Add policy rule to block image-backed servers with 0 root disk flavor
This adds a new policy rule which defaults to behave in a
backward compatible way, but will allow operators to enforce
that servers created with a zero disk flavor must also be
volume-backed servers.
Allowing users to upload their own images and create image-backed
servers on local disk with zero root disk size flavors can be
potentially hazardous if the size of the image is unexpectedly
large, since it can consume the local disk (or shared storage pool).
It should be noted that disabling the new policy rule will
result in a non-backward compatible API behavior change and no
microversion is being introduced for this because enforcement via
a new microversion would not close the security gap on any previous
microversions.
Related compute API reference and user documentation is updated
to mention the policy rule along with a release note since
this is tied to a security bug, which will be backported to stable
branches.
NOTE(mriedem): The api-ref/source/parameters.yaml conflict is due
to If646149efb7eec8c90bf7d07c39ff4c495349941 not being in Pike.
The doc/source/admin/flavors2.rst conflict is due to the doc
not being in Ocata - it was migrated from the central admin-guide
in Ifa0039e270e54ea2fb58ab18ce6724e5e8e061a1.
The nova/policies/servers.py conflict is due to two changes in Pike:
I17b6ca6e17c777ae7d337bf70ec4774ffe5187a8 and
I050c4f5f19aa79a682e076cc3e47eba597f272dd. The DocumentedRuleDefault
class was added to oslo.policy starting in 1.21.1 in Pike which is
newer than what stable/ocata supports in global-requirements so we
can't use it in this backport.
The nova/tests/functional/wsgi/test_servers.py conflict is due to
Ifcaaf285c8f98a1d0e8bbbc87b2f57fbce057346 and
I294c54e5a22dd6e5b226a4b00e7cd116813f0704 not being in Ocata.
Change-Id: Id67e1285a0522474844de130c9263e11868f67fb
Closes-Bug: #1739646
(cherry picked from commit 763fd62464e9a0753e061171cc1fd826055bbc01)
(cherry picked from commit 7bcd581c78bb5916bf4b52e213322e7b56283572)
(cherry picked from commit 0bf75621bbd25d4ce8a3588f112cf714891556eb)
Reviewed: https:/ /review. openstack. org/563719 /git.openstack. org/cgit/ openstack/ nova/commit/ ?id=8392c7f2656 ae624877e3df539 681c0a8f8b4926
Committed: https:/
Submitter: Zuul
Branch: stable/ocata
commit 8392c7f2656ae62 4877e3df539681c 0a8f8b4926
Author: Matt Riedemann <email address hidden>
Date: Fri Apr 13 13:44:33 2018 -0400
Add policy rule to block image-backed servers with 0 root disk flavor
This adds a new policy rule which defaults to behave in a
backward compatible way, but will allow operators to enforce
that servers created with a zero disk flavor must also be
volume-backed servers.
Allowing users to upload their own images and create image-backed
servers on local disk with zero root disk size flavors can be
potentially hazardous if the size of the image is unexpectedly
large, since it can consume the local disk (or shared storage pool).
It should be noted that disabling the new policy rule will
result in a non-backward compatible API behavior change and no
microversion is being introduced for this because enforcement via
a new microversion would not close the security gap on any previous
microversions.
Related compute API reference and user documentation is updated
to mention the policy rule along with a release note since
this is tied to a security bug, which will be backported to stable
branches.
Conflicts:
api- ref/source/ parameters. yaml
doc/ source/ admin/flavors2. rst
nova/ policies/ servers. py
nova/ tests/functiona l/wsgi/ test_servers. py
NOTE(mriedem): The api-ref/ source/ parameters. yaml conflict is due 8c90bf7d07c39ff 4c495349941 not being in Pike. admin/flavors2. rst conflict is due to the doc a2fb58ab18ce672 4e5e8e061a1. servers. py conflict is due to two changes in Pike: c777ae7d337bf70 ec4774ffe5187a8 and aa79a682e076cc3 e47eba597f272dd . The DocumentedRuleD efault functional/ wsgi/test_ servers. py conflict is due to f98a1d0e8bbbc87 b2f57fbce057346 and 2dd6e5b226a4b00 e7cd116813f0704 not being in Ocata.
to If646149efb7eec
The doc/source/
not being in Ocata - it was migrated from the central admin-guide
in Ifa0039e270e54e
The nova/policies/
I17b6ca6e17
I050c4f5f19
class was added to oslo.policy starting in 1.21.1 in Pike which is
newer than what stable/ocata supports in global-requirements so we
can't use it in this backport.
The nova/tests/
Ifcaaf285c8
I294c54e5a2
Change-Id: Id67e1285a05224 74844de130c9263 e11868f67fb 53e061171cc1fd8 26055bbc01) 6bf4b52e213322e 7b56283572) ce8a3588f112cf7 14891556eb)
Closes-Bug: #1739646
(cherry picked from commit 763fd62464e9a07
(cherry picked from commit 7bcd581c78bb591
(cherry picked from commit 0bf75621bbd25d4