Thank you! > > [1] https://github.com/stackforge/bandit > [2] https://blueprints.launchpad.net/tempest/+spec/fuzzy-test > > > -- > > > > Timur, > > Senior QA Engineer > > OpenStack Projects > > Mirantis Inc > -- Timur, Senior QA Engineer OpenStack Projects Mirantis Inc -------------- next part -------------- An HTML attachment was scrubbed... URL: From gerrit2 at review.openstack.org Thu Jun 18 17:08:02 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Thu, 18 Jun 2015 17:08:02 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/191095 Log: commit 55e63f83a7caec5a8d85b7532c501e1b846295ba Author: Davanum Srinivas Date: Fri Jun 12 10:26:08 2015 -0400 Allow non-admin to list all tenants based on policy Currently, running 'nova list --all-tenants' with a policy change: "compute:get_all_tenants": "role:special_role or is_admin:True" will not work as expected, The returned list of servers will not contain all instances of all tenants. We should support administrators who wish to enable this functionality in their policy.json. We need to fix this problem both in the v2 API and in the v2.1 as well. Deep in instance_get_all_by_filters_sort, there is a check which adds a filter of project_id or user_id if the context is NOT an admin context. So, the returned list will be a subset of all the instances in the database. To fix this scenario, the easy way is to call get_all with an elevated context to pass this check in instance_get_all_by_filters_sort. So in fixing the bug above, we need to fix the default policy so that all-tenants is available by default only to administrators. UpgradeImpact SecurityImpact DocImpact: --all-tenants will list all servers for non-admin APIImpact: --all-tenants will list all servers for non-admin Closes-Bug: #1464381 Change-Id: I6fe512ff00a0fde1c75d49efe8bfa5f3d2d34df6 From michael.xin at RACKSPACE.COM Thu Jun 18 21:25:00 2015 From: michael.xin at RACKSPACE.COM (Michael Xin) Date: Thu, 18 Jun 2015 21:25:00 +0000 Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? In-Reply-To: References: Message-ID: Timur: Thanks. Yes. That’s part of the plan. Thanks and have a great day. Yours, Michael ----------------------------------------------------------------------------- Michael Xin | Manager, Security Engineering - US Product Security |Rackspace Hosting Office #: 501-7341 or 210-312-7341 Mobile #: 210-284-8674 5000 Walzem Road, San Antonio, Tx 78218 ---------------------------------------------------------------------------- Experience fanatical support From: Timur Nurlygayanov > Date: Thursday, June 18, 2015 at 11:23 AM To: michael xin > Cc: Charles Neill >, "Clark, Robert Graham" >, "openstack-security at lists.openstack.org" > Subject: Re: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? Thank you all for the responses! We are planing to contribute our security tests too and we are looking for the right place for this. Michael, do you plan to add some security tests to Tempest as well? On Thu, Jun 18, 2015 at 5:33 PM, Michael Xin > wrote: Charles and Clark: Thanks for the update. There are two different types of fuzzing that are discussed here: 1. Deep security fuzzing to find new security defects. Sulley looks like a good tool for this purpose. For this type of fuzzing, the goal is to generate huge amount of unexpected fuzz attack vectors to check whether the application could handle these data. It will take a long time and it has the potential to find new security defects. 2. Light fuzzing automation that can be integrated with CI process. For this type of fuzzing, we have pre-defined fuzzing strings and we know the expected responses back. We can have a list of security tests defined: authentication & authorization, injection issues, security transport layer issues, user input validation, denial of services, etc. It should give us consistent level of security coverage. This approach has the risk of missing new security defects. But once new security defects are identified, it is possible to add security checks to make sure that they will be identified in the future. This types of security tests can be run the same time that QA function tests are run. It is easy for integrate. Rackspace has been working with our QE to build more security test cases like these. For OpenStack, we are currently pushing security test cases to Barbican and Poppy projects. More should come in the future. Thanks and have a great day. Yours, Michael ----------------------------------------------------------------------------- Michael Xin | Manager, Security Engineering - US Product Security |Rackspace Hosting Office #: 501-7341 or 210-312-7341 Mobile #: 210-284-8674 5000 Walzem Road, San Antonio, Tx 78218 ---------------------------------------------------------------------------- Experience fanatical support From: Charles Neill > Date: Wednesday, June 17, 2015 at 10:57 AM To: "Clark, Robert Graham" >, Timur Nurlygayanov >, "openstack-security at lists.openstack.org" > Subject: Re: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? I'm actually working on some (very simple) fuzzing tests for the Barbican project right now. I've realized that using a Python client that is strictly defined for sending "good" data to an API isn't necessarily the best mechanism for truly fuzzing that API. For example, the "requests" lib chokes on trying to convert unicode strings to ascii in HTTP request headers. I'm contemplating using something like sulley (link: https://github.com/OpenRCE/sulley) for deeper fuzzing, but I don't have time to really dig into it at the moment. I'd love to hear others' thoughts on this problem. Cheers, Charles Neill From: , Robert Graham > Date: Wednesday, June 17, 2015 at 5:32 AM To: Timur Nurlygayanov >, "openstack-security at lists.openstack.org" > Subject: Re: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? Fuzzing with Tempest is something that was discussed at the last summit, I think Rackspace had some interesting work that wanted to share but I might be miss-remembering. One of the issues is that unless you’re looking with issues in the python libraries used for handling the APIs (which would be interesting to find) message/protocol fuzzing is pretty limited, instead we need something that really understands the API to perform fuzzing to find things that logically shouldn’t be allowed to happen – many of these will be broken state issues. -Rob From: Timur Nurlygayanov [mailto:tnurlygayanov at mirantis.com] Sent: 15 June 2015 18:21 To: openstack-security at lists.openstack.org Subject: [Openstack-security] [security] [QA] Do we have security tests suite for OpenStack components? Hi team, Looks like we are using Bandit framework [1] for static analysis of code of different OpenStack components, but I can't find some integration security tests for OpenStack components. Do we have some additional open-source test framework / tests suite for security testing of OpenStack components? I found the blueprint in Tempest about fuzzy testing [2], so, we can start to develop some security tests in Tempest and use them to perform security testing on the integration level and also to validate some security bug fixes. Do we have some list with scenarios, which we can cover with fuzzing tests in Tempest? We can start from some tests which will validate fixed security issues, it will be really helpful if you can share some ideas about tests, which we have to create. Thank you! [1] https://github.com/stackforge/bandit [2] https://blueprints.launchpad.net/tempest/+spec/fuzzy-test -- Timur, Senior QA Engineer OpenStack Projects Mirantis Inc -- Timur, Senior QA Engineer OpenStack Projects Mirantis Inc -------------- next part -------------- An HTML attachment was scrubbed... URL: From 1361360 at bugs.launchpad.net Fri Jun 19 12:50:03 2015 From: 1361360 at bugs.launchpad.net (Alan Pevec) Date: Fri, 19 Jun 2015 12:50:03 -0000 Subject: [Openstack-security] [Bug 1361360] Re: Eventlet green threads not released back to the pool leading to choking of new requests References: <20140825203231.13086.48412.malonedeb@wampee.canonical.com> Message-ID: <20150619125010.5391.7488.launchpad@wampee.canonical.com> ** Changed in: nova/icehouse Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1361360 Title: Eventlet green threads not released back to the pool leading to choking of new requests Status in Cinder: Fix Released Status in Cinder icehouse series: Fix Released Status in Cinder juno series: Fix Released Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released Status in Glance icehouse series: Fix Committed Status in Orchestration API (Heat): Fix Committed Status in OpenStack Identity (Keystone): Fix Committed Status in Keystone icehouse series: Confirmed Status in Keystone juno series: Fix Committed Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in neutron juno series: Fix Committed Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) icehouse series: Fix Released Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Data Processing (Sahara): Confirmed Bug description: Currently reproduced on Juno milestone 2. but this issue should be reproducible in all releases since its inception. It is possible to choke OpenStack API controller services using wsgi+eventlet library by simply not closing the client socket connection. Whenever a request is received by any OpenStack API service for example nova api service, eventlet library creates a green thread from the pool and starts processing the request. Even after the response is sent to the caller, the green thread is not returned back to the pool until the client socket connection is closed. This way, any malicious user can send many API requests to the API controller node and determine the wsgi pool size configured for the given service and then send those many requests to the service and after receiving the response, wait there infinitely doing nothing leading to disrupting services for other tenants. Even when service providers have enabled rate limiting feature, it is possible to choke the API services with a group (many tenants) attack. Following program illustrates choking of nova-api services (but this problem is omnipresent in all other OpenStack API Services using wsgi+eventlet) Note: I have explicitly set the wsi_default_pool_size default value to 10 in order to reproduce this problem in nova/wsgi.py. After you run the below program, you should try to invoke API ============================================================================================ import time import requests from multiprocessing import Process def request(number): #Port is important here path = 'http://127.0.0.1:8774/servers' try: response = requests.get(path) print "RESPONSE %s-%d" % (response.status_code, number) #during this sleep time, check if the client socket connection is released or not on the API controller node. time.sleep(1000) print “Thread %d complete" % number except requests.exceptions.RequestException as ex: print “Exception occurred %d-%s" % (number, str(ex)) if __name__ == '__main__': processes = [] for number in range(40): p = Process(target=request, args=(number,)) p.start() processes.append(p) for p in processes: p.join() ================================================================================================ Presently, the wsgi server allows persist connections if you configure keepalive to True which is default. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Additional information: By default eventlet passes “Connection: keepalive” if keepalive is set to True when a response is sent to the client. But it doesn’t have capability to set the timeout and max parameter. For example. Keep-Alive: timeout=10, max=5 Note: After we have disabled keepalive in all the OpenStack API service using wsgi library, then it might impact all existing applications built with the assumptions that OpenStack API services uses persistent connections. They might need to modify their applications if reconnection logic is not in place and also they might experience the performance has slowed down as it will need to reestablish the http connection for every request. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1361360/+subscriptions From 1465922 at bugs.launchpad.net Fri Jun 19 19:20:00 2015 From: 1465922 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 19 Jun 2015 19:20:00 -0000 Subject: [Openstack-security] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled References: <20150617025422.18505.35016.malonedeb@gac.canonical.com> Message-ID: <20150619192001.27686.18618.launchpad@gac.canonical.com> ** Changed in: keystone Status: Confirmed => In Progress -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1465922 Title: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled Status in OpenStack Identity (Keystone): In Progress Status in OpenStack Security Advisories: Won't Fix Bug description: grep CLEARTEXTPASSWORD keystone.log 2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_user(user={u'domain_id': u'default', u'password': u'CLEARTEXTPASSWORD', u'enabled': True, u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name': u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site- packages/keystone/common/controller.py:57 Issue code: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57 LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])}) Shadow the values of sensitive fields like 'password' by some meaningless garbled text like "XXXXX" is one way to fix. Well, in addition to this, I think we should never pass the 'password' with its original value along the code and save it in any persistence, instead we should convert it to a strong hash value as early as possible. With the help of a good hash system, we never have to need the original value of the password, right? To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1465922/+subscriptions From gerrit2 at review.openstack.org Fri Jun 19 22:43:02 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Fri, 19 Jun 2015 22:43:02 +0000 Subject: [Openstack-security] [openstack/glance-specs] SecurityImpact review request change I305b2ae86415c8d256c641abb2795af663bee56a Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/177948 Log: commit c1fe7ca32aaadba74dfea65e9562ad01342435d9 Author: Brianna Poulos Date: Mon Apr 27 15:35:51 2015 -0400 Encrypted and Authenticated Image Support This spec describes a means to support signing and signature validation of bootable images, along with encrypted images. DocImpact SecurityImpact Implements: blueprint encrypted-and-authenticated-image-support Change-Id: I305b2ae86415c8d256c641abb2795af663bee56a From 1442343 at bugs.launchpad.net Fri Jun 19 22:37:32 2015 From: 1442343 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 19 Jun 2015 22:37:32 -0000 Subject: [Openstack-security] [Bug 1442343] Re: Mapping openstack_project attribute in k2k assertions with different domains References: <20150409195425.7552.82346.malonedeb@chaenomeles.canonical.com> Message-ID: <20150619223732.7922.43499.malone@wampee.canonical.com> Reviewed: https://review.openstack.org/179195 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=0c0bf69ceff55d81054a61123cccabb721b96b09 Submitter: Jenkins Branch: stable/kilo commit 0c0bf69ceff55d81054a61123cccabb721b96b09 Author: Rodrigo Duarte Sousa Date: Fri Apr 10 14:59:34 2015 -0300 Add openstack_project_domain to assertion Currently, a keystone IdP does not provide the domain of the project when generating SAML assertions. Since it is possible to have two projects with the same name but in different domains, this patch adds an additional attribute called "openstack_project_domain" in the assertion to identify the domain of the project. Closes-Bug: 1442343 bp assertion-extra-attributes Change-Id: I62ed73d87f268c73294738845421deb87088326b (cherry picked from commit fa844bc88edb417f9513d19c749886a61d7b26ce) ** Tags added: in-stable-kilo -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1442343 Title: Mapping openstack_project attribute in k2k assertions with different domains Status in OpenStack Identity (Keystone): Fix Committed Bug description: We can have two projects with the same name in different domains. So if we have a "Project A" in "Domain X" and a "Project A" in "Domain Y", there is no way to differ what "Project A" is being used in a SAML assertion generated by this IdP (we have only the openstack_project attribute in the SAML assertion). To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1442343/+subscriptions From 1391504 at bugs.launchpad.net Mon Jun 22 13:59:20 2015 From: 1391504 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 22 Jun 2015 13:59:20 -0000 Subject: [Openstack-security] [Bug 1391504] Change abandoned on nova (master) References: <20141111130915.17341.22090.malonedeb@chaenomeles.canonical.com> Message-ID: <20150622135920.29682.55397.malone@chaenomeles.canonical.com> Change abandoned by John Garbutt (john at johngarbutt.com) on branch: master Review: https://review.openstack.org/123428 Reason: this appears to have little attention, so I am assuming the submitter is no longer working on this, so abadongin this for now. please restore this if you want to work on it again. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1391504 Title: Sample policies for Openstack Status in Cinder: Triaged Status in OpenStack Image Registry and Delivery Service (Glance): In Progress Status in OpenStack Identity (Keystone): Confirmed Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Compute (Nova): Confirmed Bug description: Regarding OpenStack policies, in general, the described roles seem quite complicated, it is not clear which roles are appropriated for each user. For example, in many policies it is defined just a global admin role. We would like to clarify what are the role organizations, for example, cloud_admin is the role for the cloud managers, domain_admin is the role for the domain managers, project_admin for the project admin and project_member a member with a role in a project but with no admin permissions. In this way, it is clear for the cloud manager which capability is being given to a user. The idea is create a policy.cloudsample.json, where roles as cloud_admin project_admin, and project_member will be defined and some default permissions, making policies closer to the business reality. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1391504/+subscriptions From gerrit2 at review.openstack.org Mon Jun 22 15:36:40 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 22 Jun 2015 15:36:40 +0000 Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change I4b242faeb6c94285df37133828ca4c0231e64a3b Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/192892 Log: commit 56c761f0c575b9f62b88c3b2061b672c6d9378a4 Author: Claudiu Belu Date: Wed Jun 17 23:55:03 2015 +0300 Adds Hyper-V Shielded VMs spec https://blueprints.launchpad.net/nova/+spec/hyper-v-shielded-vms If the administrator of a hypervisor host is compromised, all of the existent virtual machine data can be read, which is highly undesirable. Windows / Hyper-V Server Technical Preview introduced the concept of shielded VMs, offering the users an environment where the protection of the virtual machine data is enhanced against threats like malware, compromised storage, network and even host administrators. SecurityImpact Change-Id: I4b242faeb6c94285df37133828ca4c0231e64a3b Implements: blueprint hyper-v-shielded-vms From 1451931 at bugs.launchpad.net Mon Jun 22 18:30:59 2015 From: 1451931 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 22 Jun 2015 18:30:59 -0000 Subject: [Openstack-security] [Bug 1451931] Fix proposed to nova (stable/kilo) References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com> Message-ID: <20150622183100.32064.21980.malone@soybean.canonical.com> Fix proposed to branch: stable/kilo Review: https://review.openstack.org/194289 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1451931 Title: ironic password config not marked as secret Status in OpenStack Compute (Nova): Fix Committed Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: The ironic config option for the password and auth token are not marked as secret so the values will get logged during startup in debug mode. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1451931/+subscriptions From 1451931 at bugs.launchpad.net Mon Jun 22 18:31:25 2015 From: 1451931 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 22 Jun 2015 18:31:25 -0000 Subject: [Openstack-security] [Bug 1451931] Fix proposed to nova (stable/juno) References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com> Message-ID: <20150622183125.8070.78360.malone@wampee.canonical.com> Fix proposed to branch: stable/juno Review: https://review.openstack.org/194290 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1451931 Title: ironic password config not marked as secret Status in OpenStack Compute (Nova): Fix Committed Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: The ironic config option for the password and auth token are not marked as secret so the values will get logged during startup in debug mode. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1451931/+subscriptions From mriedem at us.ibm.com Mon Jun 22 20:23:40 2015 From: mriedem at us.ibm.com (Matt Riedemann) Date: Mon, 22 Jun 2015 20:23:40 -0000 Subject: [Openstack-security] [Bug 1451931] Re: ironic password config not marked as secret References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com> Message-ID: <20150622202341.24889.42270.launchpad@gac.canonical.com> ** Also affects: nova/juno Importance: Undecided Status: New ** Also affects: nova/kilo Importance: Undecided Status: New ** Changed in: nova/juno Assignee: (unassigned) => Michael McCune (mimccune) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1451931 Title: ironic password config not marked as secret Status in OpenStack Compute (Nova): Fix Committed Status in OpenStack Compute (nova) juno series: New Status in OpenStack Compute (nova) kilo series: New Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: The ironic config option for the password and auth token are not marked as secret so the values will get logged during startup in debug mode. