We eagerly announce the release of:

nova 18.2.2: Cloud computing fabric controller

This release is part of the rocky stable release series.

The source is available from:

    https://opendev.org/openstack/nova

Download the package from:

    https://tarballs.openstack.org/nova/

Please report issues through:

    https://bugs.launchpad.net/nova/+bugs

For more details, please see below.

18.2.2
^^^^^^

Security Issues
***************

* OSSA-2019-003: Nova Server Resource Faults Leak External Exception
  Details (CVE-2019-14433)

  This release contains a security fix for bug 1837877 where users
  without the admin role can be exposed to sensitive error details in
  the server resource fault "message".

  There is a behavior change where non-nova exceptions will only
  record the exception class name in the fault "message" field which
  is exposed to all users, regardless of the admin role.

  The fault "details", which are only exposed to users with the admin
  role, will continue to include the traceback and also include the
  exception value which for non-nova exceptions is what used to be
  exposed in the fault "message" field. Meaning, the information that
  admins could see for server faults is still available, but the
  exception value may be in "details" rather than "message" now.

  (https://security.openstack.org/ossa/OSSA-2019-003.html)
  (https://bugs.launchpad.net/nova/+bug/1837877)

Bug Fixes
*********

* Bug 1675791 has been fixed by granting image membership access to
  snapshot images when the owner of the server is not performing the
  snapshot/backup/shelve operation on the server. For example, an
  admin shelves a user's server and the user needs to unshelve the
  server so the user needs access to the shelved snapshot image.

  Note that only the image owner may delete the image, so in the case
  of a shelved offloaded server, if the user unshelves or deletes the
  server, that operation will work but there will be a warning in the
  logs because the shelved snapshot image could not be deleted since
  the user does not own the image. Similarly, if an admin creates a
  snapshot of a server in another project, the admin owns the snapshot
  image and the non-admin project, while having shared image member
  access to see the image, cannot delete the snapshot.

  The bug fix applies to both the "nova-osapi_compute" and
  "nova-compute" service so older compute services will need to be
  patched.

  Refer to the image API reference for details on image sharing:

  https://developer.openstack.org/api-ref/image/v2/index.html#sharing

  (https://launchpad.net/bugs/1675791)

* Bug 1811726 is fixed by deleting the resource provider (in
  placement) associated with each compute node record managed by a
  "nova-compute" service when that service is deleted via the "DELETE
  /os-services/{service_id}" API. This is particularly important for
  compute services managing ironic baremetal nodes.
  (https://bugs.launchpad.net/nova/+bug/1811726)

Changes in nova 18.2.1..18.2.2
------------------------------

72f9aa720f Don't generate service UUID for deleted services
e0b91a5b1e Replace non-nova server fault message
3a1be7afd0 Avoid logging traceback when detach device not found
25fd08755e Fix python3 compatibility of rbd get_fsid
3624600094 Add functional regression test for bug 1778305
eadd78efe3 Add functional recreate test for bug 1764556
e3b68a1c8b Cleanup when hitting MaxRetriesExceeded from no host_available
f292a92a89 Add functional regression test for bug 1837955
5f0497e595 Revert "[libvirt] Filter hypervisor_type by virt_type"
2b86a9cacc Avoid crashing while getting libvirt capabilities with unknown arch names
65d2e455e3 libvirt: move checking CONF.my_ip to init_host()
d9892abd2f Revert resize: wait for events according to hybrid plug
5982c92fa8 docs: Correct issues with 'openstack quota set' commands
7793f4d759 doc: Fix a parameter of NotificationPublisher
00e5e3a744 Perf: Use dicts for ProviderTree roots
e3cd1d9baa Fix type error on call to mount device
cbf6a46d8f Drop source node allocations if finish_resize fails
9a977cb28c Add functional recreate test for regression bug 1825537
a85ce04fa3 Stabilize unshelve notification sample tests
0142cc840f Ignore hw_vif_type for direct, direct-physical vNIC types
5acbea506a Init HostState.failed_builds
4858074c89 Fix double word hacking test
aa19788d78 Disable limit if affinity(anti)/same(different)host is requested
e93bc57a73 libvirt: flatten rbd images when unshelving an instance
0ac4a97204 Grab fresh power state info from the driver
75985e25bc libvirt: Rework 'EBUSY' (SIGKILL) error handling code path
64d5278883 Delete resource providers for all nodes when deleting compute service
6ca6f6fce6 Share snapshot image membership with instance owner

Diffstat (except docs and test files)
-------------------------------------

 nova/api/openstack/compute/services.py             |   11 +-
 nova/compute/api.py                                |   31 ++-
 nova/compute/manager.py                            |  104 ++++++--
 nova/compute/provider_tree.py                      |   27 +-
 nova/compute/utils.py                              |   41 ++-
 nova/conductor/manager.py                          |   32 ++-
 nova/db/sqlalchemy/api.py                          |    3 +-
 nova/image/glance.py                               |   34 ++-
 nova/network/model.py                              |   25 ++
 nova/objects/migration.py                          |    3 +
 nova/objects/service.py                            |    2 +-
 nova/scheduler/host_manager.py                     |    1 +
 nova/scheduler/utils.py                            |    6 +
 .../functional/regressions/test_bug_1764556.py     |  155 ++++++++++++
 .../functional/regressions/test_bug_1778305.py     |   61 +++++
 .../functional/regressions/test_bug_1825537.py     |   97 ++++++++
 .../functional/regressions/test_bug_1837955.py     |  104 ++++++++
 .../unit/api/openstack/compute/test_services.py    |   20 +-
 nova/virt/disk/mount/api.py                        |    2 +-
 nova/virt/fake.py                                  |    7 +
 nova/virt/hyperv/snapshotops.py                    |    3 +-
 nova/virt/libvirt/driver.py                        |  135 +++++++---
 nova/virt/libvirt/guest.py                         |    6 +-
 nova/virt/libvirt/imagebackend.py                  |   11 +
 nova/virt/libvirt/storage/rbd_utils.py             |    4 +-
 nova/virt/libvirt/vif.py                           |   23 +-
 nova/virt/powervm/image.py                         |    1 -
 nova/virt/vmwareapi/images.py                      |    1 -
 nova/virt/zvm/driver.py                            |    1 -
 ...91-snapshot-member-access-c40bba36606618f7.yaml |   26 ++
 ...1811726-multi-node-delete-2ba17f02c6171fbb.yaml |   10 +
 ...ve-fault-message-exposure-5360d794f4976b7c.yaml |   23 ++
 60 files changed, 1745 insertions(+), 263 deletions(-)
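
The fault "message"/"details" behavior change described under OSSA-2019-003 above, as an added sketch that is not nova's own code: NovaException, build_fault, fault_view and the sample error are hypothetical names and constructed data, and nova's own exceptions are assumed to keep their value in "message".

```python
import traceback


class NovaException(Exception):
    """Stand-in for the service's own exception base class (assumed name)."""


def build_fault(exc, sanitize=True):
    """Build the stored fault record; sanitize=False models the old behaviour."""
    value = str(exc)
    stack = "".join(traceback.format_tb(exc.__traceback__))
    if isinstance(exc, NovaException) or not sanitize:
        # Assumption: message is the exception value, details only the traceback.
        return {"message": value, "details": stack}
    # Non-nova exception: class name only in the user-visible field,
    # exception value moved next to the traceback in the admin-only field.
    return {"message": exc.__class__.__name__, "details": stack + value}


def fault_view(fault, is_admin):
    """Render the fault as an API user would see it."""
    view = {"message": fault["message"]}
    if is_admin:
        view["details"] = fault["details"]
    return view


def sample_failure():
    """Constructed non-nova error whose text carries internal details."""
    try:
        raise ConnectionError(
            "POST http://10.0.0.5:9696/v2.0/ports failed, token=EXAMPLE-TOKEN")
    except ConnectionError as exc:
        return exc


if __name__ == "__main__":
    exc = sample_failure()
    for label, fault in (("before", build_fault(exc, sanitize=False)),
                         ("after", build_fault(exc))):
        print(label, "non-admin:", fault_view(fault, is_admin=False))
        print(label, "admin:    ", fault_view(fault, is_admin=True))
```

Tooling that parsed the old fault "message" for the exception text needs admin credentials and the "details" field after this release.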