We are psyched to announce the release of:

nova 29.3.0

This release is part of the caracal release series.

The source is available from:

    https://opendev.org/openstack/nova

Download the package from:

    https://tarballs.openstack.org/nova/

Please report issues through:

    https://bugs.launchpad.net/nova/+bugs

For more details, please see below.

29.3.0
^^^^^^

Security Issues
***************

* Nova has long documented that the "update volume attachment" API

  PUT /servers/{server_id}/os-volume_attachments/{volume_id}

  should not be called directly.

  "When updating volumeId, this API is typically meant to only be used
  as part of a larger orchestrated volume migration operation initiated
  in the block storage service via the os-retype or os-migrate_volume
  volume actions. Direct usage of this API to update volumeId is not
  recommended and may result in needing to hard reboot the server to
  update details within the guest such as block storage serial IDs.
  Furthermore, updating volumeId via this API is only implemented by
  certain compute drivers."

  As an admin-only API, direct usage has always been limited to admins
  or services like "watcher". This longstanding recommendation is now
  enforced as a security hardening measure, and the API is restricted
  to cinder only. The prior warning alluded to the fact that directly
  using this API can result in a guest with a de-synced definition of
  the volume serial.

  Before this change it was possible for an admin to unknowingly put a
  VM in an inconsistent state such that a future live migration might
  fail, or succeed and break tenant isolation. This could not happen
  when the API was called by cinder, so Nova has restricted the API
  exclusively to that use case.

  See https://bugs.launchpad.net/nova/+bug/2112187 for details.

Bug Fixes
*********

* Bug #2095364: Fixed the 500 Internal Server Error returned by the
  List Server API and the List Server Detail API in API microversion
  v2.96 or later if one or more instances have no request spec object.

  One use case was a cloud user trying to create an instance that
  exceeded their quota: such a request does not create an instance
  request spec. Once an instance with no request spec exists in the
  cloud user's project, the server list API and the list server details
  API return 500 Internal Server Error for the project until the cloud
  user deletes the instance that has no request spec object. After this
  fix, v2.96 or later returns *null* for the *pinned_availability_zone*
  value if not specified. (https://launchpad.net/bugs/2095364)

* "Nova" now strictly enforces that only "cinder" can call the "update
  volume attachment" (also known as "swap volume") API. This is part of
  addressing a security hardening gap identified as part of bug:
  https://bugs.launchpad.net/nova/+bug/2112187

Changes in nova 29.2.2..29.3.0
------------------------------

5a92bb594f restrict swap volume to cinder
64594ec320 Use dict object for request_specs_dict in the _list_view
ea00e28452 Add ServersViewBuilderTestV296 unit test class

Diffstat (except docs and test files)
-------------------------------------

api-ref/source/os-volume-attachments.inc           |  20 ++--
api-ref/source/parameters.yaml                     |   1 +
nova/api/openstack/compute/views/servers.py        |  25 +++--
nova/api/openstack/compute/volumes.py              |   6 +
.../functional/regressions/test_bug_1943431.py     |  49 ++-------
.../functional/regressions/test_bug_2112187.py     |  67 ++++++++++++
.../unit/api/openstack/compute/test_servers.py     | 121 +++++++++++++++++++++
.../unit/api/openstack/compute/test_volumes.py     |  81 +++++++++-----
.../notes/bug-2095364-ffbf67c0ae3f53b5.yaml        |  15 +++
.../notes/bug-2112187-e1c1d40f090e421b.yaml        |  36 ++++++
13 files changed, 367 insertions(+), 98 deletions(-)
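
Operators who want to know which callers other than cinder (admin scripts, or a service like "watcher") still issue PUT requests on the "update volume attachment" endpoint before upgrading can audit their API request logs. The script below is an added example, not part of the release notes or of nova's code; the log line format, the `user=` field and the `cinder` service user name are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumption: the user name cinder uses when it calls nova in this deployment.
CINDER_SERVICE_USERS = {"cinder"}

# PUT /servers/{server_id}/os-volume_attachments/{volume_id}, with an optional
# version prefix such as /v2.1 and an optional query string.
SWAP_RE = re.compile(
    r'user=(?P<user>\S+)\s+"PUT\s+\S*/servers/(?P<server>[0-9a-f-]{36})'
    r'/os-volume_attachments/(?P<volume>[0-9a-f-]{36})(?:\?\S*)?"'
    r'\s+status:\s*(?P<status>\d{3})'
)

S1 = "11111111-1111-1111-1111-111111111111"  # constructed server ids
S2 = "22222222-2222-2222-2222-222222222222"
V1 = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed volume id

# Constructed sample lines in a simplified format (not real nova-api output).
SAMPLE_LOG = f"""\
2025-06-01 10:00:01 user=cinder "PUT /v2.1/servers/{S1}/os-volume_attachments/{V1}" status: 202
2025-06-01 10:05:12 user=watcher "PUT /v2.1/servers/{S2}/os-volume_attachments/{V1}" status: 202
2025-06-01 10:07:40 user=admin "GET /v2.1/servers/{S1}/os-volume_attachments" status: 200
2025-06-01 10:09:03 user=admin "PUT /v2.1/servers/{S1}/os-volume_attachments/{V1}" status: 202
2025-06-01 10:11:55 user=admin "DELETE /v2.1/servers/{S2}/os-volume_attachments/{V1}" status: 202
2025-06-01 10:15:20 user=admin "PUT /v2.1/servers/{S2}/os-volume_attachments/{V1}" status: 409
"""

def find_direct_callers(log_text, allowed=CINDER_SERVICE_USERS):
    """Return (hits, per_user) for PUTs on the endpoint not made by cinder."""
    # The request body is not in the log line, so each hit is a candidate for
    # review rather than a confirmed volumeId update.
    hits = []
    for line in log_text.splitlines():
        m = SWAP_RE.search(line)
        if m and m["user"] not in allowed:
            hits.append((m["user"], m["server"], m["volume"], int(m["status"])))
    return hits, Counter(user for user, *_ in hits)

if __name__ == "__main__":
    hits, per_user = find_direct_callers(SAMPLE_LOG)
    for user, server, volume, status in hits:
        print(f"{user}: server={server} volume={volume} status={status}")
    print(dict(per_user))
```
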