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1451931/+subscriptions From msm at redhat.com Mon Jun 22 21:59:02 2015 From: msm at redhat.com (Michael McCune) Date: Mon, 22 Jun 2015 21:59:02 -0000 Subject: [Openstack-security] [Bug 1451931] Re: ironic password config not marked as secret References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com> Message-ID: <20150622215905.7348.82814.launchpad@wampee.canonical.com> ** Changed in: nova/kilo Assignee: (unassigned) => Michael McCune (mimccune) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1451931 Title: ironic password config not marked as secret Status in OpenStack Compute (Nova): Fix Committed Status in OpenStack Compute (nova) juno series: New Status in OpenStack Compute (nova) kilo series: New Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: The ironic config option for the password and auth token are not marked as secret so the values will get logged during startup in debug mode. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1451931/+subscriptions From gerrit2 at review.openstack.org Mon Jun 22 22:34:49 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Mon, 22 Jun 2015 22:34:49 +0000 Subject: [Openstack-security] [openstack/glance-specs] SecurityImpact review request change I305b2ae86415c8d256c641abb2795af663bee56a Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/177948 Log: commit 730d2cf196b47ca4ab4a12c4766649f8836e591c Author: Brianna Poulos Date: Mon Apr 27 15:35:51 2015 -0400 Encrypted and Authenticated Image Support This spec describes a means to support signing and signature validation of bootable images, along with encrypted images. DocImpact SecurityImpact Implements: blueprint encrypted-and-authenticated-image-support Change-Id: I305b2ae86415c8d256c641abb2795af663bee56a From gerrit2 at review.openstack.org Tue Jun 23 06:45:23 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 23 Jun 2015 06:45:23 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/192986 Log: commit c6d5cddc58c54904798b03d6701dac2a5c520f1b Author: Rajesh Tailor Date: Tue Mar 31 05:24:47 2015 -0700 libvirt: Kill rsync/scp processes before deleting instance In the resize operation, during copying files from source to destination compute node scp/rsync processes are not aborted after the instance is deleted because linux kernel doesn't delete instance files physically until all processes using the file handle is closed completely. Hence rsync/scp process keeps on running until it transfers 100% of file data. Added callback methods to execute call which will store the pid of scp/rsync process in memorycache as a key: value pair and to remove the pid from the cache after process completion. Process id will be used to kill the process if it is running while deleting the instance. Instance uuid is used as a key in the cache and pid will be the value. SecurityImpact Closes-bug: #1387543 Change-Id: Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9 From sbauza at free.fr Tue Jun 23 07:46:44 2015 From: sbauza at free.fr (Sylvain Bauza) Date: Tue, 23 Jun 2015 07:46:44 -0000 Subject: [Openstack-security] [Bug 1456228] Re: Trusted vm can be powered on untrusted host References: <20150518141406.21329.60661.malonedeb@wampee.canonical.com> Message-ID: <20150623074644.29273.34847.malone@chaenomeles.canonical.com> The TrustedFilter filter actually doesn't check by itself but rather calls the Attestation API to know if the destination host is correct or not. That way, it's just when the instance is scheduled that it goes to the scheduler, then finds an acceptable destination (so calls the Attestation API for each host to see if it's compromised or not) and then calls the corresponding compute node to spawn that VM. Once the VM is spawned, the scheduler is no longer involved unless a migration, a resize or an evacuation is asked for that VM. That means that having a valid host, running a VM, stopping it, compromising the host, then restarting the VM is something that Nova doesn't check, because it's not its responsibility. To be clear, Nova doesn't want to support that feature. ** Changed in: nova Status: New => Invalid -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1456228 Title: Trusted vm can be powered on untrusted host Status in OpenStack Compute (Nova): Invalid Status in OpenStack Security Advisories: Incomplete Bug description: This is related to the trusted compute. I recently setup trusted compute pool in my company and have observed that although new trusted vm is not able to be launched from an untrusted host, but if an trusted vm that have launched earlier on a trusted host which is compromised later on, that VM can still be powered on. 1. Exact version of Nova/Openstack: [root at grunt2 ~]# rpm -qa | grep nova python-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-network-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-compute-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-conductor-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-cells-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-api-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-console-2014.1.2-100+45c2cbc.fc20.noarch python-novaclient-2.17.0-2.fc21.noarch openstack-nova-cert-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-scheduler-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-objectstore-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-common-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-novncproxy-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-doc-2014.1.2-100+45c2cbc.fc20.noarch 2. Relevant log files: this is not a error, don't think logs will help.. 3. Reproduce steps: * create trusted compute pool with only one compute node * create an trusted VM on that compute node * compromise the trusted compute node by changing the boot order * power on the trusted Vm created earlier. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1456228/+subscriptions From slukjanov at mirantis.com Tue Jun 23 08:29:56 2015 From: slukjanov at mirantis.com (Sergey Lukjanov) Date: Tue, 23 Jun 2015 08:29:56 -0000 Subject: [Openstack-security] [Bug 1361360] Re: Eventlet green threads not released back to the pool leading to choking of new requests References: <20140825203231.13086.48412.malonedeb@wampee.canonical.com> Message-ID: <20150623083000.24785.17800.launchpad@gac.canonical.com> ** Changed in: sahara Milestone: liberty-1 => liberty-2 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1361360 Title: Eventlet green threads not released back to the pool leading to choking of new requests Status in Cinder: Fix Released Status in Cinder icehouse series: Fix Released Status in Cinder juno series: Fix Released Status in OpenStack Image Registry and Delivery Service (Glance): Fix Released Status in Glance icehouse series: Fix Committed Status in Orchestration API (Heat): Fix Committed Status in OpenStack Identity (Keystone): Fix Committed Status in Keystone icehouse series: Confirmed Status in Keystone juno series: Fix Committed Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in neutron juno series: Fix Committed Status in OpenStack Compute (Nova): Fix Released Status in OpenStack Compute (nova) icehouse series: Fix Released Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Data Processing (Sahara): Confirmed Bug description: Currently reproduced on Juno milestone 2. but this issue should be reproducible in all releases since its inception. It is possible to choke OpenStack API controller services using wsgi+eventlet library by simply not closing the client socket connection. Whenever a request is received by any OpenStack API service for example nova api service, eventlet library creates a green thread from the pool and starts processing the request. Even after the response is sent to the caller, the green thread is not returned back to the pool until the client socket connection is closed. This way, any malicious user can send many API requests to the API controller node and determine the wsgi pool size configured for the given service and then send those many requests to the service and after receiving the response, wait there infinitely doing nothing leading to disrupting services for other tenants. Even when service providers have enabled rate limiting feature, it is possible to choke the API services with a group (many tenants) attack. Following program illustrates choking of nova-api services (but this problem is omnipresent in all other OpenStack API Services using wsgi+eventlet) Note: I have explicitly set the wsi_default_pool_size default value to 10 in order to reproduce this problem in nova/wsgi.py. After you run the below program, you should try to invoke API ============================================================================================ import time import requests from multiprocessing import Process def request(number): #Port is important here path = 'http://127.0.0.1:8774/servers' try: response = requests.get(path) print "RESPONSE %s-%d" % (response.status_code, number) #during this sleep time, check if the client socket connection is released or not on the API controller node. time.sleep(1000) print “Thread %d complete" % number except requests.exceptions.RequestException as ex: print “Exception occurred %d-%s" % (number, str(ex)) if __name__ == '__main__': processes = [] for number in range(40): p = Process(target=request, args=(number,)) p.start() processes.append(p) for p in processes: p.join() ================================================================================================ Presently, the wsgi server allows persist connections if you configure keepalive to True which is default. In order to close the client socket connection explicitly after the response is sent and read successfully by the client, you simply have to set keepalive to False when you create a wsgi server. Additional information: By default eventlet passes “Connection: keepalive” if keepalive is set to True when a response is sent to the client. But it doesn’t have capability to set the timeout and max parameter. For example. Keep-Alive: timeout=10, max=5 Note: After we have disabled keepalive in all the OpenStack API service using wsgi library, then it might impact all existing applications built with the assumptions that OpenStack API services uses persistent connections. They might need to modify their applications if reconnection logic is not in place and also they might experience the performance has slowed down as it will need to reestablish the http connection for every request. To manage notifications about this bug go to: https://bugs.launchpad.net/cinder/+bug/1361360/+subscriptions From gerrit2 at review.openstack.org Tue Jun 23 09:28:45 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 23 Jun 2015 09:28:45 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/192986 Log: commit 82a088e804062f66138ead3c87b4ab029d08efa4 Author: Rajesh Tailor Date: Tue Mar 31 05:24:47 2015 -0700 libvirt: Kill rsync/scp processes before deleting instance In the resize operation, during copying files from source to destination compute node scp/rsync processes are not aborted after the instance is deleted because linux kernel doesn't delete instance files physically until all processes using the file handle is closed completely. Hence rsync/scp process keeps on running until it transfers 100% of file data. Added callback methods to execute call which will store the pid of scp/rsync process in memorycache as a key: value pair and to remove the pid from the cache after process completion. Process id will be used to kill the process if it is running while deleting the instance. Instance uuid is used as a key in the cache and pid will be the value. SecurityImpact Closes-bug: #1387543 Change-Id: Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9 From gerrit2 at review.openstack.org Tue Jun 23 21:14:10 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 23 Jun 2015 21:14:10 +0000 Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/188874 Log: commit add1eeae27da5b2eb9af4e72481a8334a0a5664c Author: Dane Fichter Date: Fri Jun 5 13:25:11 2015 -0400 Nova Support of Glance Image Signing This spec is related to work in the Glance project which handles signed and encrypted images. SecurityImpact DocImpact It depends on this glance spec: Depends-On: I305b2ae86415c8d256c641abb2795af663bee56a Change-Id: Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Implements: blueprint nova-support-image-signing From gerrit2 at review.openstack.org Tue Jun 23 21:15:28 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 23 Jun 2015 21:15:28 +0000 Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/188874 Log: commit db6032a901a640302258fc77c9c1721fe57ad3d4 Author: Dane Fichter Date: Fri Jun 5 13:25:11 2015 -0400 Nova Support of Glance Image Signing This spec is related to work in the Glance project which handles signed images. SecurityImpact DocImpact It depends on this glance spec: Depends-On: I305b2ae86415c8d256c641abb2795af663bee56a Change-Id: Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Implements: blueprint nova-support-image-signing From gerrit2 at review.openstack.org Tue Jun 23 23:24:38 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Tue, 23 Jun 2015 23:24:38 +0000 Subject: [Openstack-security] [openstack/nova] SecurityImpact review request change Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/192986 Log: commit 86cd3244584699006c5217dbe1195f0c7a83968b Author: Rajesh Tailor Date: Tue Mar 31 05:24:47 2015 -0700 libvirt: Kill rsync/scp processes before deleting instance In the resize operation, during copying files from source to destination compute node scp/rsync processes are not aborted after the instance is deleted because linux kernel doesn't delete instance files physically until all processes using the file handle is closed completely. Hence rsync/scp process keeps on running until it transfers 100% of file data. Added callback methods to execute call which will store the pid of scp/rsync process in memorycache as a key: value pair and to remove the pid from the cache after process completion. Process id will be used to kill the process if it is running while deleting the instance. Instance uuid is used as a key in the cache and pid will be the value. SecurityImpact Depends-On: I08693891b2b4c1d4c166e41b38adc6776e25d8e5 Closes-bug: #1387543 Change-Id: Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9 From 1451931 at bugs.launchpad.net Wed Jun 24 09:51:57 2015 From: 1451931 at bugs.launchpad.net (OpenStack Infra) Date: Wed, 24 Jun 2015 09:51:57 -0000 Subject: [Openstack-security] [Bug 1451931] Re: ironic password config not marked as secret References: <20150505164255.28640.31104.malonedeb@soybean.canonical.com> Message-ID: <20150624095157.29750.62166.malone@chaenomeles.canonical.com> Reviewed: https://review.openstack.org/194289 Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cd6353af7b2b4b0ef392eb015cbba9122a64f8bf Submitter: Jenkins Branch: stable/kilo commit cd6353af7b2b4b0ef392eb015cbba9122a64f8bf Author: Joe Gordon Date: Mon May 4 11:19:33 2015 -0700 Mark ironic credential config as secret Mark ironic credentials as secret so we don't log the values. Detected with bandit while testing out: I3026b81317f0a6322acfc94784899a7453af586f Change-Id: Icfd13b3294a9fa0881a5ab01f50864ebcbce393e Closes-Bug: #1451931 ** Changed in: nova/kilo Status: New => Fix Committed -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1451931 Title: ironic password config not marked as secret Status in OpenStack Compute (Nova): Fix Committed Status in OpenStack Compute (nova) juno series: New Status in OpenStack Compute (nova) kilo series: Fix Committed Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: The ironic config option for the password and auth token are not marked as secret so the values will get logged during startup in debug mode. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1451931/+subscriptions From kzaitsev at mirantis.com Thu Jun 11 11:06:20 2015 From: kzaitsev at mirantis.com (Kirill Zaitsev) Date: Thu, 11 Jun 2015 11:06:20 -0000 Subject: [Openstack-security] [Bug 1464219] [NEW] [api] there are no checks of request tenant_id in delete/deploy of environment References: <20150611110620.13354.78142.malonedeb@wampee.canonical.com> Message-ID: <20150611110620.13354.78142.malonedeb@wampee.canonical.com> Public bug reported: Looks like the code currently does not check, that a given env belongs to current requests tenant. Therefore it might be possible for users from different tenants to delete/deploy environments. ** Affects: murano Importance: Undecided Status: New ** Tags: api kilo-backport-potential security -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1464219 Title: [api] there are no checks of request tenant_id in delete/deploy of environment Status in Murano: New Bug description: Looks like the code currently does not check, that a given env belongs to current requests tenant. Therefore it might be possible for users from different tenants to delete/deploy environments. To manage notifications about this bug go to: https://bugs.launchpad.net/murano/+bug/1464219/+subscriptions From brian.tully at hp.com Thu Jun 11 21:10:28 2015 From: brian.tully at hp.com (Brian Tully) Date: Thu, 11 Jun 2015 21:10:28 -0000 Subject: [Openstack-security] [Bug 1461154] Re: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers References: <20150602162757.6123.3584.malonedeb@wampee.canonical.com> Message-ID: <20150611211028.30378.74213.malone@wampee.canonical.com> Tristan - does this need to be opened as a separate bug or can we reuse this bug? I have a patch that I've been waiting to commit until this became public, but now it's marked as "won't fix" so I'm confused as to what the next steps are. Please advise :) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461154 Title: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers Status in OpenStack Dashboard (Horizon): New Status in OpenStack Security Advisories: Won't Fix Bug description: This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. Vulnerability Details A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. Impact An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks. Recommendations Set the HTTP X-Frame-Options header to one of the following: DENY - deny any frames SAMEORIGIN - frames are only allowed from the same origin ALLOW-FROM - a list of allowable origin's Although many pages within Horizon 1.1 leverage the X-Frame-Options header with the recommended SAMEORIGIN policy, some (still popular) older browsers don’t support this setting. Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus vulnerable to an attack known as ClickJacking unless an additional mitigating control is present. To support legacy browsers, a suggested best practice is to add a frame breaking script to the base/global template file. Based off of https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best- for-now_Legacy_Browser_Frame_Breaking_Script """ One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers, that do not support the X-Frame-Options-Header. In the document HEAD element, add the following: First apply an ID to the style element itself: And then delete that style by its ID immediately after in the script: This way, everything can be in the document HEAD and you only need one method/taglib in your API. """ To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1461154/+subscriptions From brian.tully at hp.com Thu Jun 11 21:13:10 2015 From: brian.tully at hp.com (Brian Tully) Date: Thu, 11 Jun 2015 21:13:10 -0000 Subject: [Openstack-security] [Bug 1461154] Re: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers References: <20150602162757.6123.3584.malonedeb@wampee.canonical.com> Message-ID: <20150611211310.18569.4420.malone@gac.canonical.com> ahh nevermind, I see that the "won't fix" was assigned to "ossa" :) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461154 Title: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers Status in OpenStack Dashboard (Horizon): New Status in OpenStack Security Advisories: Won't Fix Bug description: This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments. Vulnerability Details A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. Impact An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks. Recommendations Set the HTTP X-Frame-Options header to one of the following: DENY - deny any frames SAMEORIGIN - frames are only allowed from the same origin ALLOW-FROM - a list of allowable origin's Although many pages within Horizon 1.1 leverage the X-Frame-Options header with the recommended SAMEORIGIN policy, some (still popular) older browsers don’t support this setting. Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus vulnerable to an attack known as ClickJacking unless an additional mitigating control is present. To support legacy browsers, a suggested best practice is to add a frame breaking script to the base/global template file. Based off of https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best- for-now_Legacy_Browser_Frame_Breaking_Script """ One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers, that do not support the X-Frame-Options-Header. In the document HEAD element, add the following: First apply an ID to the style element itself: And then delete that style by its ID immediately after in the script: This way, everything can be in the document HEAD and you only need one method/taglib in your API. """ To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1461154/+subscriptions From icordasc+launchpad at coglib.com Fri Jun 12 17:52:52 2015 From: icordasc+launchpad at coglib.com (Ian Cordasco) Date: Fri, 12 Jun 2015 17:52:52 -0000 Subject: [Openstack-security] [Bug 1436082] Re: VMWare and HTTP stores do not verify HTTPS Connections as they use httplib.HTTPSConnection References: <20150324214535.8217.99560.malonedeb@soybean.canonical.com> Message-ID: <20150612175253.18211.68417.launchpad@gac.canonical.com> ** Also affects: ossn Importance: Undecided Status: New ** Changed in: ossn Assignee: (unassigned) => Ian Cordasco (icordasc) ** Changed in: ossn Status: New => In Progress -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1436082 Title: VMWare and HTTP stores do not verify HTTPS Connections as they use httplib.HTTPSConnection Status in OpenStack Glance backend store-drivers library (glance_store): In Progress Status in OpenStack Security Notes: In Progress Bug description: VMWare store: https://github.com/openstack/glance_store/blob/ea88e503b617a7ac9a0ae7e537d6517e9992a104/glance_store/_drivers/vmware_datastore.py#L501 (_get_conn_class above uses simply httplib.HTTPSConnection). HTTP Store: https://github.com/openstack/glance_store/blob/master/glance_store/_drivers/http.py#L179 This leaves both stores open to man-in-the-middle attacks while transferring image data. To manage notifications about this bug go to: https://bugs.launchpad.net/glance-store/+bug/1436082/+subscriptions From bknudson at us.ibm.com Fri Jun 19 19:00:53 2015 From: bknudson at us.ibm.com (Brant Knudson) Date: Fri, 19 Jun 2015 19:00:53 -0000 Subject: [Openstack-security] [Bug 1465922] Re: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled References: <20150617025422.18505.35016.malonedeb@gac.canonical.com> Message-ID: <20150619190053.6152.99900.malone@wampee.canonical.com> Was able to recreate locally on master. ** Changed in: keystone Status: Won't Fix => Confirmed ** Changed in: keystone Importance: Undecided => Medium ** Changed in: keystone Assignee: (unassigned) => Brant Knudson (blk-u) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1465922 Title: Password visible in clear text in keystone.log when user created and keystone debug logging is enabled Status in OpenStack Identity (Keystone): Confirmed Status in OpenStack Security Advisories: Won't Fix Bug description: grep CLEARTEXTPASSWORD keystone.log 2015-06-16 06:44:39.770 20986 DEBUG keystone.common.controller [-] RBAC: Authorizing identity:create_user(user={u'domain_id': u'default', u'password': u'CLEARTEXTPASSWORD', u'enabled': True, u'default_project_id': u'0175b43419064ae38c4b74006baaeb8d', u'name': u'DermotJ'}) _build_policy_check_credentials /usr/lib/python2.7/site- packages/keystone/common/controller.py:57 Issue code: https://github.com/openstack/keystone/blob/master/keystone/common/controller.py#L57 LOG.debug('RBAC: Authorizing %(action)s(%(kwargs)s)', { 'action': action, 'kwargs': ', '.join(['%s=%s' % (k, kwargs[k]) for k in kwargs])}) Shadow the values of sensitive fields like 'password' by some meaningless garbled text like "XXXXX" is one way to fix. Well, in addition to this, I think we should never pass the 'password' with its original value along the code and save it in any persistence, instead we should convert it to a strong hash value as early as possible. With the help of a good hash system, we never have to need the original value of the password, right? To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1465922/+subscriptions From gerrit2 at review.openstack.org Wed Jun 24 13:33:23 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Wed, 24 Jun 2015 13:33:23 +0000 Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change If7f87473a81b12c6d450a933c6780d4bc4e965a1 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/195078 Log: commit 43e3e10218994f2a06e1d17e0a0ed407f8f5556f Author: Dane Fichter Date: Fri Jun 5 13:25:11 2015 -0400 Nova Support of Glance Image Signing This spec is related to work in the Glance project which handles signed and encrypted images. SecurityImpact DocImpact It depends on this glance spec: Depends-On: I305b2ae86415c8d256c641abb2795af663bee56a Change-Id: Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Implements: blueprint nova-support-image-signing Nova Support of Glance Image Signing This spec is related to work in the Glance project which handles signed images. SecurityImpact DocImpact Change-Id: If7f87473a81b12c6d450a933c6780d4bc4e965a1 From gerrit2 at review.openstack.org Wed Jun 24 14:24:45 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Wed, 24 Jun 2015 14:24:45 +0000 Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/188874 Log: commit 34009e98c48941c5fbfb39757513b5cea5cf7cfb Author: Dane Fichter Date: Fri Jun 5 13:25:11 2015 -0400 Nova Support of Glance Image Signing This spec is related to work in the Glance project which handles signed images. SecurityImpact DocImpact It depends on this glance spec: Depends-On: I305b2ae86415c8d256c641abb2795af663bee56a Change-Id: Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Implements: blueprint nova-support-image-signing From gerrit2 at review.openstack.org Wed Jun 24 19:22:31 2015 From: gerrit2 at review.openstack.org (gerrit2 at review.openstack.org) Date: Wed, 24 Jun 2015 19:22:31 +0000 Subject: [Openstack-security] [openstack/nova-specs] SecurityImpact review request change Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Message-ID: Hi, I'd like you to take a look at this patch for potential SecurityImpact. https://review.openstack.org/188874 Log: commit 92e95a61288a381529525cf03578f7b010361a32 Author: Dane Fichter Date: Fri Jun 5 13:25:11 2015 -0400 Nova Support of Glance Image Signing This spec is related to work in the Glance project which handles signed images. SecurityImpact DocImpact It depends on this glance spec: Depends-On: I305b2ae86415c8d256c641abb2795af663bee56a Change-Id: Ia8e7fcc21d7c15e480facbe30af88cdce2d73159 Implements: blueprint nova-support-image-signing From sbauza at free.fr Wed Jun 24 20:31:07 2015 From: sbauza at free.fr (Sylvain Bauza) Date: Wed, 24 Jun 2015 20:31:07 -0000 Subject: [Openstack-security] [Bug 1456228] Re: Trusted vm can be powered on untrusted host References: <20150518141406.21329.60661.malonedeb@wampee.canonical.com> Message-ID: <20150624203108.10755.75633.malone@soybean.canonical.com> Tristan, to be clear, instances are spawned correctly. The problem is not at the creation stage or if a migration/evacuation is done, but rather what happens if one host gets compromised for the running instances. That's where the flaw is. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1456228 Title: Trusted vm can be powered on untrusted host Status in OpenStack Compute (Nova): Invalid Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: This is related to the trusted compute. I recently setup trusted compute pool in my company and have observed that although new trusted vm is not able to be launched from an untrusted host, but if an trusted vm that have launched earlier on a trusted host which is compromised later on, that VM can still be powered on. 1. Exact version of Nova/Openstack: [root at grunt2 ~]# rpm -qa | grep nova python-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-network-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-compute-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-conductor-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-cells-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-api-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-console-2014.1.2-100+45c2cbc.fc20.noarch python-novaclient-2.17.0-2.fc21.noarch openstack-nova-cert-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-scheduler-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-objectstore-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-common-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-novncproxy-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-doc-2014.1.2-100+45c2cbc.fc20.noarch 2. Relevant log files: this is not a error, don't think logs will help.. 3. Reproduce steps: * create trusted compute pool with only one compute node * create an trusted VM on that compute node * compromise the trusted compute node by changing the boot order * power on the trusted Vm created earlier. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1456228/+subscriptions From sbauza at free.fr Wed Jun 24 20:33:09 2015 From: sbauza at free.fr (Sylvain Bauza) Date: Wed, 24 Jun 2015 20:33:09 -0000 Subject: [Openstack-security] [Bug 1456228] Re: Trusted vm can be powered on untrusted host References: <20150518141406.21329.60661.malonedeb@wampee.canonical.com> Message-ID: <20150624203309.11141.35205.malone@soybean.canonical.com> Also, I raised the problem here and why I consider this filter should be removed from in-tree : http://lists.openstack.org/pipermail/openstack-dev/2015-June/067766.html Comments welcome. -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1456228 Title: Trusted vm can be powered on untrusted host Status in OpenStack Compute (Nova): Invalid Status in OpenStack Security Advisories: Won't Fix Status in OpenStack Security Notes: New Bug description: This is related to the trusted compute. I recently setup trusted compute pool in my company and have observed that although new trusted vm is not able to be launched from an untrusted host, but if an trusted vm that have launched earlier on a trusted host which is compromised later on, that VM can still be powered on. 1. Exact version of Nova/Openstack: [root at grunt2 ~]# rpm -qa | grep nova python-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-network-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-compute-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-conductor-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-cells-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-api-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-console-2014.1.2-100+45c2cbc.fc20.noarch python-novaclient-2.17.0-2.fc21.noarch openstack-nova-cert-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-scheduler-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-objectstore-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-common-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-novncproxy-2014.1.2-100+45c2cbc.fc20.noarch openstack-nova-doc-2014.1.2-100+45c2cbc.fc20.noarch 2. Relevant log files: this is not a error, don't think logs will help.. 3. Reproduce steps: * create trusted compute pool with only one compute node * create an trusted VM on that compute node * compromise the trusted compute node by changing the boot order * power on the trusted Vm created earlier. To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1456228/+subscriptions From karansachan at gmail.com Fri Jun 26 12:51:41 2015 From: karansachan at gmail.com (karan sachan) Date: Fri, 26 Jun 2015 18:21:41 +0530 Subject: [Openstack-security] [Openstack-dev][pyCADF]CADF audit event generation Message-ID: Hi Community, I have been trying to generate audit data and logs using pycadf. I have done the changes as mentioned here . I also followed the webinar on An Overview of Cloud Auditing Support for OpenStack. I have done following steps to configure CADF API audit filter with ceilometer for NOVA: 1. Enable and configure audit middleware: added [filter:audit] in etc/nova/api-paste.conf and added etc/nova/nova_api_audit_map.conf file 2. Added LIBS_FROM_GIT=pycadf in local.conf 3. Installed keystonemiddleware I could check on horizon that events have been captured by ceilometer on screen. [Problem 1] I don't know what will be the outcome of this configurations. Whether any new file will be generated having all the event logs. If yes, then kindly let us know the location where the file will be generated. If some other action happens then let us know how to trace it. [Problem 2] As we are currently on Icehouse, I could not see keystonemiddleware for it, it seems like only available to Juno and Kilo. So kindly suggest how to configure over Icehouse. -- Thanks & Regards, Karan Sachan -------------- next part -------------- An HTML attachment was scrubbed... URL: From 1334926 at bugs.launchpad.net Fri Jun 26 15:13:15 2015 From: 1334926 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 26 Jun 2015 15:13:15 -0000 Subject: [Openstack-security] [Bug 1334926] Related fix proposed to neutron (feature/qos) References: <20140627021809.32583.22324.malonedeb@soybean.canonical.com> Message-ID: <20150626151315.15457.64950.malone@wampee.canonical.com> Related fix proposed to branch: feature/qos Review: https://review.openstack.org/196097 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1334926 Title: floatingip still working once connected even after it is disociated Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in OpenStack Security Notes: Fix Released Bug description: After we create an SSH connection to a VM via its floating ip, even though we have removed the floating ip association, we can still access the VM via that connection. Namely, SSH is not disconnected when the floating ip is not valid To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1334926/+subscriptions From 1466216 at bugs.launchpad.net Fri Jun 26 16:52:29 2015 From: 1466216 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 26 Jun 2015 16:52:29 -0000 Subject: [Openstack-security] [Bug 1466216] Fix proposed to os-ansible-deployment (kilo) References: <20150617203545.4905.22166.malonedeb@wampee.canonical.com> Message-ID: <20150626165229.7454.21673.malone@gac.canonical.com> Fix proposed to branch: kilo Review: https://review.openstack.org/196144 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1466216 Title: Upgrade to ansible 1.9.2 when released Status in Ansible playbooks for deploying OpenStack: Fix Committed Status in openstack-ansible kilo series: In Progress Status in openstack-ansible trunk series: Fix Committed Bug description: Ansible 1.9.2 (unreleased) fixed a CVE-2015-3908 that affected usage of get_url. The vulnerability is related to allowing an HTTPS connection to be MITM'd. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1466216/+subscriptions From kevin.carter at rackspace.com Fri Jun 26 16:52:53 2015 From: kevin.carter at rackspace.com (Kevin Carter) Date: Fri, 26 Jun 2015 16:52:53 -0000 Subject: [Openstack-security] [Bug 1466216] Re: Upgrade to ansible 1.9.2 when released References: <20150617203545.4905.22166.malonedeb@wampee.canonical.com> Message-ID: <20150626165254.15377.79308.launchpad@wampee.canonical.com> ** Also affects: openstack-ansible/kilo Importance: Undecided Status: New ** Also affects: openstack-ansible/trunk Importance: High Assignee: Tom Cameron (tom-cameron) Status: In Progress ** Changed in: openstack-ansible/kilo Milestone: None => 11.0.4 ** Changed in: openstack-ansible/trunk Milestone: 11.0.4 => None ** Changed in: openstack-ansible/kilo Assignee: (unassigned) => Tom Cameron (tom-cameron) ** Changed in: openstack-ansible/kilo Importance: Undecided => High ** Changed in: openstack-ansible/kilo Status: New => In Progress -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1466216 Title: Upgrade to ansible 1.9.2 when released Status in Ansible playbooks for deploying OpenStack: Fix Committed Status in openstack-ansible kilo series: In Progress Status in openstack-ansible trunk series: Fix Committed Bug description: Ansible 1.9.2 (unreleased) fixed a CVE-2015-3908 that affected usage of get_url. The vulnerability is related to allowing an HTTPS connection to be MITM'd. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1466216/+subscriptions From 1466216 at bugs.launchpad.net Fri Jun 26 16:56:37 2015 From: 1466216 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 26 Jun 2015 16:56:37 -0000 Subject: [Openstack-security] [Bug 1466216] Re: Upgrade to ansible 1.9.2 when released References: <20150617203545.4905.22166.malonedeb@wampee.canonical.com> Message-ID: <20150626165639.10679.10807.launchpad@soybean.canonical.com> ** Changed in: openstack-ansible Status: In Progress => Fix Committed -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1466216 Title: Upgrade to ansible 1.9.2 when released Status in Ansible playbooks for deploying OpenStack: Fix Committed Status in openstack-ansible kilo series: In Progress Status in openstack-ansible trunk series: Fix Committed Bug description: Ansible 1.9.2 (unreleased) fixed a CVE-2015-3908 that affected usage of get_url. The vulnerability is related to allowing an HTTPS connection to be MITM'd. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1466216/+subscriptions From 1355125 at bugs.launchpad.net Mon Jun 29 03:24:46 2015 From: 1355125 at bugs.launchpad.net (Sam Morrison) Date: Mon, 29 Jun 2015 03:24:46 -0000 Subject: [Openstack-security] [Bug 1355125] Re: keystonemiddleware appears not to hash PKIZ tokens References: <20140811105447.23844.43062.malonedeb@wampee.canonical.com> Message-ID: <20150629032446.11069.22711.malone@soybean.canonical.com> Ubuntu trusty/juno is affected by this too It has version 1.0.0-1~cloud0 ** Also affects: python-keystonemiddleware (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1355125 Title: keystonemiddleware appears not to hash PKIZ tokens Status in OpenStack Identity (Keystone) Middleware: Fix Released Status in Python client library for Keystone: Fix Released Status in python-keystonemiddleware package in Ubuntu: New Bug description: It looks like Keystone hashes only PKI tokens [1] and test test_verify_signed_token_raises_exception_for_revoked_pkiz_token [2] does not take hashing into account (and checks only already hashed data and not hashing itself) And that should make token revocation for PKIZ tokens broken. [1] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/auth_token.py#L1399 [2] https://github.com/openstack/keystonemiddleware/blob/c9036a00ef3f7c4b9475799d5b713db7a2d94961/keystonemiddleware/tests/test_auth_token_middleware.py#L741 To manage notifications about this bug go to: https://bugs.launchpad.net/keystonemiddleware/+bug/1355125/+subscriptions From 1466216 at bugs.launchpad.net Mon Jun 29 09:56:18 2015 From: 1466216 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 29 Jun 2015 09:56:18 -0000 Subject: [Openstack-security] [Bug 1466216] Re: Upgrade to ansible 1.9.2 when released References: <20150617203545.4905.22166.malonedeb@wampee.canonical.com> Message-ID: <20150629095618.11100.48314.malone@soybean.canonical.com> Reviewed: https://review.openstack.org/196144 Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=5514ae8878d787f63b24f980f204475524ec6644 Submitter: Jenkins Branch: kilo commit 5514ae8878d787f63b24f980f204475524ec6644 Author: Tom Cameron Date: Fri Jun 26 10:37:41 2015 -0400 Upgrade to ansible 1.9.2 Update Ansible version to v1.9.2-1. This update includes a fix to address CVE-2015-3908 - A vulnerability where HTTPS can be MITM'd. Change-Id: I4dca72706cf73cdd974788e9c012ad8ecb7a9c15 Closes-Bug: #1466216 (cherry picked from commit c22296272e4e299db7c12f5f9b4608737da13729) ** Changed in: openstack-ansible/kilo Status: In Progress => Fix Committed -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1466216 Title: Upgrade to ansible 1.9.2 when released Status in Ansible playbooks for deploying OpenStack: Fix Committed Status in openstack-ansible kilo series: Fix Committed Status in openstack-ansible trunk series: Fix Committed Bug description: Ansible 1.9.2 (unreleased) fixed a CVE-2015-3908 that affected usage of get_url. The vulnerability is related to allowing an HTTPS connection to be MITM'd. To manage notifications about this bug go to: https://bugs.launchpad.net/openstack-ansible/+bug/1466216/+subscriptions From 1464219 at bugs.launchpad.net Mon Jun 29 12:31:17 2015 From: 1464219 at bugs.launchpad.net (Serg Melikyan) Date: Mon, 29 Jun 2015 12:31:17 -0000 Subject: [Openstack-security] [Bug 1464219] Re: [api] there are no checks of request tenant_id during abandoning of an environment References: <20150611110620.13354.78142.malonedeb@wampee.canonical.com> Message-ID: <20150629123119.15764.83078.launchpad@wampee.canonical.com> ** Changed in: murano Milestone: liberty-1 => liberty-2 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1464219 Title: [api] there are no checks of request tenant_id during abandoning of an environment Status in Murano: Confirmed Bug description: Looks like the code currently does not check, that a given env belongs to current requests tenant. Therefore it might be possible for users from different tenants to delete/deploy environments. To manage notifications about this bug go to: https://bugs.launchpad.net/murano/+bug/1464219/+subscriptions From 1334926 at bugs.launchpad.net Mon Jun 29 15:23:55 2015 From: 1334926 at bugs.launchpad.net (OpenStack Infra) Date: Mon, 29 Jun 2015 15:23:55 -0000 Subject: [Openstack-security] [Bug 1334926] Related fix proposed to neutron (feature/pecan) References: <20140627021809.32583.22324.malonedeb@soybean.canonical.com> Message-ID: <20150629152356.7379.46047.malone@gac.canonical.com> Related fix proposed to branch: feature/pecan Review: https://review.openstack.org/196701 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1334926 Title: floatingip still working once connected even after it is disociated Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in OpenStack Security Notes: Fix Released Bug description: After we create an SSH connection to a VM via its floating ip, even though we have removed the floating ip association, we can still access the VM via that connection. Namely, SSH is not disconnected when the floating ip is not valid To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1334926/+subscriptions From 1334926 at bugs.launchpad.net Tue Jun 30 00:37:29 2015 From: 1334926 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 30 Jun 2015 00:37:29 -0000 Subject: [Openstack-security] [Bug 1334926] Change abandoned on neutron (feature/pecan) References: <20140627021809.32583.22324.malonedeb@soybean.canonical.com> Message-ID: <20150630003729.15315.64826.malone@wampee.canonical.com> Change abandoned by Kyle Mestery (mestery at mestery.com) on branch: feature/pecan Review: https://review.openstack.org/196701 Reason: This is lacking the functional fix [1], so I'll propose a new merge commit which includes that one. [1] https://review.openstack.org/#/c/196711/ -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1334926 Title: floatingip still working once connected even after it is disociated Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in OpenStack Security Notes: Fix Released Bug description: After we create an SSH connection to a VM via its floating ip, even though we have removed the floating ip association, we can still access the VM via that connection. Namely, SSH is not disconnected when the floating ip is not valid To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1334926/+subscriptions From 1334926 at