We joyfully announce the release of: nova 30.1.0

This release is part of the dalmatian release series.

The source is available from:

    https://opendev.org/openstack/nova

Download the package from:

    https://tarballs.openstack.org/nova/

Please report issues through:

    https://bugs.launchpad.net/nova/+bugs

For more details, please see below.

30.1.0
^^^^^^

Security Issues
***************

* Nova has long documented that the "update volume attachment" API,
  PUT /servers/{server_id}/os-volume_attachments/{volume_id}, should
  not be called directly:

  "When updating volumeId, this API is typically meant to only be
  used as part of a larger orchestrated volume migration operation
  initiated in the block storage service via the os-retype or
  os-migrate_volume volume actions. Direct usage of this API to
  update volumeId is not recommended and may result in needing to
  hard reboot the server to update details within the guest such as
  block storage serial IDs. Furthermore, updating volumeId via this
  API is only implemented by certain compute drivers."

  As an admin-only API, direct usage has always been limited to
  admins or services like "watcher". This longstanding recommendation
  is now enforced as a security hardening measure, and the API is
  restricted to cinder only.

  The prior warning alluded to the fact that directly using this API
  can result in a guest with a de-synced definition of the volume
  serial. Before this change it was possible for an admin to
  unknowingly put a VM in an inconsistent state such that a future
  live migration might fail, or succeed and break tenant isolation.
  This could not happen when the API was called by cinder, so Nova
  has restricted the API exclusively to that use case.

  See https://bugs.launchpad.net/nova/+bug/2112187 for details.

Bug Fixes
*********

* Fixes an issue seen when using bare metal (Ironic) instances where
  an instance could fail to delete. See Bug 2019977 for more details.
  (https://bugs.launchpad.net/nova/+bug/2019977)

* During the Caracal cycle the libvirt driver was enhanced to support
  using device aliases to detach devices from a domain
  (I1dfe4ad3df81bc810835af9b09cfc6c06e9a5388). This introduced a
  regression for instances with vGPUs. A prior bugfix,
  https://bugs.launchpad.net/nova/+bug/1942345, addressed the symptom
  without correcting the underlying problem. A related bug for mdev
  devices was later reported:
  https://bugs.launchpad.net/nova/+bug/2074219

  When this feature was added, nova introduced a helper method to get
  a device via its alias, because the libvirt API does not provide one
  natively. That helper function assumed all devices would have an
  alias attribute. That assumption was not valid and has now been
  corrected. As a result, detaching a volume from an instance with
  vGPUs should now be possible and this class of bug should no longer
  happen.

* Fixed an issue where the instance rebuild option failed for Ironic
  instances. The problem was caused by an incorrect parameter order in
  the "add_instance_info_to_node" function, which was introduced by
  commit 93b90d2b
  (https://review.opendev.org/c/openstack/nova/+/923910). For more
  details, see bug 2092570
  (https://bugs.launchpad.net/nova/+bug/2092570).

* Bug #2095364: Fixed a 500 Internal Server Error from the List Server
  API and the List Server Detail API in API microversion v2.96 or
  later when one or more instances have no request spec object. One
  use case was a cloud user trying to create an instance that exceeded
  their quota; such a request does not create an instance request
  spec. Once an instance with no request spec existed in the cloud
  user's project, the server list API and the list server details API
  returned 500 Internal Server Error for the project until the cloud
  user deleted that instance. After this fix, v2.96 or later returns
  "null" for the "pinned_availability_zone" value if not specified.
  (https://launchpad.net/bugs/2095364)

* "Nova" now strictly enforces that only "cinder" can call the "update
  volume attachment" (aka "swap volume") API. This is part of
  addressing a security hardening gap identified in bug:
  https://bugs.launchpad.net/nova/+bug/2112187

* Nova now allows a hyphen in the "[cinder]catalog_info" service-type
  field, so in particular the official "block-storage" type is now
  valid. Bug 2092194 (https://bugs.launchpad.net/nova/+bug/2092194)

* Fix displaying the reason messages from the Ironic validate node
  operation that is called just before the instance is deployed on the
  bare metal node. The message from Ironic is now correctly logged.
  Fixes bug 2100009 (https://bugs.launchpad.net/nova/+bug/2100009).

* When live migration fails during pre_live_migration on the
  destination, during rollback Cinder volumes will now be disconnected
  from the destination locally instead of remotely over RPC from the
  source. This should ensure that only connection_info for the
  destination will be used to disconnect volumes from the destination.
  See bug #1899835 (https://bugs.launchpad.net/nova/+bug/1899835) for
  more details.

* With this change, operators can now resize an instance to a flavor
  with a smaller swap size; swap can be expanded and shrunk down to 0
  using the same resize API. For more details see: bug 1552777
  (https://bugs.launchpad.net/nova/+bug/1552777)

* Bug #2091033: Fixed calls to libvirt "listDevices()" and
  "listAllDevices()" potentially blocking all other greenthreads in
  "nova-compute". Under certain circumstances, it was possible for the
  "nova-compute" service to freeze with all other greenthreads blocked
  and unable to perform any other activities, including logging. This
  issue has been fixed by wrapping the libvirt "listDevices()" and
  "listAllDevices()" calls with "eventlet.tpool.Proxy".
  (https://bugs.launchpad.net/nova/+bug/2091033)

Changes in nova 30.0.0..30.1.0
------------------------------

6fcc9e2dd9 restrict swap volume to cinder
574c19ab8b Use dict object for request_specs_dict in the _list_view
706642bde3 Add ServersViewBuilderTestV296 unit test class
5b10871e21 Fix detaching devices by alias with mdevs
7e7652f433 Add repoducer test for bug 2074219
88e49dd65c [tool] Fix backport validator for non-SLURP
4cb106fc71 live migration: Avoid volume rollback mismatches
e05052a3ff Amend functional reproducer for bug 1899835
89c9a9cab4 Libvirt: updates resource provider trait list
50e97805ae ironic: fix logging of validation errors
137097dc93 Allow hyphen in cinder catalog_info service-type
4a17d63535 Fix parameter order in add_instance_info_to_node
a8de6737d2 Fix device type when booting from ISO image
c4f4ae784f libvirt: Fix regression of listDevices() return type
173defb64c Reproducer for bug 2098892
c008126257 Update InstanceNUMACell version in more cases
7ff108b5fb Update InstanceNUMACell version after data migration
82b5bd6a7e Reproduce bug/2097359
1b28f649fe ironic: Fix ConflictException when deleting server
22981123dc libvirt: Wrap un-proxied listDevices() and listAllDevices()
3d3ada4bce Update Nova bdm with updated swap info
684586f3cb Revert "[libvirt] Live migration fails when config_drive_format=iso9660"
89c07d7353 Route shared storage RPC to evac dest at startup
19c7a6e392 Reproduce bug 2085975 in functional
2dce2e277b [doc]Add `socket` option to [pci]alias numa_policy
59d6cb3b49 Revert "Test live migration between hosts with differnet cpu_shared_sets"
ea0f46f80d [doc]Fix the device_spec config doc about placement
bef7768ee5 Update TOX_CONSTRAINTS_FILE for stable/2024.2
59a44217e6 Update .gitreview for stable/2024.2

Diffstat (except docs and test files)
-------------------------------------

 .gitreview                                         |   1 +
 .zuul.yaml                                         |  23 --
 api-ref/source/os-volume-attachments.inc           |  20 +-
 api-ref/source/parameters.yaml                     |   1 +
 nova/api/openstack/compute/views/servers.py        |  25 +-
 nova/api/openstack/compute/volumes.py              |   6 +
 nova/compute/manager.py                            | 156 ++++++---
 nova/conf/cinder.py                                |   2 +-
 nova/conf/pci.py                                   |   7 +-
 nova/objects/instance_numa.py                      |  75 ++++-
 nova/test.py                                       |  11 +-
 .../functional/regressions/test_bug_1899835.py     | 125 +++++++-
 .../functional/regressions/test_bug_1943431.py     |  49 +--
 .../functional/regressions/test_bug_2062425.py     |  22 +-
 .../functional/regressions/test_bug_2074219.py     |  66 ++++
 .../functional/regressions/test_bug_2085975.py     | 131 ++++++++
 .../functional/regressions/test_bug_2098892.py     |  52 +++
 .../functional/regressions/test_bug_2112187.py     |  67 ++++
 .../unit/api/openstack/compute/test_servers.py     | 121 +++++++
 .../unit/api/openstack/compute/test_volumes.py     |  81 +++--
 nova/virt/ironic/driver.py                         |  48 +--
 nova/virt/libvirt/blockinfo.py                     |  32 +-
 nova/virt/libvirt/driver.py                        |  37 ++-
 nova/virt/libvirt/guest.py                         |   2 +-
 nova/virt/libvirt/host.py                          |  21 +-
 .../notes/bug-2019977-4afe7658394130b8.yaml        |   7 +
 .../notes/bug-2074219-937d6404c1cbb04c.yaml        |  17 +
 ...rameter-order-in-add_instance_info_to_node.yaml |   7 +
 .../notes/bug-2095364-ffbf67c0ae3f53b5.yaml        |  15 +
 .../notes/bug-2112187-e1c1d40f090e421b.yaml        |  36 +++
 ...inder-catalog-info-hyphen-842f02febcfff041.yaml |   7 +
 ...nic-validate-node-message-6a8b1eedbddd06fd.yaml |   7 +
 ...e-live-migration-rollback-7de399d9b3979f79.yaml |   9 +
 .../notes/resize-swap-size-1e15e67c436f4b95.yaml   |  10 +
 ...xied-libvirt-list-devices-7cd218c1a33535c9.yaml |  11 +
 tools/check-cherry-picks.sh                        |   7 +-
 tox.ini                                            |   2 +-
 52 files changed, 1790 insertions(+), 440 deletions(-)
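
Added example, not part of the original announcement and not nova's own code: before upgrading, an operator can check whether anything other than cinder has been calling the "update volume attachment" API described under Security Issues by scanning nova-api request logs for PUT requests to that route. The log line shape, the user names other than "watcher" and the sample lines are assumptions constructed for illustration.

```python
import re

UUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
# The route named in the release note, with any version/project prefix.
ROUTE = (r"\S*/servers/(?P<server>" + UUID + r")/os-volume_attachments/"
         r"(?P<volume>" + UUID + r")(?:\?\S*)?")
# Assumed line shape; adapt to the deployment's logging format:
#   ... [<request-id> <user> <project>] <client> "<METHOD> <path>" status: <code>
SWAP_CALL = re.compile(
    r"\[(?P<request_id>req-\S+)\s+(?P<user>\S+)\s+(?P<project>[^\]\s]+)\]\s+"
    r'(?P<client>\S+)\s+"PUT\s+' + ROUTE + r'"\s+status:\s+(?P<status>\d{3})'
)


def find_direct_swap_calls(lines, cinder_users):
    """Return PUT calls to the swap volume route made by non-cinder users."""
    hits = []
    for line in lines:
        match = SWAP_CALL.search(line)
        if match and match.group("user") not in cinder_users:
            hit = match.groupdict()
            hit["status"] = int(hit["status"])
            hits.append(hit)
    return hits


# Constructed sample lines (not real logs); IDs are placeholders.
SRV = "11111111-1111-4111-8111-111111111111"
VOL = "22222222-2222-4222-8222-222222222222"
PFX = "2025-01-01 10:00:00 INFO nova.api.openstack.requestlog"
SAMPLE = [
    # cinder-driven volume migration: expected caller, not reported
    f'{PFX} [req-a1 cinder service] 10.0.0.5 "PUT /v2.1/servers/{SRV}/os-volume_attachments/{VOL}" status: 202',
    # admin calling the API directly: reported
    f'{PFX} [req-b2 admin admin] 10.0.0.9 "PUT /v2.1/servers/{SRV}/os-volume_attachments/{VOL}" status: 202',
    # read of the same resource: different method, not reported
    f'{PFX} [req-c3 admin admin] 10.0.0.9 "GET /v2.1/servers/{SRV}/os-volume_attachments/{VOL}" status: 200',
    # plain attach: different route, not reported
    f'{PFX} [req-d4 admin admin] 10.0.0.9 "POST /v2.1/servers/{SRV}/os-volume_attachments" status: 200',
    # another service account calling the API directly: reported
    f'{PFX} [req-e5 watcher service] 10.0.0.7 "PUT /compute/v2.1/servers/{SRV}/os-volume_attachments/{VOL}" status: 202',
]

if __name__ == "__main__":
    for hit in find_direct_swap_calls(SAMPLE, cinder_users={"cinder"}):
        print(hit["request_id"], hit["user"], hit["server"], hit["status"])
```

Request bodies are not present in such log lines, so each hit is a candidate for review rather than proof that volumeId was changed.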