nova-manage vm list produces monster query
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Invalid | Medium | Sumanth Nagadavalli | |
Bug Description
Marking this as a security vulnerability because this can be used to essentially flood the database server and cause an entire Nova MySQL database to slow to a crawl.
This issue was discovered by HP database admins investigating slow performance on the Nova database nodes. The DBA was seeing the following PROCESSLIST in MySQL:
With this being the query predominantly running, with a status of "Sending data":
Code in trunk:
https:/
AFAICT, no limit/marker offset is ever passed to the query, and so the command by default lists every VM, with joins to all related tables.
The short-term solution would be to put a pagination mechanism into nova-manage.
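The limit/marker pagination suggested in the description, as an added example that is not part of the original report and is not Nova's code. The two-table schema, the sample rows and the names `build_sample_db` and `list_vms_paged` are assumptions made for illustration.

```python
import sqlite3

def build_sample_db(n_instances=25):
    """Constructed sample data: a hypothetical two-table schema, not Nova's."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE instances (id INTEGER PRIMARY KEY, hostname TEXT, host TEXT);
        CREATE TABLE instance_types (instance_id INTEGER, name TEXT);
    """)
    for i in range(1, n_instances + 1):
        db.execute("INSERT INTO instances VALUES (?, ?, ?)",
                   (i, f"vm-{i}", f"compute-{i % 3}"))
        db.execute("INSERT INTO instance_types VALUES (?, ?)", (i, "m1.small"))
    db.commit()
    return db

# Keyset ("marker") pagination: resume after the last id seen, capped by LIMIT.
PAGE_SQL = """
    SELECT i.id, i.hostname, i.host, t.name
    FROM instances i JOIN instance_types t ON t.instance_id = i.id
    WHERE i.id > ? ORDER BY i.id LIMIT ?
"""

def list_vms_paged(db, page_size=10, stats=None):
    """Yield every VM row while fetching at most page_size rows per query.

    Each query is a bounded range scan on the primary key, so the server
    never has to build and send the whole joined result set in one go.
    If stats is a list, the row count of every query is appended to it.
    """
    if page_size < 1:
        raise ValueError("page_size must be >= 1")
    marker = 0
    while True:
        rows = db.execute(PAGE_SQL, (marker, page_size)).fetchall()
        if stats is not None:
            stats.append(len(rows))
        yield from rows
        if len(rows) < page_size:
            return  # short or empty page: nothing left to fetch
        marker = rows[-1][0]

if __name__ == "__main__":
    for row in list_vms_paged(build_sample_db(), page_size=10):
        print("%-8s %-12s %s" % (row[1], row[2], row[3]))
```
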
tags: added: db
tags: added: nova-manage
Changed in nova: importance: Undecided → Medium
Changed in nova: assignee: nobody → Sumanth Nagadavalli (sumanth-nagadavalli)
Discussed with Jay, and there is no valid threat model for this unless your deployment lets attackers indirectly run nova-manage commands... in which case the issue could be considered a vulnerability in the way you deployed rather than in Nova.
Those affected deployers should definitely patch this before we open the bug to the public... and fix the bug in Nova publicly.
Hopefully that will happen before the next RC round.
Setting to Incomplete until Jay can confirm this is OK to open.