Bug 1446825
Summary: | OSP10 -> OSP11 upgrade: nova live migration fails before/after upgrading compute node | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Marius Cornea <mcornea> |
Component: | openstack-tripleo-heat-templates | Assignee: | Marios Andreou <mandreou> |
Status: | CLOSED ERRATA | QA Contact: | Marius Cornea <mcornea> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | 11.0 (Ocata) | CC: | aschultz, dbecker, jcoufal, lbopf, mandreou, mburns, morazi, owalsh, rhel-osp-director-maint, sasha, sclewis, sgordon, slinaber |
Target Milestone: | rc | Keywords: | TestOnly, Triaged |
Target Release: | 11.0 (Ocata) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | openstack-tripleo-heat-templates-6.0.0-10.el7ost | Doc Type: | Known Issue |
Doc Text: |
A design flaw issue was found in the Red Hat OpenStack Platform director use of TripleO to enable libvirtd based live migration. TripleO did not have support for secure live migration and no additional steps were taken to lock-down the libvirtd deployment by director. Libvirtd is deployed by default (by director) listening on 0.0.0.0 (all interfaces) with no-authentication or encryption. Anyone able to make a TCP connection to any compute host IP address, including 127.0.0.1, other loopback interface addresses or in some cases possibly addresses that have been exposed beyond the management interface, could use this to open a virsh session to the libvirtd instance and gain control of virtual machine instances or possibly take over the host.
Note that without the presence of additional flaws, this should not be accessible from tenant or external networks.
Users who are upgrading to Red Hat OpenStack Platform 11 from Red Hat OpenStack Platform 10 should first apply the relevant update that resolves this issue.
Red Hat OpenStack Platform 11 already contains this update as of general availability and no subsequent update is required.
For more information about this flaw and the accompanying resolution, see https://access.redhat.com/solutions/3022771.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-05-17 20:24:14 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Marius Cornea
2017-04-29 10:53:15 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1245 |