bugs.launchpad.net Tue Jun 30 00:42:33 2015 From: 1334926 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 30 Jun 2015 00:42:33 -0000 Subject: [Openstack-security] [Bug 1334926] Related fix proposed to neutron (feature/pecan) References: <20140627021809.32583.22324.malonedeb@soybean.canonical.com> Message-ID: <20150630004233.2948.79495.malone@chaenomeles.canonical.com> Related fix proposed to branch: feature/pecan Review: https://review.openstack.org/196920 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1334926 Title: floatingip still working once connected even after it is disociated Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in OpenStack Security Notes: Fix Released Bug description: After we create an SSH connection to a VM via its floating ip, even though we have removed the floating ip association, we can still access the VM via that connection. Namely, SSH is not disconnected when the floating ip is not valid To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1334926/+subscriptions From 1274034 at bugs.launchpad.net Tue Jun 30 09:00:45 2015 From: 1274034 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 30 Jun 2015 09:00:45 -0000 Subject: [Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning References: <20140129101504.12361.90017.malonedeb@gac.canonical.com> Message-ID: <20150630090046.7454.23456.launchpad@gac.canonical.com> ** Changed in: neutron Assignee: Mark McClain (markmcclain) => Kevin Benton (kevinbenton) -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1274034 Title: Neutron firewall anti-spoofing does not prevent ARP poisoning Status in OpenStack Neutron (virtual network service): In Progress Status in OpenStack Security Advisories: Invalid Status in OpenStack Security Notes: Fix Released Bug description: The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning. When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature: - no-mac-spoofing - no-ip-spoofing - no-arp-spoofing - nova-no-nd-reflection - allow-dhcp-server Actually, the neutron firewall driver 'iptabes_firawall' handles only MAC and IP anti-spoofing rules. This is a security vulnerability, especially on shared networks. Reproduce an ARP cache poisoning and man in the middle: - Create a private network/subnet 10.0.0.0/24 - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4) - Log on VM1 and install ettercap [1] - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:' - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2] - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1 [1] http://ettercap.github.io/ettercap/ [2] http://paste.openstack.org/show/62112/ To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions From tdecacqu at redhat.com Wed Jun 24 14:25:51 2015 From: tdecacqu at redhat.com (Tristan Cacqueray) Date: Wed, 24 Jun 2015 14:25:51 -0000 Subject: [Openstack-security] [Bug 1461154] Re: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers References: <20150602162757.6123.3584.malonedeb@wampee.canonical.com> Message-ID: <20150624142552.7959.90143.launchpad@wampee.canonical.com> ** Description changed: - This issue is being treated as a potential security risk under embargo. - Please do not make any public mention of embargoed (private) security - vulnerabilities before their coordinated publication by the OpenStack - Vulnerability Management Team in the form of an official OpenStack - Security Advisory. This includes discussion of the bug or associated - fixes in public forums such as mailing lists, code review systems and - bug trackers. Please also avoid private disclosure to other individuals - not already approved for access to this information, and provide this - same reminder to those who are made aware of the issue prior to - publication. All discussion should remain confined to this private bug - report, and any proposed fixes should be added to the bug as - attachments. - Vulnerability Details A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. Impact An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks. Recommendations Set the HTTP X-Frame-Options header to one of the following: DENY - deny any frames SAMEORIGIN - frames are only allowed from the same origin ALLOW-FROM - a list of allowable origin's Although many pages within Horizon 1.1 leverage the X-Frame-Options header with the recommended SAMEORIGIN policy, some (still popular) older browsers don’t support this setting. Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus vulnerable to an attack known as ClickJacking unless an additional mitigating control is present. To support legacy browsers, a suggested best practice is to add a frame breaking script to the base/global template file. Based off of https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best- for-now_Legacy_Browser_Frame_Breaking_Script """ One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers, that do not support the X-Frame-Options-Header. In the document HEAD element, add the following: First apply an ID to the style element itself: And then delete that style by its ID immediately after in the script: This way, everything can be in the document HEAD and you only need one method/taglib in your API. """ -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1461154 Title: Cross-Frame Scripting (XFS) Clickjacking vulnerability with legacy browsers Status in OpenStack Dashboard (Horizon): In Progress Status in OpenStack Security Advisories: Won't Fix Bug description: Vulnerability Details A Cross-Frame Scripting (XFS) vulnerability can allow an attacker to load the vulnerable application inside an HTML iframe tag on a malicious page. Impact An attacker could use XFS to devise a Clickjacking attack to conduct phishing, frame sniffing, social engineering or Cross-Site Request Forgery attacks. Recommendations Set the HTTP X-Frame-Options header to one of the following: DENY - deny any frames SAMEORIGIN - frames are only allowed from the same origin ALLOW-FROM - a list of allowable origin's Although many pages within Horizon 1.1 leverage the X-Frame-Options header with the recommended SAMEORIGIN policy, some (still popular) older browsers don’t support this setting. Namely, browsers older than IE 8 and Firefox 3.6.9 don’t recognize the header and are thus vulnerable to an attack known as ClickJacking unless an additional mitigating control is present. To support legacy browsers, a suggested best practice is to add a frame breaking script to the base/global template file. Based off of https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Best- for-now_Legacy_Browser_Frame_Breaking_Script """ One way to defend against clickjacking is to include a "frame-breaker" script in each page that should not be framed. The following methodology will prevent a webpage from being framed even in legacy browsers, that do not support the X-Frame-Options-Header. In the document HEAD element, add the following: First apply an ID to the style element itself: And then delete that style by its ID immediately after in the script: This way, everything can be in the document HEAD and you only need one method/taglib in your API. """ To manage notifications about this bug go to: https://bugs.launchpad.net/horizon/+bug/1461154/+subscriptions From doug at doughellmann.com Wed Jun 24 20:59:22 2015 From: doug at doughellmann.com (Doug Hellmann) Date: Wed, 24 Jun 2015 20:59:22 -0000 Subject: [Openstack-security] [Bug 1446406] Re: Insecure signing_dir configuration in barbican-api-paste.ini References: <20150420223742.32593.66588.malonedeb@gac.canonical.com> Message-ID: <20150624205924.3225.88328.launchpad@chaenomeles.canonical.com> ** Changed in: barbican Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1446406 Title: Insecure signing_dir configuration in barbican-api-paste.ini Status in OpenStack Key Management (Barbican): Fix Released Status in Barbican kilo series: Fix Released Bug description: It appears that Barbican sets signing_dir to "/tmp/barbican/cache" in etc/barbican/barbican-api-paste.ini (Reference: https://github.com/openstack/barbican/blob/master/etc/barbican /barbican-api-paste.ini#L42) A Nova bug from 2013 (https://bugs.launchpad.net/nova/+bug/1174608) mentions that they had the same basic issue, and it's a security issue because: "This means that if an attacker populated the /tmp/keystone-signing-nova with the appropriate files for signautre verification they could potentially issue forged tokens which would be validated by the middleware. As: - The directory location deterministic. (default for glance, nova) - *If the directory already exists it is reused*" This Nova bug was issued CVE-2013-2030: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2013-2030 This was originally reported to Barbican devs by the user "zigo" in the #openstack-barbican channel on Freenode: 2015-03-23 16:59:15 zigo_ I just saw in barbican-api-paste.ini a "signing_dir" directive. This is a security issue which you guys need to fix. 2015-03-23 16:59:28 zigo_ The signing_dir directive should never be set to /tmp like this. 2015-03-23 16:59:33 zigo_ Best is to simply remove the directive. 2015-03-23 16:59:57 zigo_ I can find the announce for the nova security patch that happened a few years ago if you don't just trust my words… :) zigo's suggested fix was to remove the directive. It appears Cinder has taken this approach for their project (https://bugs.launchpad.net/cinder/+bug/1185098) To manage notifications about this bug go to: https://bugs.launchpad.net/barbican/+bug/1446406/+subscriptions From 1334926 at bugs.launchpad.net Fri Jun 26 17:30:12 2015 From: 1334926 at bugs.launchpad.net (OpenStack Infra) Date: Fri, 26 Jun 2015 17:30:12 -0000 Subject: [Openstack-security] [Bug 1334926] Re: floatingip still working once connected even after it is disociated References: <20140627021809.32583.22324.malonedeb@soybean.canonical.com> Message-ID: <20150626173012.11005.27934.malone@soybean.canonical.com> Reviewed: https://review.openstack.org/196097 Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1cfed745d54a6ce9cb3dd4e6f454666d9e6676c2 Submitter: Jenkins Branch: feature/qos commit ba7d673d1ddd5bfa5aa1be5b26a59e9a8cd78a9f Author: Kevin Benton Date: Thu Jun 25 18:31:38 2015 -0700 Remove duplicated call to setup_coreplugin The test case for vlan_transparent was calling setup_coreplugin before calling the super setUp method which already calls setup_coreplugin. This was causing duplicate core plugin fixtures which resulted in patching the dhcp periodic check twice. Change-Id: Ide4efad42748e799d8e9c815480c8ffa94b27b38 Partial-Bug: #1468998 commit e64062efa3b793f7c4ce4ab9e62918af4f1bfcc9 Author: Kevin Benton Date: Thu Jun 25 18:29:37 2015 -0700 Remove double mock of dhcp agent periodic check The test case for the periodic check was patching a target that the core plugin fixture already patched out. This removes that and exposes the mock from the fixture so the test case can reference it. Change-Id: I3adee6a875c497e070db4198567b52aa16b81ce8 Partial-Bug: #1468998 commit 25ae0429a713143d42f626dd59ed4514ba25820c Author: Kevin Benton Date: Thu Jun 25 18:24:10 2015 -0700 Remove double fanout mock The test_mech_driver was duplicating a fanout mock already setup in the setUp routine. Change-Id: I5b88dff13113d55c72241d3d5025791a76672ac2 Partial-Bug: #1468998 commit 993771556332d9b6bbf7eb3f0300cf9d8a2cb464 Author: Kevin Benton Date: Thu Jun 25 17:55:16 2015 -0700 Remove double callback manager mocks setup_test_registry_instance() in the base test case class gives each test its own registry by mocking out the get_callback_manager. The L3 agent test cases were duplicating this. Partial-Bug: #1468998 Change-Id: I7356daa846524611e9f92365939e8ad15d1e1cd8 commit 0be1efad93734f11cd63fb3b7bd2983442ce1268 Author: Kevin Benton Date: Thu Jun 25 16:57:30 2015 -0700 Remove ensure_dirs double-patch test_spawn_radvd called mock.patch on ensure_dirs after the setup method already patched it out. This causes issues when mock.patch.stopall() is called because the mocks are stored as a set and are unwound in a non-deterministic fashion.[1] So some of the time they will be undone correctly, but others will leave a monkey-patched in mock, causing the ensure_dir test to fail. 1. http://bugs.python.org/issue21239 Closes-Bug: #1467908 Change-Id: I321b5fed71dc73bd19b5099311c6f43640726cd4 commit 0a2238e34e72c17ca8a75e36b1f56e41a3ece74e Author: Sukhdev Kapur Date: Thu Jun 25 15:11:28 2015 -0700 Fix tenant-id in Arista ML2 driver to support HA router When HA router is created, the framework creates a network and does not specify the tenant-id. This casuse Arista ML2 driver to fail. This patch sets the tenant-id when it is not passed explicitly by by the network_create() call from the HA router framework. Even though original issue was discovered for network_create() it turns out the same issue applies for port_create() as well so all the methods are fixed in this patch Change-Id: Id03e26dac003fa589477ed78a4ed3c44cc2f708d Closes-Bug: 1468828 commit 334d9a33404f4c8438d105f91bff1a9fd9236513 Author: Assaf Muller Date: Thu Jun 25 16:34:09 2015 -0400 Log OVS agent configuration mismatch Change-Id: I55aef3bdc32dcee3436cb8b987fb796a4898b20e Closes-Bug: #1468893 commit c48e12b781c9ffd885ebc96283ecda2849fd1e22 Author: Cedric Brandily Date: Wed Jun 24 21:31:33 2015 +0200 Avoid env variable duplication in tox.ini Some environment variables are defined multiple times in tox.ini. This change defines "fake" tox jobs and refactors existing jobs to reduce duplicated environment variables. Change-Id: I0ccebea4fbfff8dda34d1ed348b96b3b8ebd59e2 commit 747738d36572079307f228a861a067ca0cd815c2 Author: Kevin Benton Date: Wed Jun 3 15:20:27 2015 -0700 Skip ARP protection if 0.0.0.0/0 in addr pairs Don't setup ARP protection on ports with allowed address pairs that allow them to use any IP address. This is necessary because OVS doesn't support the /0 prefix in rules that match on ARP headers. Related-Bug: #1461054 Closes-Bug: #1468009 Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec commit 61909ac515c337c94f55805641b1b7c725a95191 Author: Ihar Hrachyshka Date: Thu Jun 25 15:54:34 2015 +0200 linuxbridge: clean up README file It's weird that we suggest users to copy python files around instead of relying on generated console_scripts. Other configuration information located here is trivial and is documented elsewhere, f.e. [1]. [1]: http://docs.openstack.org/networking-guide/deploy_scenario1b.html Change-Id: Ie8dd37087599ff4b5e23f0ad01105f94f5b886ab commit 0af5abdb1f608a5e84a64627adf42dd8d5526560 Author: John Davidge Date: Thu Jun 25 15:12:59 2015 +0100 Fix tox errors in thirdparty-ci docs Fixes errors causing tox failures. Change-Id: I361ef791c0de1aac1304bb8ad979066400930434 Closes-Bug: #1468765 commit 9a6536de6e1a7fe9b2552adc142e254426b82b6f Author: Ihar Hrachyshka Date: Thu Jun 25 15:41:02 2015 +0200 Removed test_lib module It's not really needed. It was once used to allow some out-of-tox plugin specific testing scripts to inject configuration files into BaseTestCase. Now, our testing story does not have any notion of out-of-gate plugin specific testing, so let's just clean it up. Change-Id: If287a38e80016b1dba049a2b745bad7af40583a8 commit 2557c47668ad822810aad523643014c6a5d4a064 Author: Russell Bryant Date: Wed Jun 24 14:59:26 2015 -0400 Updated from global requirements This patch takes the latest global requirements update from change Ibcb49412a012f79be2f7fd697349ddbf43bd7b9b except takes out the update to setup.py which reverts the windows specific requirements. We are still working on getting the custom changes out of setup.py in change I3c07c279d33f6aed46c3a97dd9ba81251e51429a. Change-Id: Iee7612d39b520cf04e3b2ec503ec79d23f15f949 commit 2ecac909ba419f258e47b456196a1af7a87661ed Author: Cedric Brandily Date: Thu Jun 25 11:59:37 2015 +0000 Remove quantum untracked files from .gitignore This change removes obsolete quantum untracked files from .gitignore. Change-Id: I1ddf0b03d29066363f155dd5af8294efde5b0ef0 commit df06a326de39a6792e2e82eafa5cf50eb325b34e Author: Matthew Booth Date: Thu Jun 25 10:20:08 2015 +0100 Context class should initialise its own data This is a trivial cleanup. A superclass was initialising data which was only used in a subclass. Change-Id: I6930fdaef3dcb960f6baaedbd191e22b565f319e commit 2e1b0ea4032f05afef16efd451e2eea5df901d97 Author: Ihar Hrachyshka Date: Tue Jun 23 17:33:38 2015 +0200 ovsdb: attempt to enable connection_uri for native impl on startup The port is in most cases disabled, so to use it, we should first enable it, and it means that we should still rely on ovs-vsctl for that initial call. Closes-Bug: #1468259 Change-Id: I097b1c441df1f7f1785b8744f27809617bb21c14 commit 668b12c2c8a60ce20ecdad2193ede9371d5cc391 Author: Doug Wiegley Date: Mon Jun 1 20:58:41 2015 -0600 Move third-party CI policy under docs/policies Change-Id: Ib2ed587670f206283d735191b3a2580bf3d1a04f commit 3bf62772d39d8b3b8b518ae88a6fcea7414d6884 Author: Doug Wiegley Date: Mon Jun 1 20:31:01 2015 -0600 Remove lbaas API tests, which are now in the lbaas repo Change-Id: I2009ca3f102d0ca0db3f12af3012989f2a036c48 commit 1a480203b2531925d7520b62c94954064a26139d Author: Aaron Rosen Date: Wed Jun 24 10:28:18 2015 -0700 Only create one netaddr.IPNetwork object Change-Id: I8c6a08e0cf3b5b5386fe03af9f2174c663b8ac73 commit d9a23f882f0d78aaca34c3607d9ca9ad54ac063b Author: Aaron Rosen Date: Wed Jun 3 16:19:39 2015 -0700 Provide work around for 0.0.0.0/0 ::/0 for ipset Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if these addresses were inputted as allowed address pairs. This causes ipset to raise an error as it does not work with zero prefix sizes. To solve this problem we use two ipset rules to represent this: Ipv4: 0.0.0.0/1 and 128.0.0.1/1 IPv6: ::/1' and '8000::/1 All of this logic is handled via _sanitize_addresses() in the ipset_manager which is called to convert the input. Change-Id: I8c6a08e0cf3b5b5386fe03af9f2174c666b8ac75 Closes-bug: 1461054 commit 93d564223e8b76d10aa7b55f1b1d49f592d1c800 Author: Kevin Benton Date: Wed Jun 24 09:19:18 2015 -0700 Fix >80 char lines that pep8 failed to detect Change-Id: I602e0d484c5e00eb48b86c4c8c4eff0be195c3a5 commit 830e9114817765efc93c772dcbc735a6bb28a7ff Author: Anthony Chow Date: Tue Jun 23 22:05:23 2015 -0700 Deprecate "router_delete_namespaces" and "dhcp_delete_namespaces" These 2 configuration options are no longer be necessary. They are marked as deprecated in this release and will be removed in the next release. Change-Id: I4e02a291738b16c7c9b7600f0bc9a47fb1318569 Partial-Bug: #1418079 commit a84ef9ae54a7dfe6d9dee54a01b189dd40bce423 Author: Kevin Benton Date: Wed Jun 24 03:27:16 2015 -0700 Make DHCPv6 out of bounds API test deterministic The test_dhcp_stateful_fixedips_outrange API test was randomly picking an IP from last + 1 up to last + 10 in the allocation range. This made it fail randomly when there was an issue related to the subnet allocation having an off-by-one issue. This adjusts the test to just always test last +1 and +2. Related-Bug: #1468163 Change-Id: I641ab092e0ea0aae67ec717b492118a2f8a6f4fd commit f527f8cf426ee63b592225d5e691ac107085784d Author: Kevin Benton Date: Wed Jun 24 02:15:29 2015 -0700 Don't process network_delete events on OVS agent There is no reason to reclaim the local VLAN on a network_delete event since it will be reclaimed when the last port is deleted anyway. This method was racey with recent port creation events and lead to occasional traces when it would yank the local VLAN out from underneath an ongoing port wiring process. Change-Id: I5eee6175c053006b35b6efe274d27931a9d5d89f Closes-Bug: #1468251 commit 1d61c5f736b9df7253a1939fe55f1875f988d1f4 Author: Henry Gessau Date: Wed Jun 24 03:16:52 2015 +0000 Revert "Fix subnet creation failure on IPv6 valid gateway" Because it breaks tests.api.test_dhcp_ipv6.NetworksTestDHCPv6.test_dhcp_stateful_fixedips_outrange This reverts commit ee51ef72d37a02005a7733b7f2faf7236db850a1. Change-Id: Id02d9034ca809f194ff7551167bfda3559fb1200 commit 7eb9d9d316d35840706a767576ff083c9a04d781 Author: Cedric Brandily Date: Wed Jun 24 00:08:22 2015 +0200 Support oslo_db 1.12 oslo_db 1.12[1] decorates oslo_context.context.RequestContext with session management[2][3] and add a read-only attribute 'session'. Such feature breaks Brocade plugin and its unittests because they define on RequestContext the 'session' attribute which now is a read-only property. This change uses neutron.context instead of oslo_context.context in order to delegate session management to the neutron.context and remove read-only attribute set. A follow-up change will refactor neutron.context in order to use oslo_db 1.12 session management instead of homemade one. [1] https://github.com/openstack/oslo.db/releases/tag/1.12.0 [2] https://github.com/openstack/oslo.db/commit/\ fdbd928b1fdf0334e1740e565ab8206fff54eaa6 [3] https://github.com/openstack/oslo.db/blob/\ fdbd928b1fdf0334e1740e565ab8206fff54eaa6/oslo_db/sqlalchemy/\ enginefacade.py#L782 Closes-Bug: #1468128 Change-Id: I0e3331f9a383fa2562706eeadb229f55593b888c commit ad86291408fc74827c2bd31f89a2dce34f887823 Author: Cyril Roelandt Date: Tue Jun 23 15:28:34 2015 +0000 Python 3: do not use itertools.izip This no longer exists in Python 3. Use the zip function instead. Blueprint: neutron-python3 Change-Id: Id7d33ec3d27a27f17040d28bead10f2eb3b831bb commit d23a59f1c808c50575f49f9291bd70c6b3a5797a Author: Jeremy Stanley Date: Thu Jun 18 19:09:05 2015 +0000 Override opportunistic database tests to PyMySQL Set the OS_TEST_DBAPI_ADMIN_CONNECTION override variable so that oslo.db opportunistic detection will know to use PyMySQL until I12b32dc097a121bd43991bc38dd4d289b65e86c1 makes it the default behavior. This change removes previous code[1] enabling PyMySQL use. [1] Ic5c1d12ab75443e1cc290a7447eeb4b452b4a9dd Change-Id: Ic39feee0248f2ffabdba26f3779ab40a8f3838e6 Co-Authored-By: Victor Sergeyev Co-Authored-By: Cedric Brandily commit 04d44cee63f3fbba45956abd28f325d5ac3ca2d9 Author: Cedric Brandily Date: Tue Jun 23 20:00:30 2015 +0200 Extend default setenv instead of replacing it in tox.ini Some tox jobs[1] define their own setenv without extending/referencing default setenv, it disallows to define environment variables shared by all jobs. This change updates previous