components/openstack/nova/patches/04-CVE-2013-4497.patch
author Drew Fisher <drew.fisher@oracle.com>
Mon, 31 Mar 2014 16:44:02 -0700
branch s11-update
changeset 3028 5e73a3a3f66a
permissions -rw-r--r--
PSARC/2013/350 OpenStack for Solaris (Umbrella) PSARC/2014/007 OpenStack client API components for Grizzly PSARC/2014/048 OpenStack Keystone (OpenStack Identity Service) PSARC/2014/049 OpenStack Nova (OpenStack Compute Service) PSARC/2014/054 OpenStack Cinder (OpenStack Block Storage Service) PSARC/2014/055 OpenStack Glance (OpenStack Image Service) PSARC/2014/058 OpenStack Horizon (OpenStack Dashboard) PSARC/2014/059 OpenStack Neutron (OpenStack Networking Service) 17531161 greenlet doesn't build with gcc 4.7.X 18143276 greenlet can crash with register window corruption on MP SPARC 18290089 integrate cinderclient 18290097 integrate glanceclient 18290102 integrate keystoneclient 18290109 integrate neutronclient 18290113 integrate novaclient 18290119 integrate swiftclient 18290125 integrate quantumclient 18307582 Request to integrate Cinder into userland 18307595 Request to integrate Glance into userland 18307626 Request to integrate Horizon into userland 18307641 Request to integrate Keystone into userland 18307650 Request to integrate Neutron into userland 18307659 Request to integrate Nova into userland 18321909 a few Python packages deliver both po and mo files 18362900 Dnsmasq's SMF method_credential is missing a privilege 18363793 Dnsmasq should use SIOCSXARP ioctl

Upstream patch; fixed in Grizzly 2013.1.5 and Havana 2013.2.

commit df2ea2e3acdede21b40d47b7adbeac04213d031b
Author: John Garbutt <[email protected]>
Date:   Thu Sep 12 18:11:49 2013 +0100

    xenapi: enforce filters after live-migration
    
    Currently all network filters, including security groups, are
    lost after a server has been live-migrated.
    
    This partially fixes the issue by ensuring that security groups are
    re-applied to the VM once it reached the destination, and been started.
    
    This leaves a small amount of time during the live-migrate where the VM
    is not protected. There is a further bug raised to close the rest of
    this whole, but this helps keep the VM protected for the majority of the
    time.
    
    Fixes bug 1202266
    
    (Cherry picked from commit: 5cced7a6dd32d231c606e25dbf762d199bf9cca7)
    
    Change-Id: I66bc7af1c6da74e18dce47180af0cb6020ba2c1a

diff --git a/nova/tests/test_xenapi.py b/nova/tests/test_xenapi.py
index f7fb81d..d4c19a4 100644
--- a/nova/tests/test_xenapi.py
+++ b/nova/tests/test_xenapi.py
@@ -2723,7 +2723,27 @@ class XenAPILiveMigrateTestCase(stubs.XenAPITestBase):
         # ensure method is present
         stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
         self.conn = xenapi_conn.XenAPIDriver(fake.FakeVirtAPI(), False)
-        self.conn.post_live_migration_at_destination(None, None, None, None)
+
+        fake_instance = "instance"
+        fake_network_info = "network_info"
+
+        def fake_fw(instance, network_info):
+            self.assertEquals(instance, fake_instance)
+            self.assertEquals(network_info, fake_network_info)
+            fake_fw.called += 1
+
+        fake_fw.called = 0
+        _vmops = self.conn._vmops
+        self.stubs.Set(_vmops.firewall_driver,
+                       'setup_basic_filtering', fake_fw)
+        self.stubs.Set(_vmops.firewall_driver,
+                       'prepare_instance_filter', fake_fw)
+        self.stubs.Set(_vmops.firewall_driver,
+                       'apply_instance_filter', fake_fw)
+
+        self.conn.post_live_migration_at_destination(None, fake_instance,
+                                                     fake_network_info, None)
+        self.assertEqual(fake_fw.called, 3)
 
     def test_check_can_live_migrate_destination_with_block_migration(self):
         stubs.stubout_session(self.stubs, stubs.FakeSessionForVMTests)
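Review bot: The single shared `fake_fw` and the final `self.assertEqual(fake_fw.called, 3)` only prove that three calls happened; they cannot tell that `prepare_instance_filter` ran before `apply_instance_filter`, nor that each hook was hit exactly once, which is the ordering the vmops FIXME depends on for the VM to end up filtered. Recording the method name per call and asserting the exact sequence pins the contract, and a second case where `setup_basic_filtering` raises NotImplementedError would cover the swallowed-exception branch the production code adds. The hunk also mixes `assertEquals` (deprecated alias) with `assertEqual`; use `assertEqual` throughout. The enclosing test method's `def` line is above the hunk.
```python
        calls = []

        def make_fake(name):
            def fake_fw(instance, network_info):
                self.assertEqual(instance, fake_instance)
                self.assertEqual(network_info, fake_network_info)
                calls.append(name)
            return fake_fw

        _vmops = self.conn._vmops
        for name in ('setup_basic_filtering', 'prepare_instance_filter',
                     'apply_instance_filter'):
            self.stubs.Set(_vmops.firewall_driver, name, make_fake(name))

        # … unchanged: call to post_live_migration_at_destination …
        self.assertEqual(calls, ['setup_basic_filtering',
                                 'prepare_instance_filter',
                                 'apply_instance_filter'])
```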
diff --git a/nova/virt/xenapi/driver.py b/nova/virt/xenapi/driver.py
index 128f67f..564c587 100755
--- a/nova/virt/xenapi/driver.py
+++ b/nova/virt/xenapi/driver.py
@@ -1,4 +1,3 @@
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
 
 # Copyright (c) 2010 Citrix Systems, Inc.
 # Copyright 2010 OpenStack Foundation
@@ -514,7 +513,8 @@ class XenAPIDriver(driver.ComputeDriver):
         :params : block_migration: if true, post operation of block_migraiton.
         """
         # TODO(JohnGarbutt) look at moving/downloading ramdisk and kernel
-        pass
+        self._vmops.post_live_migration_at_destination(ctxt, instance_ref,
+                network_info, block_device_info, block_device_info)
 
     def unfilter_instance(self, instance_ref, network_info):
         """Removes security groups configured for an instance."""
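Review bot: The new call passes `block_device_info` twice, so the vmops method's `block_migration` parameter receives the block device mapping instead of the boolean; the docstring at the top of the hunk names the driver parameter `block_migration`, and the method signature itself is above the hunk. This is harmless today only because the vmops implementation reads neither argument, and it will silently misbehave the moment one of them is used. Change the call to `self._vmops.post_live_migration_at_destination(ctxt, instance_ref, network_info, block_migration, block_device_info)`; the continuation indent also should align under the opening parenthesis per the surrounding code.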
diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
index eccf3e0..ae5c697 100644
--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -1737,6 +1737,24 @@ class VMOps(object):
                 recover_method(context, instance, destination_hostname,
                                block_migration)
 
+    def post_live_migration_at_destination(self, context, instance,
+                                           network_info, block_migration,
+                                           block_device_info):
+        # FIXME(johngarbutt): we should block all traffic until we have
+        # applied security groups, however this requires changes to XenServer
+        try:
+            self.firewall_driver.setup_basic_filtering(
+                    instance, network_info)
+        except NotImplementedError:
+            # NOTE(salvatore-orlando): setup_basic_filtering might be
+            # empty or not implemented at all, as basic filter could
+            # be implemented with VIF rules created by xapi plugin
+            pass
+
+        self.firewall_driver.prepare_instance_filter(instance,
+                                                     network_info)
+        self.firewall_driver.apply_instance_filter(instance, network_info)
+
     def get_per_instance_usage(self):
         """Get usage info about each active instance."""
         usage = {}
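Review bot: The new `post_live_migration_at_destination` has no docstring, and `block_migration` and `block_device_info` are accepted but never read, which a maintainer will otherwise read as an oversight rather than signature parity with the driver. I would add a docstring stating that the method re-applies the firewall driver's basic, instance-specific and security-group filtering after the migrated VM is already running on this host, that the two trailing parameters exist only to match the driver-level call, and that an exception from `prepare_instance_filter` or `apply_instance_filter` propagates while the VM keeps running unfiltered — the FIXME covers the intended ordering but not this failure case. A short note that this mirrors the sequence used in `spawn` would also help the next reader see why only NotImplementedError is tolerated.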
commit 01de658210fd65171bfbf5450c93673b5ce0bd9e
Author: John Garbutt <[email protected]>
Date:   Mon Oct 21 19:34:43 2013 +0100

    xenapi: apply firewall rules in finish_migrate
    
    When security groups were added, the rules were not re-applied to
    servers that have been migrated to a new hypervisor.
    
    This change ensures the firewall rules are applied as part of creating
    the new VM in finish_migrate. This code follows a very similar pattern
    to the code in spawn, and that is where the cut and paste code comes
    from. This code duplication was removed in Havana.
    
    Fixes bug 1073306
    
    Change-Id: I6295a782df328a759e358fb82b76dd3f7bd4b39e

diff --git a/nova/virt/xenapi/vmops.py b/nova/virt/xenapi/vmops.py
index eccf3e0..7a96ac2 100644
--- a/nova/virt/xenapi/vmops.py
+++ b/nova/virt/xenapi/vmops.py
@@ -277,8 +277,23 @@ class VMOps(object):
 
         self._attach_mapped_block_devices(instance, block_device_info)
 
+        try:
+            self.firewall_driver.setup_basic_filtering(
+                    instance, network_info)
+        except NotImplementedError:
+            # NOTE(salvatore-orlando): setup_basic_filtering might be
+            # empty or not implemented at all, as basic filter could
+            # be implemented with VIF rules created by xapi plugin
+            pass
+
+        self.firewall_driver.prepare_instance_filter(instance,
+                                                     network_info)
+
         # 5. Start VM
         self._start(instance, vm_ref=vm_ref)
+
+        self.firewall_driver.apply_instance_filter(instance, network_info)
+
         self._update_instance_progress(context, instance,
                                        step=5,
                                        total_steps=RESIZE_TOTAL_STEPS)
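Review bot: The try/except around `setup_basic_filtering` followed by `prepare_instance_filter` is now the same nine lines in `finish_migrate`, in `spawn` (per the commit message) and in the `post_live_migration_at_destination` added by the companion patch, so the three copies can drift — for example one gaining a log line on the NotImplementedError branch and the others not. A small private helper keeps the pre-start filtering identical across the three paths and gives the swallowed exception one documented home; `apply_instance_filter` stays at each call site since it must follow `_start`. The enclosing `finish_migrate` begins before this hunk and continues after it.
```python
    def _prepare_instance_filters(self, instance, network_info):
        """Install basic and instance-specific filter rules before the VM starts.

        setup_basic_filtering may be unimplemented when basic filtering is
        provided by VIF rules created by the xapi plugin; that case is
        tolerated, any other error propagates.
        """
        try:
            self.firewall_driver.setup_basic_filtering(instance, network_info)
        except NotImplementedError:
            pass
        self.firewall_driver.prepare_instance_filter(instance, network_info)

        # … in finish_migrate, replacing the added try/except block:
        self._prepare_instance_filters(instance, network_info)
```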