[release-announce] cinder 20.3.0 (yoga)

no-reply at openstack.org
Wed May 17 11:19:39 UTC 2023


We joyfully announce the release of:

cinder 20.3.0: OpenStack Block Storage

This release is part of the yoga stable release series.

The source is available from:

    https://opendev.org/openstack/cinder

Download the package from:

    https://tarballs.openstack.org/cinder/

Please report issues through:

    https://bugs.launchpad.net/cinder/+bugs

For more details, please see below.

20.3.0
^^^^^^


Known Issues
************

* For security reasons (Bug #2004555
  (https://bugs.launchpad.net/cinder/+bug/2004555)) manually deleting
  an attachment, manually doing the "os-terminate_connection",
  "os-detach" or "os-force_detach" actions will no longer be allowed in
  most cases unless the request is coming from another OpenStack
  service on behalf of a user.


Upgrade Notes
*************

* Nova must be configured to send service tokens
  (https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html)
  **and** cinder must be configured to recognize at least one of the
  roles that the nova service user has been assigned in keystone. By
  default, cinder will recognize the "service" role, so if the nova
  service user is assigned a differently named role in your cloud, you
  must adjust your cinder configuration file ("service_token_roles"
  configuration option in the "keystone_authtoken" section). If nova
  and cinder are not configured correctly in this regard, detaching
  volumes will no longer work (Bug #2004555
  (https://bugs.launchpad.net/cinder/+bug/2004555)).
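
A pre-upgrade check for the two conditions in the note above, as an added example that is not part of the release announcement or of cinder's own code. It assumes the nova side is enabled with "send_service_user_token" in the "[service_user]" section of nova.conf (the option covered by the linked service-token documentation, not named in this note) and that the operator supplies the nova service user's keystone roles; the function name and the sample files are constructed for illustration.

```python
import configparser

# Constructed sample files for illustration (not from a real deployment).
NOVA_CONF = """
[service_user]
send_service_user_token = true
"""
CINDER_CONF = """
[keystone_authtoken]
service_token_roles = service
"""


def _load(text):
    # oslo.config files are INI-style; disable interpolation so '%' stays literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def check_detach_prereqs(nova_conf, cinder_conf, nova_user_roles):
    """Return a list of problems; empty means both upgrade-note conditions hold.

    nova_user_roles: roles the nova service user holds in keystone
    (assumption: the operator looks these up and passes them in).
    """
    problems = []
    nova, cinder = _load(nova_conf), _load(cinder_conf)
    # Condition 1: nova attaches a service token to its requests to cinder.
    if not nova.getboolean("service_user", "send_service_user_token",
                           fallback=False):
        problems.append("nova.conf: [service_user] send_service_user_token "
                        "is not enabled")
    # Condition 2: cinder recognizes at least one of nova's roles.
    # Per the release note, the default is the "service" role.
    raw = cinder.get("keystone_authtoken", "service_token_roles",
                     fallback="service")
    accepted = {r.strip() for r in raw.split(",") if r.strip()}
    if not accepted & set(nova_user_roles):
        problems.append("cinder.conf: [keystone_authtoken] service_token_roles "
                        f"{sorted(accepted)} matches none of nova's roles "
                        f"{sorted(nova_user_roles)}")
    return problems


if __name__ == "__main__":
    for line in check_detach_prereqs(NOVA_CONF, CINDER_CONF, ["service"]) or ["OK"]:
        print(line)
```

An empty result means detach requests relayed by nova should still be accepted after the upgrade; each returned string names the file and option to correct.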


Critical Issues
***************

* Detaching volumes will fail if Nova is not configured to send
  service tokens
  (https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html).
  Please read the upgrade section for more information (Bug #2004555
  (https://bugs.launchpad.net/cinder/+bug/2004555)).


Security Issues
***************

* As part of the fix for Bug #2004555
  (https://bugs.launchpad.net/cinder/+bug/2004555), cinder now rejects
  user attachment delete requests for attachments that are being used
  by nova instances to ensure that no leftover devices are produced on
  the compute nodes which could be used to access another project's
  volumes.  Terminate connection, detach, and force detach volume
  actions (calls that are not usually made by users directly) are, in
  most cases, not allowed for users.


Bug Fixes
*********

* Bug #2004555 (https://bugs.launchpad.net/cinder/+bug/2004555):
  Fixed issue where a user manually deleting an attachment, calling
  terminate connection, detach, or force detach, for a volume that is
  still used by a nova instance resulted in leftover devices on the
  compute node. These operations will now fail when it is believed to
  be a problem.

Changes in cinder 20.2.0..20.3.0
--------------------------------

a66f4afa2 Reject unsafe delete attachment calls


Diffstat (except docs and test files)
-------------------------------------

api-ref/source/v3/attachments.inc                  |  15 ++
api-ref/source/v3/volumes-v3-volumes-actions.inc   |  55 ++++++
cinder/compute/nova.py                             |   7 +
cinder/exception.py                                |   7 +
cinder/volume/api.py                               |  98 +++++++++++
.../configuration/block-storage/service-token.rst  |  46 +++--
.../redirect-detach-nova-4b7b7902d7d182e0.yaml     |  43 +++++
15 files changed, 504 insertions(+), 23 deletions(-)






