18686478 kstat warning every minute in nova-compute log on SPARC
19064962 power state mapping for incomplete zone is incorrect
19065445 Horizon doesn't deal well with shutdown zones
19130253 pausing/suspension "successful" in horizon, though nothing happens
19161623 problem in SERVICE/KEYSTONE
19166348 cinder & nova should default signing_dir explicitly for consistency
19166359 minor pkgfmt(1) issues with OpenStack manifests
--- a/components/openstack/cinder/files/api-paste.ini Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/cinder/files/api-paste.ini Mon Jul 07 20:35:11 2014 -0700
@@ -58,4 +58,4 @@
# signing_dir is configurable, but the default behavior of the authtoken
# middleware should be sufficient. It will create a temporary directory
# in the home directory for the user the cinder process is running as.
-#signing_dir = /var/lib/cinder/keystone-signing
+signing_dir = /var/lib/cinder/keystone-signing
--- a/components/openstack/common/openstack.p5m Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/common/openstack.p5m Mon Jul 07 20:35:11 2014 -0700
@@ -48,8 +48,8 @@
depend type=group fmri=cloud/openstack/swift
depend type=group fmri=library/python/ceilometerclient
depend type=group fmri=library/python/cinderclient
+depend type=group fmri=library/python/glanceclient
depend type=group fmri=library/python/heatclient
-depend type=group fmri=library/python/glanceclient
depend type=group fmri=library/python/keystoneclient
depend type=group fmri=library/python/neutronclient
depend type=group fmri=library/python/novaclient
--- a/components/openstack/horizon/files/overrides.py Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/horizon/files/overrides.py Mon Jul 07 20:35:11 2014 -0700
@@ -38,6 +38,8 @@
InstanceDetailTabs, LogTab, OverviewTab
from openstack_dashboard.dashboards.project.instances.workflows import \
create_instance
+from openstack_dashboard.dashboards.project.instances.workflows import \
+ update_instance
from openstack_dashboard.dashboards.project.networks.ports.tables import \
PortsTable as projectPortsTable
from openstack_dashboard.dashboards.project.networks.subnets.tables import \
@@ -53,7 +55,7 @@
from openstack_dashboard.dashboards.project.networks.workflows import \
CreateNetworkInfoAction, CreateSubnetDetailAction, CreateSubnetInfoAction
-# remove VolumeOptions and PostCreationStep from LaunchInstance
+# Remove 'PostCreationStep' from Project/Instances/Launch Instance
create_instance.LaunchInstance.default_steps = (
create_instance.SelectProjectUser,
create_instance.SetInstanceDetails,
@@ -61,59 +63,80 @@
create_instance.SetNetwork
)
-# Remove the Security Groups tab from Project/Access and Security
+# Remove 'UpdateInstanceSecurityGroups' from
+# Project/Instances/Actions/Edit Instance
+update_instance.UpdateInstance.default_steps = (
+ update_instance.UpdateInstanceInfo,
+)
+
+# Remove 'SecurityGroupsTab' tab from Project/Access & Security
AccessAndSecurityTabs.tabs = (KeypairsTab, FloatingIPsTab, APIAccessTab)
-# remove the 'Console' tab from Instance Detail
+# Remove 'ConsoleTab' tab from Project/Instances/Instance Name
InstanceDetailTabs.tabs = (OverviewTab, LogTab)
-# remove the 'Console' option in the Admin Instances pulldown by removing the
-# action for project_tables.ConsoleLink
+# Remove 'ConfirmResize', 'RevertResize', 'ConsoleLink', 'TogglePause',
+# 'ToggleSuspend', 'MigrateInstance' actions from Admin/Instances/Actions
admin_tables.AdminInstancesTable._meta.row_actions = (
- project_tables.ConfirmResize,
- project_tables.RevertResize,
admin_tables.AdminEditInstance,
project_tables.LogLink,
