[release-announce] [nova] nova 16.0.4 (pike)
no-reply at openstack.org
Mon Dec 18 13:09:10 UTC 2017
We are psyched to announce the release of:
nova 16.0.4: Cloud computing fabric controller
This release is part of the pike release series.
Download the package from:
https://tarballs.openstack.org/nova/
For more details, please see below.
16.0.4
^^^^^^
Known Issues
************
* In the 16.0.0 Pike release, quota limits are checked in a new fashion
after change 5c90b25e49d47deb7dc6695333d9d5e46efe8665, and a new
config option "[quota]/recheck_quota" was added in change
eab1d4b5cc6dd424c5c7dfd9989383a8e716cae5 to recheck quota after
resource creation, so that racing requests cannot cause quota to be
exceeded. With these changes, requests blocked for being over quota
could result in instances in the "ERROR" state, rather than no
instance records as before. Refer to
https://bugs.launchpad.net/nova/+bug/1716706 for the detailed bug
report.
Security Issues
***************
* OSSA-2017-006: Nova FilterScheduler doubles resource allocations
during rebuild with new image (CVE-2017-17051)
By repeatedly rebuilding an instance with new images, an
authenticated user may consume untracked resources on a hypervisor
host leading to a denial of service. This regression was introduced
with the fix for `OSSA-2017-005`_ (CVE-2017-16239), however, only
Nova stable/pike or later deployments with that fix applied and
relying on the default FilterScheduler are affected.
The fix is in the *nova-api* and *nova-scheduler* services.
Note: The fix for errata in `OSSA-2017-005`_ (CVE-2017-16239) will
need to be applied in addition to this fix.
(https://security.openstack.org/ossa/OSSA-2017-006.html)
Bug Fixes
*********
* The fix for `OSSA-2017-005`_ (CVE-2017-16239) was too far-reaching
in that rebuilds can now fail based on scheduling filters that
should not apply to rebuild. For example, a rebuild of an instance
on a disabled compute host could fail whereas it would not before
the fix for CVE-2017-16239. Similarly, rebuilding an instance on a
host that is at capacity for vcpu, memory or disk could fail since
the scheduler filters would treat it as a new build request even
though the rebuild is not claiming *new* resources.
Therefore this release contains a fix for those regressions in
scheduling behavior on rebuild while maintaining the original fix
for CVE-2017-16239.
Note: The fix relies on a "RUN_ON_REBUILD" variable which is
checked for all scheduler filters during a rebuild. The reasoning
behind the value for that variable depends on each filter. If you
have out-of-tree scheduler filters, you will likely need to
assess whether or not they need to override the default value
(False) for the new variable.
* This release includes a fix for bug 1733886 which was a regression
introduced in the 2.36 API microversion where the "force" parameter
was missing from the "PUT /os-quota-sets/{tenant_id}" API request
schema so users could not force quota updates with microversion 2.36
or later. The bug is now fixed so that the "force" parameter can
once again be specified during quota updates. There is no new
microversion for this change since it is an admin-only API.
(https://bugs.launchpad.net/nova/+bug/1733886)
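For operators assessing out-of-tree filters against the "RUN_ON_REBUILD" note above, the following is an added example, not nova's code: a simplified model of the gate the note describes. The base class, both filters, the host and request dictionaries and the "is_rebuild" key are hypothetical stand-ins; only the variable name and its default (False) come from the release note.

```python
# Simplified stand-in for the rebuild gate described in the release note.
# A model for reasoning about out-of-tree filters, not nova's implementation.

class BaseHostFilter:
    # Default stated in the release note: the filter is skipped on rebuild.
    RUN_ON_REBUILD = False

    def filter_one(self, host, spec):
        if spec.get("is_rebuild") and not self.RUN_ON_REBUILD:
            return True  # filter skipped: the instance's current host passes
        return self.host_passes(host, spec)

    def host_passes(self, host, spec):
        raise NotImplementedError


class FreeRamFilter(BaseHostFilter):
    """Hypothetical capacity filter: a rebuild claims no new resources."""
    # Inherits RUN_ON_REBUILD = False.

    def host_passes(self, host, spec):
        return host["free_ram_mb"] >= spec["ram_mb"]


class ApprovedImageFilter(BaseHostFilter):
    """Hypothetical policy filter: the image must be approved for the host."""
    RUN_ON_REBUILD = True  # a rebuild can supply a new image, so re-check it

    def host_passes(self, host, spec):
        return spec["image"] in host["approved_images"]


def host_allowed(host, spec, filters):
    """Return True only if every filter accepts the host for this request."""
    return all(f.filter_one(host, spec) for f in filters)


def skipped_on_rebuild(filters):
    """List the filters that will not be evaluated for rebuild requests."""
    return [type(f).__name__ for f in filters if not f.RUN_ON_REBUILD]


FILTERS = [FreeRamFilter(), ApprovedImageFilter()]
# Constructed sample data: a host at RAM capacity with one approved image.
FULL_HOST = {"free_ram_mb": 0, "approved_images": {"hardened-img"}}


def request(image, is_rebuild):
    return {"ram_mb": 2048, "image": image, "is_rebuild": is_rebuild}
```

A policy-enforcing out-of-tree filter that keeps the inherited default shows up in `skipped_on_rebuild()`, which is the case the note asks operators to review.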
Changes in nova 16.0.3..16.0.4
------------------------------
6f5b312 Fix 'force' parameter in os-quota-sets PUT schema
fc225f1 [placement] Fix foreign key constraint error
fed660c Fix doubling allocations on rebuild
234ade2 Add regression test for rebuild with new image doubling allocations
4e36c4b Get original image_id from volume for volume-backed instance rebuild
6c1a088 Only query BDMs once in API during rebuild
c799165 Add regression test for rebuilding a volume-backed server
2db9f9d Fix ValueError if invalid max_rows passed to db purge
43dbbf8 Mention API behavior change when over quota limit
02af3d5 Downgrade log for keystone verify client fail
9502397 Vzstorage: synchronize volume connect
781a963 Fix TypeError of _get_project_id when project_id is None
ae56863 Fix incorrect known vcpuset when CPUPinningUnknown raised
2d79baf Fix binary name
b1aa3ed Fix ValueError when loading old pci device record
b29a461 Refined fix for validating image on rebuild
ec20e1a Update bindep.txt for doc builds
2c70ee8 Document the real behavior of notify_on_state_change
0ad8476 Fix quobyte test_validate_volume_no_mtab_entry
4402da8 Modify incorrect debug meaasge in _inject_data
2486f34 libvirt: Don't VIR_MIGRATE_NON_SHARED_INC without migrate_disks
fa47da0 libvirt: bandwidth param should be set in guest migrate
bb7628f Set regex flag on ostestr command for osprofiler tests
a89ff72 Log consumer uuid when retrying claims in the scheduler
ece825b doc: fix flavor notes
aabf0b0 Fix race in delete allocation in ServerMovingTests
8f76540 placement: avoid returning duplicated alloc_reqs when no sharing rp
Diffstat (except docs and test files)
-------------------------------------
bindep.txt | 7 +-
.../v2.36/quotas-show-defaults-get-resp.json | 15 +++
.../v2.36/quotas-show-detail-get-resp.json | 55 +++++++++
.../os-quota-sets/v2.36/quotas-show-get-resp.json | 15 +++
.../v2.36/quotas-update-force-post-req.json | 6 +
.../v2.36/quotas-update-force-post-resp.json | 14 +++
.../v2.36/quotas-update-post-req.json | 5 +
.../v2.36/quotas-update-post-resp.json | 14 +++
.../v2.36/user-quotas-show-get-resp.json | 15 +++
.../v2.36/user-quotas-update-post-req.json | 6 +
.../v2.36/user-quotas-update-post-resp.json | 14 +++
nova/api/openstack/common.py | 2 +-
.../openstack/compute/rest_api_version_history.rst | 6 +
nova/api/openstack/compute/schemas/quota_sets.py | 2 +-
nova/api/openstack/identity.py | 3 +-
nova/api/openstack/wsgi_app.py | 6 +-
nova/cmd/manage.py | 4 +-
nova/compute/api.py | 50 ++++++--
nova/conf/notifications.py | 15 ++-
nova/objects/numa.py | 4 +-
nova/objects/pci_device.py | 7 +-
nova/objects/resource_provider.py | 5 +
nova/scheduler/client/report.py | 4 +-
nova/scheduler/filter_scheduler.py | 10 ++
nova/scheduler/filters/__init__.py | 22 +++-
nova/scheduler/filters/affinity_filter.py | 12 ++
.../aggregate_image_properties_isolation.py | 2 +
.../filters/aggregate_instance_extra_specs.py | 2 +
.../filters/aggregate_multitenancy_isolation.py | 2 +
nova/scheduler/filters/all_hosts_filter.py | 2 +
nova/scheduler/filters/availability_zone_filter.py | 2 +
.../filters/compute_capabilities_filter.py | 2 +
nova/scheduler/filters/compute_filter.py | 2 +
nova/scheduler/filters/core_filter.py | 2 +
nova/scheduler/filters/disk_filter.py | 4 +
nova/scheduler/filters/exact_core_filter.py | 2 +
nova/scheduler/filters/exact_disk_filter.py | 2 +
nova/scheduler/filters/exact_ram_filter.py | 2 +
nova/scheduler/filters/image_props_filter.py | 2 +
nova/scheduler/filters/io_ops_filter.py | 2 +
nova/scheduler/filters/isolated_hosts_filter.py | 2 +
nova/scheduler/filters/json_filter.py | 3 +
nova/scheduler/filters/metrics_filter.py | 2 +
nova/scheduler/filters/num_instances_filter.py | 2 +
nova/scheduler/filters/numa_topology_filter.py | 2 +
nova/scheduler/filters/pci_passthrough_filter.py | 2 +
nova/scheduler/filters/ram_filter.py | 2 +
nova/scheduler/filters/retry_filter.py | 4 +
nova/scheduler/filters/trusted_filter.py | 2 +
nova/scheduler/filters/type_filter.py | 4 +
nova/scheduler/host_manager.py | 9 +-
nova/scheduler/utils.py | 13 ++
.../quotas-update-force-resp.json.tpl | 20 ---
.../v2.36/quotas-show-defaults-get-resp.json.tpl | 15 +++
.../v2.36/quotas-show-detail-get-resp.json.tpl | 55 +++++++++
.../v2.36/quotas-show-get-resp.json.tpl | 15 +++
.../v2.36/quotas-update-force-post-req.json.tpl | 6 +
.../v2.36/quotas-update-force-post-resp.json.tpl | 14 +++
.../v2.36/quotas-update-post-req.json.tpl | 5 +
.../v2.36/quotas-update-post-resp.json.tpl | 14 +++
.../v2.36/user-quotas-show-get-resp.json.tpl | 15 +++
.../v2.36/user-quotas-update-post-req.json.tpl | 6 +
.../v2.36/user-quotas-update-post-resp.json.tpl | 14 +++
.../functional/regressions/test_bug_1732947.py | 88 ++++++++++++++
.../unit/virt/libvirt/volume/test_vzstorage.py | 5 +-
nova/virt/libvirt/driver.py | 7 +-
nova/virt/libvirt/guest.py | 17 ++-
nova/virt/libvirt/volume/vzstorage.py | 19 +--
...ne-validate-image-rebuild-6d730042438eec10.yaml | 20 +++
...ubled-allocations-rebuild-23e4d3b06eb4f43f.yaml | 18 +++
...-os-quota-sets-force-2.36-5866924621ecc857.yaml | 12 ++
...quota-api-behavior-change-fc2cbbf7c79b5ae3.yaml | 12 ++
tox.ini | 4 +-
90 files changed, 1157 insertions(+), 95 deletions(-)