Comment 68 for bug 2004555

Sylvain Bauza (sylvain-bauza) wrote : Re: [ussuri] Wrong volume attachment - volumes overlapping when connected through iscsi on host

I quite like Gorkar's policy workarounds using the service_user tokens. That would help our operators to just modify their configurations without needing to upgrade some z-release and then the exploit wouldn't be possible.

I also looked at https://bugs.launchpad.net/nova/+bug/2004555/+attachment/5656303/+files/cinder-2004555.patch and I'm quite OK with it, but I have a concern: if we want to backport it, then we could only do it down to Xena as 2.89 is only there in that release.
https://docs.openstack.org/nova/latest/reference/api-microversion-history.html#microversion-2-89

For this specific reason, unless we change the fix to use other APIs from Nova that are older (but honestly, I don't really know which ones) or we explain in the vulnerability details that you need to use the policy workarounds if you're older than Xena.