[Openstack-security] [Bug 1329214] Fix merged to cinder (master)
OpenStack Infra
1329214 at bugs.launchpad.net
Wed Jun 10 05:25:02 UTC 2015
Reviewed: https://review.openstack.org/128920
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=66494f54112fdfa135b3974c75aa388c8d1fb49e
Submitter: Jenkins
Branch: master
commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <tomoki.sekiyama at hds.com>
Date: Tue Oct 14 19:09:44 2014 -0400
Fix LVM iSCSI driver tgtadm CHAP authentication
Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work.
This is because the tgtadm helper creates the target configuration file
with an 'IncomingUser' entry, which is ignored by tgtd.
This patch fixes it to 'incominguser'.
Change-Id: I14871985a2a916834122f849238f05b75726bc1a
Closes-Bug: #1329214
(cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)
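The directive-case problem this commit describes, as an added illustration (example code, not cinder's tgtadm helper): a renderer that always emits the lowercase incominguser directive, and an audit function that flags target stanzas tgtd would export without CHAP because the directive is miscased or absent. The stanza layout and the names render_target_conf and audit_target_conf are assumptions.

```python
import re

# Target stanza in the tgt targets.conf style (constructed for this example;
# the real helper's template text may differ).
TARGET_CONF = """<target {name}>
    backing-store {path}
    driver iscsi
{auth}    write-cache on
</target>
"""


def render_target_conf(name, path, chap_auth=None):
    """Render one target stanza. chap_auth is the "IncomingUser <user> <pass>"
    string the driver builds; the directive is written as lowercase
    'incominguser' because tgtd silently ignores 'IncomingUser'."""
    auth = ""
    if chap_auth:
        directive, user, password = chap_auth.split()
        if directive.lower() != "incominguser":
            raise ValueError("unsupported CHAP directive: %s" % directive)
        # The rendered file holds the CHAP secret in clear text, so the
        # directory it is written to must not be world-readable.
        auth = "    incominguser %s %s\n" % (user, password)
    return TARGET_CONF.format(name=name, path=path, auth=auth)


def audit_target_conf(text):
    """Return (target, problem) pairs for stanzas that tgtd would export
    without CHAP: a wrongly cased directive, or none at all."""
    findings = []
    for m in re.finditer(r"<target\s+(\S+)>(.*?)</target>", text, re.S):
        name, body = m.group(1), m.group(2)
        directives = [ln.split()[0] for ln in body.splitlines() if ln.strip()]
        if "incominguser" in directives:
            continue
        if any(d.lower() == "incominguser" for d in directives):
            findings.append((name, "CHAP directive has wrong case; tgtd ignores it"))
        else:
            findings.append((name, "no CHAP directive; any initiator may log in"))
    return findings


if __name__ == "__main__":
    conf = render_target_conf("iqn.2010-10.org.openstack:volume-1",
                              "/dev/stack-volumes/volume-1",
                              "IncomingUser chapuser chapsecret")
    print(conf)
    print(audit_target_conf(conf.replace("incominguser", "IncomingUser")))
```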
commit f7ee62cc58d8b642af67510a310f6259492a4508
Author: Mitsuhiro Tanino <mitsuhiro.tanino at hds.com>
Date: Tue Oct 14 12:41:41 2014 -0400
Export cinder volumes only if the status is 'in-use'
Currently, cinder volumes are exported both 'in-use' and 'available'
after restarting cinder-volume service.
This behavior was introduced by the following commit.
commit ffefe18334a9456250e1b6ff88b7b47fb366f374
Author: Zhiteng Huang <zhithuang at ebaysf.com>
Date: Sat Aug 23 18:32:57 2014 +0000
If the volumes are attached to nova instances, they should be exported
via tgtd after restarting cinder-volume.
But the volumes which are not attached to instances must not be exported
because everyone can connect to these volumes.
This patch changes volume export behavior that exports a volume only if
the volume status is 'in-use'.
Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9
Signed-off-by: Mitsuhiro Tanino <mitsuhiro.tanino at hds.com>
Closes-bug: #1381106
(cherry picked from commit e2f28b967910625432be0eab6a851adf53ac58ea)
commit 01e7c516852e53df661b2eedc970c327c1ff10ce
Author: Vipin Balachandran <vbala at vmware.com>
Date: Fri Oct 10 23:06:27 2014 +0530
Revert "Relocate volume to compliant datastore"
Commit 4be8913520f5e9fe4109ade101da9509e4a83360 introduced a regression
which causes failures during cinder volume re-attach. This patch reverts
commit 4be8913520f5e9fe4109ade101da9509e4a83360 as an immediate fix.
Closes-Bug: #1379830
Change-Id: I5dfbd45533489c3c81db8d256bbfd2f85614a357
(cherry picked from commit 48cb82971e0418f9a629e2b39d0433dc2c0e6919)
commit 900d49723f65e87658381ff955559f54ac98c487
Author: Andreas Jaeger <aj at suse.de>
Date: Thu Oct 9 12:25:28 2014 +0200
Updated translations
Commands run:
$ python setup.py extract_messages
$ python setup.py update_catalog --no-fuzzy-matching \
--ignore-obsolete=true
$ source \
../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
$ setup_loglevel_vars
$ cleanup_po_files cinder
Change-Id: I73f3bdccb4be98df95fa853864e465f4d83a8884
commit 8e94aaa2b28b491314fe8642061ac73e3fe8e966
Author: Navneet Singh <singn at netapp.com>
Date: Thu Aug 28 16:03:41 2014 +0530
NetApp fix eseries unit test mock clean
This patch fixes the issue of mock not getting
cleaned for requests in unit tests.
Closes-Bug: #1353506
Change-Id: Iab401021d7f180ff1f2bf3ed79166699112cc367
(cherry picked from commit 140956515327494a53de6ad09c35690624248f0a)
commit aaecfcf15e6b9defde5822453f2ae97aaf959408
Author: John Griffith <john.griffith8 at gmail.com>
Date: Tue Oct 7 11:49:58 2014 -0600
Make sure device supports Direct before setting
We added '-t none' option to the qemu-img convert operation
in image_utils.py a while back to accommodate a couple of
backend devices that didn't flush writes on disconnect.
(Change: I7a04f683add8c23b9125fe837c4048ccc3ac224d)
The only problem here is that some backend devices don't
support Direct mode and raise an exception and fail when
setting this option.
This patch adds a simple check using dd to see if the dest
supports the Direct flag and only sets '-t none' if the device
does in fact support it.
Additionally it was brought up that even yet other backends
are using file devices not blk devices. In their case setting
Direct will still work, however it's sub-optimal as qemu-convert
has internal mechanisms to make sure flushing etc. is done
correctly and efficiently for those devices. So to accommodate
that particular use case I'm also adding a check if blk dev
that can be used for determining whether to set Direct for the
qemu-convert process.
Change-Id: I34127ac373ceadcfb6fc2662628b1a91eb7b0046
Closes-Bug: 1375487
(cherry picked from commit c42273fbc1983b146180c82b8a34b0d832a6f431)
commit a8cec39f8243fd4ee6c0a16fc0620d4b0980c749
Author: Juan Zuluaga <juan.c.zuluaga at oracle.com>
Date: Wed Sep 24 18:51:07 2014 -0400
ZFSSA iSCSI vol create fails with vol type option
Vol create with volume-type option is not working since
volume_backend_name contains the class name as
predefined string. No matter what was specified in cinder.conf
as volume_backend_name, volume creation failed.
Multi-backend option and using extra specs to create custom volumes
won't work.
The fix is to look whether volume_backend_name is part of the
configuration or falls into the class name in case there is
no backend name.
Closes-Bug: 1373621
DocImpact
(cherry picked from commit 5c61d57d3693523e9cbf11bf0b5b09bafe699247)
Change-Id: I1bc501dd4c5689d96c7beb720b64112df1770232
commit 04cd35fd88768ec0f5d23619cec2df4981ee7d8c
Author: Sean McGinnis <sean_mcginnis at dell.com>
Date: Fri Sep 26 15:21:35 2014 -0500
Handle eqlx SSH connection close on abort.
EqualLogic array CLI operation timeout causes the
SSH thread to be aborted. This would cause SSH
sessions to be orphaned and hit a max connection
limit on the array. This fix catches these aborts
and makes sure the connection is closed.
Change-Id: I9392fd5dd79eb44f252bf50217f17cc473e6f2f0
Closes-Bug: 1374613
(cherry picked from commit 5cb23b67c53437fc51a6b37acac477fba4d6a7ab)
commit 787b328518b2eec8275956835ae16488644e7d87
Author: Juan Zuluaga <juan.c.zuluaga at oracle.com>
Date: Tue Sep 16 11:23:36 2014 -0400
ZFSSA iSCSI driver cannot add multiple initiators to a group
All initiators defined in zfssa_initiator property would be
added to the group.
Also fixed some typos related to initiators error messages.
Change-Id: Iec6c90702e5aafa153b4a7f1e429974ac450afc0
Closes-Bug: #1369750
(cherry picked from commit f94d671e627dd7b5143422ffe739418fcfb51a70)
commit c566767d6a5041d1d86b1e199028d78772ebc508
Author: Patrick East <patrick.east at purestorage.com>
Date: Tue Sep 30 11:47:42 2014 -0700
Fix race condition in ISCSIConnector _disconnect_volume_multipath_iscsi
This is a similar issue as seen in
https://bugs.launchpad.net/cinder/+bug/1375382
The list of devices returned by driver.get_all_block_devices() in
_disconnect_volume_multipath_iscsi will potentially contain broken
symlinks as the SCSI devices have been deleted from calling
self._linuxscsi.remove_multipath_device(device_realpath) right before
_disconnect_volume_multipath_iscsi but the udev rule for the symlink
may not yet have completed.
Adding in a check to os.path.exists() will ensure that we will not
consider the broken symlinks as an “in use” device.
Change-Id: I79c9627e9b47127d3765fcec5b7e3bacef179630
Closes-Bug: #1375946
(cherry picked from commit 4541521de576297d9b7d4115b040ff54773d9d50)
commit 40eff25fce9a350d1872b083503e4306242961de
Author: Clinton Knight <cknight at netapp.com>
Date: Fri Sep 26 12:07:44 2014 -0400
Deprecate / obsolete NetApp volume extra specs
The NetApp Data ONTAP (Cluster-mode) NFS & iSCSI drivers for Juno support
the Cinder pools feature, but the drivers are reporting two qualified
extra specs that must be converted to unqualified extra specs in order to
be used by the Cinder scheduler's capability filter. Furthermore, there
are four extra specs that must be deprecated due to having the pools
feature. Warnings will be logged during volume creation if any of the
obsolete or deprecated extra specs are seen in the volume type.
Change-Id: I4dbd667610e481356304a12b8dae84cff61aa9d9
Closes-bug: 1374630
(cherry picked from commit 4cb4be4122a44dc99d6f29f065cdd32ae86273ce)
commit 2601acaec8d3c154f7638db0e7dad307d0efcc48
Author: Vincent Hou <sbhou at cn.ibm.com>
Date: Fri Sep 12 16:10:02 2014 +0800
IBM Storwize driver: Retype the volume with correct empty QoS
* Currently for Storwize driver, if the new type does not have QoS
configurations, the old QoS configurations remain in the volume after
retyping it. It should be retyped into a volume with empty QoS for the
Storwize driver.
* Refactor three dicts into one for better maintenance of the QoS keys
for Storwize driver.
DocImpact
Change-Id: I2b2801a4ef72ef02c11392ed00b56f5263a8a7e4
Closes-Bug: #1368595
(cherry picked from commit 26de1b1d829849665dae921b8be739194b84515d)
commit d5efe6703297761215907eeaf703cec040e6ad25
Author: Tristan Cacqueray <tristan.cacqueray at enovance.com>
Date: Fri Oct 3 19:57:01 2014 +0000
Sync latest processutils from oslo-incubator
An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
to address ssh_execute(). This change set addresses ssh_execute.
------------------------------------------------
oslo-incubator head:
commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
Merge: 9f5c700 2a130bf
Author: Jenkins <jenkins at review.openstack.org>
Date: Mon Sep 29 23:12:14 2014 +0000
Merge "Script to list unreleased changes in all oslo projects"
-----------------------------------------------
The sync pulls in the following changes (newest to oldest):
6a60f842 - Mask passwords in exceptions and error messages (SSH)
-----------------------------------------------
Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
Closes-Bug: #1377981
(cherry picked from commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567)
commit c70ef7d8d4d9479fe5d3f4a8387c4eac1dca274d
Author: OpenStack Proposal Bot <openstack-infra at lists.openstack.org>
Date: Mon Oct 6 16:09:05 2014 +0000
Updated from global requirements
Change-Id: I116f04494e596e470f8fec242466ac5fe21b222c
commit 79afa849658f689a9105473fdfba1d993684d3df
Author: Lucian Petrut <lpetrut at cloudbasesolutions.com>
Date: Tue Sep 30 11:58:22 2014 +0300
Windows SMBFS: Handle volume_name in _qemu_img_info
The volume_name is now passed to the _qemu_img_info wrapper. As
this method is not prone to security issues because this driver
does not support raw images (at least not yet), we don't have to
perform any checks on the backing image file path.
Thus, this method simply ignores this argument that will be parsed
by the base class methods.
Related-Bug: #1350504
Change-Id: I801a6338250ec2dc631c4058543f7d0088b3e4d4
(cherry picked from commit 5e0ce63d6df39dcad5a0ef35553369e49c67dfb8)
commit 608ecf565f99b9840095ecff424e396c4bae631a
Author: Eric Harney <eharney at redhat.com>
Date: Tue Sep 9 16:20:24 2014 -0400
Refuse invalid qcow2 backing files
Don't allow qcow2 files that are pointing to backing files outside of:
volume-<id>
volume-<id>.<snap-id>
volume-<id>.tmp-snap-<snap-id>
(optionally prefixed with /mnt/path)
Closes-Bug: #1350504
Change-Id: Ic89cffc93940b7b119cfcde3362f304c9f2875df
(cherry picked from commit dca3c8323cf8cf12aa8ce4ba21f647ce631e8153)
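The allow-list this commit describes, as an added example (not cinder's own implementation): a validator that accepts a qcow2 backing file only if it names the volume's own file, one of its snapshots or a temporary snapshot, optionally under the share's mount directory, and refuses every other path. The function names, the mount_base parameter and the UUID shape of the ids are assumptions.

```python
import re

# Shape of the ids in volume-<id> and <snap-id> names (assumed: RFC 4122 hex).
UUID_RE = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"


def backing_file_pattern(volume_id, mount_base=None):
    """Anchored regex for the backing files permitted for this volume:
    volume-<id>, volume-<id>.<snap-id>, volume-<id>.tmp-snap-<snap-id>,
    each optionally prefixed with mount_base (assumed: the share's mount dir)."""
    prefix = ""
    if mount_base:
        prefix = "(?:%s/)?" % re.escape(mount_base.rstrip("/"))
    # \Z rather than $: $ would also accept a name with a trailing newline.
    return re.compile(
        "^" + prefix + "volume-" + re.escape(volume_id)
        + r"(?:\.(?:tmp-snap-)?" + UUID_RE + r")?\Z"
    )


def is_valid_backing_file(backing_file, volume_id, mount_base=None):
    """True only for an allow-listed name; absolute host paths, '..'
    components and other volumes' files all fail the anchored match."""
    return backing_file_pattern(volume_id, mount_base).match(backing_file) is not None


def check_qcow2_backing(volume_id, backing_file, mount_base=None):
    """Raise ValueError (the caller aborts the operation) on an invalid
    backing file; a qcow2 without a backing file passes unchanged."""
    if backing_file and not is_valid_backing_file(backing_file, volume_id, mount_base):
        raise ValueError("qcow2 has invalid backing file %r, aborting" % backing_file)
    return backing_file


if __name__ == "__main__":
    # Constructed ids for the demonstration.
    vol = "0f9a3c2e-5b6d-4e7f-8a9b-0c1d2e3f4a5b"
    snap = "9e8d7c6b-5a4f-4e3d-9c2b-1a0f9e8d7c6b"
    print(is_valid_backing_file("/mnt/path/volume-%s.%s" % (vol, snap), vol, "/mnt/path"))
    print(is_valid_backing_file("/var/lib/other.img", vol, "/mnt/path"))
```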
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1329214
Title: tgtadm iscsi chap does not work
Status in Cinder: Fix Released
Status in OpenStack Security Notes: In Progress
Bug description:
When using LVMISCSIDriver and iscsi_helper tgtadm, it should support chap unidirectional authentication because the target configuration file and db.volume have a record of the chap user and chap passwd.
By testing, I found that tgtadm iscsi chap does not work.
Is it a security bug for iscsi_helper tgtadm?
My detailed test work is as follows.
1. Test details as follows without modifying the source code:
1) Devstack all in one server A(10.250.10.190); another testing server B(10.250.10.191)
2) create a vm VM-A and a cinder volume VOLUME-A, attach VOLUME-A to VM-A
3) server B directly logs in to the iscsi target that server A exports and gets VOLUME-A successfully.
iscsiadm -m discovery -t sendtargets -p 10.250.10.190
iscsiadm -m node -T iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login
2. Test details as follows with modifying the source code:
1) add code creating the user/passwd and binding the user to the tid before leaving the function TgtAdm:create_iscsi_target.
    # Split the "IncomingUser <user> <password>" string into its parts.
    type, name, passwd = chap_auth.split()
    # Create a CHAP account on tgtd.
    self._execute('tgtadm', '--lld', 'iscsi', '--mode', 'account',
                  '--op', 'new', '--user', name, '--password', passwd)
    # Bind the account to the target so only that user can log in.
    self._execute('tgtadm', '--lld', 'iscsi', '--mode', 'account',
                  '--op', 'bind', '--tid', tid, '--user', name)
2) try to login VOLUME-A as the steps in item 1, it reported an authorization error as follows.
root at devaio1:/etc/iscsi# iscsiadm -m node -T iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login
Logging in to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1329214/+subscriptions