OpenStack Compute (nova)

  1. Bug #1069904
  2. Comment #4

Comment 4 for bug 1069904

Revision history for this message
Vish Ishaya (vishvananda) wrote : Re: No authentication on block device used for os-volume_boot

attach_volume is definitely not affected. It appears that attach_volume_boot has an elevated context so it may be possible to boot off of other peoples volumes. This appears to affect folsom/nova-volumes as well, although it should be verified. A simple fix would be to make sure we don't have an elevated context before doing the volume_api.get and volume_api.get_snapshot code in stable/essex here:

 375 # TODO(yamahata): default name and description
 376 snapshot = self.volume_api.get_snapshot(context,
 377 bdm['snapshot_id'])
 378 vol = self.volume_api.create(context, bdm['volume_size'],
 379 '', '', snapshot)
 380 # TODO(yamahata): creating volume simultaneously
 381 # reduces creation time?
 382 self.volume_api.wait_creation(context, vol)
 383 self.db.block_device_mapping_update(
 384 context, bdm['id'], {'volume_id': vol['id']})
 385 bdm['volume_id'] = vol['id']
 386
 387 if bdm['volume_id'] is not None:
 388 volume = self.volume_api.get(context, bdm['volume_id'])
 389 self.volume_api.check_attach(context, volume)
 390 cinfo = self._attach_volume_boot(context,
 391 instance,
 392 volume,
 393 bdm['device_name'])