project_tables.CreateSnapshot,
- project_tables.TogglePause,
- project_tables.ToggleSuspend,
- admin_tables.MigrateInstance,
project_tables.SoftRebootInstance,
project_tables.RebootInstance,
project_tables.TerminateInstance
)
-# Disable 'admin_state' and 'shared' checkboxes on Create Networks
+# Remove 'ConfirmResize', 'RevertResize', 'EditInstanceSecurityGroups',
+# 'ConsoleLink', 'TogglePause', 'ToggleSuspend', 'ResizeLink',
+# 'RebuildInstance' actions from Project/Instances/Actions
+project_tables.InstancesTable._meta.row_actions = (
+ project_tables.StartInstance,
+ project_tables.CreateSnapshot,
+ project_tables.SimpleAssociateIP,
+ project_tables.AssociateIP,
+ project_tables.SimpleDisassociateIP,
+ project_tables.EditInstance,
+ project_tables.LogLink,
+ project_tables.SoftRebootInstance,
+ project_tables.RebootInstance,
+ project_tables.StopInstance,
+ project_tables.TerminateInstance
+)
+
+# Disable 'admin_state' and 'shared' checkboxes in
+# Admin/Networks/Create Network
CreateNetwork.base_fields['admin_state'].widget.attrs['disabled'] = True
CreateNetwork.base_fields['shared'].widget.attrs['disabled'] = True
-# Disable 'admin_state' checkbox on Create Port
+# Disable 'admin_state' checkbox in
+# Admin/Networks/Network Name/Create Port
CreatePort.base_fields['admin_state'].widget.attrs['disabled'] = True
-# Remove the ability to Update Ports
+# Remove 'UpdatePort' action from Admin/Networks/Network Name/Actions
PortsTable._meta.row_actions = (DeletePort,)
-# Remove the ability to Update Subnets
+# Remove 'UpdateSubnet' action from Admin/Networks/Network Name/Actions
SubnetsTable._meta.row_actions = (DeleteSubnet,)
-# Remove the ability to Edit Networks
+# Remove the 'EditNetwork' action from Admin/Networks/Actions
NetworksTable._meta.row_actions = (DeleteNetwork,)
-# Remove the ability to Update project Ports
+# Remove the 'UpdatePort' action from Project/Networks/Name/Ports/Actions
projectPortsTable._meta.row_actions = ()
-# Remove the ability to Update project Subnets
+# Remove the 'UpdateSubnet' action from
+# Project/Networks/Name/Subnets/Actions
projectSubnetsTable._meta.row_actions = (projectDeleteSubnet,)
-# Remove the ability to Edit project Networks
+# Remove the 'EditNetwork' action from Project/Networks/Actions
projectNetworksTable._meta.row_actions = (projectCreateSubnet,
projectDeleteNetwork)
-# Disable 'admin_state' checkbox on Create project Networks
+# Disable 'admin_state' checkboxes in Project/Networks/Create Network/Network
CreateNetworkInfoAction.base_fields['admin_state'].widget.attrs['disabled'] = \
True
-# Disable 'no_gateway' checkbox on Create project Networks
+# Disable 'no_gateway' checkboxes in Project/Networks/Create Network/Subnet
CreateSubnetInfoAction.base_fields['no_gateway'].widget.attrs['disabled'] = \
True
@@ -121,7 +144,8 @@
# Project/Images & Snapshots/Actions
ImagesTable._meta.row_actions = (LaunchImage, EditImage, DeleteImage,)
-# change 'allocation_pools' and 'host_routes' to readonly
+# Change 'allocation_pools' and 'host_routes' fields to read-only in
+# Project/Networks/Create Network/Subnet Detail
base_fields = CreateSubnetDetailAction.base_fields
base_fields['allocation_pools'].widget.attrs['readonly'] = 'readonly'
base_fields['host_routes'].widget.attrs['readonly'] = 'readonly'
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/keystone/patches/07-CVE-2014-3520.patch Mon Jul 07 20:35:11 2014 -0700
@@ -0,0 +1,91 @@
+This upstream patch addresses CVE-2014-3520 and is tracked under
+Launchpad bug 1331912. It is addressed in Icehouse 2014.1.2 and Havana
+2013.2.4.