jobs[1] in order to extend instead of replacing default setenv and enable global environement variables (used in daughter change). One remark, this change sets VIRTUAL_ENV environment variable in updated jobs[1] but it has no effect on them. [1] (dsvm-)functional, (dsvm-)fullstack and api jobs Closes-Bug: #1468059 Change-Id: I99184f7375571fb8569a24ba04ae267108f5da08 commit b7dc34ef15061577158eeafc179915e5bde73c64 Author: Ihar Hrachyshka Date: Tue Jun 23 14:28:59 2015 +0200 Cleanup get_plugin_name() from the tree It does not seem to be used since Icehouse: the patch that removed its last usage is: 1b36e2077141749495bb32b423f3df8cbbd0eb40 I don't think we should have it as part of abstract interface for service plugins. Change-Id: If03f67a617efd3a7cadb96d1a86283ac14088a83 commit 277d89b67a6a8ea4f6a7bc216014d55ace5c1d2d Author: Pavel Bondar Date: Tue Jun 23 12:07:43 2015 +0300 Bulk move methods to ipam_backend_mixin.py ipam_backend_mixin contains methods common for both backends: pluggable and non-pluggable, so moving methods to make them accessible by backends. Next methods were moved from db_base_plugin_v2.py to ipam_backend_mixin.py: - _validate_subnet_cidr - _validate_network_subnetpools - _allocate_pools_for_subnet - _save_subnet This commit moves methods without any internal changes. All future changes and decomposition of these methods will be handled in next commits. Partially-Implements: blueprint neutron-ipam Change-Id: I1ec786754467fc9039d2276f084f1bceaab15635 commit c384b13ae6b83a8bad944972c60bdcbe6f4fa050 Author: Brian Haley Date: Thu Apr 16 16:20:01 2015 -0400 Add IPset cleanup script This will aid in removing stale IPsets when we change the prefix used in creating IPset names. Change-Id: Ia9ff79c34bd4c9124ec8663a8f616ded4f389f62 Partial-Bug: #1444201 commit 7e117c13fd3fb125c857dadfa2945799b39e1634 Author: Rawlin Peters Date: Thu Jun 18 11:22:13 2015 -0600 Optimize ipset usage in IptablesFirewallDriver Currently, IptablesFirewallDriver._update_ipset_members() iterates through a list of security group IDs and makes a call to IpsetManager.set_members() for each security group ID in the list. The problem is that set_members() is repeatedly called with the same arguments over and over again because the list of security group IDs contains duplicates. These duplicated calls are unnecessary because they are idempotent. For instance, with a security group of 50 rules created in this manner: neutron security-group-rule-create $SECGRP --remote_group_id $SECGRP --protocol tcp --port_range_min $i --port_range_max $i Adding a server to that security group will cause 50 calls to IpsetManager.set_members() because the list of security group IDs is 50 of the same ID. Only one call to IpsetManager.set_members() is necessary per security group ID. This patch converts that list of security group IDs into a set, which eliminates the duplicate idempotent calls to IpsetManager.set_members() with the same arguments. This will affect performance by reducing the amount of file locking around ipset when adding servers to security groups. Change-Id: Id2c8c8c1093c8abcf1fd897b23b0358aeb55b526 Closes-Bug: 1466921 commit f44800f1eb649d83a338d320020d3479fc3b6790 Author: Cyril Roelandt Date: Mon Jun 22 14:59:59 2015 +0000 Python3: do not set Request.body to a text string In Python 3, Request.body must be set to a bytes object. Change-Id: I17785d1e9eb253a1c6cae300b207fb0a08873b0e Blueprint: neutron-python3 commit 408af3f7dab477517b1761aeda2b76384f5fffbe Author: Assaf Muller Date: Sun Jun 21 15:34:21 2015 -0400 Prepare for full stack CI job Related-Bug: #1467275 Change-Id: I90f4794f48ae151a888f37df26c087a7fdcd9d31 commit 76b4803530c0d5f47659aa519585178cc33cba46 Author: Oleg Bondarev Date: Tue Jun 2 16:14:40 2015 +0300 Fix callback registry notification for security group rule Some housekeeping was done in - SecurityGroupDbMixin: - create_rule_bulk() calls to create_rule(); - registry notification is in create_rule(); - separate validation for a single rule and for a group of rules - SecurityGroupServerRpcMixin: - overriden methods call to corresponding super class methods; Hopefully code is now self-documented enough Closes-Bug: #1461024 Change-Id: Ia75d7e206716bbe74aae89e4cebd0c2c40af68a8 commit 6da2d24ff44cbc8dd0ea8d2e6f72419a46026989 Author: Ihar Hrachyshka Date: Mon Jun 22 15:43:20 2015 +0200 Ease debugging alembic by passing proper scripts path in alembic.ini Otherwise, anyone who attempts to issue an alembic command with the file gets: FAILED: Path doesn't exist: '<...>/neutron/neutron/db/migration/alembic'. Please use the 'init' command to create a new scripts folder. Change-Id: I5b5f2802b478c8d8c327d24faa838f7a6859b979 commit fe6654b25044de7d7d15573c689a0f003c018e99 Author: Martin Roy Date: Thu Jun 18 13:45:02 2015 -0400 Use string exception casting everywhere Instead of the deprecated "message" member access, casting to a string invokes the __str__ method of the exception that is wired to return the message Added a test of the failure cases of IpRouteCommand::delete_gateway because they were missing Running unit and functional tests locally no longer shows the warning reported in the bug. Change-Id: Ia79f526aa973ece1145615d65349f860aa3fd465 Closes-Bug: #1466542 commit c3d65a0ed920110223e1b73d6982968552ca7716 Author: ChangBo Guo(gcb) Date: Tue Mar 3 17:08:48 2015 +0800 Switch to oslo_utils.uuidutils Get rid of oslo-incubator uuidutils Closes-Bug: #1467020 Depends-On: I2df519965883b05d5d58cdc4785c850b0685dc2c Depends-On: I9f8e98ad9517864a9ffdacf01c0a9a5aab554edb Depends-On: Ied0faac809a5b72b1cd466c8babc9ca5418692c3 Change-Id: Iebe491b981b4b7c02785412fadd27678bb5e47de commit ee51ef72d37a02005a7733b7f2faf7236db850a1 Author: David Edery Date: Sun Jun 21 15:59:49 2015 +0300 Fix subnet creation failure on IPv6 valid gateway Currently a valid IPv6 address gateway of the "*::ffff:ffff:ffff:ffff" pattern is failing due to netaddr.broadcast returning value for both IPv6 and IPv4 addresses. IPv6 has no broadcast address so the fix checks if the gateway is the subnet broadcast address only in the case of IPv4 subnet Change-Id: I849f95b30343d0b1c90cf91203df220bf731d8d5 Closes-Bug: 1466322 commit b9e551936410eca647b48c48f49f2b2be5d2d4a4 Author: Pavel Bondar Date: Fri Jun 19 17:58:57 2015 +0300 Decompose _create_subnet_from_pool Moved validations into separate methods: - _validate_pools_with_subnetpool Verifies that allocation pools are set only for specific subnet request. For any subnet request allocation pools can not be set manually - _validate_ip_version_with_subnetpool Verifies that subnet has the same ip version as subnet pool Partially-Implements: blueprint neutron-ipam Change-Id: I63f6aa2a0c94c3437fa624ac800943976f4fc50f commit 29bb401973af81f4a4b8a667f8b7445e19e017da Author: Pavel Bondar Date: Thu Jun 18 15:24:44 2015 +0300 Move _delete_port Pluggable ipam implementation will do additional actions on port deletion (deallocate ip using ipam driver). Existing _delete_port code will be resused. Moving _delete_port to ipam_backend_mixin to make this code accessible and extendable by both backends (pluggable and non pluggable). This commit is a preparation step before pluggable ipam implementation can be used. Partially-Implements: blueprint neutron-ipam Change-Id: If6cd623aad9e5501a26e5fb8cdecd5f55e85cd05 commit c0ef7a8f4546cd3c081a61c742dd9ed70ec2c147 Author: Pavel Bondar Date: Thu Jun 18 14:52:24 2015 +0300 Decompose create_port and save_subnet This commit is a preparation step for enabling pluggable ipam. Some actions in create_port and save_subnet are specific for non pluggable ipam implementation. - create_port Moved allocation ips for port and storing results into separate method _allocate_ips_for_port_and_store. Moved to ipam_non_pluggable_backend, since pluggable implementation will be different due to rollback on failure logic included. - save_subnet Moved saving allocation pools into new method _save_allocation_pools. Moved to ipam_non_pluggable_backend, since pluggable ipam implementation does not need to save IPAvailabilityRange (availability ranges are maintained by ipam driver for pluggable case) Partially-Implements: blueprint neutron-ipam Change-Id: I4a3e5d7f3aa54630279d9589225a509c96ed2186 commit ee14186fbb2486f9088103e9621bc366cc64c552 Author: Henry Gessau Date: Sun Jun 21 01:30:05 2015 -0400 Allow setting Agents description to None Fix the validator for the 'description' attribute of Agents, allowing it to be set to None. Fix an API test that had two problems: 1. It was not restoring the description to the agent it had updated 2. It was retoring the description to '' instead of None. Closes-Bug: #1466642 Change-Id: I50723e1346be0953d26216ba24907bac008ccfb6 commit d0d62927e661c84003845a61d2b991a54e723ed4 Author: Darragh O'Reilly Date: Sat Jun 20 11:55:27 2015 +0000 Fix RPC version to be a string The RPC version was being passed as a float which caused an exception. Change-Id: I2a2888fcafcc426009fc841b81049a22e072ce75 Closes-Bug: #1467087 commit 35654ec23ef9db6bda313ea300ab76c287a98ceb Author: Gal Sagie Date: Mon May 25 15:20:05 2015 +0300 Decompose DVR CSNAT L3 Agent from Compute Node L3 Agent Currently the same dvr router class is used both by the L3 Agent in the compute nodes that is responsible for the virtual routers namespace and the fip namespace and also used by the centralized SNAT L3 Agent in the network node. This is the first step to decompose the two into different classes. The above means that we have one class of DVR router which is used for two jobs (the virtual router namespace wiring and the fips wiring in the compute node in one hand and the centralized snat wiring in the other) The end goal of this patch is to separate the two into different classes which will also help maintaining it and also help projects that want to use one but not the other (for example only use the centralized SNAT behaviour with there own DVR implementation) Change-Id: I581a097b9e7c49f20d0eb0e4ca66a25e90d9511b Partial-Bug: #1458541 Partially-Implements: blueprint dvr-router-code-decompose commit 0e48d9d203619f50adae94ddb6bbccd28f381737 Author: Davanum Srinivas Date: Sun Jun 7 10:10:18 2015 -0400 cleanup openstack-common.conf and sync updated files Periodic update of latest files from oslo-incubator Change-Id: Ie7eb02e4e9277c18abfb438b6cf710e0aa426b15 commit 74b0c53da5d7e4305606c100becf34966d8af350 Author: Oleg Bondarev Date: Thu Jun 11 13:38:55 2015 +0300 Fix l3 agent to not create already deleted router In case router is deleted during l3 agent resync, the "deleted" event is processed with higher priority, then resync event for the router may be processed which will recreate already deleted router. This happens due to timestamp not being properly updated for deleted router in router processor. The fix adds timestamp update for deleted router. Functional test will be updated in a follow-up patch Logging was improved to make debugging a bit easier. Closes-Bug: #1455439 Change-Id: I2d060064acccc10591a3d90be9011f116548cfce commit 4f5171d2cedb32fdc5a59d241e7ae91c7284b75c Author: Cyril Roelandt Date: Fri Jun 19 13:24:34 2015 +0000 Python3: do not use '+' on dict_items objects In Python 3, dict.items() returns an iterator. Iterators cannot be added. Blueprint: neutron-python3 Change-Id: I487178ebceae9946cb53dea1e847d7715f4577f3 commit b336b7c438f3f5d4ee8d23d6bb2d2cf8fe1657f4 Author: Jakub Libosvar Date: Fri Jun 19 15:52:35 2015 +0200 Disable keepalived process in keepalived func test Previously, keepalived process itself was disabled that lead to respawning of keepalived by KeepalivedManager. This patch disables KeepalivedManager in cleanup thus no respawn happens. Closes-Bug: #1466873 Change-Id: If5524116e5d4fc41600920d31481282c5b797f7b commit a4b17cbb80b48c8e4bcd7cc005139f8e66066d68 Author: Cyril Roelandt Date: Thu Jun 18 11:52:28 2015 +0000 Python3: do not use im_self/im_func/func_closure One should use __self__, __func__ and __closure__ instead, as they work with both Python 2 and 3. Change-Id: I2b2847cfd5b4fa70e45387ff369240227ce9e526 Blueprint: neutron-python3 commit 432567f9477eadd840e407c5c057fc664e46d731 Author: Pavel Bondar Date: Wed Jun 17 15:48:09 2015 +0300 Add request factory for pluggable IPAM Pluggable IPAM implementation requires separation between requesting address/subnet and it's actual allocation, which can happen on third-party IPAM servers. Request factory stands for simplifying building right request from input. Added AddressRequestFactory and SubnetRequestFactory. AddressRequestFactory creates instance of AnyAddressRequest or SpecificAddressRequest depending on presence of ip address in input. SubnetRequestFactory creates instance of AnySubnetRequest or SpecificSubnetRequest depending on input. get_subnet_request_factory and get_address_request_factory can be redefined on driver level to use custom request factories. Partially-Implements: blueprint neutron-ipam Change-Id: Iedc0cfa326d60810099148f0ef8a1edac9e8aa12 commit 870fb38b1c7ddd5ddb399e6ff13a4f7992f8f9a6 Author: Cyril Roelandt Date: Fri Jun 19 13:59:46 2015 +0200 Python3: use dict.keys() instead of dict.iterkeys() The "keys" method works on both Python 2 and 3, and the performance impact should be negligible. Change-Id: I4771797859666000921e4e38cc5de72a8c084ca0 Blueprint: neutron-python3 commit 538a7bf3c73d968185590d81a9b3a6523190aeb4 Author: Salvatore Orlando Date: Tue Jun 9 03:41:07 2015 -0700 NSX QoS ext: RXTX factor can be decimal In Nova flavors it is ok to specify a decimal RXTX factor. For this reason when applying QoS to a port Neutron should not convert this factor to an integer value, but simply ensure it's a valid float number and positive. Partial-Bug: #1463363 Change-Id: I983123ef7fd8f1b52b358aff3b579459fce63033 commit 5aaae68e5148f01e78a5e6013dce797dd42c1917 Author: Pavel Bondar Date: Thu Jun 18 14:17:58 2015 +0300 Move _add_auto_addrs_on_network_ports Moved to ipam_non_pluggable_backend.py since implementation is specific for non pluggable ipam backend. Pluggable implementation will additionally include rollback on failure actions. This commit is a preparation step for using pluggable ipam. More changes in this methods are expected to be done by following patches. Partially-Implements: blueprint neutron-ipam Change-Id: I1876846526e370a7fcfa05b9a23fd9065973f111 commit 6669ee9af6bd635ae7efbc2f02e10914549ef708 Author: Lucas Alvares Gomes Date: Thu Apr 9 14:02:36 2015 +0100 DHCP agent: Set an "ipxe" tag to work with Ironic Ironic expects neutron to have an "ipxe" tag for the option 175 which is sent by iPXE/gPXE when booting a node. The problem is that up to now this tag was not created by Neutron, causing the nodes deployed with Ironic + iPXE to fail to boot. This patch is creating this tag when launching the dnsmasq process. DocImpact Change-Id: I45a0f51365b37e7d85848fcdcbcf7aa6a1dddfed Closes-Bug: #1442123 commit 735f193668d61dd7c09f710e555ab91d1d91abe6 Author: Pavel Bondar Date: Wed Jun 17 18:47:11 2015 +0300 Remove _check_ip_in_allocation_pool _check_ip_in_allocation_pool is not used anywhere in neutron. Cleaning up unused code from db_base_plugin_v2.py. Caller was removed over a year ago in change Ib31550fa9000fc75768a327cb6cc1c419e06568f Partially-Implements: blueprint neutron-ipam Change-Id: I41b7254835c308dda679ee2a5ebbccba528fd108 commit e3710f59481b4f9c3430228e8f074c845e93fbe7 Author: shihanzhang Date: Mon Jun 15 14:51:16 2015 +0800 Don't delete DVR namespace if there are still ports on this node Skip deleting DVR namespaces if they contain ports in the BUILD or DOWN status. Change-Id: I026f2014ede800c0f4532ca15f1fccdaa59d5b61 Closes-bug: #1464527 commit 345ffb99ef92f567562c178c57b9c110740a3767 Author: Doug Wiegley Date: Thu Jun 18 18:13:43 2015 -0600 Updated from global requirements Since we can't merge proposal bot at the moment, due to a conflict with setup.py, at least get our reqs files up to snuff. Change-Id: Ie313c81502dfe17a4afdcfdba4e207b9866e1399 commit 42826a0e64b3499cda065fd9ffdf0b5af5754c85 Author: Ihar Hrachyshka Date: Mon Jun 15 16:06:21 2015 +0200 Fixed the only sphinx warning in docs We made previous attempt to get rid of all warnings, but it turned out that gate does not execute tox's docs job but runs build_sphinx directly. The latter behaviour should be fixed, but while at it, we should prepare neutron job to be executed in gate by cleaning up all warnings. Closes-Bug: #1466554 Change-Id: I8c265eae2175425568479116d1faef7d87fdcc02 commit 63e318f5f8159f108cf1e7a82c952fa5f882870f Author: Moshe Levi Date: Thu Jun 11 12:24:03 2015 +0300 Fix SR-IOV mech driver to set port status to down when agent is required SR-IOV mech driver has 2 modes agent and agent-less. Currently in both modes port status are active. This patch update the port status to down when using agent mode. This will allow the SR-IOV agent to get port update notification and apply its additional functionality when launching vm. Co-Authored-By: Berezovsky Irena Closes-Bug: #1464186 Change-Id: Ibd9b31b4f2393b8732253d5cbfd36e8b5614860d commit cdde9a3aeb929e80aa3c251a44060b8174ab7b6c Author: venkata anil Date: Thu Jun 18 10:03:12 2015 +0000 read_hosts_file_leases shouldn't parse stateless IPv6 Error when _read_hosts_file_leases tries to parse stateless IPv6 entry in hosts file TRACE neutron.agent.dhcp.agent ip = host[2].strip('[]') TRACE neutron.agent.dhcp.agent IndexError: list index out of range Neutron creates entries in dhcp host file for each subnet of a port. Each of these entries will have same mac address as first field, and may have client_id, fqdn, ipv4/ipv6 address for dhcp/dhcpv6 stateful, or tag as other fields. For dhcpv6 stateless subnet with extra_dhcp_opts, host file will have only mac address and tag. So _read_hosts_file_leases shouldn't check for ip address for this entry in host file. Closes-bug: #1465330 Change-Id: Iad6605ac5c7bcd6ec9204352037ed021f5007738 commit 31f846c1b9fa17d1812f78dffe1dcf883da52bab Author: shihanzhang Date: Fri Jan 30 09:50:52 2015 +0800 Fix 'router_gateway' port status can't be updated when it creates a ovs bridge without parameter 'bridge-id', it's default 'bridge-id' is None, so ovs agent should also deal with these ovs bridges, for example if ancillary bridge br-ex does not be handled, the 'router_gateway' port status can't be updated. Change-Id: If428eadadfd36a9b19ea75920120e48ac49659f2 Closes-Bug: #1416181 commit 2db459f284002e45497d768a8a53c9b43d045d45 Author: Doug Hellmann Date: Tue Jun 16 19:49:15 2015 +0000 Update version for Liberty Update the version for Liberty, switching from date-based versioning to pre-versioning using SemVer. See http://lists.openstack.org/pipermail/openstack-dev/2015-May/065211.html and http://lists.openstack.org/pipermail/openstack-dev/2015-June/067082.html for details. Change-Id: I6a35fa0dda798fad93b804d00a46af80f08d475c commit 98d0be2f82523a40e630cf08dd8479b4cbb48add Author: armando-migliaccio Date: Wed Jun 17 11:33:56 2015 -0700 Add networking-sfc to the list of affiliated Neutron projects The project is being bootstrapped in [1,2], this change reflects that in the sub_projects doc. [1] I3825a1e02713f45e2c769eaa8fd0f1ab48d14372 [2] Iec53129d7c19620d690e71032c83907f03c66d9f Change-Id: I7c235bfe444bbb9afc7d4d8c92704c9bfc09ab49 commit 315b10dc9fa7b8d889a24e0c6cdf72f5341d92d5 Author: armando-migliaccio Date: Wed Jun 17 11:31:01 2015 -0700 Minor improvements to sub_projects document Let's remove the empty table, to cut down the risk of inconsistency, and further explain what the list of affiliated project is for. Change-Id: I3c8970db8de4fc211233903e8220cda72d47e193 commit 53209ca19ac2116d293b6fbc7b31254cb27a3ecb Author: Cyril Roelandt Date: Wed Jun 17 14:25:56 2015 +0000 Python 3: do not use cmp(), nor sorted(..., cmp=...) * The "cmp" function has been removed, so we must not use it any more; * The "cmp" keyword argument of the "sorted" function has been removed, so replace it with "key=functool.cmp_to_key". Change-Id: Ic39d29dc1002a68f36f04c32e53a36bc826dce78 Blueprint: neutron-python3 commit 4a73ab99c9fcc63adbbb41d4a9b9ba8669afdc61 Author: Miguel Angel Ajo Date: Tue Jun 16 13:48:26 2015 +0200 Move get_inteface_by_ip from LinuxBridge class to ip_lib get_interface_by_ip is moved fro LinuxBridgeManager to ip_lib as a more generic get_device_by_ip. System-faking unit tests have been switched for functional testing that also performs a negative test. This can be reused in the openvswitch-agent code to validate local_ip reusing the LinuxBridge logic. Change-Id: I9237871a6e24dd99556c71844624be510e20d289 Related-Bug: #1464178 Related-Bug: #1408603 commit 76dd333167920f447bdbedbbee10fdab593abe5b Author: Vladislav Belogrudov Date: Wed Jun 17 14:02:22 2015 +0300 Fix cisco_csr_identifier_map.ipsec_site_conn_id Some database engines require exact match of sizes of foreign keys and referenced fields. Foreign key ipsec_site_conn_id of table cisco_csr_identifier_map is varchar(64) but it references field id varchar(36) of table ipsec_site_connections. This gives error while running migration scripts in such databases. This fix only applies to new installations. Existing databases will be corrected by migration scripts introduced in https://review.openstack.org/190569 - they will take care of resizing the field and adjusting the model. Change-Id: I6cc9625a2d96d1330b06eb727cc7fa5363c697b8 Depends-On: I384a9bbaba05ef94174b666bdcfb276eedc74134 Closes-Bug: #1463806 commit 7a7377681133785e12a296ff7077b039708da97d Author: Thomas Morin Date: Wed Jun 17 12:13:35 2015 +0200 fix rootwrap debug filter for ping all NeutronDebugAgent.ping_all calls ping with "-c 1 -w ' so the filter should accept this order, and not only "-w .. -c ..". Not changing the existing filter to not break other tools that might use -w -c in that order. Change-Id: I5b3d67dfcdc15c53ac3bf2fb39de29fd97e98a19 commit 7d704db18ec7635328bfce7dc6e936151f264f1f Author: Aman Kumar Date: Tue Jun 16 23:16:24 2015 -0700 Refactor rpc_loop() in ovs neutron agent This patch segregates the port_info recieved by scan_ports and scan_ancillary_ports. This refactoring is basically required for this patch set: https://review.openstack.org/#/c/165023/ Co-Authored-By: Romil Gupta Change-Id: I9b43c230cda9d2659ad0e806bebe8a3dc12826ec Partial-Bug: #1329223 commit 4e77442d529d9803ff90de905b846af940eaf382 Author: