diff -Nru nova-15.0.1/AUTHORS nova-15.0.2/AUTHORS --- nova-15.0.1/AUTHORS 2017-03-15 11:19:30.000000000 +0000 +++ nova-15.0.2/AUTHORS 2017-03-22 10:19:14.000000000 +0000 @@ -1000,6 +1000,7 @@ Shraddha Pandhe Shraddha Pandhe Shuangtai Tian +ShunliZhou Shunya Kitada Shuquan Huang Sidharth Surana diff -Nru nova-15.0.1/ChangeLog nova-15.0.2/ChangeLog --- nova-15.0.1/ChangeLog 2017-03-15 11:19:28.000000000 +0000 +++ nova-15.0.2/ChangeLog 2017-03-22 10:19:12.000000000 +0000 @@ -1,6 +1,16 @@ CHANGES ======= +15.0.2 +------ + +* Add release note for CVE-2017-7214 +* get_model method missing for Ploop image +* do not include context to exception notification +* Add populate_retry to schedule_and_build_instances +* Fix functional regression/recreate test for bug 1671648 +* Add a functional regression/recreate test for bug 1671648 + 15.0.1 ------ diff -Nru nova-15.0.1/debian/changelog nova-15.0.2/debian/changelog --- nova-15.0.1/debian/changelog 2017-03-15 14:52:46.000000000 +0000 +++ nova-15.0.2/debian/changelog 2017-03-22 12:42:18.000000000 +0000 @@ -1,3 +1,9 @@ +nova (2:15.0.2-0ubuntu1) zesty; urgency=medium + + * New upstream point release for OpenStack Ocata. + + -- Chuck Short Wed, 22 Mar 2017 08:42:18 -0400 + nova (2:15.0.1-0ubuntu1) zesty; urgency=medium * New upstream point release for OpenStack Ocata. diff -Nru nova-15.0.1/debian/gbp.conf nova-15.0.2/debian/gbp.conf --- nova-15.0.1/debian/gbp.conf 2017-03-15 14:52:46.000000000 +0000 +++ nova-15.0.2/debian/gbp.conf 2017-03-22 12:42:18.000000000 +0000 @@ -1,5 +1,5 @@ [DEFAULT] -debian-branch = stable/ocata +debian-branch = master upstream-tag = %(version)s pristine-tar = True diff -Nru nova-15.0.1/nova/conductor/manager.py nova-15.0.2/nova/conductor/manager.py --- nova-15.0.1/nova/conductor/manager.py 2017-03-15 11:16:59.000000000 +0000 +++ nova-15.0.2/nova/conductor/manager.py 2017-03-22 10:16:50.000000000 +0000 
@@ -875,9 +875,10 @@ for (build_request, request_spec, host) in six.moves.zip( build_requests, request_specs, hosts): filter_props = request_spec.to_legacy_filter_properties_dict() + instance = build_request.get_new_instance(context) + scheduler_utils.populate_retry(filter_props, instance.uuid) scheduler_utils.populate_filter_properties(filter_props, host) - instance = build_request.get_new_instance(context) # Convert host from the scheduler into a cell record if host['host'] not in host_mapping_cache: diff -Nru nova-15.0.1/nova/exception_wrapper.py nova-15.0.2/nova/exception_wrapper.py --- nova-15.0.1/nova/exception_wrapper.py 2017-03-15 11:16:48.000000000 +0000 +++ nova-15.0.2/nova/exception_wrapper.py 2017-03-22 10:16:39.000000000 +0000 @@ -86,6 +86,9 @@ # self can't be serialized and shouldn't be in the # payload call_dict.pop('self', None) + # NOTE(gibi) remove context as well as it contains sensitive information + # and it can also contain circular references + call_dict.pop('context', None) return _cleanse_dict(call_dict) diff -Nru nova-15.0.1/nova/tests/functional/regressions/test_bug_1671648.py nova-15.0.2/nova/tests/functional/regressions/test_bug_1671648.py --- nova-15.0.1/nova/tests/functional/regressions/test_bug_1671648.py 1970-01-01 00:00:00.000000000 +0000 +++ nova-15.0.2/nova/tests/functional/regressions/test_bug_1671648.py 2017-03-22 10:16:39.000000000 +0000 
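Review bot: The reordering in the nova/conductor/manager.py hunk is load-bearing, but nothing in the code says so. `build_request.get_new_instance(context)` is moved up so that `instance.uuid` is available to `scheduler_utils.populate_retry`, and that call is placed ahead of `populate_filter_properties`, which looks deliberate (presumably so the selected host is recorded in the retry data; confirm against scheduler_utils). A short comment above the new call would stop a later cleanup from moving it back, e.g. `# Populate 'retry' before populate_filter_properties so a failed build can be rescheduled to another host (bug 1671648).` The enclosing loop and method start and end outside the hunk.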
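Review bot: In the nova/exception_wrapper.py hunk, `call_dict.pop('context', None)` drops the request context only when the wrapped function's parameter is literally named `context`. Assuming `call_dict` is keyed by parameter name, as the existing `pop('self', None)` suggests, a function that spells it `ctxt` (the spelling `_build_and_run_instance(ctxt, ...)` uses in test_conductor.py in this same diff) would still carry the context and its auth data into the notification payload and the logs. Filtering by type instead of by name would close that gap, e.g. `call_dict = {k: v for k, v in call_dict.items() if not isinstance(v, nova.context.RequestContext)}` with `nova.context` imported. The assertion added in test_exception.py only covers the `context` spelling, so a second case with a differently named argument would pin the behaviour. Whether `_cleanse_dict` already strips such values cannot be seen from this hunk, and the function body starts outside it.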
@@ -0,0 +1,154 @@
+# Copyright 2017 Huawei Technologies Co.,LTD.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+import time
+
+import nova.compute.resource_tracker
+from nova import exception
+from nova import test
+from nova.tests import fixtures as nova_fixtures
+from nova.tests.unit import cast_as_call
+from nova.tests.unit import fake_network
+import nova.tests.unit.image.fake
+from nova.tests.unit import policy_fixture
+from nova.virt import fake
+
+
+class TestRetryBetweenComputeNodeBuilds(test.TestCase):
+ """This tests a regression introduced in the Ocata release.
+
+ In Ocata we started building instances in conductor for cells v2. That
+ uses a new "schedule_and_build_instances" in the ConductorManager rather
+ than the old "build_instances" method and duplicates a lot of the same
+ logic, but it missed populating the "retry" value in the scheduler filter
+ properties. As a result, failures to build an instance on a compute node
+ which would normally result in a retry of the build on another compute
+ node are not actually happening.
+ """
+
+ def setUp(self):
+ super(TestRetryBetweenComputeNodeBuilds, self).setUp()
+
+ self.useFixture(policy_fixture.RealPolicyFixture())
+
+ # The NeutronFixture is needed to stub out validate_networks in API.
+ self.useFixture(nova_fixtures.NeutronFixture(self))
+
+ # This stubs out the network allocation in compute.
+ fake_network.set_stub_network_methods(self)
+
+ # We need the computes reporting into placement for the filter
+ # scheduler to pick a host.
+ self.useFixture(nova_fixtures.PlacementFixture())
+
+ api_fixture = self.useFixture(nova_fixtures.OSAPIFixture(
+ api_version='v2.1'))
+ # The admin API is used to get the server details to verify the
+ # host on which the server was built.
+ self.admin_api = api_fixture.admin_api
+
+ # the image fake backend needed for image discovery
+ nova.tests.unit.image.fake.stub_out_image_service(self)
+
+ self.start_service('conductor')
+ self.start_service('consoleauth')
+
+ # Configure a minimal filter scheduler setup.
+ self.flags(enabled_filters=['ComputeFilter', 'RetryFilter'],
+ group='filter_scheduler')
+ self.start_service('scheduler')
+
+ # We start two compute services because we're going to fake one
+ # of them to fail the build so we can trigger the retry code.
+ # set_nodes() is needed to have each compute service return a
+ # different nodename, so we get two hosts in the list of candidates
+ # for scheduling. Otherwise both hosts will have the same default
+ # nodename "fake-mini". The host passed to start_service controls the
+ # "host" attribute and set_nodes() sets the "nodename" attribute.
+ # We set_nodes() to make host and nodename the same for each compute.
+ fake.set_nodes(['host1'])
+ self.addCleanup(fake.restore_nodes)
+ self.start_service('compute', host='host1')
+ fake.set_nodes(['host2'])
+ self.addCleanup(fake.restore_nodes)
+ self.start_service('compute', host='host2')
+
+ self.useFixture(cast_as_call.CastAsCall(self.stubs))
+
+ self.image_id = self.admin_api.get_images()[0]['id']
+ self.flavor_id = self.admin_api.get_flavors()[0]['id']
+
+ # This is our flag that we set when we hit the first host and
+ # made it fail.
+ self.failed_host = None
+ self.attempts = 0
+
+ # We can't stub nova.compute.claims.Claims.__init__ because there is
+ # a race where nova.compute.claims.NopClaim will be used instead,
+ # see for details:
+ # https://github.com/openstack/nova/blob/bb02d11/nova/compute/
+ # resource_tracker.py#L121-L130
+ real_instance_claim =\
+ nova.compute.resource_tracker.ResourceTracker.instance_claim
+
+ def fake_instance_claim(_self, *args, **kwargs):
+ self.attempts += 1
+ if self.failed_host is None:
+ # Set the failed_host value to the ResourceTracker.host value.
+ self.failed_host = _self.host
+ raise exception.ComputeResourcesUnavailable(
+ reason='failure on host %s' % _self.host)
+ return real_instance_claim(_self, *args, **kwargs)
+
+ self.stub_out(
+ 'nova.compute.resource_tracker.ResourceTracker.instance_claim',
+ fake_instance_claim)
+
+ def _wait_for_instance_status(self, server_id, status):
+ timeout = 0.0
+ server = self.admin_api.get_server(server_id)
+ while server['status'] != status and timeout < 10.0:
+ time.sleep(.1)
+ timeout += .1
+ server = self.admin_api.get_server(server_id)
+ if server['status'] != status:
+ self.fail('Timed out waiting for server %s to have status: %s. '
+ 'Current status: %s. Build attempts: %s' %
+ (server_id, status, server['status'], self.attempts))
+ return server
+
+ def test_retry_build_on_compute_error(self):
+ """Tests the retry operation between compute nodes when one fails.
+
+ This tests the scenario that we have two compute services and we
+ try to build a single server. The test is setup such that the
+ scheduler picks the first host which we mock out to fail the claim.
+ This should then trigger a retry to the second host.
+ """
+ # Now that the bug is fixed, we should assert that the server goes to
+ # ACTIVE status and is on the second host after the retry operation.
+ server = dict( + name='retry-test', + imageRef=self.image_id, + flavorRef=self.flavor_id) + server = self.admin_api.post_server({'server': server}) + self.addCleanup(self.admin_api.delete_server, server['id']) + server = self._wait_for_instance_status(server['id'], 'ACTIVE') + + # Assert that the host is not the failed host. + self.assertNotEqual(self.failed_host, + server['OS-EXT-SRV-ATTR:host']) + + # Assert that we retried. + self.assertEqual(2, self.attempts) diff -Nru nova-15.0.1/nova/tests/unit/conductor/test_conductor.py nova-15.0.2/nova/tests/unit/conductor/test_conductor.py --- nova-15.0.1/nova/tests/unit/conductor/test_conductor.py 2017-03-15 11:16:59.000000000 +0000 +++ nova-15.0.2/nova/tests/unit/conductor/test_conductor.py 2017-03-22 10:16:51.000000000 +0000 @@ -1442,6 +1442,7 @@ def _build_and_run_instance(ctxt, *args, **kwargs): details['instance'] = kwargs['instance'] self.assertTrue(kwargs['instance'].id) + self.assertTrue(kwargs['filter_properties'].get('retry')) self.assertEqual(1, len(kwargs['block_device_mapping'])) # FIXME(danms): How to validate the db connection here? diff -Nru nova-15.0.1/nova/tests/unit/test_exception.py nova-15.0.2/nova/tests/unit/test_exception.py --- nova-15.0.1/nova/tests/unit/test_exception.py 2017-03-15 11:16:48.000000000 +0000 +++ nova-15.0.2/nova/tests/unit/test_exception.py 2017-03-22 10:16:39.000000000 +0000 
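Review bot: `_wait_for_instance_status` in the new test_bug_1671648.py keeps polling until its ten-second budget is exhausted even when the server has already reached a terminal `ERROR` state, which is presumably where a regression of this bug would leave it, so the test would fail slowly. Breaking out early would fail fast, e.g. `if server['status'] == 'ERROR' and status != 'ERROR': break` inside the loop. The `timeout` variable is really an elapsed-time counter that ignores time spent inside `get_server`; renaming it to `elapsed` would match what it holds. Separately, `fake_instance_claim` in `setUp` would benefit from a one-line docstring stating that it fails the first claim and delegates every later one to the real `instance_claim`.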
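Review bot: In the test_conductor.py hunk, `self.assertTrue(kwargs['filter_properties'].get('retry'))` only checks that some truthy `retry` value exists, so it says nothing about the attempt count or whether the selected host was recorded. If `populate_retry` stores a dict with `num_attempts` and `hosts` as on the `build_instances` path (to be confirmed against scheduler_utils), asserting `self.assertEqual(1, kwargs['filter_properties']['retry']['num_attempts'])` and that the hosts list is non-empty would pin both the value and the call order. The surrounding test method starts and ends outside the hunk.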
@@ -91,6 +91,7 @@ self.assertEqual(3, notification.payload['args']['extra']) for key in ['exception', 'args']: self.assertIn(key, notification.payload.keys()) + self.assertNotIn('context', notification.payload['args'].keys()) self.assertEqual(1, len(fake_notifier.VERSIONED_NOTIFICATIONS)) notification = fake_notifier.VERSIONED_NOTIFICATIONS[0] diff -Nru nova-15.0.1/nova/virt/libvirt/imagebackend.py nova-15.0.2/nova/virt/libvirt/imagebackend.py --- nova-15.0.1/nova/virt/libvirt/imagebackend.py 2017-03-15 11:16:59.000000000 +0000 +++ nova-15.0.2/nova/virt/libvirt/imagebackend.py 2017-03-22 10:16:51.000000000 +0000 @@ -1100,6 +1100,9 @@ target, out_format) + def get_model(self, connection): + return imgmodel.LocalFileImage(self.path, imgmodel.FORMAT_PLOOP) + class Backend(object): def __init__(self, use_cow): diff -Nru nova-15.0.1/nova.egg-info/pbr.json nova-15.0.2/nova.egg-info/pbr.json --- nova-15.0.1/nova.egg-info/pbr.json 2017-03-15 11:19:30.000000000 +0000 +++ nova-15.0.2/nova.egg-info/pbr.json 2017-03-22 10:19:14.000000000 +0000 @@ -1 +1 @@ -{"git_version": "7ccf8d2", "is_release": true} \ No newline at end of file +{"is_release": true, "git_version": "acb1916"} \ No newline at end of file diff -Nru nova-15.0.1/nova.egg-info/PKG-INFO nova-15.0.2/nova.egg-info/PKG-INFO --- nova-15.0.1/nova.egg-info/PKG-INFO 2017-03-15 11:19:30.000000000 +0000 +++ nova-15.0.2/nova.egg-info/PKG-INFO 2017-03-22 10:19:14.000000000 +0000 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: nova -Version: 15.0.1 +Version: 15.0.2 Summary: Cloud computing fabric controller Home-page: http://docs.openstack.org/developer/nova/ Author: OpenStack diff -Nru nova-15.0.1/nova.egg-info/SOURCES.txt nova-15.0.2/nova.egg-info/SOURCES.txt --- nova-15.0.1/nova.egg-info/SOURCES.txt 2017-03-15 11:19:32.000000000 +0000 +++ nova-15.0.2/nova.egg-info/SOURCES.txt 2017-03-22 10:19:16.000000000 +0000 
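Review bot: The new `get_model` in nova/virt/libvirt/imagebackend.py has no docstring and accepts a `connection` argument it never uses. A one-line docstring such as `"""Return a LocalFileImage model describing this Ploop image."""`, plus a comment that `connection` is unused here (presumably kept for signature parity with the other backends), would make that intentional. No test for the Ploop `get_model` appears among the test changes in this diff, so the fix for the missing method is unpinned; a unit test asserting the returned model's format is `imgmodel.FORMAT_PLOOP` would cover it. The enclosing class starts outside the hunk.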
@@ -2055,6 +2055,7 @@ nova/tests/functional/regressions/test_bug_1620248.py nova/tests/functional/regressions/test_bug_1627838.py nova/tests/functional/regressions/test_bug_1670627.py +nova/tests/functional/regressions/test_bug_1671648.py nova/tests/functional/wsgi/__init__.py nova/tests/functional/wsgi/test_attach_interfaces.py nova/tests/functional/wsgi/test_flavor_manage.py @@ -2826,6 +2827,7 @@ releasenotes/notes/bug-1661258-ee202843157f6a27.yaml releasenotes/notes/bug-1662699-06203e7262e02aa6.yaml releasenotes/notes/bug-1670522-0a9f20e05e531c7a.yaml +releasenotes/notes/bug-1673569-cve-2017-7214-2d7644b356015c93.yaml releasenotes/notes/bug-hyperv-1629040-e1eb35a7b31d9af8.yaml releasenotes/notes/cell-id-db-sync-nova-manage-8504b54dd115a2e9.yaml releasenotes/notes/cells-discover-hosts-06a3079ba687e092.yaml diff -Nru nova-15.0.1/PKG-INFO nova-15.0.2/PKG-INFO --- nova-15.0.1/PKG-INFO 2017-03-15 11:19:33.000000000 +0000 +++ nova-15.0.2/PKG-INFO 2017-03-22 10:19:17.000000000 +0000 @@ -1,6 +1,6 @@ Metadata-Version: 1.1 Name: nova -Version: 15.0.1 +Version: 15.0.2 Summary: Cloud computing fabric controller Home-page: http://docs.openstack.org/developer/nova/ Author: OpenStack diff -Nru nova-15.0.1/releasenotes/notes/bug-1673569-cve-2017-7214-2d7644b356015c93.yaml nova-15.0.2/releasenotes/notes/bug-1673569-cve-2017-7214-2d7644b356015c93.yaml --- nova-15.0.1/releasenotes/notes/bug-1673569-cve-2017-7214-2d7644b356015c93.yaml 1970-01-01 00:00:00.000000000 +0000 +++ nova-15.0.2/releasenotes/notes/bug-1673569-cve-2017-7214-2d7644b356015c93.yaml 2017-03-22 10:16:48.000000000 +0000 @@ -0,0 +1,8 @@ +--- +prelude: > + This release includes fixes for security vulnerabilities. +security: + - | + [CVE-2017-7214] Failed notification payload is dumped in logs with auth secrets + + * `Bug 1673569 `_