+
+commit 96d9bcf230a74d6122a2b14e00ef10915c8f76e3
+Author: Jamie Lennox <[email protected]>
+Date: Thu Jun 19 14:41:22 2014 +1000
+
+ Ensure that in v2 auth tenant_id matches trust
+
+ Previously if a trustee requests a trust scoped token for a project that
+ is different to the one in the trust, however the trustor has the
+ appropriate roles then a token would be issued.
+
+ Ensure that the trust that was given matches the project that was
+ specified in the scope.
+
+ (cherry picked from commit 1556faec2f65dba60584f0a9657d5b717a6ede3a)
+
+ Closes-Bug: #1331912
+ Change-Id: I00ad783bcb93cea9e5622965f81b91c80f4570cc
+
+diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
+index 6371caf..0d97f44 100644
+--- a/keystone/tests/test_auth.py
++++ b/keystone/tests/test_auth.py
+@@ -624,13 +624,15 @@ class AuthWithTrust(AuthTest):
+ self.new_trust = self.trust_controller.create_trust(
+ context, trust=trust_data)['trust']
+
+- def build_v2_token_request(self, username, password):
++ def build_v2_token_request(self, username, password, tenant_id=None):
++ if not tenant_id:
++ tenant_id = self.tenant_bar['id']
+ body_dict = _build_user_auth(username=username, password=password)
+ self.unscoped_token = self.controller.authenticate({}, body_dict)
+ unscoped_token_id = self.unscoped_token['access']['token']['id']
+ request_body = _build_user_auth(token={'id': unscoped_token_id},
+ trust_id=self.new_trust['id'],
+- tenant_id=self.tenant_bar['id'])
++ tenant_id=tenant_id)
+ return request_body
+
+ def test_create_trust_bad_data_fails(self):
+@@ -704,6 +706,15 @@ class AuthWithTrust(AuthTest):
+ exception.Forbidden,
+ self.controller.authenticate, {}, request_body)
+
++ def test_token_from_trust_wrong_project_fails(self):
++ for assigned_role in self.assigned_roles:
++ self.assignment_api.add_role_to_user_and_project(
++ self.trustor['id'], self.tenant_baz['id'], assigned_role)
++ request_body = self.build_v2_token_request('TWO', 'two2',
++ self.tenant_baz['id'])
++ self.assertRaises(exception.Forbidden, self.controller.authenticate,
++ {}, request_body)
++
+ def fetch_v2_token_from_trust(self):
+ request_body = self.build_v2_token_request('TWO', 'two2')
+ auth_response = self.controller.authenticate({}, request_body)
+diff --git a/keystone/token/controllers.py b/keystone/token/controllers.py
+index 72486a1..de7e473 100644
+--- a/keystone/token/controllers.py
++++ b/keystone/token/controllers.py
+@@ -160,6 +160,8 @@ class Auth(controller.V2Controller):
+
+ user_ref = old_token_ref['user']
+ user_id = user_ref['id']
++ tenant_id = self._get_project_id_from_auth(auth)
++
+ if not CONF.trust.enabled and 'trust_id' in auth:
+ raise exception.Forbidden('Trusts are disabled.')
+ elif CONF.trust.enabled and 'trust_id' in auth:
+@@ -168,6 +170,9 @@ class Auth(controller.V2Controller):
+ raise exception.Forbidden()
+ if user_id != trust_ref['trustee_user_id']:
+ raise exception.Forbidden()
++ if (trust_ref['project_id'] and
++ tenant_id != trust_ref['project_id']):
++ raise exception.Forbidden()
+ if ('expires' in trust_ref) and (trust_ref['expires']):
+ expiry = trust_ref['expires']
+ if expiry < timeutils.parse_isotime(timeutils.isotime()):
+@@ -190,7 +195,6 @@ class Auth(controller.V2Controller):
+ current_user_ref = self.identity_api.get_user(user_id)
+
+ metadata_ref = {}
+- tenant_id = self._get_project_id_from_auth(auth)
+ tenant_ref, metadata_ref['roles'] = self._get_project_roles_and_ref(
+ user_id, tenant_id)
+
--- a/components/openstack/nova/files/api-paste.ini Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/nova/files/api-paste.ini Mon Jul 07 20:35:11 2014 -0700
