We joyfully announce the release of:

nova 23.0.2: Cloud computing fabric controller

This release is part of the wallaby stable release series.

The source is available from:

    https://opendev.org/openstack/nova

Download the package from:

    https://tarballs.openstack.org/nova/

Please report issues through:

    https://bugs.launchpad.net/nova/+bugs

For more details, please see below.

23.0.2
^^^^^^

Security Issues
***************

* A vulnerability in the console proxies (novnc, serial, spice) that
  allowed open redirection has been patched. The novnc, serial, and
  spice console proxies are implemented as websockify servers and the
  request handler inherits from the python standard
  SimpleHTTPRequestHandler. There is a known issue in the
  SimpleHTTPRequestHandler which allows open redirects by way of URLs
  in the following format:

     http://vncproxy.my.domain.com//example.com/%2F..

  which if visited, will redirect a user to example.com.

  The novnc, serial, and spice console proxies will now reject
  requests that pass a redirection URL beginning with "//" with a 400
  Bad Request.

  (https://bugs.launchpad.net/nova/+bug/1927677)
  (https://bugs.python.org/issue32084)

Bug Fixes
*********

* Improved detection of anti-affinity policy violation when performing
  live and cold migrations. Most of the violations caused by race
  conditions due to performing concurrent live or cold migrations
  should now be addressed by extra checks in the compute service. Upon
  detection, cold migration operations are automatically rescheduled,
  while live migrations have two checks and will be rescheduled if
  detected by the first one, otherwise the live migration will fail
  cleanly and revert the instance state back to its previous value.

* Bug 1851545 (https://bugs.launchpad.net/nova/+bug/1851545), wherein
  unshelving an instance with SRIOV Neutron ports did not update the
  port binding's "pci_slot" and could cause libvirt PCI conflicts, has
  been fixed.

  Important:

    Constraints in the fix's implementation mean that it only applies
    to instances booted **after** it has been applied. Existing
    instances will still experience bug 1851545 after being shelved
    and unshelved, even with the fix applied.

* To fix device detach issues in the libvirt driver the detach logic
  has been changed from a sleep based retry loop to waiting for
  libvirt domain events. During this change we also introduced two new
  config options to allow fine tuning the retry logic. For details see
  the description of the new "[libvirt]device_detach_attempts" and
  "[libvirt]device_detach_timeout" config options.
  (https://bugs.launchpad.net/nova/+bug/1882521)

Changes in nova 23.0.1..23.0.2
------------------------------

fef0305abe Move 'check-cherry-picks' test to gate, n-v check
5d65680095 libvirt: Set driver_iommu when attaching virtio devices to SEV instance
c45bedd98d zuul: Replace grenade and nova-grenade-multinode with grenade-multinode
8b62a4ec9b Error anti-affinity violation on migrations
46aa3f4ec7 Honor [neutron]http_retries in the manual client
bf7254b794 Update SRIOV port pci_slot when unshelving
3625d5336a Test SRIOV port move operations with PCI conflicts
83ca8b3563 Neutron fixture: don't clobber profile and vif_details if empty
5ede75c65e Stop leaking ceph df cmd in RBD utils
4709256142 Reject open redirection in the console proxy
8f018d754d rbd: Get rbd_utils unit tests running again
8b50f48ed2 Consolidate device detach error handling
ebf1ceb7d6 Move instance power state check to _detach_with_retry
14596ca30f libvirt: Remove dead error handling code
9f90c7268c Follow up type hints for a634103
3fcd11a403 Enable mypy on libvirt/guest.py
5f488d8cd1 Move the guest.get_disk test to test_guest
30317e6b3f Replace blind retry with libvirt event waiting in detach

Diffstat (except docs and test files)
-------------------------------------

.zuul.yaml                                         |  46 +-
gate/live_migration/hooks/ceph.sh                  | 208 ----
gate/live_migration/hooks/nfs.sh                   |  50 -
gate/live_migration/hooks/utils.sh                 |  11 -
mypy-files.txt                                     |   1 +
nova/compute/manager.py                            | 124 +-
nova/conf/libvirt.py                               |  24 +
nova/console/websocketproxy.py                     |  23 +
nova/network/neutron.py                            |  86 +-
nova/storage/rbd_utils.py                          |   9 +-
.../functional/libvirt/test_pci_sriov_servers.py   | 116 ++
nova/virt/libvirt/designer.py                      |  10 +-
nova/virt/libvirt/driver.py                        | 559 ++++++---
nova/virt/libvirt/guest.py                         | 139 +--
nova/virt/libvirt/migration.py                     |   9 +-
playbooks/legacy/nova-grenade-multinode/post.yaml  |  15 -
playbooks/legacy/nova-grenade-multinode/run.yaml   |  65 --
playbooks/legacy/nova-live-migration/post.yaml     |  15 -
playbooks/legacy/nova-live-migration/run.yaml      |  60 -
.../notes/bug-1821755-7bd03319e34b6b10.yaml        |  11 +
.../notes/bug-1851545-781c358939d96cea.yaml        |  12 +
...roxy-reject-open-redirect-4ac0a7895acca7eb.yaml |  19 +
...event-based-device-detach-23ac037004d753b1.yaml |  11 +
tools/check-cherry-picks.sh                        |   5 -
tox.ini                                            |  12 +-
39 files changed, 2180 insertions(+), 1347 deletions(-)
Participants (1): no-reply@openstack.org
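
The "Security Issues" entry above describes rejecting request targets that begin with "//" with a 400 Bad Request. The sketch below is an added example, not nova's code: it applies that check in a SimpleHTTPRequestHandler subclass and exercises it over loopback. The names RejectDoubleSlashHandler, browser_target and probe are hypothetical, and placing the check in parse_request() is this example's choice.

```python
import functools
import http.client
import tempfile
import threading
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urljoin


class RejectDoubleSlashHandler(SimpleHTTPRequestHandler):  # hypothetical name
    def parse_request(self):
        ok = super().parse_request()
        # requestline holds the target as sent: "GET //example.com/%2F.. HTTP/1.1"
        if ok and self.requestline.split()[1].startswith("//"):
            self.send_error(HTTPStatus.BAD_REQUEST, "URI must not start with //")
            return False  # handle_one_request() stops: a reply was already sent
        return ok

    def log_message(self, format, *args):
        pass  # keep the demo quiet


def browser_target(page_url, location):
    """URL a browser loads when page_url answers with this Location header."""
    return urljoin(page_url, location)


def probe(path):
    """Serve an empty temp dir on loopback, GET `path`, return the HTTP status."""
    with tempfile.TemporaryDirectory() as root:
        handler = functools.partial(RejectDoubleSlashHandler, directory=root)
        server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
            conn.request("GET", path)
            response = conn.getresponse()
            response.read()
            conn.close()
            return response.status
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    # Constructed Location value in the release note's "//host" form.
    print(browser_target("http://vncproxy.my.domain.com/", "//example.com/%2F../"))
    print(probe("//example.com/%2F.."), probe("/"))
```

browser_target() shows why a Location value starting with "//" matters: it is resolved as a host on the current scheme, not as a path on the proxy.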