| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Due to how the Linux SCSI kernel driver works there are some storage
systems, such as iSCSI with shared targets, where a normal user can
access other projects' volume data connected to the same compute host
using the attachments REST API.
This affects both single and multi-pathed connections.
To prevent users from doing this, unintentionally or maliciously,
cinder-api will now reject some delete attachment requests that are
deemed unsafe.
Cinder will process the delete attachment request normally in the
following cases:
- The request comes from an OpenStack service that is sending the
service token that has one of the roles in `service_token_roles`.
- Attachment doesn't have an instance_uuid value
- The instance for the attachment doesn't exist in Nova
- According to Nova the volume is not connected to the instance
- Nova is not using this attachment record
There are 3 operations in the actions REST API endpoint that can be used
for an attack:
- `os-terminate_connection`: Terminate volume attachment
- `os-detach`: Detach a volume
- `os-force_detach`: Force detach a volume
In this endpoint we just won't allow most requests not coming from a
service. The rules we apply are the same as for attachment delete
explained earlier, but in this case we may not have the attachment id
and be more restrictive. This should not be a problem for normal
operations because:
- Cinder backup doesn't use the REST API but RPC calls via RabbitMQ
- Glance doesn't use this interface anymore
Checking whether it's a service or not is done at the cinder-api level
by checking that the service user that made the call has at least one of
the roles in the `service_token_roles` configuration. These roles are
retrieved from keystone by the keystone middleware using the value of
the "X-Service-Token" header.
If Cinder is configured with `service_token_roles_required = true` and
an attacker provides non-service valid credentials the service will
return a 401 error, otherwise it'll return 409 as if a normal user had
made the call without the service token.
Closes-Bug: #2004555
Change-Id: I612905a1bf4a1706cce913c0d8a6df7a240d599a
|
| |\ \ |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I93557ac79e9cbd47da8e8f3fab16454fcdc51d3e
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
After change[1], there is only one way to create a multiattach
volume and that is using a multiattach volume type.
Our documentation mentions there are 2 ways to create multiattach
volumes which is incorrect, this patch corrects the same.
[1] https://review.opendev.org/c/openstack/cinder/+/874865
Change-Id: Icaa2f60c5af8869e481bd3b90aa4cf219f843eef
|
| |\ \ \ |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Some APIs were using odd parameter names, had different parameter names
in the interface and implementation, or were located in an odd place.
Fix all of these.
Change-Id: Ied387cefb8c22f2be129f6e469395f2f7f656a70
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
|
| |\ \ \ \
| |_|/ /
|/| | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
In recent HPE 3PAR WSAPI, observed issues with parameters
like snapCPG, localSnapCPG, etc.
Due to this, few operations (eg. create volume, create
remote copy group [RCG]) fail.
In order to work with new wsapi (of 2023), performed minor
code changes in 3par driver code.
Closes-Bug: #2015746
Change-Id: I98e021594c59dbad1723597e38aeb4c0cec6934b
|
| |\ \ \ \ |
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
A new error message has been added to the API response for the
add_pod command.
This needs to be checked for as a valid error.
Without this check the driver will fail.
Change-Id: I53d6fc94c9940b13f156772b80596c866bdf26b2
|
| |\ \ \ \ \ |
|
| | | |/ / /
| |/| | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add NVMe-TCP to the existing NVMe driver, which currently supports RoCE.
This change extends the parameter ``pure_nvme_transport`` to allow the
option ``tcp``.
Additional checks are performed on the backend to ensure that the
network ports used for connections are of the correct NVMe service
type.
Change-Id: I76166b9305f340a6e085216490d4c6bbecc7d1c1
|
| |\ \ \ \ \ |
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Add a non-voting gate job for py311 unit tests.
Related-Bug: #2000436
Depends-On: I5c1a4cd0ba0394849987203888b942169550672e
Depends-On: I471ce2887a9884a5478a303e4b4db9cf8e55b6fb
Depends-On: I4fdf57755b25bbdd19013fd3a2fd86a7d1dd29e9
Change-Id: I06741d95050b42e1801260b1b8d1806c9d3bf6c9
|
| |\ \ \ \ \ \ |
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | | |
Change-Id: I3d0adca3fe1b7bdffab342361a58f3643d969541
|
| |\ \ \ \ \ \
| |_|_|/ / /
|/| | | | | |
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This is not needed on current versions of pylint.
Change-Id: I5dacaacfd1d500b48d789fbcd417f0402c17a999
|
| |\ \ \ \ \ \ |
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Small cleanup of extra dict keys.
Change-Id: I96e7cb80da597a447140929e1c8335e78589f81c
|
| |\ \ \ \ \ \ \ |
|
| | | |_|/ / / /
| |/| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
distutils.version is deprecated and is
removed completely in Python 3.12.
Change-Id: I1b1944cb7058024fccc4863856c3eab61d56d492
|
| |\ \ \ \ \ \ \ |
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Update of our PowerMax driver documentation to include the last
version of Unisphere and PowerMaxOS that Antelope supports.
Change-Id: I77d1e8d3f60f08022722d39b8c04f8b67cfc988c
|
| |\ \ \ \ \ \ \ \ |
|
| | | |_|_|/ / / /
| |/| | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Cinder uses Nova API version 2.93 as of I8fae9e2b, which
was added in novaclient 18.2.0.
