Description of problem
----------------------

This new oslo.concurrency release has infrastructure to fix this downstream CVE issue:

https://bugzilla.redhat.com/show_bug.cgi?id=1267576

The upstream Nova stable/liberty change backport is in progress:

https://review.openstack.org/#/c/327624/ virt: set address space & CPU time limits when running qemu-img

This is the oslo.concurrency release that has the necessary fixes:

-----------------------------------------------------------------------
https://review.openstack.org/#/c/332742/ -- oslo.concurrency 2.6.1 for Liberty

commit c5245bd2ecc479c3b4fbc3e7a0b972702a0f2b2b
Author: Victor Stinner <vstinner>
Date:   Wed Jun 22 12:39:52 2016 +0200

    oslo.concurrency 2.6.1 for Liberty

    The main change is the addition of a new prlimit parameter to
    processutils. This change is needed by the Nova change
    I135b5242af1bfdcb0ea09a6fcda21fc03a6fbe7d in Liberty to fix a security
    vulnerability: "qemu-img calls need to be restricted by ulimit
    (CVE-2015-5162)" (see related bug).

    $ git log efb6c0..d65d93 --oneline
    d65d931 processutils: add support for missing process limits
    e33f64f Add prlimit parameter to execute()
    306cf37 Updated from global requirements
    d0de35f Updated from global requirements
    725e2f4 Updated from global requirements
    d65a8b8 Update .gitreview for stable/liberty

    Change-Id: If6541215438f92139a9ced2cbf5b2bd4cfe41546
    Related-Bug: #1449062
-----------------------------------------------------------------------
The upstream change is stuck: https://review.openstack.org/#/c/327624/

* It was decided to require the newer oslo.concurrency release
* Upgrading oslo.concurrency in global requirements was rejected:
  https://review.openstack.org/#/c/337277/ (-2 vote)

In RHOS, we have more freedom to upgrade components, but what is the status of the Nova backport downstream? I don't see much activity on this issue :-/

Is this issue (update oslo.concurrency in RHOS 8) still needed?
(In reply to Victor Stinner from comment #2)
> The upstream change is stuck: https://review.openstack.org/#/c/327624/
>
> * It was decided to require the newer oslo.concurrency release
> * Upgrading oslo.concurrency in global requirements was rejected:
>   https://review.openstack.org/#/c/337277/ (-2 vote)

The above is now abandoned (in favor of the Nova backport) after some discussion upstream:

http://lists.openstack.org/pipermail/openstack-dev/2016-September/104345.html

We went with the solution to backport the CVE fix to the stable/liberty branch of Nova, which also adds a check for the presence of the 'ProcessLimits' attribute (which is only present in oslo.concurrency>=2.6.1) and a conditional check for the 'prlimit' parameter in the qemu_img_info() method:

http://git.openstack.org/cgit/openstack/nova/commit/?h=stable/liberty&id=6bc37dc

> In RHOS, we have more freedom to upgrade components, but what is the status
> of the Nova backport downstream? I don't see much activity on this issue :-/
> Is this issue (update oslo.concurrency in RHOS 8) still needed?

Given my above comment, this (update oslo.concurrency in RHOS 8) is not needed any more, given that the issue is fixed in Nova itself for stable/liberty.

Thanks for checking, Victor.
(In reply to Kashyap Chamarthy from comment #3)
> (In reply to Victor Stinner from comment #2)
> > The upstream change is stuck: https://review.openstack.org/#/c/327624/
> >
> > * It was decided to require the newer oslo.concurrency release
> > * Upgrading oslo.concurrency in global requirements was rejected:
> >   https://review.openstack.org/#/c/337277/ (-2 vote)
>
> The above is now abandoned (in favor of the Nova backport) after some
> discussion upstream:
>
> http://lists.openstack.org/pipermail/openstack-dev/2016-September/104345.html
>
> We went with the solution to backport the CVE fix, to stable/liberty branch
> of Nova, that also adds a check for the presence of 'ProcessLimits'
> attribute (which is only present in oslo.concurrency>=2.6.1; and a
> conditional check for 'prlimit' parameter in qemu_img_info() method:
>
> http://git.openstack.org/cgit/openstack/nova/commit/?h=stable/liberty&id=6bc37dc
>
> > In RHOS, we have more freedom to upgrade components, but what is the status
> > of the Nova backport downstream? I don't see much activity on this issue :-/
> > Is this issue (update oslo.concurrency in RHOS 8) still needed?
>
> Given my above comment, this (update oslo.concurrency in RHOS 8) is not
> needed any more given that the issue is fixed in Nova itself, for
> stable/liberty

Wait, I'm wrong. Spoke too soon. The above Git commit I pointed out works if oslo.concurrency 2.6.1 is present; if not, it will log an error:

    LOG.error(_LE('Please upgrade to oslo.concurrency version '
                  '2.6.1 -- this version has fixes for the '
                  'vulnerability CVE-2015-5162.'))

So, we still need oslo.concurrency 2.6.1 for the Nova fix to take effect.
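For readers following the thread, here is an added example (not code from oslo.concurrency, Nova or this bug) of the two mechanisms the comments above describe: running a child process with address-space and CPU-time limits, as the oslo.concurrency 2.6.1 prlimit parameter lets Nova do for qemu-img, and the hasattr-style feature check the Nova backport uses to tell whether the installed oslo.concurrency exposes ProcessLimits. It assumes Linux and reimplements the limits directly with resource.setrlimit in a preexec_fn rather than going through oslo's prlimit helper process; the function names, the 1 GiB cap and the Python one-liners used as stand-ins for qemu-img are all constructed for the demo.

```python
import resource
import signal
import subprocess
import sys

ONE_GIB = 1024 ** 3  # constructed cap for the demo, not a value from the bug


def _make_preexec(address_space, cpu_time):
    """Return the hook the child runs between fork() and exec().

    Limits set here are inherited by the exec'd program (qemu-img in Nova's
    case), so an image that makes it balloon or spin is contained to the child.
    """
    def preexec():
        if address_space is not None:
            # RLIMIT_AS caps virtual memory: an mmap/brk that would exceed it
            # fails with ENOMEM instead of consuming the host's memory.
            resource.setrlimit(resource.RLIMIT_AS, (address_space, address_space))
        if cpu_time is not None:
            # Soft limit delivers SIGXCPU after cpu_time CPU seconds; the hard
            # limit one second later is a SIGKILL backstop if SIGXCPU is ignored.
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_time, cpu_time + 1))
    return preexec


def execute_limited(cmd, address_space=None, cpu_time=None, timeout=60):
    """Run cmd (an argv list, no shell) under the given limits.

    Returns (returncode, stdout, stderr); a negative returncode is the signal
    number that killed the child. preexec_fn is not safe in multi-threaded
    programs, which is one reason oslo.concurrency spawns a separate helper
    process instead; the simpler form is kept here for clarity.
    """
    proc = subprocess.Popen(
        cmd,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        preexec_fn=_make_preexec(address_space, cpu_time),
    )
    out, err = proc.communicate(timeout=timeout)
    return proc.returncode, out.decode("utf-8", "replace"), err.decode("utf-8", "replace")


def supports_prlimit(processutils_module):
    """Feature check of the kind the Nova backport performs: only
    oslo.concurrency >= 2.6.1 exposes ProcessLimits, so a caller can decide
    whether to pass prlimit= or log the upgrade error quoted above instead."""
    return hasattr(processutils_module, "ProcessLimits")


def demo_memory_cap():
    """Child asks for 4 GiB while capped at 1 GiB of address space."""
    return execute_limited(
        [sys.executable, "-c", "bytearray(4 * 1024 ** 3)"],
        address_space=ONE_GIB,
    )


def demo_cpu_cap():
    """A busy loop standing in for a runaway child, capped at 1 CPU second."""
    return execute_limited([sys.executable, "-c", "while True: pass"], cpu_time=1)


def demo_well_behaved():
    """The same limits leave a child that stays within them untouched."""
    return execute_limited(
        [sys.executable, "-c", "print('ok')"], address_space=ONE_GIB, cpu_time=1
    )


if __name__ == "__main__":
    for name, fn in (("memory", demo_memory_cap), ("cpu", demo_cpu_cap),
                     ("ok", demo_well_behaved)):
        rc, out, err = fn()
        how = signal.Signals(-rc).name if rc < 0 else f"exit {rc}"
        last_err = err.strip().splitlines()[-1] if err.strip() else ""
        print(f"{name}: {how}; stdout={out.strip()!r}; stderr tail={last_err!r}")
```

Running it shows the memory demo ending in a MemoryError inside the child, the CPU demo dying from SIGXCPU after about a second, and the well-behaved child exiting 0; the same pattern is what lets Nova keep a hostile disk image from turning qemu-img into a host-level denial of service.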
I rebased the python-oslo-concurrency package on 2.6.1: you get the package python-oslo-concurrency-2.6.1-1.el7ost.
Verified SanityOnly. Build passed E2E/HA automation run.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2712.html