We are ecstatic to announce the release of:

cinder 22.1.0: OpenStack Block Storage

This release is part of the antelope release series.

The source is available from:

    https://opendev.org/openstack/cinder

Download the package from:

    https://tarballs.openstack.org/cinder/

Please report issues through:

    https://bugs.launchpad.net/cinder/+bugs

For more details, please see below.

22.1.0
^^^^^^

Known Issues
************

* For security reasons (Bug #2004555
  (https://bugs.launchpad.net/cinder/+bug/2004555)) manually deleting
  an attachment, manually doing the "os-terminate_connection",
  "os-detach" or "os-force_detach" actions will no longer be allowed
  in most cases unless the request is coming from another OpenStack
  service on behalf of a user.

Upgrade Notes
*************

* Nova must be configured to send service tokens
  (https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html)
  **and** cinder must be configured to recognize at least one of the
  roles that the nova service user has been assigned in keystone. By
  default, cinder will recognize the "service" role, so if the nova
  service user is assigned a differently named role in your cloud,
  you must adjust your cinder configuration file
  ("service_token_roles" configuration option in the
  "keystone_authtoken" section). If nova and cinder are not
  configured correctly in this regard, detaching volumes will no
  longer work (Bug #2004555
  (https://bugs.launchpad.net/cinder/+bug/2004555)).

Critical Issues
***************

* Detaching volumes will fail if Nova is not configured to send
  service tokens
  (https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html),
  please read the upgrade section for more information. (Bug #2004555
  (https://bugs.launchpad.net/cinder/+bug/2004555)).

Security Issues
***************

* As part of the fix for Bug #2004555
  (https://bugs.launchpad.net/cinder/+bug/2004555), cinder now
  rejects user attachment delete requests for attachments that are
  being used by nova instances to ensure that no leftover devices are
  produced on the compute nodes which could be used to access another
  project's volumes. Terminate connection, detach, and force detach
  volume actions (calls that are not usually made by users directly)
  are, in most cases, not allowed for users.

Bug Fixes
*********

* Bug #2004555 (https://bugs.launchpad.net/cinder/+bug/2004555):
  Fixed issue where a user manually deleting an attachment, calling
  terminate connection, detach, or force detach, for a volume that is
  still used by a nova instance resulted in leftover devices on the
  compute node. These operations will now fail when it is believed to
  be a problem.

Changes in cinder 22.0.0..22.1.0
--------------------------------

dd6010a9f Reject unsafe delete attachment calls
5975376ba [Pure Storage] Add check for new error message
63e6dfdb0 Update url of "Unity Replication White Paper"

Diffstat (except docs and test files)
-------------------------------------

api-ref/source/v3/attachments.inc                  | 15 ++
api-ref/source/v3/volumes-v3-volumes-actions.inc   | 55 ++++++
cinder/compute/nova.py                             |  7 +
cinder/exception.py                                |  7 +
cinder/volume/api.py                               | 98 +++++++++++
cinder/volume/drivers/pure.py                      |  6 +-
.../drivers/dell-emc-unity-driver.rst              |  4 +-
.../configuration/block-storage/service-token.rst  | 46 +++--
.../redirect-detach-nova-4b7b7902d7d182e0.yaml     | 43 +++++
17 files changed, 510 insertions(+), 27 deletions(-)
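
A pre-upgrade check for the requirement in the Upgrade Notes above, added here as an example (it is not part of the cinder release or the original announcement). It assumes nova's "send_service_user_token" option in the "[service_user]" section, which is named in nova's configuration reference rather than in this note; the sample configs and the function name are constructed for illustration.

```python
import configparser

# Constructed sample configuration text (not from a real deployment).
NOVA_CONF = """
[service_user]
send_service_user_token = true
auth_type = password
username = nova
"""

CINDER_CONF = """
[keystone_authtoken]
service_token_roles = service
"""


def _parse(text):
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def check_detach_prereqs(nova_conf, cinder_conf, nova_user_roles):
    """Return a list of problems; an empty list means both sides line up.

    nova_user_roles: role names assigned to the nova service user in
    keystone (looked up by the operator and passed in; hypothetical input).
    """
    problems = []
    nova = _parse(nova_conf)
    cinder = _parse(cinder_conf)

    # Assumption: nova does not send a service token unless this is enabled.
    send = nova.get("service_user", "send_service_user_token", fallback="false")
    if send.strip().lower() not in ("true", "1", "yes", "on"):
        problems.append("nova: [service_user] send_service_user_token is not enabled")

    # Per the release note, cinder recognizes the "service" role by default.
    raw = cinder.get("keystone_authtoken", "service_token_roles", fallback="service")
    accepted = {role.strip() for role in raw.split(",") if role.strip()}
    if not accepted & set(nova_user_roles):
        problems.append(
            "cinder: [keystone_authtoken] service_token_roles %s matches none of "
            "the nova service user's roles %s" % (sorted(accepted), sorted(nova_user_roles))
        )
    return problems
```

Run it against the real nova.conf and cinder.conf contents before upgrading; any returned problem means volume detach would stop working after the update.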