Merge "[stable-only][cve] Check VMDK create-type against an allowed list" into stable/victoriastable/victoria

author: Zuul <zuul@review.opendev.org> 2023-03-23 13:34:14 +0000
committer: Gerrit Code Review <review@openstack.org> 2023-03-23 13:34:14 +0000
commit: cdccf4ed2ad5d73756b76bb2740e93010f8a33af (patch)
tree: 62475989507643a42a1a1d7b401fcf704022393d /nova/conf/compute.py
parent: 898593e223ce837ffe0a4fa853677fe1d029d02e (diff)
parent: eabb16a421326388c8d53a1b6ca47d79a03e0e16 (diff)
download: nova-cdccf4ed2ad5d73756b76bb2740e93010f8a33af.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/nova/conf/compute.py b/nova/conf/compute.py
index 92b5ab7918..cdd282a862 100644
--- a/nova/conf/compute.py
+++ b/nova/conf/compute.py
@@ -986,6 +986,15 @@ Additional documentation is available here:
   https://docs.openstack.org/nova/latest/admin/managing-resource-providers.html
 
 """),
+    cfg.ListOpt('vmdk_allowed_types',
+                default=['streamOptimized', 'monolithicSparse'],
+                help="""
+A list of strings describing allowed VMDK "create-type" subformats
+that will be allowed. This is recommended to only include
+single-file-with-sparse-header variants to avoid potential host file
+exposure due to processing named extents. If this list is empty, then no
+form of VMDK image will be allowed.
+"""),
 ]
 
 interval_opts = [
author	Zuul <zuul@review.opendev.org>	2023-03-23 13:34:14 +0000
committer	Gerrit Code Review <review@openstack.org>	2023-03-23 13:34:14 +0000
commit	cdccf4ed2ad5d73756b76bb2740e93010f8a33af (patch)
tree	62475989507643a42a1a1d7b401fcf704022393d /nova/conf/compute.py
parent	898593e223ce837ffe0a4fa853677fe1d029d02e (diff)
parent	eabb16a421326388c8d53a1b6ca47d79a03e0e16 (diff)
download	nova-cdccf4ed2ad5d73756b76bb2740e93010f8a33af.tar.gz