* [gentoo-commits] repo/gentoo:master commit in: sys-cluster/nova/, sys-cluster/nova/files/
@ 2015-08-18 22:29 Matt Thode
From: Matt Thode @ 2015-08-18 22:29 UTC (permalink / raw
  To: gentoo-commits

commit:     87376f9158f69b70b13bc15e728f2e087daa87fe
Author:     Matthew Thode <mthode <AT> mthode <DOT> org>
AuthorDate: Tue Aug 18 22:23:55 2015 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Tue Aug 18 22:26:21 2015 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=87376f91

sys-cluster/nova: fixing CVE-2015-3241

Signed-off-by: Matthew Thode <mthode <AT> mthode.org>

 sys-cluster/nova/files/CVE-2015-3241-kilo.patch    | 351 +++++++++++++++++++++
 ...-2015.1.1-r1.ebuild => nova-2015.1.1-r2.ebuild} |   4 +-
 2 files changed, 354 insertions(+), 1 deletion(-)

diff --git a/sys-cluster/nova/files/CVE-2015-3241-kilo.patch b/sys-cluster/nova/files/CVE-2015-3241-kilo.patch
new file mode 100644
index 0000000..24835e0
--- /dev/null
+++ b/sys-cluster/nova/files/CVE-2015-3241-kilo.patch
@@ -0,0 +1,351 @@
+From b5020a047fc487f35b76fc05f31e52665a1afda1 Mon Sep 17 00:00:00 2001
+From: abhishekkekane <abhishek.kekane@nttdata.com>
+Date: Mon, 6 Jul 2015 01:51:26 -0700
+Subject: [PATCH] libvirt: Kill rsync/scp processes before deleting instance
+
+In the resize operation, during copying files from source to
+destination compute node scp/rsync processes are not aborted after
+the instance is deleted because linux kernel doesn't delete instance
+files physically until all processes using the file handle is closed
+completely. Hence rsync/scp process keeps on running until it
+transfers 100% of file data.
+
+Added new module instancejobtracker to libvirt driver which will add,
+remove or terminate the processes running against particular instances.
+Added callback methods to execute call which will store the pid of
+scp/rsync process in cache as a key: value pair and to remove the
+pid from the cache after process completion. Process id will be used to
+kill the process if it is running while deleting the instance. Instance
+uuid is used as a key in the cache and pid will be the value.
+
+Conflicts:
+        nova/virt/libvirt/driver.py
+
+SecurityImpact
+
+Closes-bug: #1387543
+Change-Id: Ie03acc00a7c904aec13c90ae6a53938d08e5e0c9
+(cherry picked from commit 7ab75d5b0b75fc3426323bef19bf436a258b9707)
+---
+ nova/tests/unit/virt/libvirt/test_driver.py | 38 +++++++++++
+ nova/tests/unit/virt/libvirt/test_utils.py  |  9 ++-
+ nova/virt/libvirt/driver.py                 | 18 +++++-
+ nova/virt/libvirt/instancejobtracker.py     | 98 +++++++++++++++++++++++++++++
+ nova/virt/libvirt/utils.py                  | 14 +++--
+ 5 files changed, 168 insertions(+), 9 deletions(-)
+ create mode 100644 nova/virt/libvirt/instancejobtracker.py
+
+diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py
+index 859df95..5ff978a 100644
+--- a/nova/tests/unit/virt/libvirt/test_driver.py
++++ b/nova/tests/unit/virt/libvirt/test_driver.py
+@@ -23,6 +23,7 @@
+ import random
+ import re
+ import shutil
++import signal
+ import threading
+ import time
+ import uuid
+@@ -9817,6 +9818,15 @@ def test_shared_storage_detection_easy(self):
+         self.mox.ReplayAll()
+         self.assertTrue(drvr._is_storage_shared_with('foo', '/path'))
+ 
++    def test_store_pid_remove_pid(self):
++        instance = objects.Instance(**self.test_instance)
++        drvr = libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), False)
++        popen = mock.Mock(pid=3)
++        drvr.job_tracker.add_job(instance, popen.pid)
++        self.assertIn(3, drvr.job_tracker.jobs[instance.uuid])
++        drvr.job_tracker.remove_job(instance, popen.pid)
++        self.assertNotIn(instance.uuid, drvr.job_tracker.jobs)
++
+     @mock.patch('nova.virt.libvirt.host.Host.get_domain')
+     def test_get_domain_info_with_more_return(self, mock_get_domain):
+         instance = objects.Instance(**self.test_instance)
+@@ -11316,12 +11326,18 @@ def fake_get_host_ip_addr():
+         def fake_execute(*args, **kwargs):
+             pass
+ 
++        def fake_copy_image(src, dest, host=None, receive=False,
++                            on_execute=None, on_completion=None):
++            self.assertIsNotNone(on_execute)
++            self.assertIsNotNone(on_completion)
++
+         self.stubs.Set(self.drvr, 'get_instance_disk_info',
+                        fake_get_instance_disk_info)
+         self.stubs.Set(self.drvr, '_destroy', fake_destroy)
+         self.stubs.Set(self.drvr, 'get_host_ip_addr',
+                        fake_get_host_ip_addr)
+         self.stubs.Set(utils, 'execute', fake_execute)
++        self.stubs.Set(libvirt_utils, 'copy_image', fake_copy_image)
+ 
+         ins_ref = self._create_instance(params=params_for_instance)
+ 
+@@ -12428,6 +12444,28 @@ def test_delete_instance_files(self, get_instance_path, exists, exe,
+     @mock.patch('shutil.rmtree')
+     @mock.patch('nova.utils.execute')
+     @mock.patch('os.path.exists')
++    @mock.patch('os.kill')
++    @mock.patch('nova.virt.libvirt.utils.get_instance_path')
++    def test_delete_instance_files_kill_running(
++            self, get_instance_path, kill, exists, exe, shutil):
++        get_instance_path.return_value = '/path'
++        instance = objects.Instance(uuid='fake-uuid', id=1)
++        self.drvr.job_tracker.jobs[instance.uuid] = [3, 4]
++
++        exists.side_effect = [False, False, True, False]
++
++        result = self.drvr.delete_instance_files(instance)
++        get_instance_path.assert_called_with(instance)
++        exe.assert_called_with('mv', '/path', '/path_del')
++        kill.assert_has_calls([mock.call(3, signal.SIGKILL), mock.call(3, 0),
++                               mock.call(4, signal.SIGKILL), mock.call(4, 0)])
++        shutil.assert_called_with('/path_del')
++        self.assertTrue(result)
++        self.assertNotIn(instance.uuid, self.drvr.job_tracker.jobs)
++
++    @mock.patch('shutil.rmtree')
++    @mock.patch('nova.utils.execute')
++    @mock.patch('os.path.exists')
+     @mock.patch('nova.virt.libvirt.utils.get_instance_path')
+     def test_delete_instance_files_resize(self, get_instance_path, exists,
+                                           exe, shutil):
+diff --git a/nova/tests/unit/virt/libvirt/test_utils.py b/nova/tests/unit/virt/libvirt/test_utils.py
+index 7fa0326..14bf822 100644
+--- a/nova/tests/unit/virt/libvirt/test_utils.py
++++ b/nova/tests/unit/virt/libvirt/test_utils.py
+@@ -62,7 +62,8 @@ def test_copy_image_local_cp(self, mock_execute):
+         mock_execute.assert_called_once_with('cp', 'src', 'dest')
+ 
+     _rsync_call = functools.partial(mock.call,
+-                                    'rsync', '--sparse', '--compress')
++                                    'rsync', '--sparse', '--compress',
++                                    on_execute=None, on_completion=None)
+ 
+     @mock.patch('nova.utils.execute')
+     def test_copy_image_rsync(self, mock_execute):
+@@ -85,7 +86,8 @@ def test_copy_image_scp(self, mock_execute):
+ 
+         mock_execute.assert_has_calls([
+             self._rsync_call('--dry-run', 'src', 'host:dest'),
+-            mock.call('scp', 'src', 'host:dest'),
++            mock.call('scp', 'src', 'host:dest',
++                      on_execute=None, on_completion=None),
+         ])
+         self.assertEqual(2, mock_execute.call_count)
+ 
+@@ -110,7 +112,8 @@ def test_copy_image_scp_ipv6(self, mock_execute):
+ 
+         mock_execute.assert_has_calls([
+             self._rsync_call('--dry-run', 'src', '[2600::]:dest'),
+-            mock.call('scp', 'src', '[2600::]:dest'),
++            mock.call('scp', 'src', '[2600::]:dest',
++                      on_execute=None, on_completion=None),
+         ])
+         self.assertEqual(2, mock_execute.call_count)
+ 
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index 40ee080..0a94d5a 100644
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -95,6 +95,7 @@
+ from nova.virt.libvirt import host
+ from nova.virt.libvirt import imagebackend
+ from nova.virt.libvirt import imagecache
++from nova.virt.libvirt import instancejobtracker
+ from nova.virt.libvirt import lvm
+ from nova.virt.libvirt import rbd_utils
+ from nova.virt.libvirt import utils as libvirt_utils
+@@ -465,6 +466,8 @@ def __init__(self, virtapi, read_only=False):
+                    'expect': ', '.join("'%s'" % k for k in
+                                        sysinfo_serial_funcs.keys())})
+ 
++        self.job_tracker = instancejobtracker.InstanceJobTracker()
++
+     def _get_volume_drivers(self):
+         return libvirt_volume_drivers
+ 
+@@ -6301,6 +6304,11 @@ def migrate_disk_and_power_off(self, context, instance, dest,
+                     # finish_migration/_create_image to re-create it for us.
+                     continue
+ 
++                on_execute = lambda process: self.job_tracker.add_job(
++                    instance, process.pid)
++                on_completion = lambda process: self.job_tracker.remove_job(
++                    instance, process.pid)
++
+                 if info['type'] == 'qcow2' and info['backing_file']:
+                     tmp_path = from_path + "_rbase"
+                     # merge backing file
+@@ -6310,11 +6318,15 @@ def migrate_disk_and_power_off(self, context, instance, dest,
+                     if shared_storage:
+                         utils.execute('mv', tmp_path, img_path)
+                     else:
+-                        libvirt_utils.copy_image(tmp_path, img_path, host=dest)
++                        libvirt_utils.copy_image(tmp_path, img_path, host=dest,
++                                                 on_execute=on_execute,
++                                                 on_completion=on_completion)
+                         utils.execute('rm', '-f', tmp_path)
+ 
+                 else:  # raw or qcow2 with no backing file
+-                    libvirt_utils.copy_image(from_path, img_path, host=dest)
++                    libvirt_utils.copy_image(from_path, img_path, host=dest,
++                                             on_execute=on_execute,
++                                             on_completion=on_completion)
+         except Exception:
+             with excutils.save_and_reraise_exception():
+                 self._cleanup_remote_migration(dest, inst_base,
+@@ -6683,6 +6695,8 @@ def delete_instance_files(self, instance):
+         # invocation failed due to the absence of both target and
+         # target_resize.
+         if not remaining_path and os.path.exists(target_del):
++            self.job_tracker.terminate_jobs(instance)
++
+             LOG.info(_LI('Deleting instance files %s'), target_del,
+                      instance=instance)
+             remaining_path = target_del
+diff --git a/nova/virt/libvirt/instancejobtracker.py b/nova/virt/libvirt/instancejobtracker.py
+new file mode 100644
+index 0000000..d47fb45
+--- /dev/null
++++ b/nova/virt/libvirt/instancejobtracker.py
+@@ -0,0 +1,98 @@
++# Copyright 2015 NTT corp.
++# All Rights Reserved.
++#    Licensed under the Apache License, Version 2.0 (the "License"); you may
++#    not use this file except in compliance with the License. You may obtain
++#    a copy of the License at
++#
++#         http://www.apache.org/licenses/LICENSE-2.0
++#
++#    Unless required by applicable law or agreed to in writing, software
++#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
++#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
++#    License for the specific language governing permissions and limitations
++#    under the License.
++
++
++import collections
++import errno
++import os
++import signal
++
++from oslo_log import log as logging
++
++from nova.i18n import _LE
++from nova.i18n import _LW
++
++
++LOG = logging.getLogger(__name__)
++
++
++class InstanceJobTracker(object):
++    def __init__(self):
++        self.jobs = collections.defaultdict(list)
++
++    def add_job(self, instance, pid):
++        """Appends process_id of instance to cache.
++
++        This method will store the pid of a process in cache as
++        a key: value pair which will be used to kill the process if it
++        is running while deleting the instance. Instance uuid is used as
++        a key in the cache and pid will be the value.
++
++        :param instance: Object of instance
++        :param pid: Id of the process
++        """
++        self.jobs[instance.uuid].append(pid)
++
++    def remove_job(self, instance, pid):
++        """Removes pid of process from cache.
++
++        This method will remove the pid of a process from the cache.
++
++        :param instance: Object of instance
++        :param pid: Id of the process
++        """
++        uuid = instance.uuid
++        if uuid in self.jobs and pid in self.jobs[uuid]:
++            self.jobs[uuid].remove(pid)
++
++        # remove instance.uuid if no pid's remaining
++        if not self.jobs[uuid]:
++            self.jobs.pop(uuid, None)
++
++    def terminate_jobs(self, instance):
++        """Kills the running processes for given instance.
++
++        This method is used to kill all running processes of the instance if
++        it is deleted in between.
++
++        :param instance: Object of instance
++        """
++        pids_to_remove = list(self.jobs.get(instance.uuid, []))
++        for pid in pids_to_remove:
++            try:
++                # Try to kill the process
++                os.kill(pid, signal.SIGKILL)
++            except OSError as exc:
++                if exc.errno != errno.ESRCH:
++                    LOG.error(_LE('Failed to kill process %(pid)s '
++                                  'due to %(reason)s, while deleting the '
++                                  'instance.'), {'pid': pid, 'reason': exc},
++                              instance=instance)
++
++            try:
++                # Check if the process is still alive.
++                os.kill(pid, 0)
++            except OSError as exc:
++                if exc.errno != errno.ESRCH:
++                    LOG.error(_LE('Unexpected error while checking process '
++                                  '%(pid)s.'), {'pid': pid},
++                              instance=instance)
++            else:
++                # The process is still around
++                LOG.warn(_LW("Failed to kill a long running process "
++                             "%(pid)s related to the instance when "
++                             "deleting it."), {'pid': pid},
++                         instance=instance)
++
++            self.remove_job(instance, pid)
+diff --git a/nova/virt/libvirt/utils.py b/nova/virt/libvirt/utils.py
+index 7b80464..83d5ba3 100644
+--- a/nova/virt/libvirt/utils.py
++++ b/nova/virt/libvirt/utils.py
+@@ -294,13 +294,16 @@ def get_disk_backing_file(path, basename=True):
+     return backing_file
+ 
+ 
+-def copy_image(src, dest, host=None, receive=False):
++def copy_image(src, dest, host=None, receive=False,
++               on_execute=None, on_completion=None):
+     """Copy a disk image to an existing directory
+ 
+     :param src: Source image
+     :param dest: Destination path
+     :param host: Remote host
+     :param receive: Reverse the rsync direction
++    :param on_execute: Callback method to store pid of process in cache
++    :param on_completion: Callback method to remove pid of process from cache
+     """
+ 
+     if not host:
+@@ -322,11 +325,14 @@ def copy_image(src, dest, host=None, receive=False):
+             # Do a relatively light weight test first, so that we
+             # can fall back to scp, without having run out of space
+             # on the destination for example.
+-            execute('rsync', '--sparse', '--compress', '--dry-run', src, dest)
++            execute('rsync', '--sparse', '--compress', '--dry-run', src, dest,
++                    on_execute=on_execute, on_completion=on_completion)
+         except processutils.ProcessExecutionError:
+-            execute('scp', src, dest)
++            execute('scp', src, dest, on_execute=on_execute,
++                    on_completion=on_completion)
+         else:
+-            execute('rsync', '--sparse', '--compress', src, dest)
++            execute('rsync', '--sparse', '--compress', src, dest,
++                    on_execute=on_execute, on_completion=on_completion)
+ 
+ 
+ def write_to_file(path, contents, umask=None):
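Review bot: In `terminate_jobs` (nova/virt/libvirt/instancejobtracker.py, added by this patch file), `os.kill(pid, signal.SIGKILL)` is sent to a bare pid read from the cache, with nothing tying it to the rsync/scp process that `add_job` recorded; if that copy has already exited while its pid is still cached, the signal can reach whatever process now owns the number. Whether `on_completion` always runs on error paths depends on `execute()`, which is not shown here, so the size of that window cannot be judged from this hunk. Tracking the process object handed to `on_execute` instead of `process.pid`, and signalling only while `process.poll() is None`, would narrow the gap. The follow-up `os.kill(pid, 0)` probe can also succeed for a killed child that has not yet been reaped, so the "Failed to kill a long running process" warning is likely to appear after successful kills; a comment on the probe such as `# a just-killed child may still be visible until its parent reaps it` would keep operators from chasing it.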

diff --git a/sys-cluster/nova/nova-2015.1.1-r1.ebuild b/sys-cluster/nova/nova-2015.1.1-r2.ebuild
similarity index 98%
rename from sys-cluster/nova/nova-2015.1.1-r1.ebuild
rename to sys-cluster/nova/nova-2015.1.1-r2.ebuild
index 5e2cead..8da90ab 100644
--- a/sys-cluster/nova/nova-2015.1.1-r1.ebuild
+++ b/sys-cluster/nova/nova-2015.1.1-r2.ebuild
@@ -34,6 +34,7 @@ DEPEND="
 		>=dev-python/mock-1.0[${PYTHON_USEDEP}]
 		<dev-python/mock-1.1.0[${PYTHON_USEDEP}]
 		>=dev-python/mox3-0.7.0[${PYTHON_USEDEP}]
+		<dev-python/mox3-0.8.0[${PYTHON_USEDEP}]
 		dev-python/mysql-python[${PYTHON_USEDEP}]
 		dev-python/psycopg[${PYTHON_USEDEP}]
 		>=dev-python/python-barbicanclient-3.0.1[${PYTHON_USEDEP}]
@@ -114,7 +115,7 @@ RDEPEND="
 	<dev-python/stevedore-1.4.0[${PYTHON_USEDEP}]
 	>=dev-python/websockify-0.6.0[${PYTHON_USEDEP}]
 	<dev-python/websockify-0.7.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-concurrency-1.8.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-concurrency-1.8.2[${PYTHON_USEDEP}]
 	<dev-python/oslo-concurrency-1.9.0[${PYTHON_USEDEP}]
 	>=dev-python/oslo-config-1.9.3[${PYTHON_USEDEP}]
 	<dev-python/oslo-config-1.10.0[${PYTHON_USEDEP}]
@@ -162,6 +163,7 @@ RDEPEND="
 	)"
 
 PATCHES=(
+	"${FILESDIR}/CVE-2015-3241-kilo.patch"
 )
 
 pkg_setup() {



* [gentoo-commits] repo/gentoo:master commit in: sys-cluster/nova/, sys-cluster/nova/files/
@ 2016-01-07 17:56 Matt Thode
From: Matt Thode @ 2016-01-07 17:56 UTC (permalink / raw
  To: gentoo-commits

commit:     82b087e56b85822daadc9457c90a1c3b1b0a4da0
Author:     Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
AuthorDate: Thu Jan  7 17:55:40 2016 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Thu Jan  7 17:55:40 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82b087e5

sys-cluster/nova: fixing CVE-2015-7548

Package-Manager: portage-2.2.26

 sys-cluster/nova/Manifest                          |   2 -
 .../files/cve-2015-7548-stable-liberty-0001.patch  | 267 +++++++++++++++++++
 .../files/cve-2015-7548-stable-liberty-0002.patch  | 168 ++++++++++++
 .../files/cve-2015-7548-stable-liberty-0003.patch  | 171 ++++++++++++
 sys-cluster/nova/nova-12.0.0-r1.ebuild             | 295 +++++++++++++++++++++
 sys-cluster/nova/nova-2015.1.1-r3.ebuild           | 253 ------------------
 sys-cluster/nova/nova-2015.1.2.ebuild              | 253 ------------------
 7 files changed, 901 insertions(+), 508 deletions(-)

diff --git a/sys-cluster/nova/Manifest b/sys-cluster/nova/Manifest
index fb999f0..4eb99d9 100644
--- a/sys-cluster/nova/Manifest
+++ b/sys-cluster/nova/Manifest
@@ -1,4 +1,2 @@
 DIST liberty-nova.conf.sample 134201 SHA256 32752212c571c4a1473c3fa8bbd197a658ee54e233b4d46a157807be42997e42 SHA512 5325a31a0fccb9898bec0a022f5430dcc1729615c8eac88a4261c403f9ecd8ce2b07d73b52f3bc2c5cbe681234b30b923adb94385aac28e08d982a8f8bfef350 WHIRLPOOL 6d2894160a96742551777ce397b67f332c4f2793402f4634a2cfd0005ba99fb077cf0d0306a59e4b8c7f689914860e5d7f45d838c845d6a896a66c24f0f141c0
 DIST nova-12.0.0.tar.gz 5233669 SHA256 28416df09a1f99b78d001d133e30f51acce389749d7e111c9e7dce18e7462ac4 SHA512 e3304684e090e8ec6cb45df5d77835d8b7d7c881c08e49c89cfa547a2581ec13bd66c430db01d7e82345650a1bc6fea77faa37092f00313c4fd58390ea3627d7 WHIRLPOOL 53f3afbae0cd3b8884c9074299f17b26d73074466bad491636ab0ef0fe1e636fa08267c6d26fff9d9b1850e8c9100d509fc47d1b76588d8f1564b23ebd707b17
-DIST nova-2015.1.1.tar.gz 4544374 SHA256 d9b480827995727f2ccc06e4b5709e689e8a466006e07157ce92bc9d074e197e SHA512 7aad21fc59143cd4acab4a97980aafa9b1216789a0206c0d3098f5d96257e40baa77ef45696982648cc82a7f988f40525621da402871eeb398b21699932cea64 WHIRLPOOL 08b94f93be1e5821cfaaa835f33af2ddc23e75cea3dc6f1ca82be80317db95abd38dda336cca212cd68111fa65ca8c53c62f684e07acd2c1906e8d4cfc989905
-DIST nova-2015.1.2.tar.gz 4564794 SHA256 8ea47c076367dec47d7bea89210f260da64171be5adf559ced8514d5fdb6c453 SHA512 c3ec70f90723dbbc6c04a1ab5e5fd43b43c4080ab6a7454bd48d47eb2f228fe22b59f999f881dfb28fbd502e084c0c8764f5cdf4b096f6af46a2f0c97f0e4f61 WHIRLPOOL d3e038905726574864cc5c4d04ead21c90c24a676bc6d5580e65a1b37830889b92b7df09165b5f97e345aa99ba94a3f42b3212119a4bae34b318aa5946052bf6

diff --git a/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0001.patch b/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0001.patch
new file mode 100644
index 0000000..9f2429d
--- /dev/null
+++ b/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0001.patch
@@ -0,0 +1,267 @@
+From f41488f828fda1370e1b017503711248a810d432 Mon Sep 17 00:00:00 2001
+From: Matthew Booth <mbooth@redhat.com>
+Date: Wed, 9 Dec 2015 15:36:32 +0000
+Subject: [PATCH 1/3] Fix format detection in libvirt snapshot
+
+The libvirt driver was using automatic format detection during
+snapshot for disks stored on the local filesystem. This opened an
+exploit if nova was configured to use local file storage, and
+additionally to store those files in raw format by specifying
+use_cow_images = False in nova.conf. An authenticated user could write
+a qcow2 header to their guest image with a backing file on the host.
+libvirt.utils.get_disk_type() would then misdetect the type of this
+image as qcow2 and pass this to the Qcow2 image backend, whose
+snapshot_extract method interprets the image as qcow2 and writes the
+backing file to glance. The authenticated user can then download the
+host file from glance.
+
+This patch makes 2 principal changes. libvirt.utils.get_disk_type,
+which ought to be removed entirely as soon as possible, is updated to
+no longer do format detection if the format can't be determined from
+the path. Its name is changed to get_disk_type_from_path to reflect
+its actual function.
+
+libvirt.utils.find_disk is updated to return both the path and format
+of the root disk, rather than just the path. This is the most reliable
+source of this information, as it reflects the actual format in use.
+The previous format detection function of get_disk_type is replaced by
+the format taken from libvirt.
+
+We replace a call to get_disk_type in _rebase_with_qemu_img with an
+explicit call to qemu_img_info, as the other behaviour of
+get_disk_type was not relevant in this context. qemu_img_info is safe
+from the backing file exploit when called on a file known to be a
+qcow2 image. As the file in this context is a volume snapshot, this is
+a safe use.
+
+(cherry picked from commit c69fbad4860a1ce931d80f3f0ce0f90da29e8e5f)
+
+ Conflicts:
+	nova/tests/unit/virt/libvirt/test_driver.py
+	nova/tests/unit/virt/libvirt/test_utils.py
+	nova/virt/libvirt/driver.py
+	nova/virt/libvirt/utils.py
+
+    Most about method _rebase_with_qemu_img which does not exist.
+
+Partial-Bug: #1524274
+Change-Id: I94c1c0d26215c061f71c3f95e1a6bf3a58fa19ea
+---
+ nova/tests/unit/virt/libvirt/fake_libvirt_utils.py | 10 +++--
+ nova/tests/unit/virt/libvirt/test_utils.py         | 44 +++-------------------
+ nova/virt/libvirt/driver.py                        | 25 +++++++++---
+ nova/virt/libvirt/utils.py                         | 26 ++++++++++---
+ 4 files changed, 51 insertions(+), 54 deletions(-)
+
+diff --git a/nova/tests/unit/virt/libvirt/fake_libvirt_utils.py b/nova/tests/unit/virt/libvirt/fake_libvirt_utils.py
+index 302ccee..52d1e85 100644
+--- a/nova/tests/unit/virt/libvirt/fake_libvirt_utils.py
++++ b/nova/tests/unit/virt/libvirt/fake_libvirt_utils.py
+@@ -40,7 +40,9 @@ def get_disk_backing_file(path):
+     return disk_backing_files.get(path, None)
+ 
+ 
+-def get_disk_type(path):
++def get_disk_type_from_path(path):
++    if disk_type in ('raw', 'qcow2'):
++        return None
+     return disk_type
+ 
+ 
+@@ -99,11 +101,11 @@ def file_open(path, mode=None):
+ 
+ def find_disk(virt_dom):
+     if disk_type == 'lvm':
+-        return "/dev/nova-vg/lv"
++        return ("/dev/nova-vg/lv", "raw")
+     elif disk_type in ['raw', 'qcow2']:
+-        return "filename"
++        return ("filename", disk_type)
+     else:
+-        return "unknown_type_disk"
++        return ("unknown_type_disk", None)
+ 
+ 
+ def load_file(path):
+diff --git a/nova/tests/unit/virt/libvirt/test_utils.py b/nova/tests/unit/virt/libvirt/test_utils.py
+index ac7ea8d..6773bea 100644
+--- a/nova/tests/unit/virt/libvirt/test_utils.py
++++ b/nova/tests/unit/virt/libvirt/test_utils.py
+@@ -39,24 +39,6 @@ CONF = cfg.CONF
+ 
+ class LibvirtUtilsTestCase(test.NoDBTestCase):
+ 
+-    @mock.patch('os.path.exists', return_value=True)
+-    @mock.patch('nova.utils.execute')
+-    def test_get_disk_type(self, mock_execute, mock_exists):
+-        path = "disk.config"
+-        example_output = """image: disk.config
+-file format: raw
+-virtual size: 64M (67108864 bytes)
+-cluster_size: 65536
+-disk size: 96K
+-blah BLAH: bb
+-"""
+-        mock_execute.return_value = (example_output, '')
+-        disk_type = libvirt_utils.get_disk_type(path)
+-        mock_execute.assert_called_once_with('env', 'LC_ALL=C', 'LANG=C',
+-                                             'qemu-img', 'info', path)
+-        mock_exists.assert_called_once_with(path)
+-        self.assertEqual('raw', disk_type)
+-
+     @mock.patch('nova.utils.execute')
+     def test_copy_image_local(self, mock_execute):
+         libvirt_utils.copy_image('src', 'dest')
+@@ -77,37 +59,21 @@ blah BLAH: bb
+             on_completion=None, on_execute=None, compression=True)
+ 
+     @mock.patch('os.path.exists', return_value=True)
+-    def test_disk_type(self, mock_exists):
++    def test_disk_type_from_path(self, mock_exists):
+         # Seems like lvm detection
+         # if its in /dev ??
+         for p in ['/dev/b', '/dev/blah/blah']:
+-            d_type = libvirt_utils.get_disk_type(p)
++            d_type = libvirt_utils.get_disk_type_from_path(p)
+             self.assertEqual('lvm', d_type)
+ 
+         # Try rbd detection
+-        d_type = libvirt_utils.get_disk_type('rbd:pool/instance')
++        d_type = libvirt_utils.get_disk_type_from_path('rbd:pool/instance')
+         self.assertEqual('rbd', d_type)
+ 
+         # Try the other types
+-        template_output = """image: %(path)s
+-file format: %(format)s
+-virtual size: 64M (67108864 bytes)
+-cluster_size: 65536
+-disk size: 96K
+-"""
+         path = '/myhome/disk.config'
+-        for f in ['raw', 'qcow2']:
+-            output = template_output % ({
+-                'format': f,
+-                'path': path,
+-            })
+-            with mock.patch('nova.utils.execute',
+-                return_value=(output, '')) as mock_execute:
+-                d_type = libvirt_utils.get_disk_type(path)
+-                mock_execute.assert_called_once_with(
+-                    'env', 'LC_ALL=C', 'LANG=C',
+-                    'qemu-img', 'info', path)
+-                self.assertEqual(f, d_type)
++        d_type = libvirt_utils.get_disk_type_from_path(path)
++        self.assertIsNone(d_type)
+ 
+     @mock.patch('os.path.exists', return_value=True)
+     @mock.patch('nova.utils.execute')
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index fc1c909..51b1e4b 100644
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -1338,10 +1338,23 @@ class LibvirtDriver(driver.ComputeDriver):
+ 
+         snapshot = self._image_api.get(context, image_id)
+ 
+-        disk_path = libvirt_utils.find_disk(virt_dom)
+-        source_format = libvirt_utils.get_disk_type(disk_path)
+-
+-        image_format = CONF.libvirt.snapshot_image_format or source_format
++        # source_format is an on-disk format
++        # source_type is a backend type
++        disk_path, source_format = libvirt_utils.find_disk(virt_dom)
++        source_type = libvirt_utils.get_disk_type_from_path(disk_path)
++
++        # We won't have source_type for raw or qcow2 disks, because we can't
++        # determine that from the path. We should have it from the libvirt
++        # xml, though.
++        if source_type is None:
++            source_type = source_format
++        # For lxc instances we won't have it either from libvirt xml
++        # (because we just gave libvirt the mounted filesystem), or the path,
++        # so source_type is still going to be None. In this case,
++        # snapshot_backend is going to default to CONF.libvirt.images_type
++        # below, which is still safe.
++
++        image_format = CONF.libvirt.snapshot_image_format or source_type
+ 
+         # NOTE(bfilippov): save lvm and rbd as raw
+         if image_format == 'lvm' or image_format == 'rbd':
+@@ -1367,7 +1380,7 @@ class LibvirtDriver(driver.ComputeDriver):
+         if (self._host.has_min_version(MIN_LIBVIRT_LIVESNAPSHOT_VERSION,
+                                        MIN_QEMU_LIVESNAPSHOT_VERSION,
+                                        host.HV_DRIVER_QEMU)
+-             and source_format not in ('lvm', 'rbd')
++             and source_type not in ('lvm', 'rbd')
+              and not CONF.ephemeral_storage_encryption.enabled
+              and not CONF.workarounds.disable_libvirt_livesnapshot):
+             live_snapshot = True
+@@ -1402,7 +1415,7 @@ class LibvirtDriver(driver.ComputeDriver):
+ 
+         snapshot_backend = self.image_backend.snapshot(instance,
+                 disk_path,
+-                image_type=source_format)
++                image_type=source_type)
+ 
+         if live_snapshot:
+             LOG.info(_LI("Beginning live snapshot process"),
+diff --git a/nova/virt/libvirt/utils.py b/nova/virt/libvirt/utils.py
+index 5573927..062b2fb 100644
+--- a/nova/virt/libvirt/utils.py
++++ b/nova/virt/libvirt/utils.py
+@@ -334,13 +334,20 @@ def find_disk(virt_dom):
+     """
+     xml_desc = virt_dom.XMLDesc(0)
+     domain = etree.fromstring(xml_desc)
++    driver = None
+     if CONF.libvirt.virt_type == 'lxc':
+-        source = domain.find('devices/filesystem/source')
++        filesystem = domain.find('devices/filesystem')
++        driver = filesystem.find('driver')
++
++        source = filesystem.find('source')
+         disk_path = source.get('dir')
+         disk_path = disk_path[0:disk_path.rfind('rootfs')]
+         disk_path = os.path.join(disk_path, 'disk')
+     else:
+-        source = domain.find('devices/disk/source')
++        disk = domain.find('devices/disk')
++        driver = disk.find('driver')
++
++        source = disk.find('source')
+         disk_path = source.get('file') or source.get('dev')
+         if not disk_path and CONF.libvirt.images_type == 'rbd':
+             disk_path = source.get('name')
+@@ -351,17 +358,26 @@ def find_disk(virt_dom):
+         raise RuntimeError(_("Can't retrieve root device path "
+                              "from instance libvirt configuration"))
+ 
+-    return disk_path
++    if driver is not None:
++        format = driver.get('type')
++        # This is a legacy quirk of libvirt/xen. Everything else should
++        # report the on-disk format in type.
++        if format == 'aio':
++            format = 'raw'
++    else:
++        format = None
++    return (disk_path, format)
+ 
+ 
+-def get_disk_type(path):
++def get_disk_type_from_path(path):
+     """Retrieve disk type (raw, qcow2, lvm) for given file."""
+     if path.startswith('/dev'):
+         return 'lvm'
+     elif path.startswith('rbd:'):
+         return 'rbd'
+ 
+-    return images.qemu_img_info(path).file_format
++    # We can't reliably determine the type from this path
++    return None
+ 
+ 
+ def get_fs_info(path):
+-- 
+2.5.0
+
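Review bot: In the `find_disk` hunk of nova/virt/libvirt/utils.py, the results of `domain.find('devices/filesystem')` and `domain.find('devices/disk')` are dereferenced with `.find('driver')` without a None check, so a domain XML lacking that element fails with AttributeError instead of the RuntimeError raised further down for a missing path; a guard such as `if disk is None: raise RuntimeError(...)` reusing the existing message would keep the failure mode uniform. The function now returns `(disk_path, format)` but its docstring starts outside the hunk and may still describe a single path; it should state that the format comes from the `driver` type in the libvirt domain XML and is never probed from the image contents, since that is the property the fix relies on. In the driver.py snapshot hunk, `image_format = CONF.libvirt.snapshot_image_format or source_type` can evaluate to None in the lxc case the new comment describes; the code consuming `image_format` is only partly visible here, so confirm it handles None.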

diff --git a/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0002.patch b/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0002.patch
new file mode 100644
index 0000000..2ffca9f
--- /dev/null
+++ b/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0002.patch
@@ -0,0 +1,168 @@
+From 0e6b4a06ad72ac68ec41bab2063f8d167e8e277e Mon Sep 17 00:00:00 2001
+From: Matthew Booth <mbooth@redhat.com>
+Date: Thu, 10 Dec 2015 16:34:19 +0000
+Subject: [PATCH 2/3] Fix format conversion in libvirt snapshot
+
+The libvirt driver was calling images.convert_image during snapshot to
+convert snapshots to the intended output format. However, this
+function does not take the input format as an argument, meaning it
+implicitly does format detection. This opened an exploit for setups
+using raw storage on the backend, including raw on filesystem, LVM,
+and RBD (Ceph). An authenticated user could write a qcow2 header to
+their instance's disk which specified an arbitrary backing file on the
+host. When convert_image ran during snapshot, this would then write
+the contents of the backing file to glance, which is then available to
+the user. If the setup uses an LVM backend this conversion runs as
+root, meaning the user can exfiltrate any file on the host, including
+raw disks.
+
+This change adds an input format to convert_image.
+
+Partial-Bug: #1524274
+
+Change-Id: If73e73718ecd5db262ed9904091024238f98dbc0
+(cherry picked from commit 840644d619e9560f205016eafc8799565ffd6d8c)
+---
+ nova/tests/unit/virt/libvirt/test_driver.py |  5 +++--
+ nova/tests/unit/virt/libvirt/test_utils.py  |  3 ++-
+ nova/virt/images.py                         | 26 ++++++++++++++++++++++++--
+ nova/virt/libvirt/imagebackend.py           | 19 ++++++++++++++-----
+ 4 files changed, 43 insertions(+), 10 deletions(-)
+
+diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py
+index 22ef56d..6fd8728 100644
+--- a/nova/tests/unit/virt/libvirt/test_driver.py
++++ b/nova/tests/unit/virt/libvirt/test_driver.py
+@@ -14985,7 +14985,7 @@ class LibvirtVolumeSnapshotTestCase(test.NoDBTestCase):
+         self.mox.VerifyAll()
+ 
+ 
+-def _fake_convert_image(source, dest, out_format,
++def _fake_convert_image(source, dest, in_format, out_format,
+                                run_as_root=True):
+     libvirt_driver.libvirt_utils.files[dest] = ''
+ 
+@@ -15127,7 +15127,8 @@ class LVMSnapshotTests(_BaseSnapshotTests):
+ 
+         mock_volume_info.assert_has_calls([mock.call('/dev/nova-vg/lv')])
+         mock_convert_image.assert_called_once_with(
+-                '/dev/nova-vg/lv', mock.ANY, disk_format, run_as_root=True)
++            '/dev/nova-vg/lv', mock.ANY, 'raw', disk_format,
++            run_as_root=True)
+ 
+     def test_raw(self):
+         self._test_lvm_snapshot('raw')
+diff --git a/nova/tests/unit/virt/libvirt/test_utils.py b/nova/tests/unit/virt/libvirt/test_utils.py
+index 6773bea..6f75a92 100644
+--- a/nova/tests/unit/virt/libvirt/test_utils.py
++++ b/nova/tests/unit/virt/libvirt/test_utils.py
+@@ -594,7 +594,8 @@ disk size: 4.4M
+         target = 't.qcow2'
+         self.executes = []
+         expected_commands = [('qemu-img', 'convert', '-O', 'raw',
+-                              't.qcow2.part', 't.qcow2.converted'),
++                              't.qcow2.part', 't.qcow2.converted',
++                              '-f', 'qcow2'),
+                              ('rm', 't.qcow2.part'),
+                              ('mv', 't.qcow2.converted', 't.qcow2')]
+         images.fetch_to_raw(context, image_id, target, user_id, project_id,
+diff --git a/nova/virt/images.py b/nova/virt/images.py
+index 5b9374b..e2b5b91 100644
+--- a/nova/virt/images.py
++++ b/nova/virt/images.py
+@@ -66,9 +66,31 @@ def qemu_img_info(path):
+     return imageutils.QemuImgInfo(out)
+ 
+ 
+-def convert_image(source, dest, out_format, run_as_root=False):
++def convert_image(source, dest, in_format, out_format, run_as_root=False):
+     """Convert image to other format."""
++    if in_format is None:
++        raise RuntimeError("convert_image without input format is a security"
++                           "risk")
++    _convert_image(source, dest, in_format, out_format, run_as_root)
++
++
++def convert_image_unsafe(source, dest, out_format, run_as_root=False):
++    """Convert image to other format, doing unsafe automatic input format
++    detection. Do not call this function.
++    """
++
++    # NOTE: there is only 1 caller of this function:
++    # imagebackend.Lvm.create_image. It is not easy to fix that without a
++    # larger refactor, so for the moment it has been manually audited and
++    # allowed to continue. Remove this function when Lvm.create_image has
++    # been fixed.
++    _convert_image(source, dest, None, out_format, run_as_root)
++
++
++def _convert_image(source, dest, in_format, out_format, run_as_root):
+     cmd = ('qemu-img', 'convert', '-O', out_format, source, dest)
++    if in_format is not None:
++        cmd = cmd + ('-f', in_format)
+     utils.execute(*cmd, run_as_root=run_as_root)
+ 
+ 
+@@ -123,7 +145,7 @@ def fetch_to_raw(context, image_href, path, user_id, project_id, max_size=0):
+             staged = "%s.converted" % path
+             LOG.debug("%s was %s, converting to raw" % (image_href, fmt))
+             with fileutils.remove_path_on_error(staged):
+-                convert_image(path_tmp, staged, 'raw')
++                convert_image(path_tmp, staged, fmt, 'raw')
+                 os.unlink(path_tmp)
+ 
+                 data = qemu_img_info(staged)
+diff --git a/nova/virt/libvirt/imagebackend.py b/nova/virt/libvirt/imagebackend.py
+index 5e14f61..151ebc4 100644
+--- a/nova/virt/libvirt/imagebackend.py
++++ b/nova/virt/libvirt/imagebackend.py
+@@ -477,7 +477,7 @@ class Raw(Image):
+         self.correct_format()
+ 
+     def snapshot_extract(self, target, out_format):
+-        images.convert_image(self.path, target, out_format)
++        images.convert_image(self.path, target, self.driver_format, out_format)
+ 
+     @staticmethod
+     def is_file_in_instance_path():
+@@ -631,7 +631,16 @@ class Lvm(Image):
+                                          size, sparse=self.sparse)
+             if self.ephemeral_key_uuid is not None:
+                 encrypt_lvm_image()
+-            images.convert_image(base, self.path, 'raw', run_as_root=True)
++            # NOTE: by calling convert_image_unsafe here we're
++            # telling qemu-img convert to do format detection on the input,
++            # because we don't know what the format is. For example,
++            # we might have downloaded a qcow2 image, or created an
++            # ephemeral filesystem locally, we just don't know here. Having
++            # audited this, all current sources have been sanity checked,
++            # either because they're locally generated, or because they have
++            # come from images.fetch_to_raw. However, this is major code smell.
++            images.convert_image_unsafe(base, self.path, self.driver_format,
++                                        run_as_root=True)
+             if resize:
+                 disk.resize2fs(self.path, run_as_root=True)
+ 
+@@ -678,8 +687,8 @@ class Lvm(Image):
+                     lvm.remove_volumes([self.lv_path])
+ 
+     def snapshot_extract(self, target, out_format):
+-        images.convert_image(self.path, target, out_format,
+-                             run_as_root=True)
++        images.convert_image(self.path, target, self.driver_format,
++                             out_format, run_as_root=True)
+ 
+     def get_model(self, connection):
+         return imgmodel.LocalBlockImage(self.path)
+@@ -786,7 +795,7 @@ class Rbd(Image):
+             self.driver.resize(self.rbd_name, size)
+ 
+     def snapshot_extract(self, target, out_format):
+-        images.convert_image(self.path, target, out_format)
++        images.convert_image(self.path, target, 'raw', out_format)
+ 
+     @staticmethod
+     def is_shared_block_storage():
+-- 
+2.5.0
+
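Review bot: In `_convert_image` (nova/virt/images.py) the `-f in_format` pair is appended after the `source` and `dest` operands, so the explicit input format only takes effect if qemu-img's option parser accepts options after file operands. That reordering is a GNU getopt extension rather than POSIX behaviour, which makes the fix depend on the libc and environment of the host. Building the option part first is safer: start from `cmd = ('qemu-img', 'convert', '-O', out_format)`, add the `-f` pair, then finish with `cmd += (source, dest)`; the expected command in test_utils.py would need the same order. The same trailing `-f` appears in `qemu_img_info` in cve-2015-7548-stable-liberty-0003.patch. Separately, the `RuntimeError` text in `convert_image` joins two literals without a space and reads "securityrisk"; `"convert_image without input format is a security "` fixes it.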

diff --git a/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0003.patch b/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0003.patch
new file mode 100644
index 0000000..b542041
--- /dev/null
+++ b/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0003.patch
@@ -0,0 +1,171 @@
+From 62516194c424abad3bec12ea360dde06617fe97d Mon Sep 17 00:00:00 2001
+From: Matthew Booth <mbooth@redhat.com>
+Date: Fri, 11 Dec 2015 13:40:54 +0000
+Subject: [PATCH 3/3] Fix backing file detection in libvirt live snapshot
+
+When doing a live snapshot, the libvirt driver creates an intermediate
+qcow2 file with the same backing file as the original disk. However,
+it calls qemu-img info without specifying the input format explicitly.
+An authenticated user can write data to a raw disk which will cause
+this code to misinterpret the disk as a qcow2 file with a
+user-specified backing file on the host, and return an arbitrary host
+file as the backing file.
+
+This bug does not appear to result in a data leak in this case, but
+this is hard to verify. It certainly results in corrupt output.
+
+Closes-Bug: #1524274
+
+Change-Id: I11485f077d28f4e97529a691e55e3e3c0bea8872
+(cherry picked from commit ccea9095d9fb5bcdcb61ee5e352c4a8163754b9d)
+---
+ nova/tests/unit/virt/libvirt/fake_libvirt_utils.py |  4 ++--
+ nova/tests/unit/virt/libvirt/test_driver.py        |  7 ++++---
+ nova/virt/images.py                                |  8 +++++---
+ nova/virt/libvirt/driver.py                        | 11 +++++++----
+ nova/virt/libvirt/utils.py                         |  9 +++++----
+ 5 files changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/nova/tests/unit/virt/libvirt/fake_libvirt_utils.py b/nova/tests/unit/virt/libvirt/fake_libvirt_utils.py
+index 52d1e85..b474687 100644
+--- a/nova/tests/unit/virt/libvirt/fake_libvirt_utils.py
++++ b/nova/tests/unit/virt/libvirt/fake_libvirt_utils.py
+@@ -32,11 +32,11 @@ def create_cow_image(backing_file, path):
+     pass
+ 
+ 
+-def get_disk_size(path):
++def get_disk_size(path, format=None):
+     return 0
+ 
+ 
+-def get_disk_backing_file(path):
++def get_disk_backing_file(path, format=None):
+     return disk_backing_files.get(path, None)
+ 
+ 
+diff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py
+index 6fd8728..6d0afdf 100644
+--- a/nova/tests/unit/virt/libvirt/test_driver.py
++++ b/nova/tests/unit/virt/libvirt/test_driver.py
+@@ -12018,7 +12018,7 @@ class LibvirtConnTestCase(test.NoDBTestCase):
+ 
+             image_meta = objects.ImageMeta.from_dict(self.test_image_meta)
+             drvr._live_snapshot(self.context, self.test_instance, guest,
+-                                srcfile, dstfile, "qcow2", image_meta)
++                                srcfile, dstfile, "qcow2", "qcow2", image_meta)
+ 
+             mock_dom.XMLDesc.assert_called_once_with(flags=(
+                 fakelibvirt.VIR_DOMAIN_XML_INACTIVE |
+@@ -12029,8 +12029,9 @@ class LibvirtConnTestCase(test.NoDBTestCase):
+                     fakelibvirt.VIR_DOMAIN_BLOCK_REBASE_REUSE_EXT |
+                     fakelibvirt.VIR_DOMAIN_BLOCK_REBASE_SHALLOW))
+ 
+-            mock_size.assert_called_once_with(srcfile)
+-            mock_backing.assert_called_once_with(srcfile, basename=False)
++            mock_size.assert_called_once_with(srcfile, format="qcow2")
++            mock_backing.assert_called_once_with(srcfile, basename=False,
++                                                 format="qcow2")
+             mock_create_cow.assert_called_once_with(bckfile, dltfile, 1004009)
+             mock_chown.assert_called_once_with(dltfile, os.getuid())
+             mock_snapshot.assert_called_once_with(dltfile, "qcow2",
+diff --git a/nova/virt/images.py b/nova/virt/images.py
+index e2b5b91..6f3e487 100644
+--- a/nova/virt/images.py
++++ b/nova/virt/images.py
+@@ -44,7 +44,7 @@ CONF.register_opts(image_opts)
+ IMAGE_API = image.API()
+ 
+ 
+-def qemu_img_info(path):
++def qemu_img_info(path, format=None):
+     """Return an object containing the parsed output from qemu-img info."""
+     # TODO(mikal): this code should not be referring to a libvirt specific
+     # flag.
+@@ -56,8 +56,10 @@ def qemu_img_info(path):
+         msg = (_("Path does not exist %(path)s") % {'path': path})
+         raise exception.InvalidDiskInfo(reason=msg)
+ 
+-    out, err = utils.execute('env', 'LC_ALL=C', 'LANG=C',
+-                             'qemu-img', 'info', path)
++    cmd = ('env', 'LC_ALL=C', 'LANG=C', 'qemu-img', 'info', path)
++    if format is not None:
++        cmd = cmd + ('-f', format)
++    out, err = utils.execute(*cmd)
+     if not out:
+         msg = (_("Failed to run qemu-img info on %(path)s : %(error)s") %
+                {'path': path, 'error': err})
+diff --git a/nova/virt/libvirt/driver.py b/nova/virt/libvirt/driver.py
+index 51b1e4b..53a27b2 100644
+--- a/nova/virt/libvirt/driver.py
++++ b/nova/virt/libvirt/driver.py
+@@ -1434,7 +1434,8 @@ class LibvirtDriver(driver.ComputeDriver):
+                     # NOTE(xqueralt): libvirt needs o+x in the temp directory
+                     os.chmod(tmpdir, 0o701)
+                     self._live_snapshot(context, instance, guest, disk_path,
+-                                        out_path, image_format, image_meta)
++                                        out_path, source_format, image_format,
++                                        image_meta)
+                 else:
+                     snapshot_backend.snapshot_extract(out_path, image_format)
+             finally:
+@@ -1540,7 +1541,7 @@ class LibvirtDriver(driver.ComputeDriver):
+         self._set_quiesced(context, instance, image_meta, False)
+ 
+     def _live_snapshot(self, context, instance, guest, disk_path, out_path,
+-                       image_format, image_meta):
++                       source_format, image_format, image_meta):
+         """Snapshot an instance without downtime."""
+         dev = guest.get_block_device(disk_path)
+ 
+@@ -1558,9 +1559,11 @@ class LibvirtDriver(driver.ComputeDriver):
+         #             in QEMU 1.3. In order to do this, we need to create
+         #             a destination image with the original backing file
+         #             and matching size of the instance root disk.
+-        src_disk_size = libvirt_utils.get_disk_size(disk_path)
++        src_disk_size = libvirt_utils.get_disk_size(disk_path,
++                                                    format=source_format)
+         src_back_path = libvirt_utils.get_disk_backing_file(disk_path,
+-                                                            basename=False)
++                                                        format=source_format,
++                                                        basename=False)
+         disk_delta = out_path + '.delta'
+         libvirt_utils.create_cow_image(src_back_path, disk_delta,
+                                        src_disk_size)
+diff --git a/nova/virt/libvirt/utils.py b/nova/virt/libvirt/utils.py
+index 062b2fb..7b0cf42 100644
+--- a/nova/virt/libvirt/utils.py
++++ b/nova/virt/libvirt/utils.py
+@@ -160,24 +160,25 @@ def pick_disk_driver_name(hypervisor_version, is_block_dev=False):
+         return None
+ 
+ 
+-def get_disk_size(path):
++def get_disk_size(path, format=None):
+     """Get the (virtual) size of a disk image
+ 
+     :param path: Path to the disk image
++    :param format: the on-disk format of path
+     :returns: Size (in bytes) of the given disk image as it would be seen
+               by a virtual machine.
+     """
+-    size = images.qemu_img_info(path).virtual_size
++    size = images.qemu_img_info(path, format).virtual_size
+     return int(size)
+ 
+ 
+-def get_disk_backing_file(path, basename=True):
++def get_disk_backing_file(path, basename=True, format=None):
+     """Get the backing file of a disk image
+ 
+     :param path: Path to the disk image
+     :returns: a path to the image's backing store
+     """
+-    backing_file = images.qemu_img_info(path).backing_file
++    backing_file = images.qemu_img_info(path, format).backing_file
+     if backing_file and basename:
+         backing_file = os.path.basename(backing_file)
+ 
+-- 
+2.5.0
+
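Review bot: `qemu_img_info`, `get_disk_size` and `get_disk_backing_file` all take `format=None` as the default, so any caller that does not pass a format still gets qemu-img header probing; only `_live_snapshot` is switched to an explicit format here. This is the opposite of `convert_image` in the 0002 patch, which refuses `None`, and nothing on these functions tells a later caller that the default is the unsafe choice for guest-writable disks. I would say so in the `qemu_img_info` docstring, for example `If format is None qemu-img probes the image header; pass the known on-disk format for any disk a guest can write to.` `get_disk_backing_file` should also gain the `:param format: the on-disk format of path` line that `get_disk_size` received. `source_format` is passed to `_live_snapshot` in the driver.py hunk but assigned outside it, so whether it can be `None` at that call cannot be checked from here.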

diff --git a/sys-cluster/nova/nova-12.0.0-r1.ebuild b/sys-cluster/nova/nova-12.0.0-r1.ebuild
new file mode 100644
index 0000000..2ad958e
--- /dev/null
+++ b/sys-cluster/nova/nova-12.0.0-r1.ebuild
@@ -0,0 +1,295 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 python3_4 )
+
+inherit distutils-r1 eutils linux-info multilib user
+
+DESCRIPTION="Cloud computing fabric controller (main part of an IaaS system) in Python"
+HOMEPAGE="https://launchpad.net/nova"
+SRC_URI="
+	https://launchpad.net/${PN}/liberty/${PV}/+download/${P}.tar.gz
+	https://dev.gentoo.org/~prometheanfire/dist/nova/liberty/nova.conf.sample -> liberty-nova.conf.sample"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+compute compute-only iscsi +kvm +memcached mysql +novncproxy openvswitch postgres +rabbitmq sqlite test xen"
+REQUIRED_USE="
+	!compute-only? ( || ( mysql postgres sqlite ) )
+	compute-only? ( compute !rabbitmq !memcached !mysql !postgres !sqlite )
+	compute? ( ^^ ( kvm xen ) )"
+
+CDEPEND=">=dev-python/pbr-1.8[${PYTHON_USEDEP}]"
+# need to package dev-python/sphinxcontrib-seqdiag
+DEPEND="
+	>=dev-python/setuptools-16.0[${PYTHON_USEDEP}]
+	${CDEPEND}
+	app-admin/sudo
+	test? (
+		${RDEPEND}
+		>=dev-python/coverage-3.6[${PYTHON_USEDEP}]
+		<=dev-python/coverage-4.0[${PYTHON_USEDEP}]
+		~dev-python/fixtures-1.3.1[${PYTHON_USEDEP}]
+		>=dev-python/mock-1.2[${PYTHON_USEDEP}]
+		<=dev-python/mock-1.3.0[${PYTHON_USEDEP}]
+		>=dev-python/mox3-0.7.0[${PYTHON_USEDEP}]
+		<=dev-python/mox3-0.10.0[${PYTHON_USEDEP}]
+		>=dev-python/psycopg-2.5[${PYTHON_USEDEP}]
+		<=dev-python/psycopg-2.6.1[${PYTHON_USEDEP}]
+		>=dev-python/pymysql-0.6.2[${PYTHON_USEDEP}]
+		<=dev-python/pymysql-0.6.6[${PYTHON_USEDEP}]
+		~dev-python/python-barbicanclient-3.3.0[${PYTHON_USEDEP}]
+		>=dev-python/python-ironicclient-0.8.0[${PYTHON_USEDEP}]
+		<=dev-python/python-ironicclient-0.8.1[${PYTHON_USEDEP}]
+		>=dev-python/subunit-0.0.18[${PYTHON_USEDEP}]
+		<=dev-python/subunit-1.1.0[${PYTHON_USEDEP}]
+		~dev-python/requests-mock-0.6.0[${PYTHON_USEDEP}]
+		>=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
+		!~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
+		<dev-python/sphinx-1.3[${PYTHON_USEDEP}]
+		>=dev-python/pillow-2.4.0[${PYTHON_USEDEP}]
+		<dev-python/pillow-3.0.0[${PYTHON_USEDEP}]
+		>=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
+		<=dev-python/oslo-sphinx-3.2.0[${PYTHON_USEDEP}]
+		>=dev-python/oslotest-1.10.0[${PYTHON_USEDEP}]
+		<=dev-python/oslotest-1.11.0[${PYTHON_USEDEP}]
+		>=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}]
+		<=dev-python/testrepository-0.0.20[${PYTHON_USEDEP}]
+		>=dev-python/testresources-0.2.4[${PYTHON_USEDEP}]
+		<=dev-python/testresources-0.2.7-r9999[${PYTHON_USEDEP}]
+		>=dev-python/testtools-1.4.0[${PYTHON_USEDEP}]
+		<=dev-python/testtools-1.8.0[${PYTHON_USEDEP}]
+		>=dev-python/tempest-lib-0.8.0[${PYTHON_USEDEP}]
+		<=dev-python/tempest-lib-0.9.0[${PYTHON_USEDEP}]
+		~dev-python/bandit-0.13.2[${PYTHON_USEDEP}]
+		>=dev-python/oslo-vmware-0.16.0[${PYTHON_USEDEP}]
+		<=dev-python/oslo-vmware-1.21.0[${PYTHON_USEDEP}]
+	)"
+
+# barbicanclient is in here for doc generation
+RDEPEND="
+	${CDEPEND}
+	compute-only? (
+		>=dev-python/sqlalchemy-0.9.9[${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+	)
+	sqlite? (
+		>=dev-python/sqlalchemy-0.9.9[sqlite,${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[sqlite,${PYTHON_USEDEP}]
+	)
+	mysql? (
+		dev-python/mysql-python
+		>=dev-python/sqlalchemy-0.9.9[${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+	)
+	postgres? (
+		dev-python/psycopg:2
+		>=dev-python/sqlalchemy-0.9.9[${PYTHON_USEDEP}]
+		<dev-python/sqlalchemy-1.1.0[${PYTHON_USEDEP}]
+	)
+	>=dev-python/boto-2.32.1[${PYTHON_USEDEP}]
+	<=dev-python/boto-2.38.0[${PYTHON_USEDEP}]
+	>=dev-python/decorator-3.4.0[${PYTHON_USEDEP}]
+	<=dev-python/decorator-4.0.2[${PYTHON_USEDEP}]
+	~dev-python/eventlet-0.17.4[${PYTHON_USEDEP}]
+	>=dev-python/jinja-2.6[${PYTHON_USEDEP}]
+	<=dev-python/jinja-2.8[${PYTHON_USEDEP}]
+	>=dev-python/keystonemiddleware-2.0.0[${PYTHON_USEDEP}]
+	<=dev-python/keystonemiddleware-2.3.1[${PYTHON_USEDEP}]
+	>=dev-python/lxml-2.3[${PYTHON_USEDEP}]
+	<=dev-python/lxml-3.4.4[${PYTHON_USEDEP}]
+	>=dev-python/routes-1.12.3[${PYTHON_USEDEP}]
+	!~dev-python/routes-2.0[${PYTHON_USEDEP}]
+	!~dev-python/routes-2.1[$(python_gen_usedep 'python2_7')]
+	<=dev-python/routes-2.2[${PYTHON_USEDEP}]
+	>=dev-python/cryptography-1.0[${PYTHON_USEDEP}]
+	<=dev-python/cryptography-1.1-r9999[${PYTHON_USEDEP}]
+	>=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
+	<=dev-python/webob-1.4.1[${PYTHON_USEDEP}]
+	>=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
+	<=dev-python/greenlet-0.4.9[${PYTHON_USEDEP}]
+	>=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
+	<=dev-python/pastedeploy-1.5.2[${PYTHON_USEDEP}]
+	<=dev-python/paste-2.0.2[${PYTHON_USEDEP}]
+	>=dev-python/prettytable-0.7[${PYTHON_USEDEP}]
+	<dev-python/prettytable-0.8[${PYTHON_USEDEP}]
+	>=dev-python/sqlalchemy-migrate-0.9.6[${PYTHON_USEDEP}]
+	<=dev-python/sqlalchemy-migrate-0.10.0[${PYTHON_USEDEP}]
+	>=dev-python/netaddr-0.7.12[${PYTHON_USEDEP}]
+	!~dev-python/netaddr-0.7.16[${PYTHON_USEDEP}]
+	<=dev-python/netaddr-0.7.18[${PYTHON_USEDEP}]
+	~dev-python/netifaces-0.10.4[${PYTHON_USEDEP}]
+	>=dev-python/paramiko-1.13.0[${PYTHON_USEDEP}]
+	<=dev-python/paramiko-1.15.2[${PYTHON_USEDEP}]
+	>=dev-python/Babel-1.3[${PYTHON_USEDEP}]
+	<=dev-python/Babel-2.0[${PYTHON_USEDEP}]
+	>=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
+	<=dev-python/iso8601-0.1.10[${PYTHON_USEDEP}]
+	>=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}]
+	!~dev-python/jsonschema-2.5.0[${PYTHON_USEDEP}]
+	<dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
+	>=dev-python/python-cinderclient-1.3.1[${PYTHON_USEDEP}]
+	<=dev-python/python-cinderclient-1.4.0[${PYTHON_USEDEP}]
+	>=dev-python/python-keystoneclient-1.6.0[${PYTHON_USEDEP}]
+	<=dev-python/python-keystoneclient-1.7.2-r9999[${PYTHON_USEDEP}]
+	>=dev-python/python-neutronclient-2.6.0[${PYTHON_USEDEP}]
+	<=dev-python/python-neutronclient-3.1.0[${PYTHON_USEDEP}]
+	>=dev-python/python-glanceclient-0.18.0[${PYTHON_USEDEP}]
+	<=dev-python/python-glanceclient-1.1.0[${PYTHON_USEDEP}]
+	>=dev-python/python-barbicanclient-3.0.1[${PYTHON_USEDEP}]
+	<=dev-python/python-barbicanclient-3.3.0[${PYTHON_USEDEP}]
+	~dev-python/six-1.9.0[${PYTHON_USEDEP}]
+	>=dev-python/stevedore-1.5.0[${PYTHON_USEDEP}]
+	<=dev-python/stevedore-1.8.0[${PYTHON_USEDEP}]
+	>=dev-python/setuptools-16.0[${PYTHON_USEDEP}]
+	>=dev-python/websockify-0.6.1[${PYTHON_USEDEP}]
+	>=dev-python/websockify-0.6.1[${PYTHON_USEDEP}]
+	<=dev-python/websockify-0.7.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-concurrency-2.3.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-concurrency-2.6.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-config-2.3.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-config-2.4.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-context-0.6.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-log-1.8.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-log-1.11.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-reports-0.1.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-reports-0.5.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-serialization-1.4.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-serialization-1.9.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-utils-2.0.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-utils-2.5.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-db-2.4.1[${PYTHON_USEDEP}]
+	<=dev-python/oslo-db-2.6.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-rootwrap-2.0.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-rootwrap-2.3.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-messaging-1.16.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-messaging-1.17.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-messaging-1.17.1[${PYTHON_USEDEP}]
+	<=dev-python/oslo-messaging-2.5.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-i18n-1.5.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-i18n-2.6.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-service-0.7.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-service-0.9.0[${PYTHON_USEDEP}]
+	>=dev-python/rfc3986-0.2.0[${PYTHON_USEDEP}]
+	<=dev-python/rfc3986-0.2.2[${PYTHON_USEDEP}]
+	>=dev-python/oslo-middleware-2.8.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-middleware-2.8.0[${PYTHON_USEDEP}]
+	>=dev-python/psutil-1.1.1[${PYTHON_USEDEP}]
+	<dev-python/psutil-2.0.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-versionedobjects-0.9.0[${PYTHON_USEDEP}]
+	<=dev-python/oslo-versionedobjects-0.10.0[${PYTHON_USEDEP}]
+	>=dev-python/alembic-0.8.0[${PYTHON_USEDEP}]
+	<=dev-python/alembic-0.8.20[${PYTHON_USEDEP}]
+	>=dev-python/os-brick-0.4.0[${PYTHON_USEDEP}]
+	<=dev-python/os-brick-0.5.0[${PYTHON_USEDEP}]
+	<=dev-python/libvirt-python-1.3.0[${PYTHON_USEDEP}]
+	app-emulation/libvirt[iscsi?]
+	novncproxy? ( www-apps/novnc )
+	sys-apps/iproute2
+	openvswitch? ( <=net-misc/openvswitch-2.4.0 )
+	rabbitmq? ( net-misc/rabbitmq-server )
+	memcached? ( net-misc/memcached
+	<=dev-python/python-memcached-1.57 )
+	sys-fs/sysfsutils
+	sys-fs/multipath-tools
+	net-misc/bridge-utils
+	compute? (
+		app-cdr/cdrkit
+		kvm? ( app-emulation/qemu )
+		xen? ( app-emulation/xen
+			   app-emulation/xen-tools )
+	)
+	iscsi? (
+		sys-fs/lsscsi
+		>=sys-block/open-iscsi-2.0.872-r3
+	)"
+
+PATCHES=(
+	"${FILESDIR}"/cve-2015-7548-stable-liberty-0001.patch
+	"${FILESDIR}"/cve-2015-7548-stable-liberty-0002.patch
+	"${FILESDIR}"/cve-2015-7548-stable-liberty-0003.patch
+)
+
+pkg_setup() {
+	linux-info_pkg_setup
+	CONFIG_CHECK_MODULES="BLK_DEV_NBD VHOST_NET IP6_NF_FILTER IP6_NF_IPTABLES IP_NF_TARGET_REJECT \
+	IP_NF_MANGLE IP_NF_TARGET_MASQUERADE NF_NAT_IPV4 IP_NF_FILTER IP_NF_IPTABLES \
+	NF_CONNTRACK_IPV4 NF_DEFRAG_IPV4 NF_NAT_IPV4 NF_NAT NF_CONNTRACK NETFILTER_XTABLES \
+	ISCSI_TCP SCSI_DH DM_MULTIPATH DM_SNAPSHOT"
+	if linux_config_exists; then
+		for module in ${CONFIG_CHECK_MODULES}; do
+			linux_chkconfig_present ${module} || ewarn "${module} needs to be enabled in kernel"
+		done
+	fi
+	enewgroup nova
+	enewuser nova -1 -1 /var/lib/nova nova
+}
+
+python_prepare_all() {
+	sed -i '/^hacking/d' test-requirements.txt || die
+	distutils-r1_python_prepare_all
+}
+
+python_test() {
+	testr init
+	testr run --parallel || die "failed testsuite under python2.7"
+}
+
+python_install() {
+	distutils-r1_python_install
+
+	if use !compute-only; then
+		for svc in api cert conductor consoleauth network scheduler spicehtml5proxy xvpvncproxy; do
+			newinitd "${FILESDIR}/nova.initd" "nova-${svc}"
+		done
+	fi
+	use compute && newinitd "${FILESDIR}/nova.initd" "nova-compute"
+	use novncproxy && newinitd "${FILESDIR}/nova.initd" "nova-novncproxy"
+
+	diropts -m 0750 -o nova -g qemu
+	dodir /var/log/nova /var/lib/nova/instances
+	diropts -m 0750 -o nova -g nova
+
+	insinto /etc/nova
+	insopts -m 0640 -o nova -g nova
+	newins "${FILESDIR}/etc.liberty/api-paste.ini" "api-paste.ini"
+	newins "${FILESDIR}/etc.liberty/cells.json" "cells.json"
+	newins "${FILESDIR}/etc.liberty/logging_sample.conf" "logging_sample.conf"
+	newins "${DISTDIR}/liberty-nova.conf.sample" "nova.conf.sample"
+	newins "${FILESDIR}/etc.liberty/policy.json" "policy.json"
+	newins "${FILESDIR}/etc.liberty/rootwrap.conf" "rootwrap.conf"
+	#rootwrap filters
+	insinto /etc/nova/rootwrap.d
+	newins "${FILESDIR}/etc.liberty/rootwrap.d/api-metadata.filters" "api-metadata.filters"
+	newins "${FILESDIR}/etc.liberty/rootwrap.d/compute.filters" "compute.filters"
+	newins "${FILESDIR}/etc.liberty/rootwrap.d/network.filters" "network.filters"
+	#copy migration conf file (not coppied on install via setup.py script)
+	insopts -m 0644
+	insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/
+	doins "nova/db/sqlalchemy/migrate_repo/migrate.cfg"
+	#copy the CA cert dir (not coppied on install via setup.py script)
+	cp -R "${S}/nova/CA" "${D}/usr/$(get_libdir)/python2.7/site-packages/nova/" || die "installing CA files failed"
+
+	#add sudoers definitions for user nova
+	insinto /etc/sudoers.d/
+	insopts -m 0600 -o root -g root
+	doins "${FILESDIR}/nova-sudoers"
+
+	if use iscsi ; then
+		# Install udev rules for handle iscsi disk with right links under /dev
+		udev_newrules "${FILESDIR}/openstack-scsi-disk.rules" 60-openstack-scsi-disk.rules
+
+		insinto /etc/nova/
+		doins "${FILESDIR}/scsi-openscsi-link.sh"
+	fi
+}
+
+pkg_postinst() {
+	if use iscsi ; then
+		elog "iscsid needs to be running if you want cinder to connect"
+	fi
+}
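Review bot: `python_install` hardcodes `python2.7/site-packages` for both the `migrate.cfg` install and the `cp -R "${S}/nova/CA"` step, while `PYTHON_COMPAT` now also lists `python3_4`. Since `python_install` runs once per enabled implementation, a python3_4 build would place these files in the 2.7 tree and leave its own site-packages without them. Deriving the directory from the eclass avoids that, e.g. `insinto "$(python_get_sitedir)/nova/db/sqlalchemy/migrate_repo"` and `cp -R "${S}/nova/CA" "${D}$(python_get_sitedir)/nova/" || die`; check the prefix handling of `python_get_sitedir` against the eclass version in use. The `die` text in `python_test` names python2.7 for the same reason, and `testr init` there has no `|| die`.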

diff --git a/sys-cluster/nova/nova-2015.1.1-r3.ebuild b/sys-cluster/nova/nova-2015.1.1-r3.ebuild
deleted file mode 100644
index 40e2a43..0000000
--- a/sys-cluster/nova/nova-2015.1.1-r3.ebuild
+++ /dev/null
@@ -1,253 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 eutils linux-info multilib user
-
-DESCRIPTION="Cloud computing fabric controller (main part of an IaaS system) in Python"
-HOMEPAGE="https://launchpad.net/nova"
-SRC_URI="https://launchpad.net/${PN}/kilo/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="amd64 x86"
-IUSE="+compute compute-only iscsi +kvm +memcached mysql +novncproxy openvswitch postgres +rabbitmq sqlite test xen"
-REQUIRED_USE="
-	!compute-only? ( || ( mysql postgres sqlite ) )
-	compute-only? ( compute !rabbitmq !memcached !mysql !postgres !sqlite )
-	compute? ( ^^ ( kvm xen ) )"
-
-DEPEND="
-	dev-python/setuptools[${PYTHON_USEDEP}]
-	>=dev-python/pbr-0.8[${PYTHON_USEDEP}]
-	<dev-python/pbr-1.0[${PYTHON_USEDEP}]
-	app-admin/sudo
-	test? (
-		${RDEPEND}
-		>=dev-python/hacking-0.10.0[${PYTHON_USEDEP}]
-		<dev-python/hacking-0.11[${PYTHON_USEDEP}]
-		>=dev-python/coverage-3.6[${PYTHON_USEDEP}]
-		>=dev-python/fixtures-0.3.14[${PYTHON_USEDEP}]
-		<dev-python/fixtures-1.3.0[${PYTHON_USEDEP}]
-		>=dev-python/mock-1.0[${PYTHON_USEDEP}]
-		<dev-python/mock-1.1.0[${PYTHON_USEDEP}]
-		>=dev-python/mox3-0.7.0[${PYTHON_USEDEP}]
-		<dev-python/mox3-0.8.0[${PYTHON_USEDEP}]
-		dev-python/mysql-python[${PYTHON_USEDEP}]
-		dev-python/psycopg[${PYTHON_USEDEP}]
-		>=dev-python/python-barbicanclient-3.0.1[${PYTHON_USEDEP}]
-		<dev-python/python-barbicanclient-3.1.0[${PYTHON_USEDEP}]
-		>=dev-python/python-ironicclient-0.4.1[${PYTHON_USEDEP}]
-		<dev-python/python-ironicclient-0.6.0[${PYTHON_USEDEP}]
-		>=dev-python/subunit-0.0.18[${PYTHON_USEDEP}]
-		>=dev-python/requests-mock-0.6.0[${PYTHON_USEDEP}]
-		>=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
-		!~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
-		<dev-python/sphinx-1.3[${PYTHON_USEDEP}]
-		>=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
-		<dev-python/oslo-sphinx-2.6.0[${PYTHON_USEDEP}]
-		>=dev-python/oslotest-1.5.1[${PYTHON_USEDEP}]
-		<dev-python/oslotest-1.6.0[${PYTHON_USEDEP}]
-		>=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}]
-		>=dev-python/testtools-0.9.36[${PYTHON_USEDEP}]
-		!~dev-python/testtools-1.2.0[${PYTHON_USEDEP}]
-		>=dev-python/tempest-lib-0.4.0[${PYTHON_USEDEP}]
-		<dev-python/tempest-lib-0.5.0[${PYTHON_USEDEP}]
-		>=dev-python/suds-0.4[${PYTHON_USEDEP}]
-		>=dev-python/oslo-vmware-0.11.1[${PYTHON_USEDEP}]
-		<dev-python/oslo-vmware-0.12.0[${PYTHON_USEDEP}]
-	)"
-
-# barbicanclient is in here for doc generation
-RDEPEND="
-	compute-only? (
-		>=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
-	)
-	sqlite? (
-		>=dev-python/sqlalchemy-0.9.7[sqlite,${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[sqlite,${PYTHON_USEDEP}]
-	)
-	mysql? (
-		dev-python/mysql-python
-		>=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
-	)
-	postgres? (
-		dev-python/psycopg:2
-		>=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
-	)
-	>=dev-python/boto-2.32.1[${PYTHON_USEDEP}]
-	>=dev-python/decorator-3.4.0[${PYTHON_USEDEP}]
-	>=dev-python/eventlet-0.16.1[${PYTHON_USEDEP}]
-	!~dev-python/eventlet-0.17.0[${PYTHON_USEDEP}]
-	>=dev-python/jinja-2.6[${PYTHON_USEDEP}]
-	>=dev-python/keystonemiddleware-1.5.0[${PYTHON_USEDEP}]
-	<dev-python/keystonemiddleware-1.6.0[${PYTHON_USEDEP}]
-	>=dev-python/lxml-2.3[${PYTHON_USEDEP}]
-	>=dev-python/routes-1.12.3-r1[${PYTHON_USEDEP}]
-	!~dev-python/routes-2.0[${PYTHON_USEDEP}]
-	>=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
-	>=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
-	>=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
-	dev-python/paste[${PYTHON_USEDEP}]
-	~dev-python/sqlalchemy-migrate-0.9.5[${PYTHON_USEDEP}]
-	>=dev-python/netaddr-0.7.12[${PYTHON_USEDEP}]
-	>=dev-python/paramiko-1.13.0[${PYTHON_USEDEP}]
-	dev-python/pyasn1[${PYTHON_USEDEP}]
-	>=dev-python/Babel-1.3[${PYTHON_USEDEP}]
-	>=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
-	>=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}]
-	<dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
-	>=dev-python/python-cinderclient-1.1.0[${PYTHON_USEDEP}]
-	<dev-python/python-cinderclient-1.2.0[${PYTHON_USEDEP}]
-	>=dev-python/python-neutronclient-2.3.11[${PYTHON_USEDEP}]
-	<dev-python/python-neutronclient-2.5.0[${PYTHON_USEDEP}]
-	>=dev-python/python-glanceclient-0.15.0[${PYTHON_USEDEP}]
-	<dev-python/python-glanceclient-0.18.0[${PYTHON_USEDEP}]
-	>=dev-python/python-barbicanclient-3.0.1[${PYTHON_USEDEP}]
-	<dev-python/python-barbicanclient-3.1.0[${PYTHON_USEDEP}]
-	>=dev-python/six-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/stevedore-1.3.0[${PYTHON_USEDEP}]
-	<dev-python/stevedore-1.4.0[${PYTHON_USEDEP}]
-	>=dev-python/websockify-0.6.0[${PYTHON_USEDEP}]
-	<dev-python/websockify-0.7.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-concurrency-1.8.2[${PYTHON_USEDEP}]
-	<dev-python/oslo-concurrency-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-config-1.9.3[${PYTHON_USEDEP}]
-	<dev-python/oslo-config-1.10.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-context-0.3.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-log-1.0.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-log-1.1.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-serialization-1.4.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-serialization-1.5.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-utils-1.4.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-utils-1.5.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-db-1.7.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-db-1.8.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-rootwrap-1.6.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-rootwrap-1.7.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-messaging-1.8.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-messaging-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-i18n-1.5.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-i18n-1.6.0[${PYTHON_USEDEP}]
-	>=dev-python/rfc3986-0.2.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-middleware-1.0.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-middleware-1.1.0[${PYTHON_USEDEP}]
-	>=dev-python/psutil-1.1.1[${PYTHON_USEDEP}]
-	<dev-python/psutil-2.0.0[${PYTHON_USEDEP}]
-	dev-python/libvirt-python[${PYTHON_USEDEP}]
-	app-emulation/libvirt[iscsi?]
-	novncproxy? ( www-apps/novnc )
-	sys-apps/iproute2
-	openvswitch? ( net-misc/openvswitch )
-	rabbitmq? ( net-misc/rabbitmq-server )
-	memcached? ( net-misc/memcached
-	dev-python/python-memcached )
-	sys-fs/sysfsutils
-	sys-fs/multipath-tools
-	net-misc/bridge-utils
-	compute? (
-		app-cdr/cdrkit
-		kvm? ( app-emulation/qemu )
-		xen? ( app-emulation/xen
-			   app-emulation/xen-tools )
-	)
-	iscsi? (
-		sys-fs/lsscsi
-		>=sys-block/open-iscsi-2.0.872-r3
-	)"
-
-PATCHES=(
-	"${FILESDIR}/CVE-2015-3241-kilo.patch"
-	"${FILESDIR}/CVE-2015-3280_2015.1.1.patch.patch"
-)
-
-pkg_setup() {
-	linux-info_pkg_setup
-	CONFIG_CHECK_MODULES="BLK_DEV_NBD VHOST_NET IP6_NF_FILTER IP6_NF_IPTABLES IP_NF_TARGET_REJECT \
-	IP_NF_MANGLE IP_NF_TARGET_MASQUERADE NF_NAT_IPV4 IP_NF_FILTER IP_NF_IPTABLES \
-	NF_CONNTRACK_IPV4 NF_DEFRAG_IPV4 NF_NAT_IPV4 NF_NAT NF_CONNTRACK NETFILTER_XTABLES \
-	ISCSI_TCP SCSI_DH DM_MULTIPATH DM_SNAPSHOT"
-	if linux_config_exists; then
-		for module in ${CONFIG_CHECK_MODULES}; do
-			linux_chkconfig_present ${module} || ewarn "${module} needs to be enabled in kernel"
-		done
-	fi
-	enewgroup nova
-	enewuser nova -1 -1 /var/lib/nova nova
-}
-
-python_prepare() {
-	distutils-r1_python_prepare
-	sed -i 's/python/python2\.7/g' tools/config/generate_sample.sh || die
-}
-
-python_compile() {
-	distutils-r1_python_compile
-	./tools/config/generate_sample.sh -b ./ -p nova -o etc/nova || die
-}
-
-python_test() {
-	testr init
-	testr run --parallel || die "failed testsuite under python2.7"
-}
-
-python_install() {
-	distutils-r1_python_install
-
-	if use !compute-only; then
-		for svc in api cert conductor consoleauth network scheduler spicehtml5proxy xvpvncproxy; do
-			newinitd "${FILESDIR}/nova.initd" "nova-${svc}"
-		done
-	fi
-	use compute && newinitd "${FILESDIR}/nova.initd" "nova-compute"
-	use novncproxy && newinitd "${FILESDIR}/nova.initd" "nova-novncproxy"
-
-	diropts -m 0750 -o nova -g qemu
-	dodir /var/log/nova /var/lib/nova/instances
-	diropts -m 0750 -o nova -g nova
-
-	insinto /etc/nova
-	insopts -m 0640 -o nova -g nova
-	newins "etc/nova/nova.conf.sample" "nova.conf"
-	doins "etc/nova/api-paste.ini"
-	doins "etc/nova/logging_sample.conf"
-	doins "etc/nova/policy.json"
-	doins "etc/nova/rootwrap.conf"
-	#rootwrap filters
-	insinto /etc/nova/rootwrap.d
-	doins "etc/nova/rootwrap.d/api-metadata.filters"
-	doins "etc/nova/rootwrap.d/compute.filters"
-	doins "etc/nova/rootwrap.d/network.filters"
-	#copy migration conf file (not coppied on install via setup.py script)
-	insopts -m 0644
-	insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/
-	doins "nova/db/sqlalchemy/migrate_repo/migrate.cfg"
-	#copy the CA cert dir (not coppied on install via setup.py script)
-	cp -R "${S}/nova/CA" "${D}/usr/$(get_libdir)/python2.7/site-packages/nova/" || die "installing CA files failed"
-
-	#add sudoers definitions for user nova
-	insinto /etc/sudoers.d/
-	insopts -m 0600 -o root -g root
-	doins "${FILESDIR}/nova-sudoers"
-
-	if use iscsi ; then
-		# Install udev rules for handle iscsi disk with right links under /dev
-		udev_newrules "${FILESDIR}/openstack-scsi-disk.rules" 60-openstack-scsi-disk.rules
-
-		insinto /etc/nova/
-		doins "${FILESDIR}/scsi-openscsi-link.sh"
-	fi
-}
-
-pkg_postinst() {
-	if use iscsi ; then
-		elog "iscsid needs to be running if you want cinder to connect"
-	fi
-}

diff --git a/sys-cluster/nova/nova-2015.1.2.ebuild b/sys-cluster/nova/nova-2015.1.2.ebuild
deleted file mode 100644
index b516ec7..0000000
--- a/sys-cluster/nova/nova-2015.1.2.ebuild
+++ /dev/null
@@ -1,253 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-PYTHON_COMPAT=( python2_7 )
-
-inherit distutils-r1 eutils linux-info multilib user
-
-DESCRIPTION="Cloud computing fabric controller (main part of an IaaS system) in Python"
-HOMEPAGE="https://launchpad.net/nova"
-SRC_URI="https://launchpad.net/${PN}/kilo/${PV}/+download/${P}.tar.gz"
-
-LICENSE="Apache-2.0"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="+compute compute-only iscsi +kvm +memcached mysql +novncproxy openvswitch postgres +rabbitmq sqlite test xen"
-REQUIRED_USE="
-	!compute-only? ( || ( mysql postgres sqlite ) )
-	compute-only? ( compute !rabbitmq !memcached !mysql !postgres !sqlite )
-	compute? ( ^^ ( kvm xen ) )"
-
-DEPEND="
-	dev-python/setuptools[${PYTHON_USEDEP}]
-	>=dev-python/pbr-0.8[${PYTHON_USEDEP}]
-	<dev-python/pbr-1.0[${PYTHON_USEDEP}]
-	app-admin/sudo
-	test? (
-		${RDEPEND}
-		>=dev-python/coverage-3.6[${PYTHON_USEDEP}]
-		>=dev-python/fixtures-0.3.14[${PYTHON_USEDEP}]
-		<dev-python/fixtures-1.3.0[${PYTHON_USEDEP}]
-		>=dev-python/mock-1.0[${PYTHON_USEDEP}]
-		<dev-python/mock-1.1.0[${PYTHON_USEDEP}]
-		>=dev-python/mox3-0.7.0[${PYTHON_USEDEP}]
-		<dev-python/mox3-0.8.0[${PYTHON_USEDEP}]
-		dev-python/mysql-python[${PYTHON_USEDEP}]
-		dev-python/psycopg[${PYTHON_USEDEP}]
-		>=dev-python/python-barbicanclient-3.0.1[${PYTHON_USEDEP}]
-		<dev-python/python-barbicanclient-3.1.0[${PYTHON_USEDEP}]
-		>=dev-python/python-ironicclient-0.4.1[${PYTHON_USEDEP}]
-		<dev-python/python-ironicclient-0.6.0[${PYTHON_USEDEP}]
-		>=dev-python/subunit-0.0.18[${PYTHON_USEDEP}]
-		>=dev-python/requests-mock-0.6.0[${PYTHON_USEDEP}]
-		>=dev-python/sphinx-1.1.2[${PYTHON_USEDEP}]
-		!~dev-python/sphinx-1.2.0[${PYTHON_USEDEP}]
-		<dev-python/sphinx-1.3[${PYTHON_USEDEP}]
-		>=dev-python/oslo-sphinx-2.5.0[${PYTHON_USEDEP}]
-		<dev-python/oslo-sphinx-2.6.0[${PYTHON_USEDEP}]
-		>=dev-python/oslotest-1.5.1[${PYTHON_USEDEP}]
-		<dev-python/oslotest-1.6.0[${PYTHON_USEDEP}]
-		>=dev-python/testrepository-0.0.18[${PYTHON_USEDEP}]
-		>=dev-python/testtools-0.9.36[${PYTHON_USEDEP}]
-		!~dev-python/testtools-1.2.0[${PYTHON_USEDEP}]
-		>=dev-python/tempest-lib-0.4.0[${PYTHON_USEDEP}]
-		<dev-python/tempest-lib-0.5.0[${PYTHON_USEDEP}]
-		>=dev-python/suds-0.4[${PYTHON_USEDEP}]
-		>=dev-python/oslo-vmware-0.11.1[${PYTHON_USEDEP}]
-		<dev-python/oslo-vmware-0.12.0[${PYTHON_USEDEP}]
-	)"
-
-# barbicanclient is in here for doc generation
-RDEPEND="
-	compute-only? (
-		>=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
-	)
-	sqlite? (
-		>=dev-python/sqlalchemy-0.9.7[sqlite,${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[sqlite,${PYTHON_USEDEP}]
-	)
-	mysql? (
-		dev-python/mysql-python
-		>=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
-	)
-	postgres? (
-		dev-python/psycopg:2
-		>=dev-python/sqlalchemy-0.9.7[${PYTHON_USEDEP}]
-		<=dev-python/sqlalchemy-0.9.99[${PYTHON_USEDEP}]
-	)
-	>=dev-python/boto-2.32.1[${PYTHON_USEDEP}]
-	>=dev-python/decorator-3.4.0[${PYTHON_USEDEP}]
-	>=dev-python/eventlet-0.16.1[${PYTHON_USEDEP}]
-	!~dev-python/eventlet-0.17.0[${PYTHON_USEDEP}]
-	>=dev-python/jinja-2.6[${PYTHON_USEDEP}]
-	>=dev-python/keystonemiddleware-1.5.0[${PYTHON_USEDEP}]
-	<dev-python/keystonemiddleware-1.6.0[${PYTHON_USEDEP}]
-	>=dev-python/lxml-2.3[${PYTHON_USEDEP}]
-	>=dev-python/routes-1.12.3-r1[${PYTHON_USEDEP}]
-	!~dev-python/routes-2.0[${PYTHON_USEDEP}]
-	>=dev-python/webob-1.2.3[${PYTHON_USEDEP}]
-	>=dev-python/greenlet-0.3.2[${PYTHON_USEDEP}]
-	>=dev-python/pastedeploy-1.5.0-r1[${PYTHON_USEDEP}]
-	dev-python/paste[${PYTHON_USEDEP}]
-	>=dev-python/sqlalchemy-migrate-0.9.5[${PYTHON_USEDEP}]
-	!~dev-python/sqlalchemy-migrate-0.9.8[${PYTHON_USEDEP}]
-	<dev-python/sqlalchemy-migrate-0.10.0[${PYTHON_USEDEP}]
-	>=dev-python/netaddr-0.7.12[${PYTHON_USEDEP}]
-	>=dev-python/paramiko-1.13.0[${PYTHON_USEDEP}]
-	dev-python/pyasn1[${PYTHON_USEDEP}]
-	>=dev-python/Babel-1.3[${PYTHON_USEDEP}]
-	>=dev-python/iso8601-0.1.9[${PYTHON_USEDEP}]
-	>=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}]
-	<dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
-	>=dev-python/python-cinderclient-1.1.0[${PYTHON_USEDEP}]
-	<dev-python/python-cinderclient-1.2.0[${PYTHON_USEDEP}]
-	>=dev-python/python-neutronclient-2.4.0[${PYTHON_USEDEP}]
-	<dev-python/python-neutronclient-2.5.0[${PYTHON_USEDEP}]
-	>=dev-python/python-glanceclient-0.15.0[${PYTHON_USEDEP}]
-	<dev-python/python-glanceclient-0.18.0[${PYTHON_USEDEP}]
-	>=dev-python/python-barbicanclient-3.0.1[${PYTHON_USEDEP}]
-	<dev-python/python-barbicanclient-3.1.0[${PYTHON_USEDEP}]
-	>=dev-python/six-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/stevedore-1.3.0[${PYTHON_USEDEP}]
-	<dev-python/stevedore-1.4.0[${PYTHON_USEDEP}]
-	>=dev-python/websockify-0.6.0[${PYTHON_USEDEP}]
-	<dev-python/websockify-0.7.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-concurrency-1.8.2[${PYTHON_USEDEP}]
-	<dev-python/oslo-concurrency-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-config-1.9.3[${PYTHON_USEDEP}]
-	<dev-python/oslo-config-1.10.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-context-0.2.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-context-0.3.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-log-1.0.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-log-1.1.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-serialization-1.4.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-serialization-1.5.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-utils-1.4.0[${PYTHON_USEDEP}]
-	!~dev-python/oslo-utils-1.4.1[${PYTHON_USEDEP}]
-	<dev-python/oslo-utils-1.5.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-db-1.7.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-db-1.8.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-rootwrap-1.6.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-rootwrap-1.7.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-messaging-1.8.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-messaging-1.9.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-i18n-1.5.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-i18n-1.6.0[${PYTHON_USEDEP}]
-	>=dev-python/rfc3986-0.2.0[${PYTHON_USEDEP}]
-	>=dev-python/oslo-middleware-1.0.0[${PYTHON_USEDEP}]
-	<dev-python/oslo-middleware-1.1.0[${PYTHON_USEDEP}]
-	>=dev-python/psutil-1.1.1[${PYTHON_USEDEP}]
-	<dev-python/psutil-2.0.0[${PYTHON_USEDEP}]
-	dev-python/libvirt-python[${PYTHON_USEDEP}]
-	app-emulation/libvirt[iscsi?]
-	novncproxy? ( www-apps/novnc )
-	sys-apps/iproute2
-	openvswitch? ( net-misc/openvswitch )
-	rabbitmq? ( net-misc/rabbitmq-server )
-	memcached? ( net-misc/memcached
-	dev-python/python-memcached )
-	sys-fs/sysfsutils
-	sys-fs/multipath-tools
-	net-misc/bridge-utils
-	compute? (
-		app-cdr/cdrkit
-		kvm? ( app-emulation/qemu )
-		xen? ( app-emulation/xen
-			   app-emulation/xen-tools )
-	)
-	iscsi? (
-		sys-fs/lsscsi
-		>=sys-block/open-iscsi-2.0.872-r3
-	)"
-
-PATCHES=(
-)
-
-pkg_setup() {
-	linux-info_pkg_setup
-	CONFIG_CHECK_MODULES="BLK_DEV_NBD VHOST_NET IP6_NF_FILTER IP6_NF_IPTABLES IP_NF_TARGET_REJECT \
-	IP_NF_MANGLE IP_NF_TARGET_MASQUERADE NF_NAT_IPV4 IP_NF_FILTER IP_NF_IPTABLES \
-	NF_CONNTRACK_IPV4 NF_DEFRAG_IPV4 NF_NAT_IPV4 NF_NAT NF_CONNTRACK NETFILTER_XTABLES \
-	ISCSI_TCP SCSI_DH DM_MULTIPATH DM_SNAPSHOT"
-	if linux_config_exists; then
-		for module in ${CONFIG_CHECK_MODULES}; do
-			linux_chkconfig_present ${module} || ewarn "${module} needs to be enabled in kernel"
-		done
-	fi
-	enewgroup nova
-	enewuser nova -1 -1 /var/lib/nova nova
-}
-
-python_prepare_all() {
-	sed -i '/^hacking/d' test-requirements.txt || die
-	sed -i 's/python/python2\.7/g' tools/config/generate_sample.sh || die
-	distutils-r1_python_prepare_all
-}
-
-python_compile() {
-	distutils-r1_python_compile
-	./tools/config/generate_sample.sh -b ./ -p nova -o etc/nova || die
-}
-
-python_test() {
-	testr init
-	testr run --parallel || die "failed testsuite under python2.7"
-}
-
-python_install() {
-	distutils-r1_python_install
-
-	if use !compute-only; then
-		for svc in api cert conductor consoleauth network scheduler spicehtml5proxy xvpvncproxy; do
-			newinitd "${FILESDIR}/nova.initd" "nova-${svc}"
-		done
-	fi
-	use compute && newinitd "${FILESDIR}/nova.initd" "nova-compute"
-	use novncproxy && newinitd "${FILESDIR}/nova.initd" "nova-novncproxy"
-
-	diropts -m 0750 -o nova -g qemu
-	dodir /var/log/nova /var/lib/nova/instances
-	diropts -m 0750 -o nova -g nova
-
-	insinto /etc/nova
-	insopts -m 0640 -o nova -g nova
-	newins "etc/nova/nova.conf.sample" "nova.conf"
-	doins "etc/nova/api-paste.ini"
-	doins "etc/nova/logging_sample.conf"
-	doins "etc/nova/policy.json"
-	doins "etc/nova/rootwrap.conf"
-	#rootwrap filters
-	insinto /etc/nova/rootwrap.d
-	doins "etc/nova/rootwrap.d/api-metadata.filters"
-	doins "etc/nova/rootwrap.d/compute.filters"
-	doins "etc/nova/rootwrap.d/network.filters"
-	#copy migration conf file (not coppied on install via setup.py script)
-	insopts -m 0644
-	insinto /usr/$(get_libdir)/python2.7/site-packages/nova/db/sqlalchemy/migrate_repo/
-	doins "nova/db/sqlalchemy/migrate_repo/migrate.cfg"
-	#copy the CA cert dir (not coppied on install via setup.py script)
-	cp -R "${S}/nova/CA" "${D}/usr/$(get_libdir)/python2.7/site-packages/nova/" || die "installing CA files failed"
-
-	#add sudoers definitions for user nova
-	insinto /etc/sudoers.d/
-	insopts -m 0600 -o root -g root
-	doins "${FILESDIR}/nova-sudoers"
-
-	if use iscsi ; then
-		# Install udev rules for handle iscsi disk with right links under /dev
-		udev_newrules "${FILESDIR}/openstack-scsi-disk.rules" 60-openstack-scsi-disk.rules
-
-		insinto /etc/nova/
-		doins "${FILESDIR}/scsi-openscsi-link.sh"
-	fi
-}
-
-pkg_postinst() {
-	if use iscsi ; then
-		elog "iscsid needs to be running if you want cinder to connect"
-	fi
-}



* [gentoo-commits] repo/gentoo:master commit in: sys-cluster/nova/, sys-cluster/nova/files/
@ 2016-01-07 20:24 Matt Thode
  0 siblings, 0 replies; 4+ messages in thread
From: Matt Thode @ 2016-01-07 20:24 UTC (permalink / raw
  To: gentoo-commits

commit:     328a6928c0d64686c5fabea981bae532f90b1144
Author:     Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
AuthorDate: Thu Jan  7 20:23:21 2016 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Thu Jan  7 20:23:58 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=328a6928

sys-cluster/nova: fixing bug 571184 and bug 571198

Package-Manager: portage-2.2.26

 .../files/cve-2015-7548-stable-liberty-0004.patch  | 132 +++++++++++++++++++++
 ...nova-12.0.0-r1.ebuild => nova-12.0.0-r2.ebuild} |   1 +
 2 files changed, 133 insertions(+)

diff --git a/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0004.patch b/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0004.patch
new file mode 100644
index 0000000..113e9f4
--- /dev/null
+++ b/sys-cluster/nova/files/cve-2015-7548-stable-liberty-0004.patch
@@ -0,0 +1,132 @@
+From cf197ec2d682fb4da777df2291ca7ef101f73b77 Mon Sep 17 00:00:00 2001
+From: Matt Riedemann <mriedem@us.ibm.com>
+Date: Mon, 16 Nov 2015 13:11:09 -0800
+Subject: xen: mask passwords in volume connection_data dict
+
+The connection_data dict can have credentials in it, so we need to scrub
+those before putting the stringified dict into the StorageError message
+and raising that up and when logging the dict.
+
+Note that strutils.mask_password converts the dict to a string using
+six.text_type so we don't have to do that conversion first.
+
+SecurityImpact
+
+Change-Id: Ic5f4d4c26794550a92481bf2b725ef5eafa581b2
+Closes-Bug: #1516765
+(cherry picked from commit 8b289237ed6d53738c22878decf0c429301cf3d0)
+---
+ nova/tests/unit/virt/xenapi/test_volume_utils.py | 16 ++++++++++++++--
+ nova/tests/unit/virt/xenapi/test_volumeops.py    | 16 ++++++++++++++++
+ nova/virt/xenapi/volume_utils.py                 |  3 ++-
+ nova/virt/xenapi/volumeops.py                    |  6 +++++-
+ 4 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/nova/tests/unit/virt/xenapi/test_volume_utils.py b/nova/tests/unit/virt/xenapi/test_volume_utils.py
+index 6bd80b0..d08eede 100644
+--- a/nova/tests/unit/virt/xenapi/test_volume_utils.py
++++ b/nova/tests/unit/virt/xenapi/test_volume_utils.py
+@@ -165,14 +165,26 @@ class ParseVolumeInfoTestCase(stubs.XenAPITestBaseNoDB):
+                          'target_lun': None,
+                          'auth_method': 'CHAP',
+                          'auth_username': 'username',
+-                         'auth_password': 'password'}}
++                         'auth_password': 'verybadpass'}}
+ 
+     def test_parse_volume_info_parsing_auth_details(self):
+         conn_info = self._make_connection_info()
+         result = volume_utils._parse_volume_info(conn_info['data'])
+ 
+         self.assertEqual('username', result['chapuser'])
+-        self.assertEqual('password', result['chappassword'])
++        self.assertEqual('verybadpass', result['chappassword'])
++
++    def test_parse_volume_info_missing_details(self):
++        # Tests that a StorageError is raised if volume_id, target_host, or
++        # target_ign is missing from connection_data. Also ensures that the
++        # auth_password value is not present in the StorageError message.
++        for data_key_to_null in ('volume_id', 'target_portal', 'target_iqn'):
++            conn_info = self._make_connection_info()
++            conn_info['data'][data_key_to_null] = None
++            ex = self.assertRaises(exception.StorageError,
++                                   volume_utils._parse_volume_info,
++                                   conn_info['data'])
++            self.assertNotIn('verybadpass', six.text_type(ex))
+ 
+     def test_get_device_number_raise_exception_on_wrong_mountpoint(self):
+         self.assertRaises(
+diff --git a/nova/tests/unit/virt/xenapi/test_volumeops.py b/nova/tests/unit/virt/xenapi/test_volumeops.py
+index 0e840bb..58c3fa5 100644
+--- a/nova/tests/unit/virt/xenapi/test_volumeops.py
++++ b/nova/tests/unit/virt/xenapi/test_volumeops.py
+@@ -381,6 +381,22 @@ class AttachVolumeTestCase(VolumeOpsTestBase):
+         mock_intro.assert_called_once_with(self.session, "sr",
+                                            target_lun="lun")
+ 
++    @mock.patch.object(volume_utils, "introduce_vdi")
++    @mock.patch.object(volumeops.LOG, 'debug')
++    def test_connect_hypervisor_to_volume_mask_password(self, mock_debug,
++                                                        mock_intro):
++        # Tests that the connection_data is scrubbed before logging.
++        data = {'auth_password': 'verybadpass'}
++        self.ops._connect_hypervisor_to_volume("sr", data)
++        self.assertTrue(mock_debug.called, 'LOG.debug was not called')
++        password_logged = False
++        for call in mock_debug.call_args_list:
++            # The call object is a tuple of (args, kwargs)
++            if 'verybadpass' in call[0]:
++                password_logged = True
++                break
++        self.assertFalse(password_logged, 'connection_data was not scrubbed')
++
+     @mock.patch.object(vm_utils, "is_vm_shutdown")
+     @mock.patch.object(vm_utils, "create_vbd")
+     def test_attach_volume_to_vm_plug(self, mock_vbd, mock_shutdown):
+diff --git a/nova/virt/xenapi/volume_utils.py b/nova/virt/xenapi/volume_utils.py
+index c7bfe32..af47e26 100644
+--- a/nova/virt/xenapi/volume_utils.py
++++ b/nova/virt/xenapi/volume_utils.py
+@@ -24,6 +24,7 @@ import string
+ from eventlet import greenthread
+ from oslo_config import cfg
+ from oslo_log import log as logging
++from oslo_utils import strutils
+ 
+ from nova import exception
+ from nova.i18n import _, _LE, _LW
+@@ -84,7 +85,7 @@ def _parse_volume_info(connection_data):
+             target_iqn is None):
+         raise exception.StorageError(
+                 reason=_('Unable to obtain target information %s') %
+-                        connection_data)
++                        strutils.mask_password(connection_data))
+     volume_info = {}
+     volume_info['id'] = volume_id
+     volume_info['target'] = target_host
+diff --git a/nova/virt/xenapi/volumeops.py b/nova/virt/xenapi/volumeops.py
+index f816853..b9e73e2 100644
+--- a/nova/virt/xenapi/volumeops.py
++++ b/nova/virt/xenapi/volumeops.py
+@@ -19,6 +19,7 @@ Management class for Storage-related functions (attach, detach, etc).
+ 
+ from oslo_log import log as logging
+ from oslo_utils import excutils
++from oslo_utils import strutils
+ 
+ from nova import exception
+ from nova.i18n import _LI, _LW
+@@ -91,7 +92,10 @@ class VolumeOps(object):
+         return (sr_ref, sr_uuid)
+ 
+     def _connect_hypervisor_to_volume(self, sr_ref, connection_data):
+-        LOG.debug("Connect volume to hypervisor: %s", connection_data)
++        # connection_data can have credentials in it so make sure to scrub
++        # those before logging.
++        LOG.debug("Connect volume to hypervisor: %s",
++                  strutils.mask_password(connection_data))
+         if 'vdi_uuid' in connection_data:
+             vdi_ref = volume_utils.introduce_vdi(
+                     self._session, sr_ref,
+-- 
+cgit v0.11.2
+
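Review bot: The new test_connect_hypervisor_to_volume_mask_password cannot fail on a regression, because `'verybadpass' in call[0]` tests membership in the args tuple (element equality) rather than a substring match against the logged text. If the unmasked dict were passed to LOG.debug again, the tuple would hold the format string and a dict, neither of which equals 'verybadpass', so password_logged would stay False and the test would still pass. Checking the stringified arguments would pin the masking, e.g. `if any('verybadpass' in str(arg) for arg in call[0]):`. The comment in test_parse_volume_info_missing_details also names target_host and target_ign while the loop nulls target_portal and target_iqn; it should read `# Tests that a StorageError is raised if volume_id, target_portal, or target_iqn is missing`.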

diff --git a/sys-cluster/nova/nova-12.0.0-r1.ebuild b/sys-cluster/nova/nova-12.0.0-r2.ebuild
similarity index 99%
rename from sys-cluster/nova/nova-12.0.0-r1.ebuild
rename to sys-cluster/nova/nova-12.0.0-r2.ebuild
index 2ad958e..19b4011 100644
--- a/sys-cluster/nova/nova-12.0.0-r1.ebuild
+++ b/sys-cluster/nova/nova-12.0.0-r2.ebuild
@@ -212,6 +212,7 @@ PATCHES=(
 	"${FILESDIR}"/cve-2015-7548-stable-liberty-0001.patch
 	"${FILESDIR}"/cve-2015-7548-stable-liberty-0002.patch
 	"${FILESDIR}"/cve-2015-7548-stable-liberty-0003.patch
+	"${FILESDIR}"/cve-2015-7548-stable-liberty-0004.patch
 )
 
 pkg_setup() {



* [gentoo-commits] repo/gentoo:master commit in: sys-cluster/nova/, sys-cluster/nova/files/
@ 2016-11-29  0:47 Matt Thode
  0 siblings, 0 replies; 4+ messages in thread
From: Matt Thode @ 2016-11-29  0:47 UTC (permalink / raw
  To: gentoo-commits

commit:     da2296468021ed90ac06a686a693c3dbbca381c8
Author:     Matthew Thode <prometheanfire <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 29 00:45:37 2016 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Tue Nov 29 00:47:13 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da229646

sys-cluster/nova: switch to cdrtools for bug 591784

Package-Manager: portage-2.3.0

 sys-cluster/nova/files/nova-compute.conf |  2 ++
 sys-cluster/nova/files/nova.initd        | 11 ++++++++---
 sys-cluster/nova/nova-2016.1.9999.ebuild |  3 ++-
 sys-cluster/nova/nova-2016.2.9999.ebuild |  3 ++-
 4 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/sys-cluster/nova/files/nova-compute.conf b/sys-cluster/nova/files/nova-compute.conf
new file mode 100644
index 00000000..b006794
--- /dev/null
+++ b/sys-cluster/nova/files/nova-compute.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+mkisofs_cmd = /usr/bin/mkisofs

diff --git a/sys-cluster/nova/files/nova.initd b/sys-cluster/nova/files/nova.initd
index e259fd9..a1ba549 100644
--- a/sys-cluster/nova/files/nova.initd
+++ b/sys-cluster/nova/files/nova.initd
@@ -1,5 +1,5 @@
 #!/sbin/openrc-run
-# Copyright 1999-2014 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
 description="Starts ${SVCNAME} service for OpenStack"
@@ -8,10 +8,15 @@ command=/usr/bin/${SVCNAME}
 command_background=yes
 pidfile=/var/run/nova/${SVCNAME}.pid
 required_files=/etc/nova/nova.conf
-start_stop_daemon_args="--quiet --user ${NOVA_USER:-nova}"
+start_stop_daemon_args="--quiet --user ${NOVA_USER:-nova} --config-file /etc/nova/nova.conf"
+if [[ "$SVCNAME" == nova-compute ]]; then
+	required_files="${required_files} /etc/nova/nova-compute.conf"
+	start_stop_daemon_args="${start_stop_daemon_args} --config-file /etc/nova/nova-compute.conf"
+fi
+
 
 depend() {
-    need net 
+	use net
 }
 
 start_pre() {
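Review bot: The `--config-file` options are appended to `start_stop_daemon_args`, which OpenRC passes to start-stop-daemon itself rather than to the nova binary. Unless something outside this hunk forwards them, they probably belong in `command_args`, e.g. `command_args="--config-file /etc/nova/nova.conf"`, with the nova-compute branch appending to the same variable. The added `if [[ "$SVCNAME" == nova-compute ]]; then` is a bashism in an `#!/sbin/openrc-run` script, which is interpreted by a POSIX shell; `if [ "${SVCNAME}" = nova-compute ]; then` is the portable form. In depend(), changing `need net` to `use net` means the service no longer requires a net service to be started first, which deserves a one-line comment if that is intended.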

diff --git a/sys-cluster/nova/nova-2016.1.9999.ebuild b/sys-cluster/nova/nova-2016.1.9999.ebuild
index 1c02b05..d9b2ff6 100644
--- a/sys-cluster/nova/nova-2016.1.9999.ebuild
+++ b/sys-cluster/nova/nova-2016.1.9999.ebuild
@@ -120,7 +120,7 @@ RDEPEND="
 	sys-fs/multipath-tools
 	net-misc/bridge-utils
 	compute? (
-		app-cdr/cdrkit
+		app-cdr/cdrtools
 		sys-fs/dosfstools
 		app-emulation/qemu
 	)
@@ -170,6 +170,7 @@ python_install() {
 	insinto /etc/nova
 	insopts -m 0640 -o nova -g nova
 	newins "${DISTDIR}/mitaka-nova.conf.sample" "nova.conf.sample"
+	doins "${FILESDIR}/nova-compute.conf"
 	doins "${S}/etc/nova/"*
 	#rootwrap filters
 	insopts -m 0644

diff --git a/sys-cluster/nova/nova-2016.2.9999.ebuild b/sys-cluster/nova/nova-2016.2.9999.ebuild
index 27e0b1f..59fded1 100644
--- a/sys-cluster/nova/nova-2016.2.9999.ebuild
+++ b/sys-cluster/nova/nova-2016.2.9999.ebuild
@@ -132,7 +132,7 @@ RDEPEND="
 	sys-fs/multipath-tools
 	net-misc/bridge-utils
 	compute? (
-		app-cdr/cdrkit
+		app-cdr/cdrtools
 		sys-fs/dosfstools
 		app-emulation/qemu
 	)
@@ -182,6 +182,7 @@ python_install() {
 	insinto /etc/nova
 	insopts -m 0640 -o nova -g nova
 	newins "${DISTDIR}/newton-nova.conf.sample" "nova.conf.sample"
+	doins "${FILESDIR}/nova-compute.conf"
 	doins "${S}/etc/nova/"*
 	#rootwrap filters
 	insopts -m 0644


