Leaking username and backend in RBD driver

Bug #1926978 reported by Tobias Urdin
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | Undecided | Unassigned | |
| Victoria | Fix Released | Undecided | Unassigned | |
| Wallaby | Fix Released | Undecided | Unassigned | |

Bug Description

The RBD utils get_pool_info() function raises a processutils.ProcessExecutionError from oslo.concurrency if it fails. That error message contains the Ceph username and the fact that it's running Ceph in the error message that an end-user can view.

| fault | {"code": 500, "created": "2021-05-03T14:00:57Z", "message": "Exceeded maximum number of retries. Exceeded max scheduling attempts 3 for instance 28c36a23-8e2b-4425-aeb3-502c536f43e8. Last exception: Unexpected error while running command. |
| | Command: ceph df --format=json --id openstack --conf /etc/ceph/ceph.conf

This information should not be available to end-users.

Tags: ceph
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/nova/+/789374

Changed in nova:
status: New → In Progress
melanie witt (melwitt)
tags: added: ceph
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/c/openstack/nova/+/789374
Committed: https://opendev.org/openstack/nova/commit/86af7feed06f08ddb3ef65122089216708d53a06
Submitter: "Zuul (22348)"
Branch: master

commit 86af7feed06f08ddb3ef65122089216708d53a06
Author: Tobias Urdin <email address hidden>
Date: Mon May 3 17:25:43 2021 +0200

    Stop leaking ceph df cmd in RBD utils

    If the ceph df command fails in the get_pool_info
    method of RBD utils the actual command executed
    is seen by the users in the fault error message.

    This hides the command behind a StorageError
    exception and logs the exception instead of leaking
    it to the users.

    Change-Id: I6e3a73f2e04d1a7636daf96d5af73c9cf2fbe220
    Closes-Bug: 1926978

Changed in nova:
status: In Progress → Fix Released
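The pattern the commit message above describes, as an added example that is not nova's code. `ProcessExecutionError` here is a local stand-in for the oslo.concurrency class, `StorageError` is a local class named after the one in the commit message, and `run_ceph_df`, `build_fault` and `demo` are hypothetical helpers with a constructed failure:

```python
import io
import logging


class ProcessExecutionError(Exception):
    """Stand-in for processutils.ProcessExecutionError (message shape from the fault above)."""
    def __init__(self, cmd):
        super().__init__("Unexpected error while running command.\nCommand: %s" % cmd)


class StorageError(Exception):
    """Generic error whose text is safe to show to end users (assumed class)."""


def run_ceph_df(user, conf):
    # Constructed failure: pretend the ceph CLI call failed.
    raise ProcessExecutionError("ceph df --format=json --id %s --conf %s" % (user, conf))


def get_pool_info_leaky(user, conf):
    # Before: the process error propagates unchanged to whoever builds the fault.
    return run_ceph_df(user, conf)


def get_pool_info_safe(user, conf, log):
    # After: full detail goes to the operator log, the caller gets a generic error.
    try:
        return run_ceph_df(user, conf)
    except ProcessExecutionError:
        log.exception("Could not determine disk usage")
        # "from None" keeps the original exception out of any chained traceback.
        raise StorageError("Failed to get storage pool information") from None


def build_fault(func, *args):
    # Mimics an API layer that copies the last exception text into a user-visible fault.
    try:
        func(*args)
    except Exception as exc:
        return {"code": 500, "message": "Last exception: %s" % exc}


def demo():
    buf = io.StringIO()
    log = logging.getLogger("rbd_utils_demo")
    log.addHandler(logging.StreamHandler(buf))
    log.propagate = False
    leaky = build_fault(get_pool_info_leaky, "openstack", "/etc/ceph/ceph.conf")
    safe = build_fault(get_pool_info_safe, "openstack", "/etc/ceph/ceph.conf", log)
    return leaky, safe, buf.getvalue()
```
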
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/nova/+/791938

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/nova/+/791939

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/nova/+/791939
Committed: https://opendev.org/openstack/nova/commit/5ede75c65edbcb27557831ae6f5c3a9f81f23a0e
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 5ede75c65edbcb27557831ae6f5c3a9f81f23a0e
Author: Tobias Urdin <email address hidden>
Date: Mon May 3 17:25:43 2021 +0200

    Stop leaking ceph df cmd in RBD utils

    If the ceph df command fails in the get_pool_info
    method of RBD utils the actual command executed
    is seen by the users in the fault error message.

    This hides the command behind a StorageError
    exception and logs the exception instead of leaking
    it to the users.

    Change-Id: I6e3a73f2e04d1a7636daf96d5af73c9cf2fbe220
    Closes-Bug: 1926978
    (cherry picked from commit 86af7feed06f08ddb3ef65122089216708d53a06)

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/nova/+/791938
Committed: https://opendev.org/openstack/nova/commit/bec6dd475243b027ce5ca487e1a9bffdb866d25f
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit bec6dd475243b027ce5ca487e1a9bffdb866d25f
Author: Tobias Urdin <email address hidden>
Date: Mon May 3 17:25:43 2021 +0200

    Stop leaking ceph df cmd in RBD utils

    If the ceph df command fails in the get_pool_info
    method of RBD utils the actual command executed
    is seen by the users in the fault error message.

    This hides the command behind a StorageError
    exception and logs the exception instead of leaking
    it to the users.

    Change-Id: I6e3a73f2e04d1a7636daf96d5af73c9cf2fbe220
    Closes-Bug: 1926978
    (cherry picked from commit 86af7feed06f08ddb3ef65122089216708d53a06)
    (cherry picked from commit 5ede75c65edbcb27557831ae6f5c3a9f81f23a0e)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 23.0.2

This issue was fixed in the openstack/nova 23.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 22.2.2

This issue was fixed in the openstack/nova 22.2.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 24.0.0.0rc1

This issue was fixed in the openstack/nova 24.0.0.0rc1 release candidate.

Tobias Urdin (tobias-urdin) wrote (last edit ): RE:

edit: nop
