Ironic

Bug #2019892
Comment #14

Comment 14 for bug 2019892

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-06-01: Fix merged to ironic (stable/wallaby)

#14

Reviewed: https://review.opendev.org/c/openstack/ironic/+/883581
Committed: https://opendev.org/openstack/ironic/commit/fdaf396e88ac59a52d395ed075ddff8163a16473
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit fdaf396e88ac59a52d395ed075ddff8163a16473
Author: Julia Kreger <email address hidden>
Date: Thu May 11 11:09:28 2023 -0700

Fix Cinder Integration fallout from CVE-2023-2088

    In the recent change to cinder, to address CVE-2023-2088,
    cinder changed the policy rules and behavior for unbinding,
    or "detaching" a volume. This was because of a vulnerability
    in compute nodes where a volume which was in use by a VM
    could be detached outside of Nova, and nova wouldn't become
    aware the volume was detached, and the volume could be accessible
    to the next VM.

This vulnerability doesn't apply to bare metal operations as
volumes are attached to whole baremetal nodes with Ironic.

    We now generate and use a service token when interacting with
    Cinder which allows cinder to recognize "this request is
    coming from a fellow OpenStack service", and by-pass
    checking with Nova if the "instance" is managed by Nova,
    or Not. This allows the volumes to be attached, and detached
    as needed as part of the power operation flow and overall
    set of lifecycle operations.

    Note: This change is modified from the original upstream chnage
    becuse that change leverages the ability for a project_id value
    to no longer be required in the cinder URL for interactions with
    cinder, which was a requirement removed in Yoga.

    Additional note: Disables the rescue testing on one of the wallaby
    branch jobs. Essentially is is a tempest branching, or lack their
    of issue. Master branch ironic-tempest-plugin has a fix
    which doesn't exist on tempest 29.0.0.

Related-Bug: 2004555
Closes-Bug: 2019892

    Change-Id: Ib258bc9650496da989fc93b759b112d279c8b217
    (cherry picked from commit 9c0b4c90a19fc1db262a942a1b6a1baafc881ccc)
    (cherry picked from commit cb38746f71f5dfa346371bf06985bbbb2208af6e)

Reviewed:  https://review.opendev.org/c/openstack/ironic/+/883581
Committed: https://opendev.org/openstack/ironic/commit/fdaf396e88ac59a52d395ed075ddff8163a16473
Submitter: "Zuul (22348)"
Branch:    stable/wallaby

commit fdaf396e88ac59a52d395ed075ddff8163a16473
Author: Julia Kreger <juliaashleykreger@gmail.com>
Date:   Thu May 11 11:09:28 2023 -0700

Fix Cinder Integration fallout from CVE-2023-2088
    
    In the recent change to cinder, to address CVE-2023-2088,
    cinder changed the policy rules and behavior for unbinding,
    or "detaching" a volume. This was because of a vulnerability
    in compute nodes where a volume which was in use by a VM
    could be detached outside of Nova, and nova wouldn't become
    aware the volume was detached, and the volume could be accessible
    to the next VM.
    
    This vulnerability doesn't apply to bare metal operations as
    volumes are attached to whole baremetal nodes with Ironic.
    
    We now generate and use a service token when interacting with
    Cinder which allows cinder to recognize "this request is
    coming from a fellow OpenStack service", and by-pass
    checking with Nova if the "instance" is managed by Nova,
    or Not. This allows the volumes to be attached, and detached
    as needed as part of the power operation flow and overall
    set of lifecycle operations.
    
    Note: This change is modified from the original upstream chnage
    becuse that change leverages the ability for a project_id value
    to no longer be required in the cinder URL for interactions with
    cinder, which was a requirement removed in Yoga.
    
    Additional note: Disables the rescue testing on one of the wallaby
    branch jobs. Essentially is is a tempest branching, or lack their
    of issue. Master branch ironic-tempest-plugin has a fix
    which doesn't exist on tempest 29.0.0.
    
    Related-Bug: 2004555
    Closes-Bug: 2019892
    
    Change-Id: Ib258bc9650496da989fc93b759b112d279c8b217
    (cherry picked from commit 9c0b4c90a19fc1db262a942a1b6a1baafc881ccc)
    (cherry picked from commit cb38746f71f5dfa346371bf06985bbbb2208af6e)