yahoo-eng-team team mailing list archive
Message #78752
[Bug 1831723] [NEW] The flavor hide_hypervisor_id value can be overridden by the image img_hide_hypervisor_id
Public bug reported:
During the implementation of enabling hypervisor hiding for Windows guests
it became apparent that a latent bug exists that allows non-privileged users
to override the policy set by the admin in the flavor by uploading a custom image.
By convention, back in the Havana/Icehouse days we used to allow the flavor to take precedence
over the image if there was a conflict and log a warning. Sometime around Liberty/Mitaka we decided
that was a bad user experience for end users as they did not receive what they asked for, and started to convert all conflicts into a hard error.
The only case where we intentionally allow the image to take precedence over the flavor is hw:mem_page_size, where it is allowed if and only if the admin has set hw:mem_page_size to large or any explicitly.
In other words, unless the admin has opted in to allowing the image to take precedence by not setting a value in the flavor or setting it to a value that allows the image to refine the choice, we do not support image overriding flavors.
The current code does exactly that by the use of a logical or:
    flavor_hide_kvm = strutils.bool_from_string(
        flavor.get('extra_specs', {}).get('hide_hypervisor_id'))
    if (virt_type in ("qemu", "kvm") and
            (image_meta.properties.get('img_hide_hypervisor_id') or
             flavor_hide_kvm)):
and the new code
    hide_hypervisor_id = (strutils.bool_from_string(
        flavor.extra_specs.get('hide_hypervisor_id')) or
        image_meta.properties.get('img_hide_hypervisor_id'))
exhibits the same behavior.
In both cases, if img_hide_hypervisor_id=true and hide_hypervisor_id=false,
hypervisor hiding will be enabled.
In this specific case the side-effects of this are safe, but it may not be in all
cases of this pattern.
** Affects: nova
Importance: Undecided
Status: New
** Tags: libvirt
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1831723
Title:
The flavor hide_hypervisor_id value can be overridden by the image
img_hide_hypervisor_id
Status in OpenStack Compute (nova):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1831723/+subscriptions
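
The precedence problem described in the report, as an added example that is not nova code and not the project's fix: it contrasts the logical-or pattern with a resolver where the flavor is authoritative and a contradicting image property is a hard error. The function names, the exception class and the tri-state parse_bool helper (a stand-in for strutils.bool_from_string) are assumptions made for illustration.

```python
# Added example, not nova code: all names below are hypothetical.
TRUE_STRINGS = {"1", "t", "true", "on", "y", "yes"}
FALSE_STRINGS = {"0", "f", "false", "off", "n", "no"}


class FlavorImageConflict(Exception):
    """Image property contradicts a value the admin set in the flavor."""


def parse_bool(value):
    """Return True/False, or None when the key is unset (tri-state)."""
    if value is None:
        return None
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("not a boolean: %r" % (value,))


def hide_with_or(extra_specs, image_props):
    """The pattern from the report: either side can switch the feature on."""
    flavor_hide = parse_bool(extra_specs.get("hide_hypervisor_id")) or False
    image_hide = parse_bool(image_props.get("img_hide_hypervisor_id")) or False
    return flavor_hide or image_hide


def hide_flavor_wins(extra_specs, image_props):
    """Flavor is authoritative; the image applies only if the flavor is unset."""
    flavor_hide = parse_bool(extra_specs.get("hide_hypervisor_id"))
    image_hide = parse_bool(image_props.get("img_hide_hypervisor_id"))
    if flavor_hide is None:
        # Admin expressed no policy, so the image may choose.
        return bool(image_hide)
    if image_hide is not None and image_hide != flavor_hide:
        # Explicit disagreement: refuse instead of silently picking a side.
        raise FlavorImageConflict(
            "image img_hide_hypervisor_id=%s conflicts with flavor "
            "hide_hypervisor_id=%s" % (image_hide, flavor_hide))
    return flavor_hide
```

The tri-state parse matters here: collapsing an unset flavor key to False, as a plain boolean conversion does, makes "admin said no" indistinguishable from "admin said nothing".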