[release-announce] cinder 21.3.0 (zed)
no-reply at openstack.org
Wed May 17 11:29:07 UTC 2023
We are jazzed to announce the release of:
cinder 21.3.0: OpenStack Block Storage
This release is part of the zed stable release series.
The source is available from:
https://opendev.org/openstack/cinder
Download the package from:
https://tarballs.openstack.org/cinder/
Please report issues through:
https://bugs.launchpad.net/cinder/+bugs
For more details, please see below.
21.3.0
^^^^^^
Known Issues
************
* For security reasons (Bug #2004555
(https://bugs.launchpad.net/cinder/+bug/2004555)) manually deleting
an attachment, or manually doing the "os-terminate_connection",
"os-detach" or "os-force_detach" actions will no longer be allowed
unless the request is coming from another OpenStack service on
behalf of a user.
Upgrade Notes
*************
* Nova must be configured to send service tokens
(https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html)
**and** cinder must be configured to
recognize at least one of the roles that the nova service user has
been assigned in keystone. By default, cinder will recognize the
"service" role, so if the nova service user is assigned a
differently named role in your cloud, you must adjust your cinder
configuration file ("service_token_roles" configuration option in
the "keystone_authtoken" section). If nova and cinder are not
configured correctly in this regard, detaching volumes will no
longer work (Bug #2004555
(https://bugs.launchpad.net/cinder/+bug/2004555)).
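The check below is an added example, not part of the cinder release notes or code: it reads the text of nova.conf and cinder.conf and reports the two misconfigurations described in this upgrade note. The "[service_user] send_service_user_token" option name comes from nova's configuration reference rather than this announcement; the sample file contents, the function names and the role "svc" are constructed for illustration, and role names are assumed to be compared as exact strings.

```python
import configparser

# Constructed sample files for illustration; not taken from a real deployment.
NOVA_CONF = """
[service_user]
send_service_user_token = true
"""
CINDER_CONF = """
[keystone_authtoken]
service_token_roles = service
"""


def _load(text):
    # interpolation=None: oslo-style values may contain literal '%' characters.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def check_service_token_setup(nova_conf, cinder_conf, nova_user_roles):
    """Return a list of findings that would break volume detach."""
    findings = []
    nova, cinder = _load(nova_conf), _load(cinder_conf)

    # Nova side: no service token is sent unless this option is true.
    try:
        sends = nova.getboolean("service_user", "send_service_user_token",
                                fallback=False)
    except ValueError:  # value is present but not a recognisable boolean
        sends = False
    if not sends:
        findings.append("nova.conf: [service_user] send_service_user_token is not enabled")

    # Cinder side: an unset option means the default, the "service" role.
    raw = cinder.get("keystone_authtoken", "service_token_roles", fallback="service")
    accepted = {r.strip() for r in raw.split(",") if r.strip()}
    # Assumption: role names are compared as exact strings.
    if not accepted & set(nova_user_roles):
        findings.append(
            "cinder.conf: [keystone_authtoken] service_token_roles = %s "
            "matches none of nova's roles %s"
            % (sorted(accepted), sorted(nova_user_roles)))
    return findings


if __name__ == "__main__":
    # Hypothetical cloud where the nova service user only holds "svc".
    for finding in check_service_token_setup(NOVA_CONF, CINDER_CONF, ["svc"]):
        print(finding)
```

Pass the roles that the nova service user actually holds in keystone as the third argument; an empty result means both sides agree.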
Critical Issues
***************
* Detaching volumes will fail if Nova is not configured to send
service tokens
(https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html).
Please read the upgrade section for
more information (Bug #2004555
(https://bugs.launchpad.net/cinder/+bug/2004555)).
Security Issues
***************
* As part of the fix for Bug #2004555
(https://bugs.launchpad.net/cinder/+bug/2004555), cinder now rejects
user attachment delete requests for attachments that are being used
by nova instances to ensure that no leftover devices are produced on
the compute nodes which could be used to access another project's
volumes. Terminate connection, detach, and force detach volume
actions are not allowed for users.
Bug Fixes
*********
* Bug #2004555 (https://bugs.launchpad.net/cinder/+bug/2004555):
Fixed issue where a user manually deleting an attachment, calling
terminate connection, detach, or force detach, for a volume that is
still used by a nova instance resulted in leftover devices on the
compute node. These operations will now fail.
Changes in cinder 21.2.0..21.3.0
--------------------------------
cb4682fb8 Reject unsafe delete attachment calls
Diffstat (except docs and test files)
-------------------------------------
api-ref/source/v3/attachments.inc | 15 ++
api-ref/source/v3/volumes-v3-volumes-actions.inc | 55 ++++++
cinder/compute/nova.py | 7 +
cinder/exception.py | 7 +
cinder/volume/api.py | 98 +++++++++++
.../configuration/block-storage/service-token.rst | 46 +++--
.../redirect-detach-nova-4b7b7902d7d182e0.yaml | 42 +++++
15 files changed, 503 insertions(+), 23 deletions(-)