--- a/components/openstack/nova/patches/04-CVE-2013-4497.patch Tue Jun 10 14:07:48 2014 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,152 +0,0 @@
-Upstream patch fixed in Grizzly 2013.1.5, Havana 2013.2
-
-commit df2ea2e3acdede21b40d47b7adbeac04213d031b
-Author: John Garbutt <[email protected]>
-Date: Thu Sep 12 18:11:49 2013 +0100
-
- xenapi: enforce filters after live-migration
-
- Currently and network filters, including security groups, are
- lost after a server has been live-migrated.
-
- This partially fixes the issue by ensuring that security groups are
- re-applied to the VM once it reached the destination, and been started.
-
- This leaves a small amount of time during the live-migrate where the VM
- is not protected. There is a further bug raised to close the rest of
- this whole, but this helps keep the VM protected for the majority of the
- time.
-
- Fixes bug 1202266
-
- (Cherry picked from commit: 5cced7a6dd32d231c606e25dbf762d199bf9cca7)
-
- Change-Id: I66bc7af1c6da74e18dce47180af0cb6020ba2c1a
-
-diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
-index f7fb81d..d4c19a4 100644
---- a/nova/tests/test_xenapi.py
-+++ b/nova/tests/test_xenapi.py
-@@ -2723,7 +2723,27 @@ class XenAPILiveMigrateTestCase(stubs.XenAPITestBase):
- # ensure method is present
- stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
- self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False)
-- self.conn.post_live_migration_at_destination(None, None, None, None)
-+
-+ fake_instance = "instance"
-+ fake_network_info = "network_info"
-+
-+ def fake_fw(instance, network_info):
-+ self.assertEquals(instance, fake_instance)
-+ self.assertEquals(network_info, fake_network_info)
-+ fake_fw.called += 1
-+
-+ fake_fw.called = 0
-+ _vmops = self.conn._vmops
-+ self.stubs.Set(_vmops.firewall_driver,
-+ 'setup_basic_filtering', fake_fw)
-+ self.stubs.Set(_vmops.firewall_driver,
-+ 'prepare_instance_filter', fake_fw)
-+ self.stubs.Set(_vmops.firewall_driver,
-+ 'apply_instance_filter', fake_fw)
-+
-+ self.conn.post_live_migration_at_destination(None, fake_instance,
-+ fake_network_info, None)
-+ self.assertEqual(fake_fw.called, 3)
-
- def test_check_can_live_migrate_destination_with_block_migration(self):
- stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
-diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py
-index 128f67f..564c587 100755
---- a/nova/virt/xenapi/driver.py
-+++ b/nova/virt/xenapi/driver.py
-@@ -1,4 +1,3 @@
--# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
- # Copyright (c) 2010 Citrix Systems, Inc.
- # Copyright 2010 OpenStack Foundation
-@@ -514,7 +513,8 @@ class XenAPIDriver(driver.ComputeDriver):
- :params : block_migration: if true, post operation of block_migraiton.
- """
- # TODO(JohnGarbutt) look at moving/downloading ramdisk and kernel
-- pass
-+ self._vmops.post_live_migration_at_destination(ctxt, instance_ref,
-+ network_info, block_device_info, block_device_info)
-
- def unfilter_instance(self, instance_ref, network_info):
- """Removes security groups configured for an instance."""
-diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
-index eccf3e0..ae5c697 100644
---- a/nova/virt/xenapi/vmops.py
-+++ b/nova/virt/xenapi/vmops.py
-@@ -1737,6 +1737,24 @@ class VMOps(object):
- recover_method(context, instance, destination_hostname,
- block_migration)
-
-+ def post_live_migration_at_destination(self, context, instance,
-+ network_info, block_migration,
-+ block_device_info):
-+ # FIXME(johngarbutt): we should block all traffic until we have
-+ # applied security groups, however this requires changes to XenServer
-+ try:
-+ self.firewall_driver.setup_basic_filtering(
-+ instance, network_info)
-+ except NotImplementedError:
-+ # NOTE(salvatore-orlando): setup_basic_filtering might be
-+ # empty or not implemented at all, as basic filter could
-+ # be implemented with VIF rules created by xapi plugin
-+ pass
-+
-+ self.firewall_driver.prepare_instance_filter(instance,
-+ network_info)
-+ self.firewall_driver.apply_instance_filter(instance, network_info)
-+
- def get_per_instance_usage(self):
- """Get usage info about each active instance."""
- usage = {}
-commit 01de658210fd65171bfbf5450c93673b5ce0bd9e
-Author: John Garbutt <[email protected]>
-Date: Mon Oct 21 19:34:43 2013 +0100
-
- xenapi: apply firewall rules in finish_migrate
-
- When security groups were added, the rules were not re-applied to
- servers that have been migrated to a new hypervisor.
-
- This change ensures the firewall rules are applied as part of creating
- the new VM in finish_migrate. This code follows a very similar pattern
- to the code in spawn, and that is where the cut and paste code comes
- from. This code duplication was removed in Havana.
-
- Fixes bug 1073306
-
- Change-Id: I6295a782df328a759e358fb82b76dd3f7bd4b39e
-
-diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
-index eccf3e0..7a96ac2 100644
---- a/nova/virt/xenapi/vmops.py
-+++ b/nova/virt/xenapi/vmops.py
-@@ -277,8 +277,23 @@ class VMOps(object):
-
- self._attach_mapped_block_devices(instance, block_device_info)
-
-+ try:
-+ self.firewall_driver.setup_basic_filtering(
-+ instance, network_info)
-+ except NotImplementedError:
-+ # NOTE(salvatore-orlando): setup_basic_filtering might be
-+ # empty or not implemented at all, as basic filter could
-+ # be implemented with VIF rules created by xapi plugin
-+ pass
-+
-+ self.firewall_driver.prepare_instance_filter(instance,
-+ network_info)
-+
- # 5. Start VM
- self._start(instance, vm_ref=vm_ref)
-+
-+ self.firewall_driver.apply_instance_filter(instance, network_info)
-+
- self._update_instance_progress(context, instance,
- step=5,
- total_steps=RESIZE_TOTAL_STEPS)