NFS driver: Fix driver fails to verify virtual size for Glance with Cinder/NFS

Glance images stored in Cinder with NFS as backend are sized in
the Cinder database to match the data size of the Image-volume
instead of the virtual_size. This prevents storage
resources from being unnecessarily allocated, but may also result in
errors in operations that require checking for volume size
consistency.

Such checks aim to prevent users from extending NFS volumes
from within the virtual machine and outside of Cinder scope, by
comparing the virtual size of the NFS image with its size stored
in Cinder's database.

This patch changes how volume size is verified to fail only when
a volume virtual size has been extended in size instead of trying
to verify the exact size in bytes.

Closes-Bug: #2073146
Change-Id: I5c2216b72dda6bb3316ef30b352a6a8efe3a0429
Signed-off-by: Fernando Ferraz Silva <fesilva@redhat.com>
Fernando Ferraz
2025-06-24 16:05:56 -03:00
parent d961d3c889
commit c68475a3d0
2 changed files with 15 additions and 4 deletions


@@ -16,6 +16,7 @@
import binascii
import errno
import math
import os
import tempfile
import time
@@ -170,13 +171,16 @@ class NfsDriver(remotefs.RemoteFSSnapDriverDistributed):
if info.file_format not in ['raw', 'qcow2']:
msg = _('nfs volume must be a valid raw or qcow2 image.')
raise exception.InvalidVolume(reason=msg)
# Test if the size is accurate or if something tried to modify it
if info.virtual_size != volume.size * units.Gi:
virtual_size_gb = int(math.ceil(float(info.virtual_size) / units.Gi))
# Checks if the virtual size has been modified by any source other
# than the Cinder service. This prevents users from attaching a volume
# which virtual size has been extended from inside a virtual machine,
# by writing a modified qcow2 image to its block device.
if virtual_size_gb > volume.size:
LOG.error('The volume virtual_size does not match the size in '
'cinder, aborting as we suspect an exploit. '
'Virtual Size is %(vsize)s and real size is %(size)s',
{'vsize': info.virtual_size, 'size': volume.size})
{'vsize': virtual_size_gb, 'size': volume.size})
msg = _('The volume virtual_size does not match the size in '
'cinder, aborting as we suspect an exploit.')
raise exception.InvalidVolume(reason=msg)
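Review bot: The new condition `virtual_size_gb > volume.size` goes through `float()` and `math.ceil()`, but for an integer `volume.size` the byte comparison `info.virtual_size > volume.size * units.Gi` gives the same result with no float conversion and would make the new `import math` unnecessary. The log and exception text still say the virtual size "does not match" although only a larger virtual size is now rejected, and the logged `vsize` changes from bytes to rounded GiB without naming the unit; consider wording such as "exceeds the size in cinder" and logging the exact byte value next to the GiB figure. With only two files changed, no unit test covers the case this fix is meant to allow (virtual size smaller than the Cinder size) or the case it must still reject.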


@@ -0,0 +1,7 @@
---
fixes:
- |
NFS Driver `bug #2073146
<https://bugs.launchpad.net/cinder/+bug/2073146>`_: Fixed
volume create failing if source image is stored in
Glance using Cinder/NFS as store.
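Review bot: The release note mentions only the volume-create failure and does not say that the NFS driver's size check now rejects a volume only when its virtual size is larger than the size recorded in Cinder. Since that check exists to catch images resized from inside a guest, add a sentence stating that smaller virtual sizes are now accepted, so operators know the check was relaxed and not removed.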