Comment 27 for bug 1739646

Reviewed: https://review.openstack.org/563692
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=7bcd581c78bb5916bf4b52e213322e7b56283572
Submitter: Zuul
Branch: stable/queens

commit 7bcd581c78bb5916bf4b52e213322e7b56283572
Author: Matt Riedemann <email address hidden>
Date: Fri Apr 13 13:44:33 2018 -0400

    Add policy rule to block image-backed servers with 0 root disk flavor

    This adds a new policy rule which defaults to behave in a
    backward compatible way, but will allow operators to enforce
    that servers created with a zero disk flavor must also be
    volume-backed servers.

    Allowing users to upload their own images and create image-backed
    servers on local disk with zero root disk size flavors can be
    potentially hazardous if the size of the image is unexpectedly
    large, since it can consume the local disk (or shared storage pool).

    It should be noted that disabling the new policy rule will
    result in a non-backward compatible API behavior change and no
    microversion is being introduced for this because enforcement via
    a new microversion would not close the security gap on any previous
    microversions.

    Related compute API reference and user documentation is updated
    to mention the policy rule along with a release note since
    this is tied to a security bug, which will be backported to stable
    branches.

    Conflicts:
          nova/policies/servers.py
          nova/tests/unit/test_policy.py

    NOTE(mriedem): The conflict is due to not having change
    Iedd3fea0e86648fae364f075915555dcb2c4f199 in Queens for trusted
    certs.

    Change-Id: Id67e1285a0522474844de130c9263e11868f67fb
    Closes-Bug: #1739646
    (cherry picked from commit 763fd62464e9a0753e061171cc1fd826055bbc01)