Kevin Benton Date: Sat Jun 13 18:45:19 2015 -0700 Add deadlock retry to API and ML2 RPC port update With the switch to the pymsql SQL driver, eventlet will now yield during database transactions. This greatly increased our probability of multiple coroutines running transactions on the same table that result in deadlocks. These deadlocks could result from many things including the following: * a coroutine holding a pessimistic "SELECT for UPDATE" lock when another tries to update the locked records * two coroutines both issue update statements using a WHERE clause invalidated by the other update (e.g. from a compare and swap approach) * two coroutines insert records that, when combined, violate a unique constraint on the table in a master-master Galera deployment * any two workers using "SELECT for UPDATE" in a master-master Galera deployment (write-set certification failure translates to deadlock) This problem is exacerbated by the switch to multiple API and RPC workers, each of which can lead to most of the errors above even without the switch to pymysql. This patch adds a deadlock retry decorator to the delete, create, and update methods at the HTTP API layer. Additionally, it adds a decorator to the update_port_status AMQP API in ML2 since it updates the port table, which is a heavily locked table by ML2 making it a prime candidate for deadlocks. Nova has had relied on the deadlock retry mechanism for quite some time now. We were limping along by not using additional workers and by relying on the unyielding nature of the MySQL C driver to serialize everything. Closes-Bug: #1464612 Change-Id: I635cc49ca69f589f99ab145d4d51e511b24194d2 commit 95b6a74af10e2150b017647028de8454ef1cda2f Author: Aaron Rosen Date: Tue Jun 16 17:23:09 2015 -0700 ovsdb: session.rpc never initialized Previously, if idl.Transaction.commit_block() returned a status of TRY_AGAIN we would check self.api.idl._session.rpc.status which would result in an attribute error as rpc is None. This patch fixes this attribute error by removing this unneeded check. In addtion, the force_reconnect() is also removed as ovs.jsonrpc handles reconnecting automatically for us. Change-Id: Ibf3ce5cd3432845f8938a1d83637ecf59b14b5ca Closes-bug: 1465889 commit fc0c3a83659a86453acd5745a5632729b99cb3de Author: Rawlin Peters Date: Mon Jun 15 10:57:02 2015 -0600 Remove duplicated debug logging around locking Currently, iptables_manager.py does extra unnecessary logging about lock acquisition and release. It uses lockutils.lock() which passes do_log=True by default, which causes lockutils.lock() to do debug logging about lock acquisition/release. IptablesManager itself also writes debug log info about lock acquisition and release. This change will eliminate unnecessary duplicate logging in order to reduce log noise about locking. This change is also related to https://github.com/harlowja/fasteners/commit/f88f2fea7fe250b7d26cdcbc84633ccbbc68eeee which reduces the logging level in the underlying lock implementation used by oslo.concurrency. That change along with this one will remove the duplicate debug logging about locking in iptables_manager.py and also in ipset_manager.py. Change-Id: If6f4a7101f3783ad83645e28bbb5c577dd403d3b Closes-Bug: 1464727 commit 8f2014ea556404fb99c78add1e46b80c718cf491 Author: Aman Kumar Date: Tue Jun 16 05:32:44 2015 -0700 Refactor scan_ports() and update_ancillary_ports() in OVS Neutron Agent Used a helper method which contains the common code from scan_ports() and update_ancillary_ports(). And also renamed the name of update_ancillary_ports() method to scan_ancillary_ports() to have parity between normal ports and ancillary ports. Added unit tests for scan_ancillary_ports. Co-Authored-By: Romil Gupta Partial-Bug: #1329223 Change-Id: I8b3e00a9371d5a03cc8b4be24bf20eec10bef5df commit 4f46d2ae3a089f36512fae3bf49f155927095922 Author: Cyril Roelandt Date: Tue Jun 16 13:38:13 2015 +0000 Python3: do not change the size of a dict while iterating over it This does not work in Python3, so we have to store the items first. Change-Id: I7d8641f980fe62d2900559433d5060a6281a97f8 Blueprint: neutron-python3 commit 0488ac707493575e084f02273df2c4ec598541ba Author: Elena Ezhova Date: Mon Jun 1 12:34:41 2015 +0300 Refactor TestRpcWorker and TestWorkerService TestRpcWorker and TestWorkerService have a duplicate test_reset. This patch introduces a base class from which tests for service workers can inherit. Change-Id: Ic4690c3b066b03c2fbb463f1329208ad1307d83d commit fca84f69659e4e81790de405213f31e80fd8c239 Author: Ann Kamyshnikova Date: Tue Jun 2 18:45:51 2015 +0300 Juno_initial migration Havana was deprecated with the kilo release, and icehouse will be deprecated with the liberty release, so havana_inital migration should be removed and replaced with juno_initial. Closes-bug: #1461103 Change-Id: I2e6802c9ab64d164bd888278d555dfeeaf47257b commit 037f3111cd3968ff00593387daf2b832761e5ef4 Author: Ihar Hrachyshka Date: Tue Jun 16 09:21:42 2015 +0200 docs: added job to well known tox envlist This is to make 'tox -l' return the job name in its output (needed to allow run-docs.sh script in project-config to determine whether the job is present, to rely on it when generating docs in gate). Change-Id: I80eb169b7b4e5a3490586722c64394dbb724928d commit 9fc422a93a00f4126e91fa79ffcd43903ea9c8ac Author: Sean M. Collins Date: Mon Jun 15 13:51:05 2015 -0400 API Extensions: inherit from the ExtensionDescriptor For consistency in the codebase, API extensions should inherit from the abstract base class ExtensionDescriptor. Change-Id: Id4829c265866e80c042c433bebcc01383e1e7417 commit 34aa030847ed24ad6ca7759459cbe9a6d0f43db3 Author: Henry Gessau Date: Mon Jun 15 14:47:21 2015 -0400 Remove fossilized remains Clean up ancient stuff that hasn't been touched in over 3 years. Change-Id: I67fcd85027fb6614cafe8d92ddbf8c24aed58a4f commit f88f3dc8d6f7240d6c0d9d5006345b3a797ae067 Author: Pavel Bondar Date: Wed Jun 10 16:18:40 2015 +0300 Refactor update_port in db_base_plugin_v2 This commit is a preparation step for using pluggable IPAM. - moved validations into _validate_port_for_update; - updating ip addresses for port is backend specific, so moved into _update_port_with_ips in ipam_non_pluggable_backend; - writing port changes to db is common for both backends, so moved into _update_db_port in ipam_backend_mixin; - updated to use namedtuple to track add/original/remove ips; - added _make_fixed_ip_dict to exclude keys other than ip_address and subnet_id; Partially-Implements: blueprint neutron-ipam Change-Id: I1110e88f372b1d0cc7ec72049ba69a6d548da867 commit a89f99c6b700b1c6f918fe359c7271ac25ed4bc4 Author: Pavel Bondar Date: Wed Jun 10 14:56:58 2015 +0300 Refactor _update_ips_for_port This commit is a preparation step for using pluggable IPAM. _update_ips_for_port was refactored and split into two methods: - _get_changed_ips_for_port This method contains calculations common for pluggable and non-pluggable IPAM implementation, was moved to ipam_backend_mixin. - _update_ips_for_port This method is specific for non-pluggable IPAM implementation, so it was moved to ipam_non_pluggable_backend_common. Other changes: - _update_ips_for_port now returns namedtuple with added, removed, original ips (previously added and original ips were returned). List of removed ips is required by pluggable IPAM implementaion to apply rollback-on-failure logic; - removed unused port_id argument from _update_ips_for_port argument list; Partially-Implements: blueprint neutron-ipam Change-Id: Id50b6227c8c2d94c35473aece080a6f106a5dfd8 commit a8619e9bd1247e8ec494c456aee9ee7163231f62 Author: Cyril Roelandt Date: Mon Jun 15 15:07:28 2015 +0000 Python 3: use dict.values instead of dict.itervalues This works with both Python 2 and 3, and should not have any performance impact. Change-Id: I2a14945c60de513b91c6f022ff5dcc503ce2a8ad Blueprint: neutron-python3 commit 62faedddf2b0315484a04bd9092e96a3a828e46a Author: Ihar Hrachyshka Date: Mon Jun 15 16:15:11 2015 +0200 Put output of docs job into doc/build/html This is the path where jenkins/scripts/run-docs.sh that is used by gate to generate project documentation expects to see the output. Change-Id: Id276fa59edb33f7789ab06055300b4dc2385472a commit ad1c7a35dec614a26de0a426950fa005df5f489d Author: Sean M. Collins Date: Wed Jun 10 10:23:44 2015 -0400 Remove get_namespace from API extensions Based on the conversation on the ML. http://lists.openstack.org/pipermail/openstack-dev/2015-June/066219.html APIImpact DocImpact Closes-Bug: #1464023 Depends-On: 6f900fc429bf24cb31e0d2f149aa732055fd5956 Change-Id: I3c406910991c33cf959c5345d76153eabe3ace2d commit b370c69b75fe38cd285512f9516ce428e8a806dd Author: Cedric Brandily Date: Tue Jun 9 16:00:58 2015 +0000 Ensure no "db" related functional/fullstack tests are skipped in the gate Currently neutron uses MySQLTestCase[1] and PostgreSQLOpportunisticTestCase[2] for functional and fullstack tests using a real MySQL/PostgreSQL database. These classes skip tests when the db is unavailable (db not installed/configured, missing packages, etc.) which is fine when tests are runned by developers but not when runned by the gate jobs. This change updates MySQLTestCase[1] and defines PostgreSQLTestCase[1] as PostgreSQL oslo.db test class wrapper: when the db is unavailable, these classes ensure tests will: * fail in the gate (dsvm-functional, dsvm-fullstack jobs), * be skipped by default otherwise (functional, fullstack jobs). [1] neutron.tests.common.base [2] oslo_db.sqlalchemy.test_base Closes-Bug: #1404093 Change-Id: I77b12e728ce9a7b0222c3df081842635f6375a3e commit 278a5fce29504c43d669feed210f7b3627616e22 Author: Cedric Brandily Date: Wed Jun 10 22:35:11 2015 +0200 Use PyMySQL in MySQL related functional/fullstack tests mysql-python driver has been replaced by PyMySQL driver[1] in neutron code but MySQL related functional/fullstack tests try to use mysql-python driver because of MySQLOpportunisticTestCase[2] and tests are skipped because mysql-python driver is no more available. This change provides a backend implementation for mysql+pymysql, a base base testcase MySQLTestCase[2] using mysql+pymysql implementation (currently oslo.db provides none of them but will in the future) and replaces MySQLOpportunisticTestCase with MySQLTestCase. [1] I73e0fdb6eca70e7d029a40a2f6f17a7c0797a21d [2] neutron.tests.common.base Closes-Bug: #1463980 Change-Id: Ic5c1d12ab75443e1cc290a7447eeb4b452b4a9dd commit 1318437a0caf38e695a819848832a955fef7d909 Author: Eugene Nikanorov Date: Fri Jun 5 01:46:22 2015 +0400 Skip rescheduling networks if no DHCP agents available This eliminates the problem of unscheduled networks in case of communication failure between agents and servers which can occur if messaging queue service fails. Change-Id: Ied4fa301fc3d475bee25c47f3a01c2381ae9a01e Closes-Bug: #1461714 commit bb846c89ee120662eabdd4b0136fac82de076777 Author: Russell Bryant Date: Fri Jun 12 21:26:37 2015 -0400 Reflect project moves from stackforge to openstack. Several git repos were just moved from stackforge to openstack. Reflect the move in various places where the URL was in docs and comments. In passing, also change URLs to git.openstack.org instead of github, as that is the official home of all of these repos. Change-Id: I6c79a192d6604cef01e88d5b305fcc2b0f9c6b30 Co-Authored-By: Kyle Mestery Signed-off-by: Russell Bryant Signed-off-by: Kyle Mestery commit 1710f7c72f2c509d1009ee36ba4f66b298967fe9 Author: Kobi Samoray Date: Thu Jun 4 15:49:13 2015 +0300 VMWare NSXv: Add distributed URL locking to ini NSXv plugin supports distributed locking using tooz library. This patch adds the required parameter to the ini file. DocImpact Depends-On: Icbcec938c1c5ae7a528350f2f283388b81fa66b7 Change-Id: I8a7c36d044c4be29b0dfa3fbb8e9379723cebd61 commit 9952abaab182f3ec701aad2397d6f3fcc0bacc7f Author: Pavel Bondar Date: Mon Jun 8 14:15:30 2015 +0300 Decompose db_base_plugin_v2.py with changes This commit is a preparation step for using pluggable IPAM. 1. Moved get_subnets functionality to db_base_plugin_common to make it accessible by ipam backends. 2. Reworked update_subnet routine: - moved db part into update_db_subnet; Partially-Implements: blueprint neutron-ipam Change-Id: Idb8f54d9fccaad1137222d156590c37d86aa576b commit a5bf502fab57453a1aedd3a53ce89eaf464e1cd9 Author: Cedric Brandily Date: Fri Jun 12 21:11:02 2015 +0200 Remove duplicate tunnel id check in sync_allocations Currently, gre/vxlan sync_allocations and _parse_tunnel_ranges both check tunnel id values. This change removes the check in gre/vxlan sync_allocations as they duplicate _parse_tunnel_ranges check and is less fine. Change-Id: I5827468aeaec5d6c79d469132b129aeb7da171e2 commit 901e6ae6fb05d65ccfc4a6602de4160c3a34031e Author: Akihiro Motoki Date: Sat Jun 13 02:14:17 2015 +0900 Remove meaningless no_delete from L3 test no_delete parameter was removed in Kilo and it no longer has any effect. Change-Id: Idf0f3ac24b3978392222efbf465cc9e6cfd5d346 commit ba2c44ef000221f8a18274a9569838d8c26014c0 Author: armando-migliaccio Date: Fri Jun 12 08:58:05 2015 -0700 Revert "Revert "Set default of api_workers to number of CPUs"" This reverts commit 12a564cf03e612dda36df26df8d28dfc75f1af6e. We should re-enable this feature on a controlled basis so that we can flush out any outstanding issue we may have. Related-bug: #1432189 Change-Id: I2cfd93fdb032b461022b729347390ff8636ccdeb commit 89a83bf199e7ea75c04f3205ff77987feed13184 Author: rossella Date: Thu Jun 11 10:43:36 2015 +0200 OVSNeutronAgent pass the config as parameter Instead of using the global cfg.CONF, pass the config as parameter. This is very useful to test the agent without having to override the global config. Change-Id: I45534d79e044da9f2be4d596a58310fb28b7bf22 commit 7e0222409dab6223579efea34ba0d3ccf93e11d3 Author: Pavel Bondar Date: Thu Jun 11 17:23:41 2015 +0300 Refactor _update_subnet_allocation_pools Moved _update_subnet_allocation_pools to ipam_backend_mixin.py. Call _rebuild_availability_ranges with self to make it overridable on upper level (from non-pluggable backend). Partially-Implements: blueprint neutron-ipam Change-Id: If7b1e720f88a2f0177b6772a015ae216f19ee22d commit 5ff082bcfe12647036e5b033bfc2bac514acdb42 Author: Dane LeBlanc Date: Tue Feb 24 15:47:01 2015 -0500 Stop sending gratuitous arp when ip version is 6 This fix prevents calls to the arping utility for IPv6 addresses, thereby eliminating errors reported by arping for IPv6 addresses. The assumption is that NDP, DAD, and RAs are sufficient for address resolution and duplicate address detection for IPv6, and that unsolicited Neighbor Advertisements (NAs) are not required for OpenStack services. If this turns out not to be the case for some service/feature, then a separate bug should be filed to add support for unsolicited NAs for that service. Change-Id: I14f869b7d488d7e691f7316eafcab3064e12cda6 Closes-Bug: 1357068 commit 1552f311532fdbd03a79ecfc1fae488b072c5a14 Author: Ann Kamyshnikova Date: Tue Jun 9 11:30:06 2015 +0300 Fix Enum usage in 589f9237ca0e_cisco_n1kv_ml2_driver_tables PostgreSQL is more sensitive with types than MySQL, it creates a separate type when a Enum is created. In migration 589f9237ca0e type profile_type is trying to be created, but the type with such name was already created in havana_initial migration. The solution for this is not to create type in 589f9237ca0e migration when dialect is PostgreSQL and use already created. Closes-bug: #1463301 Change-Id: I66e74d50cc70673de8635616076779cc20cde113 commit cd56a657a19a5a756d191c614becfd3e386b3c80 Author: OpenStack Proposal Bot Date: Thu Jun 11 06:03:07 2015 +0000 Imported Translations from Transifex For more information about this automatic import see: https://wiki.openstack.org/wiki/Translations/Infrastructure Change-Id: If91f3ac94562cc5130dd5ea5ac5d71aec64b74e3 commit 7b51521e31f896d0095510b52644b728aaadca5a Author: Kevin Benton Date: Wed Jun 10 21:45:41 2015 -0700 power grab The current core reviewers hierarchy didn't have a place for the parts of ML2 that weren't related to agent communication. For now we can put all of ML2 under the built-in control-plane until we decide it needs to be put somewhere else. Change-Id: Ic4924e0041c4cbb955d8fac0f96ec56406d6466e commit 1c29fab7cb3e586be72dd7910e2022b45c809c5f Author: Brian Haley Date: Thu Jun 4 23:54:31 2015 -0400 Change ensure_dir to not check directory exists first I224be69168ede8a496a5f7d59b04b722f4de7192 added an EEXIST check, so no need to check if the directory is already there, just try and create it. Change-Id: Iba51fc8263bf59326489319d0dd3f69af00a8eeb commit 7c331be77fb6a835f1fb79c674d8d6c39c7eb357 Author: armando-migliaccio Date: Wed Jun 10 16:53:25 2015 -0700 Document existence of br-tun and br-int in the OVS agent Question about the use of the two bridges has come up in the past multiple times, so let's fill the gap in the developer documentation. A user-facing documentation patch will have to follow up, if we want to be very thorough. Change-Id: I6dac0f9bdaf7b3b7bff8745d4103ccc71df61a0a commit 9c8a19ba4032f98ecbffe53c4e731587550ded96 Author: Cedric Brandily Date: Wed Jun 10 22:08:45 2015 +0200 Correct indentation in neutron.api.v2.attributes This change corrects subnetpool resource definition indentation in neutron.api.v2.attributes. Change-Id: I6738ff6b73bd0b943cec32f14ccb8946ba28d2e3 commit fd85b3ead32cd988e93f1d33d219ffd52cd77a51 Author: Cyril Roelandt Date: Wed Jun 10 10:20:58 2015 +0000 Python3: replace 'unicode' with 'six.text_type' In Python 3, 'unicode' does not exist; 'six.text_type' should be used instead. Change-Id: I71011b4beee9817a61278eb473804cfb798de74a Blueprint: neutron-python3 commit c34ce7c9845cc56f981e0ee8714d1f9345df5852 Author: Saksham Varma Date: Tue Apr 7 18:12:02 2015 -0700 Moving out the cisco n1kv section to stackforge Since most of the n1kv plugin code resides in stackforge/networking-cisco repo, it's best to move the n1kv section there Change-Id: Ic1388980dea0d27dfa5e84869f1f20cc9bff78e5 Closes-Bug: #1441400 commit 27df3e9fb98407e94bdeb9df493a9a3a0be639ca Author: Cedric Brandily Date: Mon Jun 1 22:29:39 2015 +0200 Ensure no "agent" functional tests are skipped in the gate Some "agent" functional tests[1] can be skipped if some requirements are not satisfied in order to allow developers to run functional tests on various environments. These tests should not be skipped in the gate. This change defines the decorator no_skip_on_missing_deps[2] to ensure no "agent" functional tests are skipped in the gate. More precisely no_skip_on_missing_deps transforms a skipTest into an error in: * dsvm-functional and dsvm-fullstack jobs, * functional and fullstack jobs when OS_FAIL_ON_MISSING_DEPS is evaluated as True. The change enlarges OS_FAIL_ON_MISSING_DEPS environment variable scope (ie: missing dependencies + system requirements). [1] in neutron.tests.functional [2] in neutron.tests.common.base Change-Id: Iacd4a5ef249fc1d7c75135ead9d0cf99d8a98a06 Closes-Bug: #1459844 commit ca63dfd0f39c7d691247c146b7529937c5804c9e Author: Romil Gupta Date: Wed Jun 10 09:43:56 2015 -0700 Remove useless pass from methods in type_tunnel.py The pass is useless because there is a docstring in the methods. Generally considered as uncovered by coverage tool. Change-Id: Id1275c51e9adb865a3da9f0db007f3092b55b140 commit 87fecfcc50f371d8dd593b3cd372da9db56f39c6 Author: Sean M. Collins Date: Wed Jun 10 10:29:33 2015 -0400 Make Vlantransparent extension inherit from ExtensionDescriptor Change-Id: Ic615578a1fe1d401b53d0b44ff5275d9518b97fd commit eeacb95e65a749ce3a032246c36d10cad9df22b1 Author: Ihar Hrachyshka Date: Wed Jun 10 13:10:54 2015 +0200 Actually allow to pass TRACE_FAILONLY to ostestr The comment below suggests to use TRACE_FAILONLY to fail quickly when running unit tests, while tox 2.0 does not allow to pass envvars from the cli caller unless they are explicitly mentioned in passenv= directive. Change-Id: I6861498e7609b0c21fad844009420ea9734e2352 commit 1c124a309bc941c078b8bb622ea248a3ed3829e1 Author: Ihar Hrachyshka Date: Tue Jun 9 11:28:10 2015 +0200 Switch to os-testr to control testr It's a nice wrapper spinned out recently from tempest-lib that should cover all our needs that we currently fulfill with pretty_tox.sh. Change-Id: I2268ed45ab628fe5dcab657d6287594847ab587c commit da42745c466c14e6dbe58cdbc830ae5d1c8bb114 Author: Jakub Libosvar Date: Tue Jun 9 16:08:50 2015 +0000 Introduce functions using arping executable The arpinger is gonna be used in the next changeset introducing connection testers. Change-Id: I90ae32c2f52f1debfb11ae2a08b2828ee2be04cc commit 328b72cf8c5f514434de0b73c9137bde52b5eeea Author: Kevin Benton Date: Wed Jun 10 07:04:25 2015 +0000 Revert "Defer segment lookup in NetworkContext object" This reverts commit e61865807c4c8ff959a7746fe3e17f1ae574c9d0. This patch likely violated the idea of a NetworkContext being a snapshot of the network at the time it was created. This needs a different approach. Change-Id: I20b132a0181d35b0517330fb7fbf293c3e979d0e commit e33d92c894df4664d01d040ba4305c7cb4ef6e27 Author: Fawad Khaliq Date: Tue Jun 9 22:18:18 2015 -0700 Added networking-plumgrid in plugin requirements Closes-Bug: 1463665 Change-Id: I7152dedd83659ee51274be31ef305af9e82d695a commit f08e9f1f53efa97e07f21ca72a940fcbeb4570e5 Author: Jeremy Stanley Date: Wed May 20 01:03:59 2015 +0000 Switch from MySQL-python to PyMySQL As discussed in the Liberty Design Summit "Moving apps to Python 3" cross-project workshop, the way forward in the near future is to switch to the pure-python PyMySQL library as a default. https://etherpad.openstack.org/p/liberty-cross-project-python3 Change-Id: I73e0fdb6eca70e7d029a40a2f6f17a7c0797a21d commit 6886655b491aede40aa9f4a0bd4c6d402d5a7a78 Author: Salvatore Orlando Date: Tue Apr 28 04:59:35 2015 -0700 Context: Remove logic for read_deleted and deprecate it The read_deleted parameter in the Context object is simply unused. This patch removes associated logic, and for what is worth, adds deprecation warnings against explicit usage of read_deleted when creating a context instance, generate an admin context, and elevating a context instance. Change-Id: Ic69d22dc229ebe8fac1f6be0c4860d19732505b1 Closes-Bug: #1449462 commit 303f37f4e0c84f90e40b95731a828fc6ce8a0bbf Author: Cyril Roelandt Date: Mon Jun 8 16:09:49 