Filing as a security vulnerability because I can crash the compute service (it consumes all memory). I'm not sure this is worth classing as a vulnerability, but I presume we can easily mark it "not security" if need be.
In an integration test, I create a server, and then immediately delete it (I don't wait for it to come up).
This causes all sorts of problems and errors to be reported, mostly on the compute node.
It's definitely timing dependent:
* For a while I was seeing errors because the directory structure was being deleted out from under the instance during construction; this manifested as file-not-found errors on console.log (as I recall)
* I'm currently seeing a problem where the compute process goes to 100% CPU (I believe on all cores) and rapidly eats all memory until the process is killed by the Linux OOM killer. The last few messages are at the bottom of this bug report.
I think we need to ensure that a destroy can't proceed concurrently with a create on the same instance. Adding a test case for this race would probably be useful as well.
...
2012-02-20 23:22:02 DEBUG nova.rpc.common [-] Making asynchronous cast on network... from (pid=1177) cast /opt/stack/nova/nova/rpc/amqp.py:343
2012-02-20 23:22:02 DEBUG nova.compute.manager [-] [instance: cdcdd06c-2030-4826-bf99-b09dd96b2373] Checking state from (pid=1177) _get_power_state /opt/stack/nova/nova/compute/manager.py:253
libvir: QEMU error : Domain not found: no domain with matching name 'instance-0000001f'
libvir: QEMU error : Domain not found: no domain with matching name 'instance-0000001f'
2012-02-20 23:22:03 INFO nova.virt.libvirt.firewall [-] [instance: cdcdd06c-2030-4826-bf99-b09dd96b2373] Attempted to unfilter instance which is not filtered
2012-02-20 23:22:03 INFO nova.virt.libvirt.connection [-] [instance: cdcdd06c-2030-4826-bf99-b09dd96b2373] Deleting instance files /opt/stack/nova/nova/..//instances/instance-0000001f
2012-02-20 23:22:03 DEBUG nova.utils [-] Running cmd (subprocess): sudo mount /dev/nbd14 /tmp/tmp1D8j0M from (pid=1177) execute /opt/stack/nova/nova/utils.py:207
libvir: QEMU error : Domain not found: no domain with matching name 'instance-0000001f'
2012-02-20 23:22:04 INFO nova.virt.libvirt.connection [-] [instance: cdcdd06c-2030-4826-bf99-b09dd96b2373] Instance destroyed successfully.
2012-02-20 23:22:04 DEBUG nova.compute.manager [-] [instance: cdcdd06c-2030-4826-bf99-b09dd96b2373] Instance network_info: |[VIF({'network': Network({'bridge': u'br100', 'subnets': [Subnet({'ips': [FixedIP({'meta': {}, 'version': 4, 'type': u'fixed', 'floating_ips': [], 'address': u'192.168.71.2'})], 'version': 4, 'meta': {}, 'dns': [IP({'meta': {}, 'version': 4, 'type': u'dns', 'address': u'8.8.4.4'})], 'routes': [], 'cidr': u'192.168.0.0/16', 'gateway': IP({'meta': {}, 'version': 4, 'type': u'gateway', 'address': u'192.168.1.1'})}), Subnet({'ips': [], 'version': None, 'meta': {}, 'dns': [], 'routes': [], 'cidr': None, 'gateway': IP({'meta': {}, 'version': None, 'type': u'gateway', 'address': None})})], 'meta': {u'injected': True, u'tenant_id': None}, 'id': u'e800dca0-b76d-4309-8cb9-c5a3eb1f3105', 'label': u'private'}), 'meta': {}, 'id': u'b1625dc2-f9c2-4c70-914e-0eb554d43fc6', 'address': u'02:16:3e:66:5e:24'})]| from (pid=1177) _allocate_network /opt/stack/nova/nova/compute/manager.py:561
2012-02-20 23:22:04 DEBUG nova.compute.manager [-] [instance: cdcdd06c-2030-4826-bf99-b09dd96b2373] Deallocating network for instance from (pid=1177) _deallocate_network /opt/stack/nova/nova/compute/manager.py:611
2012-02-20 23:22:04 DEBUG nova.rpc.common [-] Making asynchronous cast on network... from (pid=1177) cast /opt/stack/nova/nova/rpc/amqp.py:343
2012-02-20 23:22:04 ERROR nova.compute.manager [-] Instance cdcdd06c-2030-4826-bf99-b09dd96b2373 not found.
