Package: nova / 2:14.0.0-4+deb9u1

Metadata

Package Version Patches format
nova 2:14.0.0-4+deb9u1 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
path to the xenhost.conf fixup.patch | (download)

plugins/xenserver/xenapi/etc/xapi.d/plugins/xenhost | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 
 fixes the path to the xenhost.conf file
Add_nova idmapshift_to_rootwrap_filters.patch | (download)

etc/nova/rootwrap.d/compute.filters | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 
 this patch adds the rootwrapper filter for nova-idmapshift
 binary, it is used when unprivileged lxc domains are created.
 .

Bug: #1452143
Install missed files.patch | (download)

MANIFEST.in | 22 22 + 0 - 0 !
1 file changed, 22 insertions(+)

 
 [patch] install missed files
fix requirements.txt.patch | (download)

requirements.txt | 5 2 + 3 - 0 !
1 file changed, 2 insertions(+), 3 deletions(-)

 
 fix requirements.txt
 Without this patch, we get:
  dpkg-gencontrol: warning: can't parse dependency python-cryptography (!= 1.3.0)
clean up build_requests table on upgrades.patch | (download)

nova/db/sqlalchemy/api_migrations/migrate_repo/versions/013_build_request_extended_attrs.py | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 
 clean-up build_requests on upgrades
allow using sqla 1.1.patch | (download)

requirements.txt | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 
 allow using sqla >= 1.1
CVE 2017 7214_do_not_include_context_to_exception_notification.patch | (download)

nova/exception_wrapper.py | 3 3 + 0 - 0 !
nova/tests/unit/test_exception.py | 1 1 + 0 - 0 !
2 files changed, 4 insertions(+)

 
 cve-2017-7214: do not include context to exception notification
 The wrap_exception decorator optionally emited a notification.
 Based on the code comments the original intention was not to include the
 context to that notification due to security reasons. However the
 implementation did included the context to the payload of the legacy
 notification.
 .
 Recently we saw circural reference errors during the payload serialization
 of this notification. Based on the logs the only complex data structure
 that could cause circural reference is the context. So this patch
 removes the context from the legacy exception notification.
 .
 The versioned exception notification is not affected as it does not
 contain the args of the decorated function.
CVE 2017 16239_Validate_new_image_via_scheduler_during_rebuild.patch | (download)

nova/compute/api.py | 17 16 + 1 - 0 !
nova/conductor/manager.py | 6 5 + 1 - 0 !
nova/tests/functional/api/client.py | 10 10 + 0 - 0 !
nova/tests/functional/integrated_helpers.py | 46 44 + 2 - 0 !
nova/tests/functional/test_servers.py | 70 70 + 0 - 0 !
nova/tests/unit/compute/test_compute_api.py | 12 10 + 2 - 0 !
nova/tests/unit/conductor/test_conductor.py | 5 4 + 1 - 0 !
7 files changed, 159 insertions(+), 7 deletions(-)

 
 validate new image via scheduler during rebuild
 During a rebuild we bypass the scheduler because we are
 always rebuilding the instance on the same host it's already
 on. However, we allow passing a new image during rebuild
 and that new image needs to be validated to work with the
 instance host by running it through the scheduler filters,
 like the ImagePropertiesFilter. Otherwise the new image
 could violate constraints placed on the host by the admin.
 .
 This change checks to see if there is a new image provided
 and if so, modifies the request spec passed to the scheduler
 so that the new image is validated all while restricting
 the scheduler to still pick the same host that the instance
 is running on. If the image is not valid for the host, the
 scheduler will raise NoValidHost and the rebuild stops.
 .
 A functional test is added to show the recreate of the bug
 and that we probably stop the rebuild now in conductor by
 calling the scheduler to validate the image.
 .
 NOTE(mriedem): There were a few changes needed for Newton:
 .
 1. There is no PlacementFixture but it's not needed.
 2. The API client needs to have the microversion set from
    the test.
 3. The enabled_filters config option wasn't in Newton.
 4. The scheduler has to be started before compute otherwise
    we get a MessagingTimeout due to the CastAsCall fixture
    during the compute startup.
CVE 2017 17051_Refined_fix_for_validating_image_on_rebuild.patch | (download)

nova/compute/api.py | 19 15 + 4 - 0 !
nova/scheduler/filters/__init__.py | 22 20 + 2 - 0 !
nova/scheduler/filters/affinity_filter.py | 12 12 + 0 - 0 !
nova/scheduler/filters/aggregate_image_properties_isolation.py | 2 2 + 0 - 0 !
nova/scheduler/filters/aggregate_instance_extra_specs.py | 2 2 + 0 - 0 !
nova/scheduler/filters/aggregate_multitenancy_isolation.py | 2 2 + 0 - 0 !
nova/scheduler/filters/all_hosts_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/availability_zone_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/compute_capabilities_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/compute_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/core_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/disk_filter.py | 4 4 + 0 - 0 !
nova/scheduler/filters/exact_core_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/exact_disk_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/exact_ram_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/image_props_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/io_ops_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/isolated_hosts_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/json_filter.py | 3 3 + 0 - 0 !
nova/scheduler/filters/metrics_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/num_instances_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/numa_topology_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/pci_passthrough_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/ram_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/retry_filter.py | 4 4 + 0 - 0 !
nova/scheduler/filters/trusted_filter.py | 2 2 + 0 - 0 !
nova/scheduler/filters/type_filter.py | 4 4 + 0 - 0 !
nova/scheduler/host_manager.py | 9 7 + 2 - 0 !
nova/scheduler/utils.py | 13 13 + 0 - 0 !
nova/tests/functional/test_servers.py | 22 22 + 0 - 0 !
nova/tests/unit/compute/test_compute_api.py | 10 5 + 5 - 0 !
releasenotes/notes/bug-1664931-refine-validate-image-rebuild-6d730042438eec10.yaml | 20 20 + 0 - 0 !
32 files changed, 169 insertions(+), 13 deletions(-)

 
 cve-2017-17051 refined fix for validating image on rebuild
 This aims to fix the issue described in bug 1664931 where a rebuild
 fails to validate the existing host with the scheduler when a new
 image is provided. The previous attempt to do this could cause rebuilds
 to fail unnecessarily because we ran _all_ of the filters during a
 rebuild, which could cause usage/resource filters to prevent an otherwise
 valid rebuild from succeeding.
 .
 This aims to classify filters as useful for rebuild or not, and only apply
 the former during a rebuild scheduler check. We do this by using an internal
 scheduler hint, indicating our intent. This should (a) filter out
 all hosts other than the one we're running on and (b) be detectable by
 the filtering infrastructure as an internally-generated scheduling request
 in order to trigger the correct filtering behavior.
 .
 Conflicts:
      nova/scheduler/utils.py
      nova/tests/unit/compute/test_compute_api.py
 .
 NOTE(mriedem): The conflicts are due to not having
 7d0381c91a6ba8a45ae6527f046f382166eb158d or
 4a7502a5c9e84a8c8cef7f355d72425b26b8c379 in Newton.
 .
 (cherry picked from commit f7c688b8ef88a7390f5b09719a2b3e80368438c0)
 (cherry picked from commit b29a461a8bc05c9b171c0574abb2e7e5b62a2ed7)
 (cherry picked from commit bbfc4230efe3299fa51f9451f54062f32590ed3d)
Bug-Ubuntu: https://bugs.launchpad.net/nova/+bug/1664931