[nova] nova 16.0.4 (pike)
We are psyched to announce the release of:

nova 16.0.4: Cloud computing fabric controller

This release is part of the pike release series.

Download the package from:

    https://tarballs.openstack.org/nova/

For more details, please see below.

16.0.4
^^^^^^

Known Issues
************

* In 16.0.0 Pike release, quota limits are checked in a new fashion
  after change 5c90b25e49d47deb7dc6695333d9d5e46efe8665 and a new
  config option "[quota]/recheck_quota" has been added in change
  eab1d4b5cc6dd424c5c7dfd9989383a8e716cae5 to recheck quota after
  resource creation to prevent allowing quota to be exceeded as a
  result of racing requests. These changes could lead to requests
  blocked by over quota resulting in instances in the "ERROR" state,
  rather than no instance records as before. Refer to
  https://bugs.launchpad.net/nova/+bug/1716706 for detailed bug
  report.

Security Issues
***************

* OSSA-2017-006: Nova FilterScheduler doubles resource allocations
  during rebuild with new image (CVE-2017-17051)

  By repeatedly rebuilding an instance with new images, an
  authenticated user may consume untracked resources on a hypervisor
  host leading to a denial of service. This regression was introduced
  with the fix for `OSSA-2017-005`_ (CVE-2017-16239), however, only
  Nova stable/pike or later deployments with that fix applied and
  relying on the default FilterScheduler are affected.

  The fix is in the *nova-api* and *nova-scheduler* services.

  Note: The fix for errata in `OSSA-2017-005`_ (CVE-2017-16239) will
  need to be applied in addition to this fix.

  (https://security.openstack.org/ossa/OSSA-2017-006.html)

Bug Fixes
*********

* The fix for `OSSA-2017-005`_ (CVE-2017-16239) was too far-reaching
  in that rebuilds can now fail based on scheduling filters that
  should not apply to rebuild. For example, a rebuild of an instance
  on a disabled compute host could fail whereas it would not before
  the fix for CVE-2017-16239. Similarly, rebuilding an instance on a
  host that is at capacity for vcpu, memory or disk could fail since
  the scheduler filters would treat it as a new build request even
  though the rebuild is not claiming *new* resources.

  Therefore this release contains a fix for those regressions in
  scheduling behavior on rebuild while maintaining the original fix
  for CVE-2017-16239.

  Note: The fix relies on a "RUN_ON_REBUILD" variable which is
  checked for all scheduler filters during a rebuild. The reasoning
  behind the value for that variable depends on each filter. If you
  have out-of-tree scheduler filters, you will likely need to assess
  whether or not they need to override the default value (False) for
  the new variable.

* This release includes a fix for bug 1733886 which was a regression
  introduced in the 2.36 API microversion where the "force" parameter
  was missing from the "PUT /os-quota-sets/{tenant_id}" API request
  schema so users could not force quota updates with microversion
  2.36 or later. The bug is now fixed so that the "force" parameter
  can once again be specified during quota updates. There is no new
  microversion for this change since it is an admin-only API.
  (https://bugs.launchpad.net/nova/+bug/1733886)

Changes in nova 16.0.3..16.0.4
------------------------------

6f5b312 Fix 'force' parameter in os-quota-sets PUT schema
fc225f1 [placement] Fix foreign key constraint error
fed660c Fix doubling allocations on rebuild
234ade2 Add regression test for rebuild with new image doubling allocations
4e36c4b Get original image_id from volume for volume-backed instance rebuild
6c1a088 Only query BDMs once in API during rebuild
c799165 Add regression test for rebuilding a volume-backed server
2db9f9d Fix ValueError if invalid max_rows passed to db purge
43dbbf8 Mention API behavior change when over quota limit
02af3d5 Downgrade log for keystone verify client fail
9502397 Vzstorage: synchronize volume connect
781a963 Fix TypeError of _get_project_id when project_id is None
ae56863 Fix incorrect known vcpuset when CPUPinningUnknown raised
2d79baf Fix binary name
b1aa3ed Fix ValueError when loading old pci device record
b29a461 Refined fix for validating image on rebuild
ec20e1a Update bindep.txt for doc builds
2c70ee8 Document the real behavior of notify_on_state_change
0ad8476 Fix quobyte test_validate_volume_no_mtab_entry
4402da8 Modify incorrect debug meaasge in _inject_data
2486f34 libvirt: Don't VIR_MIGRATE_NON_SHARED_INC without migrate_disks
fa47da0 libvirt: bandwidth param should be set in guest migrate
bb7628f Set regex flag on ostestr command for osprofiler tests
a89ff72 Log consumer uuid when retrying claims in the scheduler
ece825b doc: fix flavor notes
aabf0b0 Fix race in delete allocation in ServerMovingTests
8f76540 placement: avoid returning duplicated alloc_reqs when no sharing rp

Diffstat (except docs and test files)
-------------------------------------

 bindep.txt | 7 +-
 .../v2.36/quotas-show-defaults-get-resp.json | 15 +++
 .../v2.36/quotas-show-detail-get-resp.json | 55 +++++++++
 .../os-quota-sets/v2.36/quotas-show-get-resp.json | 15 +++
 .../v2.36/quotas-update-force-post-req.json | 6 +
 .../v2.36/quotas-update-force-post-resp.json | 14 +++
 .../v2.36/quotas-update-post-req.json | 5 +
 .../v2.36/quotas-update-post-resp.json | 14 +++
 .../v2.36/user-quotas-show-get-resp.json | 15 +++
 .../v2.36/user-quotas-update-post-req.json | 6 +
 .../v2.36/user-quotas-update-post-resp.json | 14 +++
 nova/api/openstack/common.py | 2 +-
 .../openstack/compute/rest_api_version_history.rst | 6 +
 nova/api/openstack/compute/schemas/quota_sets.py | 2 +-
 nova/api/openstack/identity.py | 3 +-
 nova/api/openstack/wsgi_app.py | 6 +-
 nova/cmd/manage.py | 4 +-
 nova/compute/api.py | 50 ++++++--
 nova/conf/notifications.py | 15 ++-
 nova/objects/numa.py | 4 +-
 nova/objects/pci_device.py | 7 +-
 nova/objects/resource_provider.py | 5 +
 nova/scheduler/client/report.py | 4 +-
 nova/scheduler/filter_scheduler.py | 10 ++
 nova/scheduler/filters/__init__.py | 22 +++-
 nova/scheduler/filters/affinity_filter.py | 12 ++
 .../aggregate_image_properties_isolation.py | 2 +
 .../filters/aggregate_instance_extra_specs.py | 2 +
 .../filters/aggregate_multitenancy_isolation.py | 2 +
 nova/scheduler/filters/all_hosts_filter.py | 2 +
 nova/scheduler/filters/availability_zone_filter.py | 2 +
 .../filters/compute_capabilities_filter.py | 2 +
 nova/scheduler/filters/compute_filter.py | 2 +
 nova/scheduler/filters/core_filter.py | 2 +
 nova/scheduler/filters/disk_filter.py | 4 +
 nova/scheduler/filters/exact_core_filter.py | 2 +
 nova/scheduler/filters/exact_disk_filter.py | 2 +
 nova/scheduler/filters/exact_ram_filter.py | 2 +
 nova/scheduler/filters/image_props_filter.py | 2 +
 nova/scheduler/filters/io_ops_filter.py | 2 +
 nova/scheduler/filters/isolated_hosts_filter.py | 2 +
 nova/scheduler/filters/json_filter.py | 3 +
 nova/scheduler/filters/metrics_filter.py | 2 +
 nova/scheduler/filters/num_instances_filter.py | 2 +
 nova/scheduler/filters/numa_topology_filter.py | 2 +
 nova/scheduler/filters/pci_passthrough_filter.py | 2 +
 nova/scheduler/filters/ram_filter.py | 2 +
 nova/scheduler/filters/retry_filter.py | 4 +
 nova/scheduler/filters/trusted_filter.py | 2 +
 nova/scheduler/filters/type_filter.py | 4 +
 nova/scheduler/host_manager.py | 9 +-
 nova/scheduler/utils.py | 13 ++
 .../quotas-update-force-resp.json.tpl | 20 ---
 .../v2.36/quotas-show-defaults-get-resp.json.tpl | 15 +++
 .../v2.36/quotas-show-detail-get-resp.json.tpl | 55 +++++++++
 .../v2.36/quotas-show-get-resp.json.tpl | 15 +++
 .../v2.36/quotas-update-force-post-req.json.tpl | 6 +
 .../v2.36/quotas-update-force-post-resp.json.tpl | 14 +++
 .../v2.36/quotas-update-post-req.json.tpl | 5 +
 .../v2.36/quotas-update-post-resp.json.tpl | 14 +++
 .../v2.36/user-quotas-show-get-resp.json.tpl | 15 +++
 .../v2.36/user-quotas-update-post-req.json.tpl | 6 +
 .../v2.36/user-quotas-update-post-resp.json.tpl | 14 +++
 .../functional/regressions/test_bug_1732947.py | 88 ++++++++++++++
 .../unit/virt/libvirt/volume/test_vzstorage.py | 5 +-
 nova/virt/libvirt/driver.py | 7 +-
 nova/virt/libvirt/guest.py | 17 ++-
 nova/virt/libvirt/volume/vzstorage.py | 19 +--
 ...ne-validate-image-rebuild-6d730042438eec10.yaml | 20 +++
 ...ubled-allocations-rebuild-23e4d3b06eb4f43f.yaml | 18 +++
 ...-os-quota-sets-force-2.36-5866924621ecc857.yaml | 12 ++
 ...quota-api-behavior-change-fc2cbbf7c79b5ae3.yaml | 12 ++
 tox.ini | 4 +-
 90 files changed, 1157 insertions(+), 95 deletions(-)
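
The "RUN_ON_REBUILD" note under Bug Fixes asks operators to review out-of-tree scheduler filters. The sketch below is an added example, not nova's code: `BaseHostFilter` here is a simplified stand-in that models only the rebuild gate, and the two filters, the `is_rebuild` key, `audit()` and the sample host are hypothetical.

```python
# Simplified stand-in for a scheduler filter base class (assumption: it models
# only the RUN_ON_REBUILD gate described in the release note, nothing else).
class BaseHostFilter:
    RUN_ON_REBUILD = False  # default value named in the release note

    def filter_one(self, host, spec):
        # A rebuild keeps the instance on its current host, so a filter that
        # has not opted in is skipped and the host passes.
        if spec.get("is_rebuild") and not self.RUN_ON_REBUILD:
            return True
        return self.host_passes(host, spec)

    def host_passes(self, host, spec):
        raise NotImplementedError


class FreeRamFilter(BaseHostFilter):
    """Hypothetical capacity filter: a rebuild claims no new RAM, so the
    inherited default (False) is the right choice."""
    def host_passes(self, host, spec):
        return host["free_ram_mb"] >= spec["ram_mb"]


class ApprovedImageFilter(BaseHostFilter):
    """Hypothetical policy filter: its decision depends on the image, and a
    rebuild can change the image, so it must opt in."""
    RUN_ON_REBUILD = True

    def host_passes(self, host, spec):
        return spec["image"] in host["approved_images"]


def host_allowed(filters, host, spec):
    return all(f.filter_one(host, spec) for f in filters)


def audit(filters):
    """Names of filters that only inherit the default and have not made an
    explicit choice; these are the ones to review by hand."""
    return [type(f).__name__ for f in filters
            if "RUN_ON_REBUILD" not in vars(type(f))]


# Constructed sample data: a host at RAM capacity with one approved image.
HOST = {"free_ram_mb": 0, "approved_images": {"hardened-v2"}}
FILTERS = [FreeRamFilter(), ApprovedImageFilter()]
```

A filter that enforces image-based policy but is left at the default would be skipped on rebuild, which is why `audit()` flags every class that has not set the variable explicitly.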