2015 +0000 Python 3: use next() instead of iterator.next() The latter only works in Python 2. Also define a __next__ method in the classes that define a next method. Change-Id: Iaa1a1e500facab50d8bcdffda39ccad3f2e4e9bb Blueprint: neutron-python3 commit 9143ce10e422bd17c4817dfe08163879e0e5a4ca Author: Ihar Hrachyshka Date: Thu Apr 23 12:12:52 2015 +0200 Consume oslo.policy Some non intrusive changes to tests are needed, so that we don't rely on library symbols that are now private (f.e. parse_rule). Closes-Bug: #1458945 Change-Id: I90326479e908042fec9ecb25fa19a8dd5b15e7d8 commit 66fece4f84e62f14fb59a721b37986784976d0c4 Author: Ihar Hrachyshka Date: Thu Apr 23 14:03:52 2015 +0200 policy: cleanup deprecation code to handle old extension:xxx rules It served and warned users for enough time (since Icehouse) to be sure everyone was notified about the need to update their policy file. Change-Id: I240b935741e49fbf65c0b95715af04af4b2a73e7 commit 53ec63c430d123cd1ed4acd3b94537e9cb380bcd Author: Romil Gupta Date: Thu Jun 4 04:21:14 2015 -0700 Fix a regression in "Separate ovs-ofctl using code as a driver" change The tunnels are not getting established between Network Node and Compute Nodes in non DVR mode with l2pop enabled and throws the AttributeError: add_tunnel_port. This fixes a regression in change Ie1224f8a1c17268cd7d1c474ed82fdfb8852eaa8. Co-Authored-By: YAMAMOTO Takashi Closes-Bug: #1461486 Change-Id: I1106fd3dd32f6f827eb25dec4815ff1120af96f0 commit 753196480d9cca10c5b91dfa8221e89f658fa110 Author: Jakub Libosvar Date: Wed May 27 13:54:06 2015 +0000 Break Pinger class to functions As the class served only for storing parameters that can be passed as actual function parameters, there is no reason for class. Change-Id: I553b4d6daeb78d495cda09894582a3d885b5d1b5 commit 6d0d72973152bb45587437c80d4ffe0fe7bba761 Author: Elena Ezhova Date: Tue Apr 7 14:58:13 2015 +0300 Handle SIGHUP: neutron-server (multiprocess) and metadata agent All launchers implemented in common.service require each service to implement reset method because it is called in case a process receives a SIGHUP. This change adds the reset method to neutron.service.RpcWorker and neutron.wsgi.WorkerService which are used to wrap rpc and api workers correspondingly. Now neutron-server running in multiprocess mode (api_workers > 0 and rpc_workers > 0) and metadata agent don't die on receiving SIGHUP and support reloading policy_path and logging options in config. Note that reset is called only in case a service is running in daemon mode. Other changes made in the scope of this patch that need to be mentioned: * Don't empty self._servers list in RpcWorker's stop method When a service is restarted all services are gracefully shutdowned, resetted and started again (see openstack.common.service code). As graceful shutdown implies calling service.stop() and then service.wait() we don't want to clean self._servers list because it would be impossible to wait for them to stop processing requests and cleaning up their resources. Otherwise, this would lead to problems with rpc after starting the rpc server again. * Create a duplicate socket each time WorkerService starts When api worker is stopped it kills the eventlet wsgi server which internally closes the wsgi server socket object. This server socket object becomes not usable which leads to "Bad file descriptor" errors on service restart. Added functional and unit tests. DocImpact Partial-Bug: #1276694 Change-Id: I75b00946b7cae891c6eb192e853118e7d49e4a24 commit ea35b299f06050608f3e7bb6fbc880006ed31024 Author: Kevin Benton Date: Wed Jun 3 18:25:14 2015 -0700 Allow update_port_status to take network param Allow the update_port_status function to take a network as an optional parameter to skip calling get_network again if the caller has already done so. Closes-Bug: #1463656 Change-Id: I994f3abdb1b0ad3b2766f409b206ad4a8b2309b6 commit d0be7bc57f573d5696108b571c731decfbde9f0b Author: Ihar Hrachyshka Date: Tue Jun 9 12:46:54 2015 +0200 Make pep8 job succeed when /etc/neutron/neutron.conf is not installed Currently, if /etc/neutron/neutron.conf is not installed in the system, neutron-db-manage fails in oslo.config code when trying to determine the default configuration file to use. Test job should not rely on any contents inside /etc/. Instead, pass --config-file with test-only configuration explicitly into the utility. neutron.conf.test was renamed into neutron.conf since for some reason oslo.config does not support a name that does not have .conf at its filename end. Change-Id: I719829fc83a7b20a49c338aaf1dbef916dcc768c commit 826428dc8aeef124c2251624ae34fdc003e69ca4 Author: YAMAMOTO Takashi Date: Tue Jun 9 19:00:40 2015 +0900 Add a comment on _check_update_has_security_groups Despite of its name, _check_update_has_security_groups can handle create requests as well. There are plugins actually using it for create. eg. ml2, vmware Change-Id: I3c26ad0ac00b12ce24096bfc27606797af2d9098 commit 6b13cc5275df53c765c450d570521c425c3345d9 Author: Ihar Hrachyshka Date: Tue Jun 9 10:57:29 2015 +0200 Enable all deprecation warnings for test runs We would like to catch all deprecation warnings during test runs to be notified in advance about potential problems with next library releases we depend on. Change-Id: I876d8c4de88618b01898ab537a44920789d8178e commit 734e77365b0f241a3cea0f3c9dfb1d5fcf6eac8c Author: Salvatore Orlando Date: Fri Apr 17 15:00:20 2015 -0700 Remove get_admin_roles and associated logic get_admin_roles was introduced so that contextes generated from within plugins could be used for policy checks. This was the case up to the Havana release as several plugins invoked the policy engine directly to authorize requests. This was an incorrect behaviour and has now been fixed, meaning that get_admin_roles is no longer need and can be safely removed. This will result in a leaner and more reliable codebase. Indeed the function being removed here was the cause of several bugs where the policy engine was initialized too early in the server bootstrap process. While this patch removes the feature it does not remove the load_admin_roles parameter from context.get_admin_context. Doing so will break other projects such as neutron-lbaas. The parameter is deprecated by this patch and an appropriate warning emitted. As a consequence neutron's will now no longer perform policy checks when context.is_admin=True. This flag is instead set either when a context is explicitly created for granting admin privileges, or when Neutron is operating in noauth mode. In the latter case every request is treated by neutron as an admin request, and get_admin_roles is simply ensuring the appropriate roles get pushed into the context so that the policy engine will grant admin rights to the request. This behaviour is probably just a waste of resource; also it is not adding anything from a security perspective. On the other hand not performing checks when context.is_admin is True should not pose a security threat either in noauth mode or with the keystone middleware. In the former case the software keeps operating assuming admin rights for every requests, whereas in the latter case the keystone middleware will always supply a context with the appropriate roles, and there is no way for an attacker to trick keystonemiddleware into generating a context for which is_admin=True. Finally, this patch also does some non-trivial changes in test_l3.py as some tests were mocking context.to_dict ignoring the is_admin flag. Closes-Bug: #1446021 Change-Id: I8a5c02712a0b43f3e36a4f14620ebbd73fbfb03f commit 89c0875178f22651109a85d3c522d80324368caf Author: Gal Sagie Date: Mon Jun 8 14:27:47 2015 +0300 Add documentations for VXLAN Tunnels The VXLAN type driver is currently supported, this patch add description and links for more information to the user. Change-Id: Idb221ca4cce1a3a27bebe5ae6fc1e6ab5d030836 commit e61865807c4c8ff959a7746fe3e17f1ae574c9d0 Author: Kevin Benton Date: Wed Jun 3 19:03:29 2015 -0700 Defer segment lookup in NetworkContext object Avoid call to get network segments for network context objects until a caller actually tries to lookup the segments. This optimizes cases where the user of a port context never looks at the segments of the associated network context (e.g. update_port_status). Closes-Bug: #1463254 Change-Id: I7e95f81d9a3ef26ccdb18c6bfdf9adc29523aa79 commit d0bbfc090bb25f1e05b98f0ad70c18209b87ed6b Author: Zhenguo Niu Date: Tue Jun 9 08:28:45 2015 +0800 Fix typos in docs Change-Id: I71aeb8f1e5fc5f3e330e593a463858dd65e6093b commit b322ebae09cc59ed0a860ea6e39ed9b6fa6c5c12 Author: yuyangbj Date: Wed May 13 14:07:36 2015 +0800 Fixes bulk insertion of data to ml2_port_binding We should use schema definition to insert bulk of data to table. Closes-Bug: #1454566 Change-Id: I66b3ee8c2f9fa6f04b9e89dc49d1a3d277d63191 commit 3a5a8a62c372f3a516caa59fd655dcf923a82519 Author: Kyle Mestery Date: Mon Jun 8 15:27:23 2015 +0000 Add Neutron PTL Office Hours To ensure a weekly oppurtunity to sync between the PTL and the Lieutenants, officially setup Neutron PTL Office Hours. Depends-On: Ia5c8090e90939097104cb95c0aa3b883f7b4dd9b Change-Id: Iab3c21764937ebb3a1d0553b3a3d42b5c44bf3cc Signed-off-by: Kyle Mestery commit 00899b56213753d523842f29d50353a067df6064 Author: Cyril Roelandt Date: Mon Jun 8 14:42:18 2015 +0000 Python3: Enable all working tests in tox.ini Thanks to the recent Python3-related changes, these tests can now be run on Python 3. Change-Id: I7f689e221e59128012d46da2c90e61d5206fe828 Blueprint: neutron-python3 commit 725543684cbe0df0edc4b6924f85e63e1628fa92 Author: rossella Date: Thu Mar 5 09:24:10 2015 +0000 Add get_events to OVSDB monitor OVSDB monitor can generate the events that the OVS agent needs to process (device added or updated). Instead of notifying only that a change occurred and that polling is needed, pass the events to the agent Change-Id: I3d17bf995ad4508c4c6d089de550148da1465fa1 Partially-Implements: blueprint restructure-l2-agent commit b239f75644bfdfec86f8a8efdabd6b11b766e822 Author: shihanzhang Date: Tue May 26 16:42:44 2015 +0800 Update ipset members when corresponding sg member is empty if a security group has a rule with 'remote-group-id', the ports in this security group should update its relevant ipset member when the remote-group members is empty. Change-Id: I980ebfd8f6537f803d9d5cbf21ca33f727fea3b3 Closes-bug: #1458786 commit 127de06c7e09e1468f2855a3033fb6193a6b9365 Author: Cedric Brandily Date: Wed May 6 22:40:39 2015 +0200 Clean only floating-ip related connection states Currently init_l3 deletes connection states related to ALL ips deleted in init_l3 but it's required only when floating-ips are deleted[1]. This change deletes only connection states related to floating-ips deleted in init_l3 ... it avoids to delete connection states in dhcp agents and on router internal ports! [1] look at change Ia9bd7ae243a0859dcb97e2fa939f7d16f9c2456c Closes-Bug: #1452434 Related-Bug: #1334926 Change-Id: Icfcfc585df6fd41de1e1345fd731e4631a6950ce commit 713ba0e8d7ce59eaff41518360530b2e7831c322 Author: Carl Baldwin Date: Thu Jun 4 22:25:44 2015 +0000 Refactor awkward logic in setup_dhcp_port I noticed this logic as I was reviewing another patch set [1]. I didn't like removing subnet ids from dhcp_enabled_subnet_ids and I wasn't too keen on the ips_need_removal semantics that were kind of forced by the existing structure of the code. I hope you find this alternative much clearer. I like straight-forward code with less indentation that doesn't use awkward booleans like ips_needs_removal. [1] https://review.openstack.org/#/c/157697/6 Change-Id: I8bd3d6924a855ea08f8096e66bd3bfbb165a4da3 commit 45b28ddfe8ac23871e65feb4132d5f048c783222 Author: Vincent Legoll Date: Fri Jun 5 13:05:48 2015 +0200 Fix typo in test class name Make "Redering" -> "Rendering" Change-Id: Ieedb446fa1e06705eb70293d83350d4dfd57d2db Signed-off-by: Vincent Legoll commit 359b7c971a88f6dff64e8e4d558210a880f3ee0f Author: Ian Wienand Date: Thu May 7 14:59:38 2015 +1000 Ensure netfilter is enabled for bridges Since security-groups use iptables rules on Linux bridges, we need to ensure that netfilter is enabled for bridges. Unfortunately, there seems to be a long history of distributions having differing defaults for this, best described in [1]. It seems at the moment everyone has to discover this for themselves; packstack found it in Ia8c86dcb31810a8d6b133a161388604fde9bead4, then fuel found the same thing in I8582c24706c3a7253e00569eef275f116d765bca and then finally someone else hit it and put it into documentation with I4ed3cec03a1b3a7d56dfe18394154ec1b2db6791. I just spent a long time figuring it out too when deploying with devstack. Rather than having yet another fix in devstack, I don't see why neutron shouldn't be ensuring the setting is correct when it starts up -- without these settings enabled, security-groups are silently broken. This does that, and modifies test-cases to check we make the calls. [1] http://wiki.libvirt.org/page/Net.bridge-nf-call_and_sysctl.conf Change-Id: If2d316eb8c422dc1e4f34b17a50b93dd72993a99 commit 3682e3391f188845d0c7f382f0ccd4b38db3904e Author: Cedric Brandily Date: Mon May 4 23:36:19 2015 +0200 Ensure non-overlapping cidrs in subnetpools without galera _get_allocated_cidrs[1] locks only allocated subnets in a subnetpool (with mysql/postgresql at least). It ensures we don't allocate a cidr overlapping with existent cidrs but nothing disallows a concurrent subnet allocation to create a subnet in the same subnetpool. This change replaces the lock on subnetpool subnets by a lock on the subnetpool itself. It disallows to allocate concurrently 2 subnets in the same subnetpool and ensure non-overlapping cidrs in the same subnetpool. Moreover this change solves a trouble with postgresql which disallows to lock an empty select with an outer join: it happens on first subnet allocation in a subnetpool when no specific cidr is provided. Moving the lock ensures the lock is done on a non-empty select. But this change does not ensure non-overlapping cidrs in subnetpools with galera because galera doesn't support SELECT FOR UPDATE locks. A follow-up change will (try to?) remove locks from subnet allocation[1] in order to ensure non-overlapping cidrs in subnetpools also with galera. [1] in neutron.ipam.subnet_alloc.SubnetAllocator Closes-Bug: #1451558 Partial-Bug: #1451576 Change-Id: I73854f9863f44621ae0d89c5dc4893ccc16d07e4 commit 3d2543d710c7071ffeb5c9857ac30a4d95695a7b Author: dql Date: Mon Mar 9 12:52:11 2015 +0800 fix DHCP port changed when dhcp-agent restart When DHCP server is started, the periodic task is running before loading cache state.The method port_update_end need to use the cache information, but the cache information has not been loaded. Change-Id: I0d1da11bb559b7f0f9d4428b82573fb26916a933 Closes-Bug: #1420042 commit 6d15bf48ee27ceab64e88f81ba6433058313759a Author: Cedric Brandily Date: Sat May 9 00:52:29 2015 +0200 Remove from BridgeDevice homemade execute in namespace Currently BridgeDevice[1] defines homemade execute with namespace support but could use IPWrapper. This change replaces homemade implementation with IPWrapper use to respect DRY principle. [1] neutron.agent.linux.bridge_lib Change-Id: I12d4d40432e57ce8b6960276c41321c1efd98705 commit 7260e0e3fc2ea479e80e0962624aca7fd38a1f60 Author: Henry Gessau Date: Mon Apr 27 09:59:21 2015 -0400 Run radvd as root During the refactoring of external process management radvd lost its root privileges. Closes-bug: 1448813 Change-Id: I84883fe81684afafac9b024282a03f447c8f825a (cherry picked from commit a5e54338770fc074e01fa88dbf909ee1af1b66b2) commit 4e71c48bbfd5e8b8c59f0c45ade52ba8eddc8b63 Author: rossella Date: Thu Jan 15 16:15:23 2015 +0100 Add devices to update in RPC call security_groups_provider_updated When a security_groups_provider_updated is received then a global refresh of the firewall is performed. This can be avoided if the plugins pass as parameter of the call the devices that belongs to the network updated. Partially-Implements: blueprint restructure-l2-agent Change-Id: I1e78f3a5ec7e5c5bcba338a0097566422411ef7e commit d37e566dcadf8a540eb5f84b668847fa192393a1 Author: Kevin Benton Date: Fri Apr 24 00:35:31 2015 -0700 Don't resync on DHCP agent setup failure There are various cases where the DHCP agent will try to create a DHCP port for a network and there will be a failure. This has primarily been caused by a lack of available IP addresses in the allocation pool. Trying to fix all availability corner cases on the server side will be very difficult due to race conditions between multiple ports being created, the dhcp_agents_per_network parameter, etc. This patch just stops the resync attempt on the agent side if a failure is caused by an IP address generation problem. Future updates to the subnet will cause another attempt so if the tenant does fix the issue they will get DHCP service. Change-Id: I0896730126d6dca13fe9284b4d812cfb081b6218 Closes-Bug: #1447883 (cherry picked from commit db9ac7e0110a0c2ef1b65213317ee8b7f1053ddc) commit 38211ae67cb76ade85b08c028b6e88bfc867afc9 Author: Ihar Hrachyshka Date: Mon Apr 20 17:06:38 2015 +0200 tests: confirm that _output_hosts_file does not log too often I3ad7864eeb2f959549ed356a1e34fa18804395cc didn't include any regression unit tests to validate that the method won't ever log too often again, reintroducing performance drop in later patches. It didn't play well with stable backports of the fix, where context was lost when doing the backport, that left the bug unfixed in stable/juno even though the patch was merged there [1]. The patch adds an explicit note in the code that suggests not to add new log messages inside the loop to avoid regression, and a unit test was added to capture it. Once the test is merged in master, it will be proposed for stable/juno inclusion, with additional changes that would fix the regression again. Related-Bug: #1414218 Change-Id: I5d43021932d6a994638c348eda277dd8337cf041 (cherry picked from commit 3b74095a935f6d2027e6bf04cc4aa21f8a1b46f2) commit 53b3e751f3c7b32bed48c14742d3dd3a1178d00d Author: Maru Newby Date: Thu Apr 9 17:00:57 2015 +0000 Double functional testing timeout to 180s The increase in ovs testing is resulting in job failure due to timeouts in test_killed_monitor_respawns. Giving the test more time to complete should reduce the failure rate. Change-Id: I2ba9b1eb388bfbbebbd6b0f3edb6d5a5ae0bfead Closes-Bug: #1442272 (cherry picked from commit 81098620c298394e1a98127ceeba7f297db2d906) commit 0536ec113bc438265ba547bb8a8006aa96e646e3 Author: watanabe.isao Date: Wed Apr 15 15:48:08 2015 +0900 Restrict subnet create/update to avoid DHCP resync As we know, IPs in subnet CIDR are used for 1) Broadcast port 2) Gateway port 3) DHCP port if enable_dhcp is True, or update to True 4) Others go into allocation_pools Above 1) to 3) are created by default, which means if CIDR doesn't have that much of IPs, subnet create/update will cause a DHCP resync. This fix is to add some restricts to the issue: A) When subnet create, if enable_dhcp is True, /31 and /32 cidrs are forbidden for IPv4 subnets while /127 and /128 cidrs are forbidden for IPv6 subnets. B) When subnet update, if enable_dhcp is changing to True and there are no more IPs in allocation_pools, the request should be denied. Change-Id: I2e4a4d5841b9ad908f02b7d0795cba07596c023d Co-authored-by: Andrew Boik Closes-Bug: #1443798 (cherry picked from commit 0c1f96ad5a6606c1205bd50ea944c3a383892cde) commit cbfb3e487d97998ec49d7faa751bc26202da7d0e Author: Kevin Benton Date: Mon Apr 20 22:26:22 2015 -0700 Only update MTU in update code for MTU The ML2 create_network_db was re-passing in the entire network with extensions like vlan_transparency present that was causing issues in the base update function it was calling. This corrects the behavior by having it only update the MTU, which is the only thing it was intending to update in the first place. Change-Id: I723c5c138e0830de98f6024c7635ec65065e9346 Closes-Bug: #1446784 (cherry picked from commit f85de393c469d1e649a1c1e5ee1b683246442351) commit 9bc812e92fb27b297ccfe960267dcab173aea6c9 Author: OpenStack Proposal Bot Date: Thu Apr 23 02:15:06 2015 +0000 Updated from global requirements Change-Id: I514c65fac38ef0e534e7401a5f3643b1906adea7 commit 407be289360ec6dabbbe14d9b18dae7c9fa2db79 Author: Kawaguchi Date: Tue Apr 21 13:27:52 2015 +0900 Fix typo acomplished => accomplished Change-Id: I73722e9984917a5a8c4e74207cf14d4040a7cf2f Related-Bug: #1390035 commit b339391bcb223c0f03d30f36dea47d13adb12c71 Author: mathieu-rohon Date: Sat Mar 7 13:30:49 2015 +0100 ML2: Change port status only when it's bound to the host Currently, nothing prevents the port status to be changed to BUILD state when get_device_details() is sent by a host that doesn't own the port. In some cases the port might stay in BUILD state. This could happen during a live-migration, or for multi-hosted ports such as HA ports. This commit allows the port status modification only if the port is bound to the host that is asking for it. Closes-Bug: #1439857 Closes-Bug: #1438040 Closes-Bug: #1416933 Change-Id: I9b3673f453abbafaaa4f78542fcfebe8dc93f2bb (cherry picked from commit 9b53b82ce7dad551ebc0f02ff667d5345fb7e139) commit f7ae3a04b541767c638fc4c8ff1e0db78ab94996 Author: Andreas Jaeger Date: Mon Apr 20 11:07:37 2015 +0200 Release Import of Translations from Transifex Manual import of Translations from Transifex. This change also removes all po files that are less than 66 per cent translated since such partially translated files will not help users. This updates also recreates all pot (translation source files) to reflect the state of the repository. This change needs to be done manually since the automatic import does not handle the proposed branches and we need to sync with latest translations. Change-Id: I1b7bd1773bcd12ab282e77ee0dc41c27846fb66b commit e2f6902315de76a1020aa87ea161c8fdc6697ed7 Author: Swaminathan Vasudevan Date: Tue Apr 14 21:34:33 2015 -0700 Fixes race condition and boosts the scheduling performance This patch fixes a race-condition that occurs when the scheduler tries to check for dvr serviceable ports before it schedules a router when a subnet is associated with a router. Sometimes the dhcp port creation is delayed and so the router is not scheduled to the l3-agent. Also it boosts the scheduling performance on dvr-snat node for scheduling a router. This patch will provide a work around to fix this race condition and to boost the scheduling performance by scheduling a router on a dvr-snat when dhcp is enabled on the provided subnet, instead of checking all the available ports on the subnet. Closes-Bug: #1442494 Change-Id: I089fefdd8535bdc9ed90b3230438ab0bfb6aab4f (cherry picked from commit c65d3ab6ad4589e6e4a6b488d2eb5d1e4cfee138) commit a6b2c22dcea73754dbfd0ef39c60ad28ab2dbb73 Author: Kevin Benton Date: Mon Mar 30 23:52:56 2015 -0700 Set IPset hash type to 'net' instead of 'ip' The previous hash type was 'ip' and this caused a major issue with the allowed address pairs extension since it results in CIDRs being passed to ipset. When the hash type is 'ip', a CIDR is completely enumerated into all of its addresses so 10.100.0.0/16 results in ~65k entries. This meant a single allowed_address_pairs entry could easily exhaust an entire set. This patch changes the hash type to 'net', which is designed to handle a CIDRs as a single entry. This patch also changes the names of the ipsets because creating an ipset with different parameters will cause an error and our ipset manager code isn't robust enough to handle that at this time. There is another ongoing patch to fix that but it won't be ready in time.