Change-Id: I62dca81dbea50f7019f4404fa4f87278e53d2744
|
| |\ \ \ \ \ \ \ \ |
|
| | | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
For more information about this automatic import see:
https://docs.openstack.org/i18n/latest/reviewing-translation-import.html
Change-Id: I8786ee0027b4de694b1bf21bd1e137e4bf51f859
|
| |\ \ \ \ \ \ \ \ \ |
|
| | | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
librbd errors when update_features is called w/
features = 0 -- when this situation would occur,
skip calling update_features.
Closes-Bug: #1997980
Change-Id: Iab6a990ce7dee2c13deb4f46aeec0f46ffb7cd62
|
| |\ \ \ \ \ \ \ \ \ \
| |_|_|_|_|/ / / / /
|/| | | | | | | | | |
|
| | | |_|_|_|_|_|/ /
| |/| | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
The migration specifies a column order of
('service_uuid', 'deleted'), make the model use the same order.
Closes-Bug: #2012289
Change-Id: I2332bf4657761076c3d72e41d089ec014e73fb52
|
| |\ \ \ \ \ \ \ \ \ |
|
| | | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
This patch adds two new FIPS enabled jobs to determine if there are any
issues when FIPS is enabled.
Because the FIPS jobs currently run on centos, code is added to the
test setup script to set up the databases correctly. Also had
to increase the swap space on the nodes; see [0] for an explanation.
[0] https://review.opendev.org/c/openstack/devstack/+/803706
Depends-On: https://review.opendev.org/c/openstack/devstack-plugin-nfs/+/847087
Depends-On: https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/847086
Change-Id: Ib85b6ecc6f1b12eb8afa866e56afbfb13aad0cba
|
| |\ \ \ \ \ \ \ \ \ \ |
|
| | | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
Consider volume and snapshots as below:
v1
|
`-- s1
|
`-- v2
|
`-- s2
User initiated deletion of snapshot s1.
It failed with some vague message.
Initially, it was suspected that ...
While copying volume v2 (sometimes an intermediate step to break
volume dependency), we send a request to clone the volume v2 to new
base volume; and the exception [1] isn't handled properly.
[1] Conflict (HTTP 409) 32 - volume has a child
However, on further investigation it was found that ...
after a new volume v2 (omv-<id>) is created and
when we try to delete old volume v2 (osv-<id>),
at this point the exception [1] is thrown as error.
This is now handled gracefully. Appropriate error is thrown
if the volume (v2) has snapshot (s2).
Co-Authored-By: raghavendrat <raghavendra-uddhav.tilay@hpe.com>
Closes-Bug: #1994521
Change-Id: I5e7fb425c92cdf8c16d5a86a58ca1a52421543d7
|
| | |_|_|_|_|_|_|_|_|/
|/| | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
Based on the python runtimes for 2023.2 [0], we should be running
functional jobs on python 3.9 and python 3.10.
This patch does not remove the ability to run the functional jobs
locally on python 3.8, as it may be useful to test changes that
are intended to be backported.
[0] https://governance.openstack.org/tc/reference/runtimes/2023.2.html
Change-Id: I5e12a7555b465a5fd8510d5a9b80d5caa30ce507
|
| |\ \ \ \ \ \ \ \ \ \
| |_|_|_|_|_|_|_|/ /
|/| | | | | | | | | |
|
| | | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
This makes these tests work in Python 3.11.
Also includes a few cleanups such as reducing storing
the driver in "self", and removal of unneeded fakes code
for rbd_iscsi_client.
Related-Bug: #2000436
Change-Id: I471ce2887a9884a5478a303e4b4db9cf8e55b6fb
|
| |\ \ \ \ \ \ \ \ \ \ |
|
| | | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
Since paramiko does not support FIPS, some deployments
may run without paramiko installed. Handle this in
ssh_utils.
(This does not handle the paramiko requirement for
drivers that import it directly.)
Change-Id: Id87876543df825f9d84938c615c5976abdebd8f4
|
| |\ \ \ \ \ \ \ \ \ \ \ |
|
| | |/ / / / / / / / / /
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
The pylint job is non-voting, but it was annoying to see it fail.
To add the insult to injury, the code was correct, but the pylint
was not smart enough. So this patch only exists to address
shortcomings of our toolchain.
Change-Id: I391e03426c42b7af122722cd851c4aa03f2dcb68
|
| |/ / / / / / / / / /
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
"targest" -> "targets"
Change-Id: Ife69605de9692bd87c6173bac3d0b458d047571f
|
| | | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
Change-Id: I0e1ce867c76fcf4fb5784550c1f1f051498176a4
Closes-Bug: 1989280
Signed-off-by: Takashi Natsume <takanattie@gmail.com>
|
| |\ \ \ \ \ \ \ \ \ \ |
|
| | | |_|_|_|_|_|/ / /
| |/| | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
Added a note to the two CI jobs that increase host memory about
a recently added devstack option [0] so that we don't forget about
it.
[0] I7b223391d3de
Change-Id: Ifb52819ddc4db22507805c77c5562ca3e3600e1a
|
| | |_|_|_|/ / / / /
|/| | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Update of our PowerFlex Documentation to add support for PowerFlex
4.0.x
Change-Id: I4cd422cae77167a1c894dfc489e28c3cda6732f4
|
| |\ \ \ \ \ \ \ \ \
| |/ / / / / / / /
|/| | | | | | | | |
|
