yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #73544
[Bug 1742102] Re: Simple user can disable compute
On discussing with Dan Smith, the related denial of service condition
described in this report has been a known risk since the introduction of
the feature and generally falls below the threshold for broad
publication in an advisory. The related fixes merged back as far as
stable/pike will mitigate it (or can be tuned to greater extremes to do
so if necessary) and are accompanied by a security release note. Since
this report is already public, I'm going to mark this as a security
hardening opportunity (class D in our VMT report taxonomy[*]) with no
OSSA task needed. If there is a strong objection that an advisory is
needed, then we can revisit publishing one.
[*] https://security.openstack.org/vmt-process.html#incident-report-
taxonomy
** Information type changed from Public Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
** Tags added: security
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1742102
Title:
Simple user can disable compute
Status in OpenStack Compute (nova):
In Progress
Status in OpenStack Compute (nova) pike series:
New
Status in OpenStack Compute (nova) queens series:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Hi,
When I tested a fresh deploy of Pike, I created a private network with
a little subnet like /28. If you try to create a lot of new instances,
nova failed because which doesn't have free IP for the creation of new
instances.
The fail trace is https://thepasteb.in/p/zmh8qDG2ZYJIZ
So after that, the trigger consecutive_build_service_disable_threshold
up to 10 very fast and computes are disable.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1742102/+subscriptions
References