93c0f9bc74
This change tightens the validation around the attachment update API to ensure that it can only be called if the source volume has a non empty migration status. That means it will only accept a request to swap the volume if it is the result of a cinder volume migration. This change is being made to prevent the instance domain XML from getting out of sync with the nova BDM records and cinder connection info. In the future support for direct swap volume actions can be re-added if and only if the nova libvirt driver is updated to correctly modify the domain. The libvirt driver is the only driver that supported this API outside of a cinder orchestrated swap volume. By allowing the domain XML and BDMs to get out of sync if an admin later live-migrates the VM the host path will not be modified for the destination host. Normally this results in a live migration failure which often prompts the admin to cold migrate instead. however if the source device path exists on the destination the migration will proceed. This can lead to 2 VMs using the same host block device. At best this will cause a crash or data corruption. At worst it will allow one guest to access the data of another. Prior to this change there was an explicit warning in nova API ref stating that humans should never call this API because it can lead to this situation. Now it considered a hard error due to the security implications. Closes-Bug: #2112187 Depends-on: https://review.opendev.org/c/openstack/tempest/+/957753 Change-Id: I439338bd2f27ccd65a436d18c8cbc9c3127ee612 Signed-off-by: Sean Mooney <work@seanmooney.info>
37 lines
1.7 KiB
YAML
37 lines
1.7 KiB
YAML
---
|
|
security:
|
|
- |
|
|
Nova has documented that the ``update volume attachment`` API
|
|
PUT /servers/{server_id}/os-volume_attachments/{volume_id}
|
|
should not be called directly for a very long time.
|
|
|
|
"When updating volumeId, this API is typically meant to only
|
|
be used as part of a larger orchestrated volume migration
|
|
operation initiated in the block storage service via
|
|
the os-retype or os-migrate_volume volume actions.
|
|
Direct usage of this API to update volumeId is not recommended
|
|
and may result in needing to hard reboot the server
|
|
to update details within the guest such as block storage serial IDs.
|
|
Furthermore, updating volumeId via this API is only implemented
|
|
by certain compute drivers."
|
|
|
|
As an admin only api, direct usage has always been limited to admins
|
|
or service like ``watcher``.
|
|
This longstanding recommendation is now enforced as a security
|
|
hardening measure and restricted to only cinder.
|
|
The prior warning alluded to the fact that directly using this
|
|
api can result in a guest with a de-synced definition of the volume
|
|
serial. Before this change it was possible for an admin to unknowingly
|
|
put a VM in an inconsistent state such that a future live migration may
|
|
fail or succeed and break tenant isolation. This could not happen
|
|
when the api was called by cinder so Nova has restricted that api
|
|
exclusively to that use-case.
|
|
see: https://bugs.launchpad.net/nova/+bug/2112187 for details.
|
|
|
|
fixes:
|
|
- |
|
|
``Nova`` now strictly enforces that only ``cinder`` can call the
|
|
``update volume attachment`` aka ``swap volume`` api. This is part
|
|
of addressing a security hardening gap identified as part of bug:
|
|
https://bugs.launchpad.net/nova/+bug/2112187
|