Invalid availability zone name with ':' is accepted

Bug #1695861 reported by Hiroaki Kobayashi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | Tetsuro Nakamura |
Ocata | Fix Committed | Medium | Matt Riedemann |
Pike | Fix Committed | Medium | Matt Riedemann |

Bug Description

According to the parse_availability_zone() of the API class [1], Nova has a legacy hack to allow admins to specify hosts via an availability zone using az:host:node. That means ':' cannot be included in the name of an availability zone itself. However, the create aggregate API accepts requests which have availability zone names including ':'. That causes the following bad scenario:

1. An admin creates a host aggregate with availability_zone = bad:name:example
2. An admin tries to create a server with availability_zone = bad:name:example
3. The nova-api parses the request and splits the availability_zone value on ':'
4. Then it recognizes az=bad, host=name, node=example
5. Nova returns 'No valid host found' because there is no availability zone whose name is 'bad'.

To solve this problem, the following fixes are needed:

Option A:
* Do not allow admins to create a host aggregate whose availability_zone name includes ':'.
* Document this specification.

Option B:
* Deprecate the legacy admin hack which uses az:host:node and allow ':' for az name.

[1] https://review.openstack.org/gitweb?p=openstack/nova.git;a=blob;f=nova/compute/api.py;h=46ed8e91fcc16f3755fd6a5e2e4a6d54f990cb8b;hb=HEAD#l561

Tags: api
summary: - Invalid availability zone name can be accepted
+ Invalid availability zone name with ':' is accepted
Changed in nova:
status: New → Confirmed
tags: added: api
Takashi Natsume (natsume-takashi) wrote :

I can reproduce it in nova master (commit 3ce0a050e1e611ad87336406c189522ee63ded30).

Hiroaki Kobayashi (hiro-kobayashi) wrote :

Which is better solution, option A or B?

description: updated
description: updated
jichenjc (jichenjc) wrote :

Maybe A? Removing a functionality looks worse than documenting the restriction.

Changed in nova:
assignee: nobody → Tetsuro Nakamura (tetsuro0907)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/490722

Changed in nova:
status: Confirmed → In Progress
Matt Riedemann (mriedem)
Changed in nova:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/490776

Changed in nova:
assignee: Tetsuro Nakamura (tetsuro0907) → Viktor Varga (vvargaszte)
Viktor Varga (vvargaszte) wrote :

Sorry, Tetsuro Nakamura, I have not noticed you have already proposed a fix to this patch. Please reassign it to yourself.

Changed in nova:
assignee: Viktor Varga (vvargaszte) → Tetsuro Nakamura (tetsuro0907)
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/491282

Tetsuro Nakamura (tetsuro0907) wrote :

Hi Viktor Varga,
No problem, thank you for telling me that I can reassign it again.

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/491340

OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (master)

Change abandoned by Tetsuro Nakamura (<email address hidden>) on branch: master
Review: https://review.openstack.org/491340
Reason: This bug should be fixed in the patch of Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Tetsuro Nakamura (<email address hidden>) on branch: master
Review: https://review.openstack.org/491282
Reason: This bug should be fixed in the patch of Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b

Tetsuro Nakamura (tetsuro0907) wrote :

Sorry for messing up. I'm working here: https://review.openstack.org/#/c/490722/2

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Viktor Varga (<email address hidden>) on branch: master
Review: https://review.openstack.org/490776
Reason: There is already a fix in progress for this bug.

Matt Riedemann (mriedem)
no longer affects: nova/ocata
Changed in nova:
assignee: Tetsuro Nakamura (tetsuro0907) → Matt Riedemann (mriedem)
Matt Riedemann (mriedem)
Changed in nova:
assignee: Matt Riedemann (mriedem) → Tetsuro Nakamura (tetsuro0907)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/490722
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=38b25397e805dcf7a995666049713304fe4f1af1
Submitter: Jenkins
Branch: master

commit 38b25397e805dcf7a995666049713304fe4f1af1
Author: Tetsuro Nakamura <email address hidden>
Date: Fri Aug 4 11:29:00 2017 +0900

    fix nova accepting invalid availability zone name with ':'

    Nova has a legacy hack to allow admins to specify hosts via an
    availability zone using az:host:node. That means ':' cannot be
    included in the name of an availability zone itself.

    However, the aggregate API accepts requests which have
    availability zone names including ':'.

    This patch checks the availability zone name when aggregate is
    created or updated and raises an error if it contains ':'.

    Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b
    Closes-Bug: #1695861
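
The ambiguity from the bug description and the check this commit message describes, as an added example: a simplified Python model, not nova's code, in which every function name and the in-memory zone store are hypothetical.

```python
# Simplified model of the behaviour in the bug report; not nova's code.
# All function names here are hypothetical.


def split_az_request(value):
    """Split a server-create availability_zone as az[:host[:node]]."""
    if not value or ":" not in value:
        return value, None, None
    parts = value.split(":")
    if len(parts) > 3:
        raise ValueError("expected az[:host[:node]], got %r" % value)
    az, host, node = (parts + [None, None])[:3]
    # An empty middle field (az::node) means "node only".
    return az, host or None, node or None


def validate_aggregate_az(name):
    """Option A: refuse ':' in an aggregate's availability_zone."""
    if ":" in name:
        raise ValueError("availability zone %r must not contain ':'" % name)
    return name


def create_aggregate(zones, az_name, validate=True):
    """Register az_name in the set of known zones (constructed store)."""
    zones.add(validate_aggregate_az(az_name) if validate else az_name)


def schedule(zones, requested):
    """Return the zone a boot request resolves to, or None if no match."""
    az, _host, _node = split_az_request(requested)
    return az if az in zones else None


def demo():
    before, after = set(), set()
    # Without the check the zone is stored but can never be matched.
    create_aggregate(before, "bad:name:example", validate=False)
    unreachable = schedule(before, "bad:name:example") is None
    try:
        create_aggregate(after, "bad:name:example")
        rejected = False
    except ValueError:
        rejected = True
    return unreachable, rejected


if __name__ == "__main__":
    print(split_az_request("bad:name:example"), demo())
```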

Changed in nova:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/509656

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/509659

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 17.0.0.0b1

This issue was fixed in the openstack/nova 17.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/pike)

Reviewed: https://review.openstack.org/509656
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a33634e5558b20e4bd496fe476f6ceb1a2ba79f6
Submitter: Zuul
Branch: stable/pike

commit a33634e5558b20e4bd496fe476f6ceb1a2ba79f6
Author: Tetsuro Nakamura <email address hidden>
Date: Fri Aug 4 11:29:00 2017 +0900

    fix nova accepting invalid availability zone name with ':'

    Nova has a legacy hack to allow admins to specify hosts via an
    availability zone using az:host:node. That means ':' cannot be
    included in the name of an availability zone itself.

    However, the aggregate API accepts requests which have
    availability zone names including ':'.

    This patch checks the availability zone name when aggregate is
    created or updated and raises an error if it contains ':'.

    Conflicts:
          api-ref/source/parameters.yaml

    NOTE(mriedem): The conflict in the api-ref docs is due to not
    having change f657efcdc59e6b80f5e96beb7f9fdc59d8aadbec in Pike.

    Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b
    Closes-Bug: #1695861
    (cherry picked from commit 38b25397e805dcf7a995666049713304fe4f1af1)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.0.3

This issue was fixed in the openstack/nova 16.0.3 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/ocata)

Reviewed: https://review.openstack.org/509659
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=c53df19bd4535c5a95cd1aa7e50f49e128f83b95
Submitter: Zuul
Branch: stable/ocata

commit c53df19bd4535c5a95cd1aa7e50f49e128f83b95
Author: Tetsuro Nakamura <email address hidden>
Date: Fri Aug 4 11:29:00 2017 +0900

    fix nova accepting invalid availability zone name with ':'

    Nova has a legacy hack to allow admins to specify hosts via an
    availability zone using az:host:node. That means ':' cannot be
    included in the name of an availability zone itself.

    However, the aggregate API accepts requests which have
    availability zone names including ':'.

    This patch checks the availability zone name when aggregate is
    created or updated and raises an error if it contains ':'.

    Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b
    Closes-Bug: #1695861
    (cherry picked from commit 38b25397e805dcf7a995666049713304fe4f1af1)
    (cherry picked from commit a33634e5558b20e4bd496fe476f6ceb1a2ba79f6)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 15.1.0

This issue was fixed in the openstack/nova 15.1.0 release.
