)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"6b38e696b685d7ad8c75db59f12411e923473155","unresolved":false,"context_lines":[{"line_number":10,"context_line":"implemented the metadata cleanup during interface detach made an"},{"line_number":11,"context_line":"assumption that metadata only exists if the detached vif has tags."},{"line_number":12,"context_line":"However metadata exists for vif with vlan information as well. In such"},{"line_number":13,"context_line":"case the metadata is leaked during interface attach. This patch removes"},{"line_number":14,"context_line":"this assumption from the detach code path."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[1] https://review.opendev.org/#/c/415520"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"bf51134e_b8f187e1","line":13,"range":{"start_line":13,"start_character":45,"end_line":13,"end_character":51},"updated":"2020-07-22 14:57:18.000000000","message":"Oh, I think you mean \"detach\" here?","commit_id":"26ba771b45519c441bef0dce9d2302d6e7ca9ed9"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"42ed8028df172bb72623216b2873f8d2b39db961","unresolved":false,"context_lines":[{"line_number":10,"context_line":"implemented the metadata cleanup during interface detach made an"},{"line_number":11,"context_line":"assumption that metadata only exists if the detached vif has tags."},{"line_number":12,"context_line":"However metadata exists for vif with vlan information as well. In such"},{"line_number":13,"context_line":"case the metadata is leaked during interface attach. 
This patch removes"},{"line_number":14,"context_line":"this assumption from the detach code path."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"[1] https://review.opendev.org/#/c/415520"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"9f560f44_293a14cb","line":13,"range":{"start_line":13,"start_character":45,"end_line":13,"end_character":51},"in_reply_to":"bf51134e_b8f187e1","updated":"2020-08-03 11:58:55.000000000","message":"Done","commit_id":"26ba771b45519c441bef0dce9d2302d6e7ca9ed9"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"20c4b03bbb3d71bc179a6f7e16a1f204ad2e1d89","unresolved":false,"context_lines":[{"line_number":9,"context_line":"When the blueprint virt-device-tagged-attach-detach [1] was"},{"line_number":10,"context_line":"implemented the metadata cleanup during interface detach made an"},{"line_number":11,"context_line":"assumption that metadata only exists if the detached vif has tags."},{"line_number":12,"context_line":"However metadata exists for vif with vlan information as well. In such"},{"line_number":13,"context_line":"case the metadata is leaked during interface detach. This patch removes"},{"line_number":14,"context_line":"this assumption from the detach code path."},{"line_number":15,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":3,"id":"9f560f44_0838e13a","line":12,"range":{"start_line":12,"start_character":36,"end_line":12,"end_character":61},"updated":"2020-08-04 00:19:17.000000000","message":"this happens in 2 cases\n\n1 the ligitimat case of vlan waware vms where we report the vlan info fo rthe turnk ports in the metadata service so that guest can create the vlan subports themselves\n\n2 the hack for allowing vm with sriov direct-physical network to connect to vlan networks. we really should never have allowed that but we did. 
in that case since nova can\u0027t enforce any vlan isolation or configure the PF to connect to a vlan we simply report the vlan id of the neutron network to the vm via the metadata service. if you do not have a hierarchical port binding driver that configures the top of rack switch dynamically to restrict the vlans the pf can generate, it can bypass tenant isolation, so this is a security risk in practice and is why the direct-physical vnic type is often disabled in public clouds among other reasons.\nsuch as no ability to cold migrate, live migrate or shelve/unshelve. we currently don\u0027t block those operations but they will all fail either silently (and look like they worked) or visibly with a traceback.","commit_id":"31b855d654bf7663f5d78420291786aac62fed62"}],"nova/network/neutron.py":[{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"6b332f015f0584ca7b17cf73163377e6cf606285","unresolved":false,"context_lines":[{"line_number":1785,"context_line":"        return self.get_instance_nw_info(context, instance), port_allocation"},{"line_number":1786,"context_line":""},{"line_number":1787,"context_line":"    def _delete_nic_metadata(self, instance, vif):"},{"line_number":1788,"context_line":"        if not instance.device_metadata:"},{"line_number":1789,"context_line":"            # nothing to delete"},{"line_number":1790,"context_line":"            return"},{"line_number":1791,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"bf51134e_b8906798","line":1788,"updated":"2020-07-22 14:53:29.000000000","message":"nit: I\u0027d have put this above L1754","commit_id":"26ba771b45519c441bef0dce9d2302d6e7ca9ed9"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"42ed8028df172bb72623216b2873f8d2b39db961","unresolved":false,"context_lines":[{"line_number":1785,"context_line":"        return 
