[openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

Kashyap Chamarthy kchamart at redhat.com
Tue Sep 20 10:48:49 UTC 2016

The said patch in question fixes a CVE[x] in stable/liberty.

We currently have two options, both of them have caused an impasse with
the Nova upstream / stable maintainers.  We've had two-ish months to
mull over this.  I'd prefer to get this out of a limbo, & bring this to
a logical conclusion.

The two options at hand:

(1) Nova backport from master (that also adds a check for the presence
    of 'ProcessLimits' attribute which is only present in
    oslo.concurrency>=2.6.1; and a conditional check for 'prlimit'
    parameter in qemu_img_info() method.)
    https://review.openstack.org/#/c/327624/ -- "virt: set address space
    & CPU time limits when running qemu-img"

(2) Or bump global-requirements for 'oslo.concurrency'

    https://review.openstack.org/#/c/337277/5 -- Bump
    'global-requirements' for 'oslo.concurrency' to 2.6.1

Both patches have had long (and useful) discussion about their merits /
demerits in the review comments in context of stable backports.  If you
have sometime, I'd recommend going through the comments in both the
reviews provides all the context, current disagreements.

[x] https://bugs.launchpad.net/nova/+bug/1449062 -- 
    qemu-img calls need to be restricted by ulimit (CVE-2015-5162)


More information about the OpenStack-dev mailing list