On discussing with Dan Smith, the related denial of service condition described in this report has been a known risk since the introduction of the feature and generally falls below the threshold for broad publication in an advisory. The related fixes merged back as far as stable/pike will mitigate it (or can be tuned to greater extremes to do so if necessary) and are accompanied by a security release note. Since this report is already public, I'm going to mark this as a security hardening opportunity (class D in our VMT report taxonomy[*]) with no OSSA task needed. If there is a strong objection that an advisory is needed, then we can revisit publishing one.
[*] https://security.openstack.org/vmt-process.html#incident-report-taxonomy

** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Tags added: security

https://bugs.launchpad.net/bugs/1742102

Title:
  Simple user can disable compute

Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Compute (nova) pike series:
  New
Status in OpenStack Compute (nova) queens series:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Hi,

  When I tested a fresh deploy of Pike, I created a private network with a little subnet like /28. If you try to create a lot of new instances, nova fails because it doesn't have a free IP for the creation of new instances.

  The failure trace is https://thepasteb.in/p/zmh8qDG2ZYJIZ

  So after that, the trigger consecutive_build_service_disable_threshold goes up to 10 very fast and the computes are disabled.