self.get_instance_nw_info(context, instance), port_allocation"},{"line_number":1786,"context_line":""},{"line_number":1787,"context_line":"    def _delete_nic_metadata(self, instance, vif):"},{"line_number":1788,"context_line":"        if not instance.device_metadata:"},{"line_number":1789,"context_line":"            # nothing to delete"},{"line_number":1790,"context_line":"            return"},{"line_number":1791,"context_line":""}],"source_content_type":"text/x-python","patch_set":2,"id":"9f560f44_29117453","line":1788,"in_reply_to":"bf51134e_b8906798","updated":"2020-08-03 11:58:55.000000000","message":"hm. I disagree. This condition is a guard for the iteration at L1792 to avoid the case when instance.device_metadata is None. The caller does not need to know if _delete_nic_metadata() iterates instance.device_metadata to delete the metadata associated to the vif.","commit_id":"26ba771b45519c441bef0dce9d2302d6e7ca9ed9"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"20c4b03bbb3d71bc179a6f7e16a1f204ad2e1d89","unresolved":false,"context_lines":[{"line_number":1751,"context_line":"        # Delete the VirtualInterface for the given port_id."},{"line_number":1752,"context_line":"        vif \u003d objects.VirtualInterface.get_by_uuid(context, port_id)"},{"line_number":1753,"context_line":"        if vif:"},{"line_number":1754,"context_line":"            if \u0027tag\u0027 in vif and vif.tag:"},{"line_number":1755,"context_line":"                self._delete_nic_metadata(instance, vif)"},{"line_number":1756,"context_line":"            vif.destroy()"},{"line_number":1757,"context_line":"        else:"},{"line_number":1758,"context_line":"            LOG.debug(\u0027VirtualInterface not found for port: 
%s\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"9f560f44_c81a69ca","side":"PARENT","line":1755,"range":{"start_line":1754,"start_character":11,"end_line":1755,"end_character":56},"updated":"2020-08-04 00:19:17.000000000","message":"ok so before it was leaking the metadata if the vif did not have a tag. presumably untill the port was delete? or just alyways? the reason i ask is we might need a nova audit or nova manage command to remove stale metadata if it was never cleaned.\n\ni guess worse case it will be deleted when the vm is deleted so we are proably ok without anything else","commit_id":"057891ac247fadfb9637d3e834f8b1ef3e39bc27"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"ea97cc5d357117d3834650aefb1e86ce43c1b284","unresolved":false,"context_lines":[{"line_number":1751,"context_line":"        # Delete the VirtualInterface for the given port_id."},{"line_number":1752,"context_line":"        vif \u003d objects.VirtualInterface.get_by_uuid(context, port_id)"},{"line_number":1753,"context_line":"        if vif:"},{"line_number":1754,"context_line":"            if \u0027tag\u0027 in vif and vif.tag:"},{"line_number":1755,"context_line":"                self._delete_nic_metadata(instance, vif)"},{"line_number":1756,"context_line":"            vif.destroy()"},{"line_number":1757,"context_line":"        else:"},{"line_number":1758,"context_line":"            LOG.debug(\u0027VirtualInterface not found for port: %s\u0027,"}],"source_content_type":"text/x-python","patch_set":3,"id":"9f560f44_ef25930a","side":"PARENT","line":1755,"range":{"start_line":1754,"start_character":11,"end_line":1755,"end_character":56},"in_reply_to":"9f560f44_c81a69ca","updated":"2020-08-05 16:26:55.000000000","message":"\u003e ok so before it was leaking the metadata if the vif did not have a\n \u003e tag. presumably untill the port was delete? or just alyways? 
the\n \u003e reason i ask is we might need a nova audit or nova manage command\n \u003e to remove stale metadata if it was never cleaned.\n \u003e \n \u003e i guess worse case it will be deleted when the vm is deleted so we\n \u003e are proably ok without anything else\n\nIt is leaked until the VM is deleted so while it is ugly from a running VM perspective of getting metadata for already detached interfaces I don\u0027t think this will use up much database space.","commit_id":"057891ac247fadfb9637d3e834f8b1ef3e39bc27"}]}
