Comment 52 for bug 2004555

Gorka Eguileor (gorka) wrote : Re: [ussuri] Wrong volume attachment - volumes overlapping when connected through iscsi on host

This patch is the os-brick leak prevention code that tries to detect and prevent data leak and corruption. It applies on top of the previous os-brick FC patch.

As I see it we have multiple situations that can lead to leak/corruption:

- The CVE that any normal user can exploit: Addressed by the Cinder patch.

- Unintended issue caused when deleting an instance if the detach fails: Addressed by the Nova and os-brick FC patches.

- Other scenarios: Such as when an instance is destroyed without access to the compute node and then access to the node is restored and we work with it without manually cleaning things up. This is covered by the os-brick large patch.

I would say that the current 4 patches cover 99% of the problematic cases. We can cover another 0.5% of the cases if we add "recheck_wwid yes" to multipath.conf when using the latest os-brick patch, but that's something we can work on in the open in tripleo.

This last os-brick patch is kind of a big one, which together with the things it does makes it a bit risky to backport it, so it may be wise to not backport it right away.

In other words, in my opinion we should just backport the Cinder, Nova, and FC os-brick patches.