@@ -122,6 +122,6 @@
# signing_dir is configurable, but the default behavior of the authtoken
# middleware should be sufficient. It will create a temporary directory
# in the home directory for the user the nova process is running as.
-#signing_dir = /var/lib/nova/keystone-signing
+signing_dir = /var/lib/nova/keystone-signing
# Workaround for https://bugs.launchpad.net/nova/+bug/1154809
auth_version = v2.0
--- a/components/openstack/nova/files/solariszones/driver.py Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/nova/files/solariszones/driver.py Mon Jul 07 20:35:11 2014 -0700
@@ -95,7 +95,7 @@
# Mapping between zone state and Nova power_state.
SOLARISZONES_POWER_STATE = {
ZONE_STATE_CONFIGURED: power_state.NOSTATE,
- ZONE_STATE_INCOMPLETE: power_state.BUILDING,
+ ZONE_STATE_INCOMPLETE: power_state.NOSTATE,
ZONE_STATE_UNAVAILABLE: power_state.NOSTATE,
ZONE_STATE_INSTALLED: power_state.SHUTDOWN,
ZONE_STATE_READY: power_state.RUNNING,
@@ -498,9 +498,9 @@
kstat_object = self._rad_instance.get_object(
kstat.Kstat(), rad.client.ADRGlobPattern(pattern))
except Exception as reason:
- LOG.warning(_("Unable to retrieve kstat object '%s:%s:%s' of "
- "class '%s' via kstat(3RAD): %s")
- % (module, instance, name, kstat_class, reason))
+ LOG.info(_("Unable to retrieve kstat object '%s:%s:%s' of class "
+ "'%s' via kstat(3RAD): %s")
+ % (module, instance, name, kstat_class, reason))
return None
kstat_data = {}
@@ -727,7 +727,8 @@
LOG.error(_("Cannot attach Fibre Channel volume '%s' because "
"no Fibre Channel HBA initiators were found")
% (target_wwn))
- raise exception.InvalidVolume(reason="No host FC initiator")
+ raise exception.InvalidVolume(
+ reason="No host Fibre Channel initiator found")
target_lun = data['target_lun']
# If the volume was exported just a few seconds previously then
@@ -1404,6 +1405,10 @@
if zone is None:
raise exception.InstanceNotFound(instance_id=name)
+ if self._get_state(zone) == power_state.SHUTDOWN:
+ self._power_on(instance)
+ return
+
try:
if reboot_type == 'SOFT':
zone.shutdown(['-r'])
--- a/components/openstack/swift/swift.p5m Mon Jul 07 20:22:27 2014 -0700
+++ b/components/openstack/swift/swift.p5m Mon Jul 07 20:35:11 2014 -0700
@@ -24,7 +24,6 @@
#
<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
-
set name=pkg.fmri \
value=pkg:/cloud/openstack/swift@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
set name=pkg.summary value="OpenStack Swift"
@@ -71,7 +70,6 @@
file path=etc/swift/swift-bench.conf
file path=etc/swift/swift.conf
<transform file path=lib/svc/.*/([^/]*) -> set action.hash files/%<1>>
-<transform file path=lib/svc/method/swift-proxy-server -> set action.hash files/swift-smf-method>
file path=lib/svc/manifest/application/openstack/swift-account-auditor.xml
file path=lib/svc/manifest/application/openstack/swift-account-reaper.xml
file path=lib/svc/manifest/application/openstack/swift-account-replicator.xml
@@ -89,6 +87,7 @@
file path=lib/svc/manifest/application/openstack/swift-proxy-server.xml
file path=lib/svc/manifest/application/openstack/swift-replicator-rsync.xml
<transform hardlink path=lib/svc/method -> default target swift-proxy-server>
+<transform file path=lib/svc/method/swift-proxy-server -> set action.hash files/swift-smf-method>
hardlink path=lib/svc/method/swift-account-auditor
hardlink path=lib/svc/method/swift-account-reaper
hardlink path=lib/svc/method/swift-account-replicator