File: bug-1664931-refine-validate-image-rebuild-6d730042438eec10.yaml

package info (click to toggle)
nova 2:14.0.0-4+deb9u1
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 33,804 kB
  • sloc: python: 315,557; sh: 1,317; xml: 1,184; pascal: 1,168; makefile: 126; sql: 43
file content (20 lines) | stat: -rw-r--r-- 1,143 bytes parent folder | download | duplicates (3)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
---
fixes:
  - |
    The fix for `OSSA-2017-005`_ (CVE-2017-16239) was too far-reaching in that
    rebuilds can now fail based on scheduling filters that should not apply
    to rebuild. For example, a rebuild of an instance on a disabled compute
    host could fail whereas it would not before the fix for CVE-2017-16239.
    Similarly, rebuilding an instance on a host that is at capacity for vcpu,
    memory or disk could fail since the scheduler filters would treat it as a
    new build request even though the rebuild is not claiming *new* resources.

    Therefore this release contains a fix for those regressions in scheduling
    behavior on rebuild while maintaining the original fix for CVE-2017-16239.

    .. note:: The fix relies on a ``RUN_ON_REBUILD`` variable which is checked
              for all scheduler filters during a rebuild. The reasoning behind
              the value for that variable depends on each filter. If you have
              out-of-tree scheduler filters, you will likely need to assess
              whether or not they need to override the default value (False)
              for the new variable.