Browse Source

Merge "Reject bad img formats for uploaded encrypted vols"

changes/93/804293/2
Zuul 4 months ago committed by Gerrit Code Review
parent
commit
938463e36c
  1. 14
      api-ref/source/v3/parameters.yaml
  2. 4
      api-ref/source/v3/volumes-v3-volumes-actions.inc
  3. 8
      cinder/api/contrib/volume_actions.py
  4. 32
      cinder/tests/unit/api/contrib/test_volume_actions.py
  5. 12
      releasenotes/notes/bug-193688-bb045badcd5aecad.yaml

14
api-ref/source/v3/parameters.yaml

@ -874,6 +874,13 @@ container_format:
in: body
required: false
type: string
container_format_upload:
description: |
Container format for the new image. Default is bare. (Note: Volumes
of an encrypted volume type must use a bare container format.)
in: body
required: false
type: string
control_location:
description: |
Notional service where encryption is performed. Valid values are
@ -1121,6 +1128,13 @@ disk_format:
in: body
required: false
type: string
disk_format_upload:
description: |
Disk format for the new image. Default is raw. (Note: volumes of an
encrypted volume type can only be uploaded in raw format.)
in: body
required: false
type: string
display_name:
description: |
The name of volume backend capabilities.

4
api-ref/source/v3/volumes-v3-volumes-actions.inc

@ -699,8 +699,8 @@ Request
- os-volume_upload_image: os-volume_upload_image
- image_name: image_name
- force: force_upload_vol
- disk_format: disk_format
- container_format: container_format
- disk_format: disk_format_upload
- container_format: container_format_upload
- visibility: visibility_min
- protected: protected

8
cinder/api/contrib/volume_actions.py

@ -217,6 +217,14 @@ class VolumeActionsController(wsgi.Controller):
"name": params["image_name"]}
if volume.encryption_key_id:
# encrypted volumes cannot be converted on upload
if (image_metadata['disk_format'] != 'raw'
or image_metadata['container_format'] != 'bare'):
msg = _("An encrypted volume uploaded as an image must use "
"'raw' disk_format and 'bare' container_format, "
"which are the defaults for these options.")
raise webob.exc.HTTPBadRequest(explanation=msg)
# Clone volume encryption key: the current key cannot
# be reused because it will be deleted when the volume is
# deleted.

32
cinder/tests/unit/api/contrib/test_volume_actions.py

@ -1003,6 +1003,38 @@ class VolumeImageActionsTest(test.TestCase):
id,
body=body)
@mock.patch.object(volume_api.API, 'get', fake_volume_get_obj)
def test_copy_volume_to_image_bad_disk_format_for_encrypted_vol(self):
id = ENCRYPTED_VOLUME_ID
vol = {"container_format": 'bare',
"disk_format": 'qcow2',
"image_name": 'image_name',
"force": True}
body = {"os-volume_upload_image": vol}
req = fakes.HTTPRequest.blank('/v3/%s/volumes/%s/action'
% (fake.PROJECT_ID, id))
self.assertRaises(webob.exc.HTTPBadRequest,
self.controller._volume_upload_image,
req,
id,
body=body)
@mock.patch.object(volume_api.API, 'get', fake_volume_get_obj)
def test_copy_volume_to_image_bad_container_format_for_encrypted_vol(self):
id = ENCRYPTED_VOLUME_ID
vol = {"container_format": 'ovf',
"disk_format": 'raw',
"image_name": 'image_name',
"force": True}
body = {"os-volume_upload_image": vol}
req = fakes.HTTPRequest.blank('/v3/%s/volumes/%s/action'
% (fake.PROJECT_ID, id))
self.assertRaises(webob.exc.HTTPBadRequest,
self.controller._volume_upload_image,
req,
id,
body=body)
@mock.patch.object(volume_api.API, "copy_volume_to_image")
def test_copy_volume_to_image_disk_format_ploop(self,
mock_copy_to_image):

12
releasenotes/notes/bug-193688-bb045badcd5aecad.yaml

@ -0,0 +1,12 @@
---
fixes:
- |
`Bug #1935688 <https://bugs.launchpad.net/cinder/+bug/1935688>`_:
Cinder only supports uploading a volume of an encrypted volume type as an
image to the Image service in ``raw`` format using a ``bare`` container
type. Previously, ``os-volume_upload_image`` action requests to the Block
Storage API specifying different format option values were accepted, but
would result in a later failure. This condition is now checked at the API
layer, and ``os-volume_upload_image`` action requests on a volume of an
encrypted type that specify unsupported values for ``disk_format`` or
``container_format`` now result in a 400 (Bad Request) response.
Loading…
Cancel
Save