pci device duplicate attach after instance evacuated

Bug #1910663 reported by rj
This bug affects 2 people
Affects: OpenStack Compute (nova) | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

My OpenStack version is openstack-nova-compute-22.0.1.
After I evacuated an instance using:
 nova evacuate 837e283a-4288-44c1-b1e8-846fb0488c9c

I found this instance's PCI device duplicated in the virsh XML; here it is:

    <video>
      <model type='cirrus' vram='16384' heads='1' primary='yes'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x85' slot='0x00' function='0x0'/>
      </source>
      <alias name='hostdev0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </hostdev>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
      </source>
      <alias name='hostdev1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </hostdev>

It is supposed to have only one PCI passthrough device. Then I tried more times; every time, nova added a new PCI passthrough
 device to this instance during evacuate. The database finally looks like this:

deleted|id |compute_node_id|address |vendor_id|dev_type|dev_id |label |status |uuid |
-------|---|---------------|------------|---------|--------|----------------|---------------|---------|------------------------------------|
      0|726| 189|0000:85:00.0|10de |type-PCI|pci_0000_85_00_0|label_10de_1e89|allocated|fb211d66-e245-4de5-baec-8686a0b3fb9b|
      0|747| 195|0000:03:00.0|10de |type-PCI|pci_0000_03_00_0|label_10de_1e89|allocated|fa0d92ff-273d-4a70-967d-9cf934b41f2c|
      0|828| 216|0000:02:00.0|10de |type-PCI|pci_0000_02_00_0|label_10de_1e89|allocated|ae20691f-a2bf-43d4-a630-d9cd5db2168b|
      0|915| 237|0000:03:00.0|10de |type-PCI|pci_0000_03_00_0|label_10de_1e89|allocated|6281ec51-decb-426c-b906-c788181bdd01|

So this instance now has 4 PCI passthrough devices from four different hosts.

rj (filiills01)
description: updated
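The two symptoms above (extra vfio hostdev entries in the domain XML, and pci_devices rows for one instance spread over several compute nodes) can be checked mechanically. The following is an added example written for this page; it is not nova's code and not the reporter's. It parses a libvirt domain XML constructed from the excerpt above, counts the PCI hostdevs against the number the flavor's pci alias requests (assumed to be 1, as the reporter states), and then scans rows modelled on the pci_devices table above. The instance_uuid values on those rows are an assumption (that column exists in nova's pci_devices table but was not in the reporter's excerpt), and the extra "healthy" row is constructed for contrast.

```python
"""Added example: spot PCI passthrough allocations that were duplicated
instead of moved during an evacuation. Not nova code."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed from the `virsh dumpxml` excerpt in the bug report.
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <video>
      <model type='cirrus' vram='16384' heads='1' primary='yes'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x85' slot='0x00' function='0x0'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </hostdev>
    <hostdev mode='subsystem' type='pci' managed='yes'>
      <driver name='vfio'/>
      <source>
        <address domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
      </source>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </hostdev>
  </devices>
</domain>
"""


def pci_hostdev_sources(domain_xml):
    """Host PCI addresses of every type='pci' hostdev in the domain,
    formatted like nova's pci_devices.address column ('0000:85:00.0')."""
    root = ET.fromstring(domain_xml)
    addrs = []
    for hostdev in root.iter("hostdev"):
        if hostdev.get("type") != "pci":
            continue
        src = hostdev.find("source/address")
        if src is None:
            continue
        dom = int(src.get("domain", "0x0"), 16)
        bus = int(src.get("bus"), 16)
        slot = int(src.get("slot"), 16)
        func = int(src.get("function"), 16)
        addrs.append(f"{dom:04x}:{bus:02x}:{slot:02x}.{func:x}")
    return addrs


def excess_hostdevs(domain_xml, expected_count):
    """Hostdevs beyond what the flavor's pci alias requests; anything
    here is a device carried over from a previous host."""
    return pci_hostdev_sources(domain_xml)[expected_count:]


# Constructed rows modelled on the pci_devices table in the report.
# instance_uuid is an assumption: the column is real but was not shown.
INSTANCE = "837e283a-4288-44c1-b1e8-846fb0488c9c"
PCI_DEVICES_ROWS = [
    {"id": 726, "compute_node_id": 189, "address": "0000:85:00.0",
     "status": "allocated", "instance_uuid": INSTANCE},
    {"id": 747, "compute_node_id": 195, "address": "0000:03:00.0",
     "status": "allocated", "instance_uuid": INSTANCE},
    {"id": 828, "compute_node_id": 216, "address": "0000:02:00.0",
     "status": "allocated", "instance_uuid": INSTANCE},
    {"id": 915, "compute_node_id": 237, "address": "0000:03:00.0",
     "status": "allocated", "instance_uuid": INSTANCE},
    # constructed healthy instance: one allocation, one node
    {"id": 100, "compute_node_id": 237, "address": "0000:04:00.0",
     "status": "allocated",
     "instance_uuid": "11111111-1111-1111-1111-111111111111"},
]


def stale_allocations(rows):
    """instance_uuid -> rows allocated on a node other than the one holding
    that instance's newest allocation (highest id). A VM runs on exactly
    one host, so any allocation elsewhere was never released."""
    by_instance = defaultdict(list)
    for row in rows:
        if row["status"] == "allocated" and row.get("instance_uuid"):
            by_instance[row["instance_uuid"]].append(row)
    stale = {}
    for uuid, devs in by_instance.items():
        current_node = max(devs, key=lambda r: r["id"])["compute_node_id"]
        leftovers = [r for r in devs if r["compute_node_id"] != current_node]
        if leftovers:
            stale[uuid] = leftovers
    return stale


if __name__ == "__main__":
    print("hostdevs in XML :", pci_hostdev_sources(DOMAIN_XML))
    print("excess beyond 1 :", excess_hostdevs(DOMAIN_XML, 1))
    for uuid, rows in stale_allocations(PCI_DEVICES_ROWS).items():
        nodes = sorted({r["compute_node_id"] for r in rows})
        print(f"{uuid}: stale allocations on compute nodes {nodes}")
```

In a real deployment the XML would come from `virsh dumpxml <domain>` on the destination host and the rows from a `SELECT` against nova's pci_devices table; the "newest allocation wins" heuristic only identifies which rows are suspect, the decision to free them belongs to an operator who has confirmed the instance's current host.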
Jeremy Stanley (fungi) wrote :

You've filed this as a private report of a suspected security vulnerability, but based on your description this needs admin interaction to exploit (presumably untrusted users aren't granted access to trigger host evacuation in any typical environment?).

Can you confirm whether you wanted this treated as a report of a suspected vulnerability, or are merely attempting to file a normal bug report?

rj (filiills01) wrote :

Sorry , This is a normal bug report.

information type: Private Security → Public
information type: Public → Public Security
information type: Public Security → Public
Balazs Gibizer (balazs-gibizer) wrote :

Strange, I cannot reproduce this on master. See my reproduction steps in [1]. Maybe you spot something that I did differently than you. I grepped the git log between 22.0.1 and master but nothing popped up to me that could be fixing this issue.

Please let me know if you looked at my reproduction and see something different. Maybe you used significantly different pci alias / whitelist config.

If you can try to reproduce on master or on a newer Victoria release, that would also be helpful.

[1] http://paste.openstack.org/show/803678/

Balazs Gibizer (balazs-gibizer) wrote :

Setting this to incomplete until somebody can provide a reproduction on newer versions.

Changed in nova:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Compute (nova) because there has been no activity for 60 days.]

Changed in nova:
status: Incomplete → Expired