[1] The related bug was closed by increasing the set limit, which did alleviate the problem. However, this change would also address the issue because the gate tests run an allowed address pairs extension test with the CIDR mentioned above. 1. I59e2e1c090cb95ee1bd14dbb53b6ff2c5e2713fd Related-Bug: #1439817 Closes-Bug: #1444397 Change-Id: I8177699b157cd3eac46e2f481f47b5d966c49b07 (cherry picked from commit a38b5df5cd3c47672705aad4c30e789ae11ec958) commit 8b8095e43a143426c501669167490d7867a55749 Author: Kevin Benton Date: Tue Mar 31 08:53:56 2015 -0700 Revert "Add ipset element and hashsize tunables" This reverts commit b5b919a7a3569ccb93c3d7d523c1edfaeddb7cb9. The current ipset manager code isn't robust enough to handle ipsets that already exist with different parameters. This reverts the ability to change the parameters so we don't break upgrades to Kilo. Conflicts: neutron/agent/linux/ipset_manager.py neutron/tests/unit/agent/linux/test_ipset_manager.py Change-Id: I538714df52424f0502cb75daea310517d1142c42 Closes-Bug: #1444201 (cherry picked from commit 03be14a569d240865dabff8b4c30385abf1dbe62) commit 2add4e5ad4d12c817737d04ddb973b3aeeb25af3 Author: Kevin Benton Date: Thu Apr 16 16:27:38 2015 -0700 Update .gitreview to point to stable/kilo This is the stable/kilo branch. When people make changes here it's highly likely that they want to propose them to stable/kilo on gerrit. Change-Id: Ie61a9f0c0b0b4896da33a201e42b1c4bc4bae49b commit ffc48f286e1756302d9259dc514dd562d3c251ba Author: Henry Gessau Date: Thu Apr 16 13:38:46 2015 -0400 Add Kilo release milestone Change-Id: Id7d969c92b7c757b766760681357ac13c8079ca3 commit 1dc98e414f200a78a6b1dc78f222c588646e6935 Author: Dane LeBlanc Date: Thu Apr 9 10:32:33 2015 -0400 IPv6 SLAAC subnet create should update ports on net If ports are first created on a network, and then an IPv6 SLAAC or DHCPv6-stateless subnet is created on that network, then the ports created prior to the subnet create are not getting automatically updated (associated) with addresses for the SLAAC/DHCPv6-stateless subnet, as required. Change-Id: I88d04a13ce5b8ed4c88eac734e589e8a90e986a0 Closes-Bug: 1427474 Closes-Bug: 1441382 Closes-Bug: 1440183 (cherry picked from commit bd1044ba0e9d7d0f4752c891ac340b115f0019c4) commit 55536a4ecb6c71e5451b8a9664d87e32146f071d Author: Ihar Hrachyshka Date: Fri Apr 10 15:07:33 2015 +0200 Removed ml2_conf_odl.ini config file The file is already packaged into decomposed networking-odl repo [1]. [1]: https://git.openstack.org/cgit/stackforge/networking-odl/tree/etc/neutron/plugins/ml2/ml2_conf_odl.ini Closes-Bug: #1442615 Change-Id: Ic280454190aab4e3b881cde15a882808b652861e (cherry picked from commit b3334eca0ae9f9c64ccd646035e69081f669e3e4) commit 40783cee5e520173a4cc37c23dd97be2d37b65fd Author: Angus Lees Date: Mon Mar 2 17:06:54 2015 +1100 Ensure tests run under python2.7 tox uses whatever python version that tox ran with as the default python version for environments (py27,py3x, etc are given a more specific default). Debian's python-tox (for example) uses python3, but we require python2.7 - and a naive `apt-get install python-tox; tox -epep8` fails with py3-related errors on Debian. This change explicitly sets `basepython = python2.7` in several testing environments that would otherwise have used the default basepython. Change-Id: I377ac6d72dec5b85c105d8a1a74f6974efb84dcf ** Tags added: in-feature-qos ** Bug watch added: Python Roundup #21239 http://bugs.python.org/issue21239 -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1334926 Title: floatingip still working once connected even after it is disociated Status in OpenStack Neutron (virtual network service): Fix Released Status in neutron icehouse series: Fix Released Status in OpenStack Security Notes: Fix Released Bug description: After we create an SSH connection to a VM via its floating ip, even though we have removed the floating ip association, we can still access the VM via that connection. Namely, SSH is not disconnected when the floating ip is not valid To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1334926/+subscriptions From 1334926 at bugs.launchpad.net Tue Jun 30 02:34:51 2015 From: 1334926 at bugs.launchpad.net (OpenStack Infra) Date: Tue, 30 Jun 2015 02:34:51 -0000 Subject: [Openstack-security] [Bug 1334926] Re: floatingip still working once connected even after it is disociated References: <20140627021809.32583.22324.malonedeb@soybean.canonical.com> Message-ID: <20150630023451.6997.38450.malone@gac.canonical.com> Reviewed: https://review.openstack.org/196920 Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7f759c077f8f860c13db92d2ea6b353ef6b70900 Submitter: Jenkins Branch: feature/pecan commit 8123144fadd7c5d5e6e56a76ea860512619a2cf6 Author: Moshe Levi Date: Sun Jun 28 14:37:14 2015 +0300 Fix Consolidate sriov agent and driver code This patch add mising __init to mech_sriov/mech_driver/ and update the setup.cfg to the new agent entrypoint Trivial Fix Change-Id: I53a527081feb78472f496675bbb3c5121d38a14a commit 8942fccf02e6e179d47582fdb2792a1ca972da21 Author: Assaf Muller Date: Mon Jun 29 11:38:51 2015 -0400 Remove failing SafeFixture tests The fixtures 1.3 release attempted to fix the fixtures resource leak issue, but failed to do so completely. Our own SafeFixture is still needed: The 1.3 release broke our SafeFixture tests, but not the usage of SafeFixture itself. This patch removes those failing tests for now to unbreak the gate. Jakub reported a bug on fixtures 1.3: https://bugs.launchpad.net/python-fixtures/+bug/1469759 We will continue to use SafeFixture until that bug is fixed in fixtures, at which point we will be able to require fixtures > 1.3. Change-Id: I59457c3bb198ff86d5ad55a1e623d008f0034b8f Closes-Bug: #1469734 commit 71dffb0a2c1720cd8233a329d32958a0160dd6f5 Author: Kevin Benton Date: Mon Jun 29 08:27:41 2015 +0000 Revert "Removed test_lib module" This reverts commit 9a6536de6e1a7fe9b2552adc142e254426b82b6f. We pulled all of the plugins out of the tree, many of which still inherit from neutron test classes. This change then stated that we no longer support testing other plugins. I think this is a bit premature and should have been discussed under the subject "Neutron plugins can't use neutron plugin unit tests" or something similar. Change-Id: I68318589f010b731574ea3bfa8df98492bab31fc commit b20fd81dbd497e058384a0af065dd0f1fdc4c728 Author: Jakub Libosvar Date: Fri Jun 5 14:32:51 2015 +0000 Refactor NetcatTester class Following capabilities were added: - used transport protocol is passed as a constant instead of bool - src port for testing was added - connection can be established explicitly - change constructor parameters of NetcatTester As a part of removing bool for protocol definition get_free_namespace_port() was also modified to match the behavior. Change-Id: Id2ec322e7f731c05a3754a65411c9a5d8b258126 commit 83e37980dcd0b2bad6d64dd2cb23bcd2891cafca Author: jingliuqing Date: Sat Jun 27 13:41:54 2015 +0800 Use REST rather than ReST Change-Id: I06c9deaab58c5ec13bfeec39fb8fd4b1fe21f42d commit 1b60df85ba3ad442c2e4e7e52538e1b9a1bf9378 Author: Kevin Benton Date: Thu Jun 25 18:34:38 2015 -0700 Add a double-mock guard to the base test case Use mock to patch mock with a check to prevent multiple active patches to the same target. Multiple patches to the same target result in non-deterministic behavior when stopall() tries to undo the patches.[1] 1. http://bugs.python.org/issue21239 Change-Id: I3dd3d561a0267d80f464c15d69a4258b0a5e8aba Closes-Bug: #1468998 commit 78700ba70620f7b53b5ae71332cca853f5afa467 Author: Kevin Benton Date: Thu Jun 25 22:08:41 2015 -0700 Remove duplicated mock patch of ip_lib The functional tests for agents were patching ip_lib in the function to configure an agent, so any tests that relied on multiple agents would patch ip_lib multiple times. Partial-Bug: #1468998 Change-Id: Ibccf586dea870ec222369c0876f17f8eaf9a1aca commit f242b171e910da460b8d98182dc10c5840c2c7d0 Author: Kyle Mestery Date: Thu Jun 25 20:36:47 2015 +0000 Consolidate sriov agent and driver code In preparation for decomposing the built-in reference implementation, this commits consolidates the sriov agent and driver code into a coherent place for it's life in the new repository. I've also given the unit tests a new home. DocImpact UpgradeImpact Partially-Implements: blueprint reference-implementation-split Partial-Bug: #1468433 Closes-Bug: #1427317 Change-Id: Ic8b5215de76e191030228bc28773cd6535e889d8 Signed-off-by: Kyle Mestery commit 724c78071da28bae838a4145a9d4cea42f853048 Author: Kyle Mestery Date: Wed Jun 24 19:12:06 2015 +0000 Restructure agent code in preparation for decomp This commit moves the L2 agents (Linuxbridge and OVS) into the ML2 directory, while at the same time also moving the ML2 server bits into toplevel directories. It also moves the configuration files and unit tests. We also move the l2pop RPC mixin while here as well. DocImpact UpgradeImpact Partially-Implements: blueprint reference-implementation-split Partial-Bug: #1468433 Closes-Bug: #1427317 Change-Id: If6feca7b7a6bdd6c3c6feb929fa26fb4b1f72770 Signed-off-by: Kyle Mestery commit 82fddfbb651911c7cb6818428ff7604c9745499c Author: sridhargaddam Date: Mon Jun 22 14:13:56 2015 +0000 Fix ip_lib get_gateway for default gateway on an iface Currently get_gateway() of IpRouteCommand class always assumes the presence of gateway_ip when default_route is seen. Since we can also have interface routes without the gw_ip, this patch fixes the issue by parsing the output accordingly. Closes-Bug: #1467531 Change-Id: Icf988994b61cbdeb1261c5a0887f29ced41ada07 commit 3c45132f256082252ae8726b560f807686620216 Author: Waldemar Znoinski Date: Fri Jun 26 09:28:51 2015 +0000 fixing typo in gerrit query link in third party policies doc Change-Id: Iaef37a58f85439a1a6c5c1ae071a223865479a8e commit bd3604277f6a550d8757aa96a3164a189ab3af6d Author: Kevin Benton Date: Wed Jun 24 06:50:48 2015 -0700 Use last address in v6 allocation pool generation This reverts commit 1d61c5f736b9df7253a1939fe55f1875f988d1f4, which reverted ee51ef72d37a02005a7733b7f2faf7236db850a1 due to an issue with the allocation pools being mis-aligned with the last address of a v6 subnet. IPv6 does not have a subnet broadcast address so the last IP address can be used as a regular address. This patch tweaks the automatic allocation pool generation to include that last address on v6 networks. This was found because NetworksTestDHCPv6.test_dhcp_stateful_fixedips_outrange makes the assumption that the default generated pools cover the entire usable address space. Related-Bug: #1466322 Closes-Bug: #1468163 Change-Id: I5a2518c819757cd1fb43244901fe3e2f6c576b34 commit e120bad02841ed54ed071d82bffc47671f612137 Author: Pavel Bondar Date: Thu Jun 25 16:52:08 2015 +0300 Extend SubnetRequestFactory to access subnet dict SubnetRequestFactory incorporates logic for preparing arguments and building right request. Subnet dict, context and subnetpool are used to make decision on what kind of reqest should be created. SubnetRequestFactory can be overriden on ipam driver level, it allows to easily extend existent Request model. Partially-Implements: blueprint neutron-ipam Change-Id: I9de120381172657a527bb35990d25525c41939ab commit ba7d673d1ddd5bfa5aa1be5b26a59e9a8cd78a9f Author: Kevin Benton Date: Thu Jun 25 18:31:38 2015 -0700 Remove duplicated call to setup_coreplugin The test case for vlan_transparent was calling setup_coreplugin before calling the super setUp method which already calls setup_coreplugin. This was causing duplicate core plugin fixtures which resulted in patching the dhcp periodic check twice. Change-Id: Ide4efad42748e799d8e9c815480c8ffa94b27b38 Partial-Bug: #1468998 commit e64062efa3b793f7c4ce4ab9e62918af4f1bfcc9 Author: Kevin Benton Date: Thu Jun 25 18:29:37 2015 -0700 Remove double mock of dhcp agent periodic check The test case for the periodic check was patching a target that the core plugin fixture already patched out. This removes that and exposes the mock from the fixture so the test case can reference it. Change-Id: I3adee6a875c497e070db4198567b52aa16b81ce8 Partial-Bug: #1468998 commit 25ae0429a713143d42f626dd59ed4514ba25820c Author: Kevin Benton Date: Thu Jun 25 18:24:10 2015 -0700 Remove double fanout mock The test_mech_driver was duplicating a fanout mock already setup in the setUp routine. Change-Id: I5b88dff13113d55c72241d3d5025791a76672ac2 Partial-Bug: #1468998 commit 993771556332d9b6bbf7eb3f0300cf9d8a2cb464 Author: Kevin Benton Date: Thu Jun 25 17:55:16 2015 -0700 Remove double callback manager mocks setup_test_registry_instance() in the base test case class gives each test its own registry by mocking out the get_callback_manager. The L3 agent test cases were duplicating this. Partial-Bug: #1468998 Change-Id: I7356daa846524611e9f92365939e8ad15d1e1cd8 commit 0be1efad93734f11cd63fb3b7bd2983442ce1268 Author: Kevin Benton Date: Thu Jun 25 16:57:30 2015 -0700 Remove ensure_dirs double-patch test_spawn_radvd called mock.patch on ensure_dirs after the setup method already patched it out. This causes issues when mock.patch.stopall() is called because the mocks are stored as a set and are unwound in a non-deterministic fashion.[1] So some of the time they will be undone correctly, but others will leave a monkey-patched in mock, causing the ensure_dir test to fail. 1. http://bugs.python.org/issue21239 Closes-Bug: #1467908 Change-Id: I321b5fed71dc73bd19b5099311c6f43640726cd4 commit 6a1f8388d3f0ebd791aa1c466f5310efec5e83cc Author: Pavel Bondar Date: Tue Jun 23 14:01:29 2015 +0300 Decompose _save_subnet Moved allocation pool generation and validation into separate method. Partially-Implements: blueprint neutron-ipam Change-Id: Ibe241c7b6389e444145b0600f8fcee28e478bc62 commit 0a2238e34e72c17ca8a75e36b1f56e41a3ece74e Author: Sukhdev Kapur Date: Thu Jun 25 15:11:28 2015 -0700 Fix tenant-id in Arista ML2 driver to support HA router When HA router is created, the framework creates a network and does not specify the tenant-id. This casuse Arista ML2 driver to fail. This patch sets the tenant-id when it is not passed explicitly by by the network_create() call from the HA router framework. Even though original issue was discovered for network_create() it turns out the same issue applies for port_create() as well so all the methods are fixed in this patch Change-Id: Id03e26dac003fa589477ed78a4ed3c44cc2f708d Closes-Bug: 1468828 commit 334d9a33404f4c8438d105f91bff1a9fd9236513 Author: Assaf Muller Date: Thu Jun 25 16:34:09 2015 -0400 Log OVS agent configuration mismatch Change-Id: I55aef3bdc32dcee3436cb8b987fb796a4898b20e Closes-Bug: #1468893 commit c48e12b781c9ffd885ebc96283ecda2849fd1e22 Author: Cedric Brandily Date: Wed Jun 24 21:31:33 2015 +0200 Avoid env variable duplication in tox.ini Some environment variables are defined multiple times in tox.ini. This change defines "fake" tox jobs and refactors existing jobs to reduce duplicated environment variables. Change-Id: I0ccebea4fbfff8dda34d1ed348b96b3b8ebd59e2 commit 747738d36572079307f228a861a067ca0cd815c2 Author: Kevin Benton Date: Wed Jun 3 15:20:27 2015 -0700 Skip ARP protection if 0.0.0.0/0 in addr pairs Don't setup ARP protection on ports with allowed address pairs that allow them to use any IP address. This is necessary because OVS doesn't support the /0 prefix in rules that match on ARP headers. Related-Bug: #1461054 Closes-Bug: #1468009 Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec commit 61909ac515c337c94f55805641b1b7c725a95191 Author: Ihar Hrachyshka Date: Thu Jun 25 15:54:34 2015 +0200 linuxbridge: clean up README file It's weird that we suggest users to copy python files around instead of relying on generated console_scripts. Other configuration information located here is trivial and is documented elsewhere, f.e. [1]. [1]: http://docs.openstack.org/networking-guide/deploy_scenario1b.html Change-Id: Ie8dd37087599ff4b5e23f0ad01105f94f5b886ab commit 0af5abdb1f608a5e84a64627adf42dd8d5526560 Author: John Davidge Date: Thu Jun 25 15:12:59 2015 +0100 Fix tox errors in thirdparty-ci docs Fixes errors causing tox failures. Change-Id: I361ef791c0de1aac1304bb8ad979066400930434 Closes-Bug: #1468765 commit 9a6536de6e1a7fe9b2552adc142e254426b82b6f Author: Ihar Hrachyshka Date: Thu Jun 25 15:41:02 2015 +0200 Removed test_lib module It's not really needed. It was once used to allow some out-of-tox plugin specific testing scripts to inject configuration files into BaseTestCase. Now, our testing story does not have any notion of out-of-gate plugin specific testing, so let's just clean it up. Change-Id: If287a38e80016b1dba049a2b745bad7af40583a8 commit 2557c47668ad822810aad523643014c6a5d4a064 Author: Russell Bryant Date: Wed Jun 24 14:59:26 2015 -0400 Updated from global requirements This patch takes the latest global requirements update from change Ibcb49412a012f79be2f7fd697349ddbf43bd7b9b except takes out the update to setup.py which reverts the windows specific requirements. We are still working on getting the custom changes out of setup.py in change I3c07c279d33f6aed46c3a97dd9ba81251e51429a. Change-Id: Iee7612d39b520cf04e3b2ec503ec79d23f15f949 commit 4b4cedaf853664535c05d47c99c920e74d1deb3a Author: Cedric Brandily Date: Thu Jun 11 22:12:01 2015 +0200 Define SafeFixture base fixture Currenty useFixture(myfixture)[1] ensures to call myfixture.cleanUp only if myfixture.setUp succeed. This change defines a workaround to ensure cleanUp call even if setUp fails until testtools/fixtures support it: SafeFixture[2] which ensures cleanUp call if setUp fails and replaces fixtures.Fixture use by SafeFixture. This workaround will be removed when the bug will fixed in testtools and fixtures[3]. [1] testtools.TestCase.useFixture, fixtures.Fixture.useFixture [2] neutron.tests.tools [3] see related bugs Change-Id: I875934e8dde321a450c83fb95d175affd1f3bb83 Closes-Bug: #1464410 Partial-Bug: #1453888 Related-Bug: #1456353 Related-Bug: #1456370 commit 2ecac909ba419f258e47b456196a1af7a87661ed Author: Cedric Brandily Date: Thu Jun 25 11:59:37 2015 +0000 Remove quantum untracked files from .gitignore This change removes obsolete quantum untracked files from .gitignore. Change-Id: I1ddf0b03d29066363f155dd5af8294efde5b0ef0 commit df06a326de39a6792e2e82eafa5cf50eb325b34e Author: Matthew Booth Date: Thu Jun 25 10:20:08 2015 +0100 Context class should initialise its own data This is a trivial cleanup. A superclass was initialising data which was only used in a subclass. Change-Id: I6930fdaef3dcb960f6baaedbd191e22b565f319e commit 2e1b0ea4032f05afef16efd451e2eea5df901d97 Author: Ihar Hrachyshka Date: Tue Jun 23 17:33:38 2015 +0200 ovsdb: attempt to enable connection_uri for native impl on startup The port is in most cases disabled, so to use it, we should first enable it, and it means that we should still rely on ovs-vsctl for that initial call. Closes-Bug: #1468259 Change-Id: I097b1c441df1f7f1785b8744f27809617bb21c14 commit 668b12c2c8a60ce20ecdad2193ede9371d5cc391 Author: Doug Wiegley Date: Mon Jun 1 20:58:41 2015 -0600 Move third-party CI policy under docs/policies Change-Id: Ib2ed587670f206283d735191b3a2580bf3d1a04f commit 3bf62772d39d8b3b8b518ae88a6fcea7414d6884 Author: Doug Wiegley Date: Mon Jun 1 20:31:01 2015 -0600 Remove lbaas API tests, which are now in the lbaas repo Change-Id: I2009ca3f102d0ca0db3f12af3012989f2a036c48 commit 1a480203b2531925d7520b62c94954064a26139d Author: Aaron Rosen Date: Wed Jun 24 10:28:18 2015 -0700 Only create one netaddr.IPNetwork object Change-Id: I8c6a08e0cf3b5b5386fe03af9f2174c663b8ac73 commit d9a23f882f0d78aaca34c3607d9ca9ad54ac063b Author: Aaron Rosen Date: Wed Jun 3 16:19:39 2015 -0700 Provide work around for 0.0.0.0/0 ::/0 for ipset Previously, the ipset_manager would pass in 0.0.0.0/0 or ::/0 if these addresses were inputted as allowed address pairs. This causes ipset to raise an error as it does not work with zero prefix sizes. To solve this problem we use two ipset rules to represent this: Ipv4: 0.0.0.0/1 and 128.0.0.1/1 IPv6: ::/1' and '8000::/1 All of this logic is handled via _sanitize_addresses() in the ipset_manager which is called to convert the input. Change-Id: I8c6a08e0cf3b5b5386fe03af9f2174c666b8ac75 Closes-bug: 1461054 commit 93d564223e8b76d10aa7b55f1b1d49f592d1c800 Author: Kevin Benton Date: Wed Jun 24 09:19:18 2015 -0700 Fix >80 char lines that pep8 failed to detect Change-Id: I602e0d484c5e00eb48b86c4c8c4eff0be195c3a5 commit 830e9114817765efc93c772dcbc735a6bb28a7ff Author: Anthony Chow Date: Tue Jun 23 22:05:23 2015 -0700 Deprecate "router_delete_namespaces" and "dhcp_delete_namespaces" These 2 configuration options are no longer be necessary. They are marked as deprecated in this release and will be removed in the next release. Change-Id: I4e02a291738b16c7c9b7600f0bc9a47fb1318569 Partial-Bug: #1418079 commit a84ef9ae54a7dfe6d9dee54a01b189dd40bce423 Author: Kevin Benton