Ubuntu
nova package

unnecessary dep: nova-api -> nova-cert

Bug #965356 reported by Soren Hansen
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nova (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

nova-cert and nova-api don't need to run on the same machine.

In fact, doing so means you keep certificates on a publically exposed system, which is never a good idea.

Furthermore, there's no guarantee at all that reqeusts from nova-api to nova-cert will reach the cert server on the same host as it goes through the message queue, so if you have N nova-api servers, only one in every N requests to the cert service from nova-api will work.

If there's some reason these need to reside on the same system, that's a bug that should be filed against Nova. I know of no such bug.

Related branches

lp:~openstack-ubuntu-testing/nova/precise-essex-proposed
Chuck Short: Pending requested
Diff: 56 lines (+14/-4)
3 files modified
debian/changelog (+8/-0)
debian/control (+6/-3)
debian/nova-console.install (+0/-1)
lp:ubuntu/precise/nova
lp:~openstack-ubuntu-testing/nova/raring-grizzly

CVE References

Adam Gandelman (gandelman-a)
Changed in nova (Ubuntu):
status: New → Confirmed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1~rc2-0ubuntu1

---------------
nova (2012.1~rc2-0ubuntu1) precise; urgency=low

  [ Adam Gandelman ]
  * debian/control: Remove unncessary nova-cert dependency from nova-api.
    (LP: #965356)
  * debian/nova-common.postinst: Clean up spacing, remove redundant chown,
    set blanket 0700 nova.nova permissions on /etc/nova/
  * debian/nova-compute-{kvm, lxc, uml, xen}.postinst: Set proper permissions
    on /etc/nova/nova-compute.conf (LP: #861459)
  * debian/nova-common.postinst: Ensure default nova.sqlite database is not
    world-readable.
  * debian/{rules, nova-common.{install, postinst}}: Install api-paste.ini 0600
    with nova-common (in prepartion for proper nova-api-* package separation)
  * debian/{nova-common.nova-manage.logrotate,
    nova-network.nova-dhcpbridge.logrotate, rules}: Add lograte files,
    override_dh_installlogrotate. (LP: #942646)
  * Add manpage stubs for nova-api-ec2, nova-api-metadata,
    nova-api-os-{volume, compute}, nova-rootwrap. Use sphinx built manpage
    for nova-manage (nova-common.manpages)
  * debian/nova-compute-{kvm, xen, uml, qemu}.postinst: Remove calls to
    adduser since this is already handled from nova-compute.postsinst in a
    vendor neutral way. Silences lintian errors regarding adduser dependency

  [ Chuck Short ]
  * New upstream version.
  * debian/patches/libvirt-use-console-pipe.patch: Dropped.
  * debian/patches/nova-console-monitor.patch: Add console-monitor
    option.
  * debian/nova.conf: Enable use_console_monitor
  * debian/patches/fix-ubuntu-tests.patch: Fix nova testsuite.
  * debian/rules: fail package build if testsuite fails.
  * debian/patches/validate_server_name_length.patch: Dropped no longer
    needed.
  * debian/patches/fix-docs-build-without-network.patch: Some docs need
    a network connection in order to build. Disable fetching docs from
    the internet.
  * debian/patches/0001-fix-useexisting-deprecation-warnings.patch:
    Remove deprecated warnings with sqlalchemy.

  [ Tyler Hicks ]
  * SECURITY UPDATE: Denial of service via resource exhaustion in nova-api
    (LP: #968411)
    - debian/patches/validate_server_name_length.patch: Limit server names
      to a maximum of 255 characters to prevent nova-api log files from
      exhausting storage space. Based on upstream patch.
    - CVE-2012-1585
 -- Chuck Short <email address hidden> Mon, 02 Apr 2012 11:17:33 -0400

Changed in nova (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.