(nova.compute.manager): TRACE: Traceback (most recent call last):
(nova.compute.manager): TRACE: File "/opt/stack/nova/nova/compute/manager.py", line 427, in _run_instance
(nova.compute.manager): TRACE: self._deallocate_network(context, instance)
(nova.compute.manager): TRACE: File "/usr/lib/python2.7/contextlib.py", line 24, in __exit__
(nova.compute.manager): TRACE: self.gen.next()
(nova.compute.manager): TRACE: File "/opt/stack/nova/nova/compute/manager.py", line 421, in _run_instance
(nova.compute.manager): TRACE: block_device_info = self._prep_block_device(context, instance)
(nova.compute.manager): TRACE: File "/opt/stack/nova/nova/compute/manager.py", line 569, in _prep_block_device
(nova.compute.manager): TRACE: task_state=task_states.BLOCK_DEVICE_MAPPING)
(nova.compute.manager): TRACE: File "/opt/stack/nova/nova/compute/manager.py", line 213, in _instance_update
(nova.compute.manager): TRACE: return self.db.instance_update(context, instance_id, kwargs)
(nova.compute.manager): TRACE: File "/opt/stack/nova/nova/db/api.py", line 661, in instance_update
(nova.compute.manager): TRACE: return IMPL.instance_update(context, instance_id, values)
(nova.compute.manager): TRACE: File "/opt/stack/nova/nova/db/sqlalchemy/api.py", line 119, in wrapper
(nova.compute.manager): TRACE: return f(*args, **kwargs)
(nova.compute.manager): TRACE: File "/opt/stack/nova/nova/db/sqlalchemy/api.py", line 1710, in instance_update
(nova.compute.manager): TRACE: session=session)
(nova.compute.manager): TRACE: File "/opt/stack/nova/nova/db/sqlalchemy/api.py", line 119, in wrapper
(nova.compute.manager): TRACE: return f(*args, **kwargs)
(nova.compute.manager): TRACE: File "/opt/stack/nova/nova/db/sqlalchemy/api.py", line 1452, in instance_get_by_uuid
(nova.compute.manager): TRACE: raise exception.InstanceNotFound(instance_id=uuid)
(nova.compute.manager): TRACE: InstanceNotFound: Instance cdcdd06c-2030-4826-bf99-b09dd96b2373 could not be found.
(nova.compute.manager): TRACE:
2012-02-20 23:22:04 INFO nova.compute.manager [-] Going to force the deletion of the vm cdcdd06c-2030-4826-bf99-b09dd96b2373, even if it is deleted
2012-02-20 23:22:04 INFO nova.compute.manager [req-e12699ae-b49b-47d6-8416-3ee51f1b7802 47c273884edd402d9c6cba469d6dbf0f b560b4f9ab4a4941b3bafbb44e3e100b] check_instance_lock: decorating: |<function terminate_instance at 0x2bef848>|
2012-02-20 23:22:04 INFO nova.compute.manager [req-e12699ae-b49b-47d6-8416-3ee51f1b7802 47c273884edd402d9c6cba469d6dbf0f b560b4f9ab4a4941b3bafbb44e3e100b] check_instance_lock: arguments: |<nova.compute.manager.ComputeManager object at 0x7fda66825990>| |<nova.rpc.amqp.RpcContext object at 0x46b7b90>| |cdcdd06c-2030-4826-bf99-b09dd96b2373|
2012-02-20 23:22:04 DEBUG nova.compute.manager [req-e12699ae-b49b-47d6-8416-3ee51f1b7802 47c273884edd402d9c6cba469d6dbf0f b560b4f9ab4a4941b3bafbb44e3e100b] instance cdcdd06c-2030-4826-bf99-b09dd96b2373: getting locked state from (pid=1177) get_lock /opt/stack/nova/nova/compute/manager.py:1544
<Mega crash>
Regarding the security classification, I'm leaning toward not calling it a vulnerability. It could be a DoS, but only one triggerable by an authenticated user, and there is no privilege escalation or information leakage.
Thoughts from other VMT members?