If a rebuild is refused by the scheduler, the instance's imageref is not rolled back
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | High | int32bit | |
Newton | Won't Fix | Undecided | Unassigned | |
Ocata | Fix Committed | High | melanie witt | |
Pike | Fix Committed | High | melanie witt | |
Bug Description
Description
===========
Since CVE-2017-16239, we now go through the scheduler for rebuilds. If the scheduler refuses a rebuild with a new image because of filter constraints (for example IsolatedHostsFi
Steps to reproduce
==================
1. Configure IsolatedHostsFi
[filter_
enabled_filters = [...],IsolatedH
isolated_images = 41d3e5ca-
isolated_hosts = ubuntu
restrict_
2. Have two images, one isolated and one not:
$ openstack image list
8d0581a5-
41d3e5ca-
cirros is the isolated one
3. Have only one hypervisor (the isolated one):
$ openstack hypervisor list
ubuntu | QEMU | 192.168.100.194 | up
4. To confirm, boot a centos (non-isolated) image, expecting it to be refused by the scheduler:
$ openstack server create \
--image 8d0581a5-
--flavor \
m1.nano centos-
$ openstack server list
centos-
5. Boot a cirros (isolated) image:
$ openstack server create \
--image 41d3e5ca-
--flavor m1.nano \
cirros-
$ openstack server list
cirros-
6. Rebuild the cirros instance with centos:
$ nova --debug rebuild cirros-
DEBUG (session:722) POST call to compute for
http://
used request id req-c234346a-
7. Observe the rebuild being refused in the conductor:
WARNING nova.conductor.
[None req-c234346a-
[instance: d9d98bf7-
No valid host found for rebuild: NoValidHost_Remote:
No valid host was found. There are not enough hosts available.
8. Observe the API is showing the new centos image for the instance:
$ nova show cirros-
[...]
image | centos (8d0581a5-
[...]
Expected result
===============
Some indication that the rebuild was refused, or at least rolling back the instance's imageref.
Actual result
=============
No indication that the rebuild was refused, and worse, we now have a wrong imageref for the instance.
Environment
===========
1. Exact version of OpenStack you are running. See the following
This was picked up by QE for stable/pike, and is still present in master,
and presumably in all versions affected by the CVE fix, including newton,
which is now EOL.
2. Which hypervisor did you use?
libvirt+kvm
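
The failure mode reported above, as a small added model (not nova code and not part of the original report): the new image is recorded on the instance before scheduling, so a refused rebuild leaves a stale imageref unless it is restored. All class and function names, the toy isolation rule, and the image ids are assumptions made for illustration.

```python
# Simplified model of the flow in this report; all names are hypothetical,
# none of this is nova code. Image ids are constructed sample values.
from dataclasses import dataclass, field


class NoValidHost(Exception):
    """Raised by the toy scheduler when the host fails the filter."""


@dataclass
class Instance:
    host: str
    image_ref: str
    warnings: list = field(default_factory=list)


def isolation_filter(host, image, isolated_hosts, isolated_images):
    # Toy rule (assumption): isolated hosts and isolated images only pair
    # with each other.
    return (host in isolated_hosts) == (image in isolated_images)


def schedule_rebuild(inst, image, isolated_hosts, isolated_images):
    # A rebuild stays on the instance's current host, so only that host
    # is checked against the filter.
    if not isolation_filter(inst.host, image, isolated_hosts, isolated_images):
        raise NoValidHost("No valid host was found.")


def rebuild(inst, new_image, isolated_hosts, isolated_images, rollback):
    original = inst.image_ref
    inst.image_ref = new_image  # new image is recorded before scheduling
    try:
        schedule_rebuild(inst, new_image, isolated_hosts, isolated_images)
    except NoValidHost as exc:
        inst.warnings.append(f"No valid host found for rebuild: {exc}")
        if rollback:
            inst.image_ref = original  # restore what is actually on disk
        return False
    return True


def run_case(rollback):
    # Host "ubuntu" is isolated; "img-isolated" is the only isolated image.
    inst = Instance(host="ubuntu", image_ref="img-isolated")
    accepted = rebuild(inst, "img-plain", {"ubuntu"}, {"img-isolated"}, rollback)
    return accepted, inst.image_ref, len(inst.warnings)
```

With rollback=False the model reproduces the actual result (refused rebuild, instance still shows the new image); with rollback=True it shows the expected result.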
Changed in nova: | |
assignee: | nobody → int32bit (int32bit) |
tags: | added: queens-rc-potential |
Changed in nova: | |
assignee: | int32bit (int32bit) → melanie witt (melwitt) |
Changed in nova: | |
assignee: | melanie witt (melwitt) → int32bit (int32bit) |
Changed in nova: | |
assignee: | int32bit (int32bit) → melanie witt (melwitt) |
Changed in nova: | |
assignee: | melanie witt (melwitt) → int32bit (int32bit) |
Changed in nova: | |
assignee: | int32bit (int32bit) → Matt Riedemann (mriedem) |
Changed in nova: | |
assignee: | Matt Riedemann (mriedem) → int32bit (int32bit) |
That's IMHO a very critical bug that we need to tackle ASAP