HypervisorUnavailable error leaks compute host fqdn to non-admin users
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Low | Harshavardhan Metla | |
Pike | Fix Released | Undecided | Unassigned | |
Queens | Fix Released | Low | melanie witt | |
Rocky | Fix Released | Low | melanie witt | |
Stein | Fix Released | Low | melanie witt | |
Train | Fix Released | Low | melanie witt | |
Ussuri | Fix Released | Low | melanie witt | |
OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
Bug Description
Description
===========
When an instance encounters a HypervisorUnava
Steps to reproduce
==================
1. Spin up an instance with non-admin user credentials
2. To reproduce the error, stop the libvirtd service on the compute host containing the instance
3. Delete the instance
4. Deletion fails providing HypervisorUnava
Expected result
===============
Error does not show compute host fqdn to a non-admin user
Actual result
=============
#spin up an instance
+------
| ID | Name | Status | Task State | Power State | Networks | Image Name | Image ID | Flavor Name | Flavor ID | Availability Zone | Host | Properties |
+------
| 4f42886d-
+------
#instance is running on compute-0 node (only admin knows this)
[heat-admin@
Id Name State
-------
108 instance-00000092 running
#stop libvirtd service
[root@compute-0 heat-admin]# systemctl stop tripleo_
[root@compute-0 heat-admin]# systemctl status tripleo_
● tripleo_
Loaded: loaded (/etc/systemd/
Active: inactive (dead) since Wed 2019-11-06 22:48:25 UTC; 5s ago
Process: 8514 ExecStop=
Main PID: 3783
Nov 06 22:29:48 compute-0 podman[3396]: 2019-11-06 22:29:48.443603571 +0000 UTC m=+1.325620613 container init a3e32121d12929e
Nov 06 22:29:48 compute-0 podman[3396]: 2019-11-06 22:29:48.475946808 +0000 UTC m=+1.357963869 container start a3e32121d12929e
Nov 06 22:29:48 compute-0 paunch-
Nov 06 22:29:48 compute-0 paunch-
Nov 06 22:29:49 compute-0 systemd[1]: Started nova_libvirt container.
Nov 06 22:48:24 compute-0 systemd[1]: Stopping nova_libvirt container...
Nov 06 22:48:25 compute-0 podman[8514]: 2019-11-06 22:48:25.595405651 +0000 UTC m=+1.063832024 container died a3e32121d12929e
Nov 06 22:48:25 compute-0 podman[8514]: 2019-11-06 22:48:25.597210594 +0000 UTC m=+1.065636903 container stop a3e32121d12929e
Nov 06 22:48:25 compute-0 podman[8514]: a3e32121d12929e
Nov 06 22:48:25 compute-0 systemd[1]: Stopped nova_libvirt container.
#delete the instance, it leaks compute host fqdn to the non-admin user
(overcloud) [stack@undercloud-0 ~]$ nova delete test-11869
Request to delete server test-11869 has been accepted.
(overcloud) [stack@undercloud-0 ~]$ openstack server list --long
+------
| ID | Name | Status | Task State | Power State | Networks | Image Name | Image ID | Flavor Name | Flavor ID | Availability Zone | Host | Properties |
+------
| 4f42886d-
+------
(overcloud) [stack@undercloud-0 ~]$ openstack server show test-11869 <---debug output attached in logs
+------
| Field | Value |
+------
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-
| OS-EXT-
| OS-EXT-
| OS-EXT-STS:vm_state | error |
| OS-SRV-
| OS-SRV-
| accessIPv4 | |
| accessIPv6 | |
| addresses | |
| config_drive | |
| created | 2019-11-
| description | None |
| fault | {'code': 500, 'created': '2019-11-
| flavor | disk='1', ephemeral='0', , original_
| hostId | c7e6bf58b57f435
| id | 4f42886d-
| image | cirros-
| key_name | None |
| locked | False |
| locked_reason | None |
| name | test-11869 |
| project_id | 6e39619e17a9478
| properties | |
| server_groups | [] |
| status | ERROR |
| tags | [] |
| trusted_
| updated | 2019-11-
| user_id | 3cd6a8cb88eb49d
| volumes_attached | |
+------
Changed in nova: status: New → Triaged
Changed in nova: assignee: nobody → Harshavardhan Metla (harsha24)
Changed in nova: importance: Undecided → Low
HypervisorUnavailable could probably crop up for any server action if the compute service is running but the hypervisor is down and it just blindly gets injected as an instance fault because of the @wrap_instance_fault decorator in the ComputeManager.
The fault details should be hidden from non-admin users but the message could probably be generically whitelisted and converted to something that doesn't contain the host name.
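One way to apply the suggestion in the comment above, as an added example that is not nova's code and not the fix that was merged: the full fault is stored for operators, and non-admin callers get a fixed, host-free message looked up by exception class. The names record_fault, render_fault and GENERIC_MESSAGES, the host name and the message texts are all hypothetical or constructed.

```python
# Added illustration, not nova code: all names, the host name and the
# message text below are hypothetical / constructed.

# Exception class name -> fixed, host-free text that any user may see.
GENERIC_MESSAGES = {
    "HypervisorUnavailable": "The hypervisor is currently unavailable",
}


class HypervisorUnavailable(Exception):
    """Stand-in for the exception in the report; its text embeds the host."""

    def __init__(self, host):
        super().__init__(f"hypervisor connection lost on host: {host}")


def record_fault(exc, details=""):
    """Persist the full fault (as a fault-recording decorator would)."""
    return {
        "code": 500,
        "class": type(exc).__name__,
        "message": str(exc),
        "details": details,
    }


def render_fault(fault, is_admin):
    """Return the fault as the API should show it to this caller."""
    if is_admin:
        return {k: fault[k] for k in ("code", "message", "details")}
    # Non-admin: never echo the stored message. Allowlisted classes map to
    # fixed text; anything else is reduced to its class name. No details.
    message = GENERIC_MESSAGES.get(fault["class"], fault["class"])
    return {"code": fault["code"], "message": message}


def demo():
    host = "compute-0.example.test"  # constructed FQDN
    fault = record_fault(HypervisorUnavailable(host), details="Traceback ...")
    return render_fault(fault, is_admin=False), render_fault(fault, is_admin=True)


if __name__ == "__main__":
    for view in demo():
        print(view)
```

Looking the message up by class, instead of trying to strip host names out of the stored text, means an exception type nobody anticipated still reaches non-admin users as a bare class name.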