Comment 8 for bug 2019892

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/ironic/+/883578
Committed: https://opendev.org/openstack/ironic/commit/07497e1b0c1ff77fcba893897ba5b302a1fd6c6b
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 07497e1b0c1ff77fcba893897ba5b302a1fd6c6b
Author: Julia Kreger <email address hidden>
Date: Thu May 11 11:09:28 2023 -0700

    Fix Cinder Integration fallout from CVE-2023-2088

    In the recent change to cinder, to address CVE-2023-2088,
    cinder changed the policy rules and behavior for unbinding,
    or "detaching" a volume. This was because of a vulnerability
    in compute nodes where a volume which was in use by a VM
    could be detached outside of Nova, and nova wouldn't become
    aware the volume was detached, and the volume could be accessible
    to the next VM.

    This vulnerability doesn't apply to bare metal operations as
    volumes are attached to whole baremetal nodes with Ironic.

    We now generate and use a service token when interacting with
    Cinder which allows cinder to recognize "this request is
    coming from a fellow OpenStack service", and by-pass
    checking with Nova if the "instance" is managed by Nova,
    or Not. This allows the volumes to be attached, and detached
    as needed as part of the power operation flow and overall
    set of lifecycle operations.

    Related-Bug: 2004555
    Closes-Bug: 2019892

    Change-Id: Ib258bc9650496da989fc93b759b112d279c8b217
    (cherry picked from commit 9c0b4c90a19fc1db262a942a1b6a1baafc881ccc)