We joyfully announce the release of: cinder 20.3.0: OpenStack Block Storage This release is part of the yoga stable release series. The source is available from: https://opendev.org/openstack/cinder Download the package from: https://tarballs.openstack.org/cinder/ Please report issues through: https://bugs.launchpad.net/cinder/+bugs For more details, please see below. 20.3.0 ^^^^^^ Known Issues ************ * For security reasons (Bug #2004555 (https://bugs.launchpad.net/cinder/+bug/2004555)) manually deleting an attachment, manually doing the "os-terminate_connection", "os- detach" or "os-force_detach" actions will no longer be allowed in most cases unless the request is coming from another OpenStack service on behalf of a user. Upgrade Notes ************* * Nova must be configured to send service tokens (https://docs.openstack.org/cinder/latest/configuration/block- storage/service-token.html) **and** cinder must be configured to recognize at least one of the roles that the nova service user has been assigned in keystone. By default, cinder will recognize the "service" role, so if the nova service user is assigned a differently named role in your cloud, you must adjust your cinder configuration file ("service_token_roles" configuration option in the "keystone_authtoken" section). If nova and cinder are not configured correctly in this regard, detaching volumes will no longer work (Bug #2004555 (https://bugs.launchpad.net/cinder/+bug/2004555)). Critical Issues *************** * Detaching volumes will fail if Nova is not configured to send service tokens (https://docs.openstack.org/cinder/latest/configuration/block- storage/service-token.html), please read the upgrade section for more information. (Bug #2004555 (https://bugs.launchpad.net/cinder/+bug/2004555)). Security Issues *************** * As part of the fix for Bug #2004555 (https://bugs.launchpad.net/cinder/+bug/2004555), cinder now rejects user attachment delete requests for attachments that are being used by nova instances to ensure that no leftover devices are produced on the compute nodes which could be used to access another project's volumes. Terminate connection, detach, and force detach volume actions (calls that are not usually made by users directly) are, in most cases, not allowed for users. Bug Fixes ********* * Bug #2004555 (https://bugs.launchpad.net/cinder/+bug/2004555): Fixed issue where a user manually deleting an attachment, calling terminate connection, detach, or force detach, for a volume that is still used by a nova instance resulted in leftover devices on the compute node. These operations will now fail when it is believed to be a problem. Changes in cinder 20.2.0..20.3.0 -------------------------------- a66f4afa2 Reject unsafe delete attachment calls Diffstat (except docs and test files) ------------------------------------- api-ref/source/v3/attachments.inc | 15 ++ api-ref/source/v3/volumes-v3-volumes-actions.inc | 55 ++++++ cinder/compute/nova.py | 7 + cinder/exception.py | 7 + cinder/volume/api.py | 98 +++++++++++ .../configuration/block-storage/service-token.rst | 46 +++-- .../redirect-detach-nova-4b7b7902d7d182e0.yaml | 43 +++++ 15 files changed, 504 insertions(+), 23 deletions(-)