---
upgrade:
  - |
    Be sure to read the **Security** release notes about upgrade impacts for
    resolving bug 1552042.
security:
  - |
    When using the *libvirt* compute driver, the **libguestfs** package is now
    **required** for file injection, if you are supporting that in your cloud
    (see the ``[libvirt]/inject_partition`` config option).
    Previously, if the libguestfs package was not installed, the nova-compute
    service would fall back to mounting to the local compute host file system,
    which is a security exposure. This has been discussed for years in several
    forums:

    * http://lists.openstack.org/pipermail/openstack-dev/2014-September/046764.html
    * http://lists.openstack.org/pipermail/openstack-dev/2016-July/098703.html
    * http://lists.openstack.org/pipermail/openstack-dev/2016-November/107233.html

    Furthermore, the `2.57 compute REST API microversion`_ deprecated the use
    of personality files for file injection. For more history on deprecating
    file injection, see the `spec`__.

    There are some known caveats with this:

    * If running on s390x, you will need libguestfs >= 1.37.14.
    * At this time, FreeBSD does not have a libguestfs package, therefore
      file injection cannot be supported with the libvirt driver on a FreeBSD
      compute host.
    * ``[libvirt]/virt_type`` config option values other than ``kvm`` or
      ``qemu`` may be impacted, like ``lxc``, where libguestfs was not
      previously required.

    For more background on this change, see
    https://bugs.launchpad.net/nova/+bug/1552042.

    .. _2.57 compute REST API microversion: https://docs.openstack.org/nova/latest/reference/api-microversion-history.html#id51
    .. __: https://specs.openstack.org/openstack/nova-specs/specs/queens/implemented/deprecate-file-injection.html
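A pre-upgrade check for the change described in the security note above, as an added example that is not part of the release note or of nova. The function names and the sample config are hypothetical, and it assumes ``inject_partition = -2`` means file injection is disabled and that ``virt_type`` defaults to ``kvm`` when unset.

```python
import configparser

# Hypothetical helper, not nova code. Option names and the kvm/qemu values come
# from the release note; treating inject_partition = -2 as "file injection
# disabled" and virt_type defaulting to kvm are assumptions.
INJECTION_DISABLED = -2


def guestfs_available():
    """True if the libguestfs Python bindings can be imported on this host."""
    try:
        import guestfs  # noqa: F401
        return True
    except ImportError:
        return False


def check_file_injection(conf_text, have_guestfs):
    """Return a list of findings for one nova.conf, passed in as text."""
    # strict=False tolerates repeated options; no interpolation of '%' values.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    partition = cp.getint("libvirt", "inject_partition", fallback=INJECTION_DISABLED)
    virt_type = cp.get("libvirt", "virt_type", fallback="kvm")
    if partition == INJECTION_DISABLED:
        return []  # file injection not in use, nothing to check
    findings = []
    if not have_guestfs:
        findings.append("inject_partition=%d but libguestfs is not installed" % partition)
    if virt_type not in ("kvm", "qemu"):
        findings.append("virt_type=%s did not previously require libguestfs" % virt_type)
    return findings


# Constructed sample config, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
debug = false
[libvirt]
virt_type = lxc
inject_partition = -1
"""

if __name__ == "__main__":
    for finding in check_file_injection(SAMPLE_CONF, guestfs_available()):
        print("WARNING:", finding)
```

Run it on each compute host before upgrading, feeding it the contents of that host's nova.conf instead of the sample.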