We contentedly announce the release of:

nova 15.1.1: Cloud computing fabric controller

This release is part of the ocata stable release series.

Download the package from:

    https://tarballs.openstack.org/nova/

For more details, please see below.

15.1.1
^^^^^^

Prelude
*******

This release includes fixes for security vulnerabilities.

Upgrade Notes
*************

* Starting in Ocata, there is a behavior change where aggregate-based
  overcommit ratios will no longer be honored during scheduling for
  the FilterScheduler. Instead, overcommit values must be set on a
  per-compute-node basis in the Nova configuration files.

  If you have been relying on per-aggregate overcommit, during your
  upgrade, you must change to using per-compute-node overcommit ratios
  in order for your scheduling behavior to stay consistent. Otherwise,
  you may notice increased NoValidHost scheduling failures as the
  aggregate-based overcommit is no longer being considered.

  You can safely remove the AggregateCoreFilter, AggregateRamFilter,
  and AggregateDiskFilter from your "[filter_scheduler]enabled_filters"
  and you do not need to replace them with any other core/ram/disk
  filters. The placement query in the FilterScheduler takes care of
  the core/ram/disk filtering, so CoreFilter, RamFilter, and DiskFilter
  are redundant.

  Please see the mailing list thread for more information:
  http://lists.openstack.org/pipermail/openstack-operators/2018-January/014748.html

Security Issues
***************

* [CVE-2017-18191] Swapping encrypted volumes can lead to data loss
  and a possible compute host DOS attack.

  * Bug 1739593 (https://bugs.launchpad.net/nova/+bug/1739593)

Bug Fixes
*********

* The "delete_host" command has been added in "nova-manage cell_v2" to
  delete a host from a cell (host mappings). The "force" option has
  been added in "nova-manage cell_v2 delete_cell". If the "force"
  option is specified, a cell can be deleted even if the cell has
  hosts.

* If scheduling fails during rebuild the server instance will go to
  ERROR state and a fault will be recorded. Bug 1744325
  (https://bugs.launchpad.net/nova/+bug/1744325)

* The libvirt driver now allows specifying individual CPU feature
  flags for guests, via a new configuration attribute
  "[libvirt]/cpu_model_extra_flags" -- only with "custom" as the
  "[libvirt]/cpu_model". Refer to its documentation in "nova.conf"
  for usage details.

  One of the motivations for this is to alleviate the performance
  degradation (caused as a result of applying the "Meltdown" CVE
  fixes) for guests running with certain Intel-based virtual CPU
  models. This guest performance impact is reduced by exposing the
  CPU feature flag 'PCID' ("Process-Context ID") to the *guest* CPU,
  assuming that it is available in the physical hardware itself.

  Note that besides "custom", Nova's libvirt driver has two other CPU
  modes: "host-model" (which is the default), and "host-passthrough".
  Refer to the "[libvirt]/cpu_model_extra_flags" documentation for
  what to do when you are using either of those CPU modes in context
  of 'PCID'.
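
A pre-upgrade check for the Upgrade Notes entry above, as an added example that is not part of the release notes or of nova itself: it lists the filters that entry says to drop from a scheduler's "[filter_scheduler]enabled_filters" and reports which per-node ratios a compute node's config leaves unset. The option names `cpu_allocation_ratio`, `ram_allocation_ratio` and `disk_allocation_ratio` in `[DEFAULT]` are not named in the note, and both sample files are constructed.

```python
import configparser

# Filters the upgrade note says can be removed from enabled_filters.
AGGREGATE_FILTERS = {"AggregateCoreFilter", "AggregateRamFilter", "AggregateDiskFilter"}
REDUNDANT_FILTERS = {"CoreFilter", "RamFilter", "DiskFilter"}
# Assumption: per-compute-node ratio options in [DEFAULT]; the note does not name them.
RATIO_OPTIONS = ("cpu_allocation_ratio", "ram_allocation_ratio", "disk_allocation_ratio")

# Constructed sample files, not taken from a real deployment.
SAMPLE_SCHEDULER_CONF = """\
[filter_scheduler]
enabled_filters = RetryFilter,AggregateCoreFilter,RamFilter,ComputeFilter
"""
SAMPLE_COMPUTE_CONF = """\
[DEFAULT]
cpu_allocation_ratio = 4.0
"""


def _parse(text):
    """Parse nova.conf text as INI without value interpolation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def stale_filters(scheduler_conf):
    """Return enabled filters that the upgrade note says to drop, in config order."""
    raw = _parse(scheduler_conf).get("filter_scheduler", "enabled_filters", fallback="")
    enabled = [name.strip() for name in raw.split(",") if name.strip()]
    return [name for name in enabled if name in AGGREGATE_FILTERS | REDUNDANT_FILTERS]


def unset_ratios(compute_conf):
    """Return the per-node ratio options this compute node's config leaves unset."""
    defaults = _parse(compute_conf).defaults()
    return [opt for opt in RATIO_OPTIONS if not defaults.get(opt, "").strip()]


if __name__ == "__main__":
    for name in stale_filters(SAMPLE_SCHEDULER_CONF):
        kind = ("aggregate overcommit no longer honored" if name in AGGREGATE_FILTERS
                else "redundant with the placement query")
        print(f"remove {name}: {kind}")
    for opt in unset_ratios(SAMPLE_COMPUTE_CONF):
        print(f"{opt} is not set on this compute node")
```

Run `stale_filters` against the scheduler's nova.conf and `unset_ratios` against each compute node's nova.conf; a node that relied on aggregate overcommit and reports unset ratios is where the NoValidHost failures described in the note would show up.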

Changes in nova 15.1.0..15.1.1
------------------------------

1c6b2fc libvirt: Allow to specify granular CPU feature flags
02b27a0 Revert "Proper error handling by _ensure_resource_provider"
1150d4a only increment disk address unit for scsi devices
b188492 Detach volumes when VM creation fails
c407a69 Clean up volumes on boot failure
01c4230 Handle spawning error on unshelving
db79797 Modify incorrect debug meaasge in _inject_data
0225a61 libvirt: Block swap volume attempts with encrypted volumes prior to Queens
862619b Increase cpu time for image conversion
caca713 libvirt: Report the allocated size of preallocated file based disks
604954a Set error state after failed evacuation
ea53d9f Pass the correct image to build_request_spec in conductor.rebuild_instance
590fd6d Functional test for regression bug #1713783
9c98fa4 Refactor a test method including 3 test cases
c61ec9d Don't persist RequestSpec.retry
0d111f1 Add regression test for persisted RequestSpec.retry from failed resize
5c43e76 Fix wrapping of neutron forbidden error
a0599e4 libvirt: log vm and task state when vif plugging times out
286dd2c Only attempt a rebuild claim for an evacuation to a new host
1291d45 libvirt: mask InjectionInfo.admin_pass
2cfdb9c libvirt: Don't VIR_MIGRATE_NON_SHARED_INC without migrate_disks
e0c1d46 Lazy-load instance attributes with read_deleted=yes
fb54ccf unquiesce instance on volume snapshot failure
d342222 Add 'delete_host' command in 'nova-manage cell_v2'
8430cbb Fix docs for IsolatedHostsFilter
88c51bd Handle volume-backed instances in IsolatedHostsFilter
3f3ccff Add regression test for BFV+IsolatedHostsFilter failure
6c91a3d Add release note for Aggregate[Core|Ram|Disk]Filter change
6b753f0 live-mig: keep disk device address same
0cac8fa add "--until-complete" option for nova-manage db archive_deleted_rows.
b9f9e09 Don't wait for vif plug events during _hard_reboot
e708878 Bumping functional test job timeouts
2efe3f6 Rollback instance.image_ref on failed rebuild
0b5006d Make sure that functional test triggered on sample changes
83fd8ac Set server status to ERROR if rebuild failed
b476562 Fix false positive server group functional tests
a0525f6 Stop _undefine_domain erroring if domain not found
eae6aa8 libvirt: Re-initialise volumes, encryptors, and vifs on hard reboot
6a2882b Fix possible TypeError in VIF.fixed_ips
b00b2fe Raise MarkerNotFound if BuildRequestList.get_by_filters doesn't find marker
5166061 Don't persist could-be-stale InstanceGroup fields in RequestSpec
f70119c Don't try to delete build request during a reschedule
5267937 Fix an error in _get_host_states when deleting a compute node
ff2231f Use instance.project_id when creating request specs for old instances
c4d700d Use proper user and tenant in the owner section of libvirt.xml.
44912b5 Proper error handling by _ensure_resource_provider
aa0e4eb Save updated libvirt domain XML after swapping volume
b9c26ad Don't update RT in _allocate_network
1d61444 Handle exception on adding secgroup
09970fe Fix instance lookup in hide_server_addresses extension
53d35e2 libvirt: bandwidth param should be set in guest migrate
e2c2b1d Fix joins in instance_get_all_by_host
a8ec586 Fix test_instance_get_all_by_host
8c4db90 Avoid unnecessary lazy-loads in mutated_migration_context

Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml | 26 +
.../api/openstack/compute/hide_server_addresses.py | 5 +-
nova/cmd/manage.py | 71 ++-
nova/compute/api.py | 76 ++-
nova/compute/manager.py | 68 ++-
nova/conductor/manager.py | 67 ++-
nova/conf/libvirt.py | 54 ++
nova/db/sqlalchemy/api.py | 5 +-
nova/network/model.py | 7 +-
nova/network/neutronv2/api.py | 2 +-
nova/network/security_group/neutron_driver.py | 10 +-
nova/objects/build_request.py | 5 +-
nova/objects/instance.py | 13 +-
nova/objects/request_spec.py | 33 +-
nova/scheduler/filter_scheduler.py | 2 +-
nova/scheduler/filters/isolated_hosts_filter.py | 5 +-
nova/scheduler/host_manager.py | 12 +-
nova/test.py | 3 +
.../functional/regressions/test_bug_1713783.py | 127 +++++
.../functional/regressions/test_bug_1718512.py | 164 ++++++
.../functional/regressions/test_bug_1746483.py | 106 ++++
.../network/security_group/test_neutron_driver.py | 39 ++
nova/virt/block_device.py | 10 +
nova/virt/disk/api.py | 10 +
nova/virt/driver.py | 3 +-
nova/virt/fake.py | 25 +-
nova/virt/images.py | 2 +-
nova/virt/libvirt/driver.py | 172 ++++--
nova/virt/libvirt/guest.py | 17 +-
nova/virt/libvirt/migration.py | 15 +-
nova/volume/encryptors/luks.py | 5 +-
.../agg-resource-filters-6e24c92a69afa85f.yaml | 22 +
.../notes/bug-1721179-87bc7b64215944c0.yaml | 8 +
...ug-1739593-cve-2017-18191-25fe48d336d8cf13.yaml | 9 +
...4325-rebuild-error-status-9e2da03f3f81fd6e.yaml | 7 +
...irt-cpu-model-extra-flags-a23085f58bd22d27.yaml | 21 +
64 files changed, 2354 insertions(+), 410 deletions(-)