We are ecstatic to announce the release of:

nova 31.1.0

This release is part of the epoxy release series.

The source is available from:

    https://opendev.org/openstack/nova

Download the package from:

    https://tarballs.openstack.org/nova/

Please report issues through:

    https://bugs.launchpad.net/nova/+bugs

For more details, please see below.

31.1.0
^^^^^^

Security Issues
***************

* Nova has long documented that the "update volume attachment" API,
  PUT /servers/{server_id}/os-volume_attachments/{volume_id}, should not
  be called directly:

  "When updating volumeId, this API is typically meant to only be used as
  part of a larger orchestrated volume migration operation initiated in
  the block storage service via the os-retype or os-migrate_volume volume
  actions. Direct usage of this API to update volumeId is not recommended
  and may result in needing to hard reboot the server to update details
  within the guest such as block storage serial IDs. Furthermore, updating
  volumeId via this API is only implemented by certain compute drivers."

  As an admin-only API, direct usage has always been limited to admins or
  services such as "watcher". This longstanding recommendation is now
  enforced as a security hardening measure: the API is restricted to
  cinder only.

  The prior warning alluded to the fact that directly using this API can
  leave a guest with a de-synced definition of the volume serial. Before
  this change it was possible for an admin to unknowingly put a VM in an
  inconsistent state such that a future live migration might fail, or
  might succeed and break tenant isolation. This could not happen when the
  API was called by cinder, so Nova has restricted the API exclusively to
  that use-case.

  See https://bugs.launchpad.net/nova/+bug/2112187 for details.

Bug Fixes
*********

* Fixed bug 2098496, where nova assigned more PCI hostdevs to a VM than
  the flavor requested via the pci_passthrough:alias extra_spec. This only
  affected systems where both "[filter_scheduler]pci_in_placement" and
  "[pci]report_in_placement" were set to True, the PCI alias requested
  type-VF devices, a single PF device on the compute node supported more
  than one VF, and the "[pci]device_spec" configuration allowed nova to
  use multiple VFs from a single PF.

* Nova now strictly enforces that only cinder can call the "update volume
  attachment" (aka "swap volume") API. This is part of addressing a
  security hardening gap identified in bug
  https://bugs.launchpad.net/nova/+bug/2112187

Changes in nova 31.0.1..31.1.0
------------------------------

76fe0294ff restrict swap volume to cinder
72cbe56a03 Ignore metadata tags in pci/stats _find_pool logic


Diffstat (except docs and test files)
-------------------------------------

api-ref/source/os-volume-attachments.inc                  | 20 ++--
nova/api/openstack/compute/volumes.py                     |  6 ++
nova/pci/stats.py                                         | 47 +++++++++
.../functional/regressions/test_bug_1943431.py            | 49 ++-------
.../functional/regressions/test_bug_2098496.py            | 64 ++----------
.../functional/regressions/test_bug_2112187.py            | 67 ++++++++++++
.../unit/api/openstack/compute/test_volumes.py            | 81 +++++++++------
...i-hostdevs-than-requested-0139018213f1be96.yaml        | 12 +++
.../notes/bug-2112187-e1c1d40f090e421b.yaml               | 36 +++++++

13 files changed, 394 insertions(+), 144 deletions(-)
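The hazard described under Security Issues is a guest whose block storage serial no longer matches the volume nova records for it: a direct call to the swap API updates nova's block device mapping (BDM) while the running guest still sees the serial of the old volume. The following is an added example of an operator check for that state on a libvirt host; it is not nova code and not part of this announcement. It assumes, as nova's libvirt driver does, that a volume's cinder ID is written into the <serial> element of the volume-backed <disk>; the domain XML (as `virsh dumpxml` would print it) and the BDM list are constructed sample data, and the BDM field names device_name and volume_id are assumptions about how an operator would extract them.

```python
"""Find guest disks whose libvirt <serial> disagrees with nova's BDM.

Added example, not nova's own code. Assumptions: nova writes the cinder
volume ID into each volume-backed <disk><serial>, and the operator can
obtain the domain XML and the instance's BDMs (device_name, volume_id).
Both inputs below are constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed sample: vdb was attached as volume 1111..., then an admin
# called the swap API to point the BDM at 3333... without cinder
# orchestrating the move, so the running guest still carries the old serial.
DOMAIN_XML = """<domain type='kvm'>
  <name>instance-00000001</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/nova/instances/0e1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d/disk'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='network' device='disk'>
      <source protocol='rbd' name='volumes/volume-11111111-1111-4111-8111-111111111111'/>
      <target dev='vdb' bus='virtio'/>
      <serial>11111111-1111-4111-8111-111111111111</serial>
    </disk>
    <disk type='network' device='disk'>
      <source protocol='rbd' name='volumes/volume-22222222-2222-4222-8222-222222222222'/>
      <target dev='vdc' bus='virtio'/>
      <serial>22222222-2222-4222-8222-222222222222</serial>
    </disk>
  </devices>
</domain>
"""

# Constructed sample of what nova believes is attached to the instance.
BDMS = [
    {"device_name": "/dev/vdb", "volume_id": "33333333-3333-4333-8333-333333333333"},
    {"device_name": "/dev/vdc", "volume_id": "22222222-2222-4222-8222-222222222222"},
]


def guest_disk_serials(domain_xml: str) -> dict[str, str]:
    """Map target device name (e.g. 'vdb') to the <serial> the guest sees.

    Disks without a <serial> (the ephemeral root disk here) are skipped.
    """
    root = ET.fromstring(domain_xml)
    serials = {}
    for disk in root.iterfind("./devices/disk"):
        target = disk.find("target")
        serial = disk.find("serial")
        if target is None or serial is None or not serial.text:
            continue
        serials[target.get("dev")] = serial.text.strip()
    return serials


def find_desynced_volumes(domain_xml: str, bdms: list[dict]) -> list[dict]:
    """Return one record per BDM whose volume_id differs from the serial the
    guest sees on that device (guest_serial is None when the guest has no
    serial for the device at all)."""
    serials = guest_disk_serials(domain_xml)
    findings = []
    for bdm in bdms:
        dev = bdm["device_name"].rsplit("/", 1)[-1]  # '/dev/vdb' -> 'vdb'
        guest_serial = serials.get(dev)
        if guest_serial != bdm["volume_id"]:
            findings.append({
                "device": dev,
                "guest_serial": guest_serial,
                "bdm_volume_id": bdm["volume_id"],
            })
    return findings


if __name__ == "__main__":
    for f in find_desynced_volumes(DOMAIN_XML, BDMS):
        print(f"{f['device']}: guest serial {f['guest_serial']} "
              f"!= BDM volume {f['bdm_volume_id']}")
```

A mismatch reported by this check is exactly the state the api-ref warning refers to: the guest keeps the old serial until the server is hard rebooted and its domain definition regenerated. Instances that only ever had cinder-orchestrated retypes or migrations should report nothing.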
Sender: no-reply@openstack.org