TrustedFilter checks compute trust level, not hypervisors

Bug #1223452 reported by Bob Ball
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | jiang, yunhong |
Icehouse | Fix Released | Undecided | Unassigned |

Bug Description

The TrustedFilter uses host_state.host as the name that will be checked against the remote attestation service.

This works for the KVM case because the compute node and the hypervisor are the same; however we must be checking host_state.nodename which is the hostname for the hypervisor which will be registered with the attestation server.

Bob Ball (bob-ball) wrote :

The same issue applies to pre-populating the cache, which uses compute['service']['host'], which is the compute's host name, not the hypervisor's host name.

tags: added: scheduler
Changed in nova:
status: New → Confirmed
importance: Undecided → Medium
Changed in nova:
assignee: nobody → jiang, yunhong (yunhong-jiang)
Openstack Gerrit (openstack-gerrit) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/89427

Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/89427
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=3c88fce604959a68f48d71274e0d93b74da17e34
Submitter: Jenkins
Branch: master

commit 3c88fce604959a68f48d71274e0d93b74da17e34
Author: Yunhong Jiang <email address hidden>
Date: Mon Apr 21 09:15:56 2014 -0700

    Use hypervisor hostname for compute trust level

    In XenAPI, service hostname and compute node hostname is different
    because the Nova compute service may run in a separated VM and is
    different with the hostname of the compute node.

    The remote attestation service use the compute node's hostname because
    it's the compute node that will run the servers.

    Closes-Bug: #1223452

    Change-Id: I9a7ce74d595531196804615a8947e253b0bd3f1a

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → juno-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: juno-3 → 2014.2
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/176871

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/icehouse)

Reviewed: https://review.openstack.org/176871
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4812617002ee6a5044096e253413d6718003bca3
Submitter: Jenkins
Branch: stable/icehouse

commit 4812617002ee6a5044096e253413d6718003bca3
Author: Yunhong Jiang <email address hidden>
Date: Mon Apr 21 09:15:56 2014 -0700

    Use hypervisor hostname for compute trust level

    In XenAPI, service hostname and compute node hostname is different
    because the Nova compute service may run in a separated VM and is
    different with the hostname of the compute node.

    The remote attestation service use the compute node's hostname because
    it's the compute node that will run the servers.

    (cherry picked from commit 3c88fce604959a68f48d71274e0d93b74da17e34)

    Conflicts:
     nova/scheduler/filters/trusted_filter.py
     nova/tests/scheduler/test_host_filters.py

    Closes-Bug: #1223452
    Change-Id: I9a7ce74d595531196804615a8947e253b0bd3f1a

tags: added: in-stable-icehouse
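
Added example (a simplified model, not nova's TrustedFilter code and not from the commit above): it shows the lookup from the bug description and the cache pre-population from the first comment, keyed first on the service host and then on the hypervisor hostname. The hostnames, the attestation results, the "hypervisor_hostname" field name and all helper functions are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed attestation results, keyed by the hypervisor hostname
# registered with the attestation server.
ATTESTATION = {"kvm-node-1": "trusted", "xen-hv-1": "trusted", "xen-hv-2": "untrusted"}

# Constructed compute records: one KVM node, two XenAPI nodes whose compute
# service runs in a separate VM. "hypervisor_hostname" is an assumed field name.
COMPUTES = [
    {"service": {"host": "kvm-node-1"}, "hypervisor_hostname": "kvm-node-1"},
    {"service": {"host": "compute-vm-1"}, "hypervisor_hostname": "xen-hv-1"},
    {"service": {"host": "compute-vm-2"}, "hypervisor_hostname": "xen-hv-2"},
]

@dataclass
class HostState:
    host: str      # hostname of the nova-compute service
    nodename: str  # hostname of the hypervisor that runs the servers

HOSTS = [HostState(c["service"]["host"], c["hypervisor_hostname"]) for c in COMPUTES]

def build_cache(computes, name_of):
    """Pre-populate the trust cache with one attestation lookup per record."""
    names = [name_of(c) for c in computes]
    return {n: ATTESTATION.get(n, "unknown") for n in names}

def schedule(hosts, cache, key_of, wanted):
    """Return hypervisors whose cached trust level equals the requested one.
    A name missing from the cache is 'unknown' and never matches."""
    return [h.nodename for h in hosts if cache.get(key_of(h), "unknown") == wanted]

def as_reported(wanted):
    # Cache and filter both keyed on the compute service's hostname.
    cache = build_cache(COMPUTES, lambda c: c["service"]["host"])
    return cache, schedule(HOSTS, cache, lambda h: h.host, wanted)

def as_fixed(wanted):
    # Cache and filter both keyed on the hypervisor's hostname.
    cache = build_cache(COMPUTES, lambda c: c["hypervisor_hostname"])
    return cache, schedule(HOSTS, cache, lambda h: h.nodename, wanted)

if __name__ == "__main__":
    for label, run in (("host", as_reported), ("nodename", as_fixed)):
        cache, placed = run("trusted")
        print(label, cache, placed)
```

In this model the KVM node behaves the same either way, while the XenAPI hypervisors are looked up under names the attestation data does not contain, so their attested state never reaches the scheduling decision.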