)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":2424,"name":"Felipe Reyes","email":"felipe.reyes@canonical.com","username":"freyes"},"change_message_id":"936ce1ebc31956c1cc006161b136396c2bc5c7ba","unresolved":true,"context_lines":[{"line_number":13,"context_line":"[2] https://gitlab.com/libvirt/libvirt/-/commit/ec6ce6363a78aaaf6e3aa4c0e2d683d7d0cce183"},{"line_number":14,"context_line":"[3] https://gitlab.com/libvirt/libvirt/-/commit/b902cfece0db71c3421b0bfe0e05d1dbe7890c31"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Closes-bug: #1663304"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Signed-off-by: Brett Holman \u003cbrett.holman@canonical.com\u003e"},{"line_number":19,"context_line":"Change-Id: I7c190a6148f73fa1769ee66b078ac77165b6fcb1"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"d4393a3c_83fdd9df","line":16,"updated":"2025-07-14 13:55:20.000000000","message":"Please add `Related-Bug: #2069607` header too.","commit_id":"5b17b1ddab59d7cd962f093d41cc6af2238f36d5"},{"author":{"_account_id":36950,"name":"Brett Holman","display_name":"Brett Holman","email":"bpholman5@gmail.com","username":"holmanb"},"change_message_id":"e300fedb23a9cf18566ec75cc9e4e557b60ff32b","unresolved":false,"context_lines":[{"line_number":13,"context_line":"[2] https://gitlab.com/libvirt/libvirt/-/commit/ec6ce6363a78aaaf6e3aa4c0e2d683d7d0cce183"},{"line_number":14,"context_line":"[3] https://gitlab.com/libvirt/libvirt/-/commit/b902cfece0db71c3421b0bfe0e05d1dbe7890c31"},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"Closes-bug: #1663304"},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Signed-off-by: Brett Holman \u003cbrett.holman@canonical.com\u003e"},{"line_number":19,"context_line":"Change-Id: 
I7c190a6148f73fa1769ee66b078ac77165b6fcb1"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"af3e5690_b953f66d","line":16,"in_reply_to":"d4393a3c_83fdd9df","updated":"2025-07-15 20:51:51.000000000","message":"Thanks, done.","commit_id":"5b17b1ddab59d7cd962f093d41cc6af2238f36d5"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":22200,"name":"Chad Smith","email":"chad.smith@canonical.com"},"change_message_id":"badbd6308eef2768bc4af0dd94eb3f031bb7deda","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"c1f0a18f_1f871b75","updated":"2025-07-02 22:32:24.000000000","message":"Thanks for driving this Brett to ensure non-x86 has early boot detection where images support DMI. Validation still needed on the behavior but some unittests couldn\u0027t hurt.","commit_id":"d2e03e005b0af32f8746365011ab116b8f5a196c"},{"author":{"_account_id":2424,"name":"Felipe Reyes","email":"felipe.reyes@canonical.com","username":"freyes"},"change_message_id":"691f847936487f58271e0cfc39f09013c1d843e7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1dc5e221_885a3e49","updated":"2025-07-07 14:09:52.000000000","message":"Hi,\n\nI\u0027ve been trying to validate this patch with devstack on an arm64 box, I had to deal with a few issues (devstack on noble issue, now mysql/sqlalchemy raising \u0027too many connections\u0027 errors), nothing related to this patch though. 
I\u0027ll post here as soon as I get results of the testing.\n\n\n```\n$ lscpu\nArchitecture:             aarch64\n  CPU op-mode(s):         64-bit\n  ...\n```","commit_id":"5b17b1ddab59d7cd962f093d41cc6af2238f36d5"},{"author":{"_account_id":2424,"name":"Felipe Reyes","email":"felipe.reyes@canonical.com","username":"freyes"},"change_message_id":"6723223031c2702418f8420084fa58f0889a9f78","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"ade49ba1_deb69840","updated":"2025-07-09 18:20:11.000000000","message":"I was able to validate this patch on an arm64 box.\n\nThe relevant section of the libvirt XML produced is:\n\n```\n  \u003csysinfo type\u003d\u0027smbios\u0027\u003e\n    \u003csystem\u003e\n      \u003centry name\u003d\u0027manufacturer\u0027\u003eOpenStack Foundation\u003c/entry\u003e\n      \u003centry name\u003d\u0027product\u0027\u003eOpenStack Nova\u003c/entry\u003e\n      \u003centry name\u003d\u0027version\u0027\u003e31.1.0\u003c/entry\u003e\n      \u003centry name\u003d\u0027serial\u0027\u003ed00bd281-1ac1-46ac-a3fe-c35fedb105a8\u003c/entry\u003e\n      \u003centry name\u003d\u0027uuid\u0027\u003ed00bd281-1ac1-46ac-a3fe-c35fedb105a8\u003c/entry\u003e\n      \u003centry name\u003d\u0027family\u0027\u003eVirtual Machine\u003c/entry\u003e\n    \u003c/system\u003e\n  \u003c/sysinfo\u003e\n```\n\nRunning a plucky[0] image without configdrive and with configdrive produced a functional instance; for example, here is a chunk of the console log where it can be seen that the instance got the ssh key from the metadata service.\n\n```\ntest-server-plucky login: [  146.882603] sh[1065]: Completed socket interaction for boot stage config\n[  147.005670] cloud-init[690]: Cloud-init v. 25.1.2-0ubuntu0~25.04.1 running \u0027modules:final\u0027 at Wed, 09 Jul 2025 14:49:59 +0000. 
Up 146.95 seconds.\nci-info: +++++++++++++++++++++++++++++++++Authorized keys from /home/ubuntu/.ssh/authorized_keys for user ubuntu+++++++++++++++++++++++++++++++++\nci-info: +---------+-------------------------------------------------------------------------------------------------+---------+----------------+\nci-info: | Keytype |                                       Fingerprint (sha256)                                      | Options |    Comment     |\nci-info: +---------+-------------------------------------------------------------------------------------------------+---------+----------------+\nci-info: | ssh-rsa | fd:4a:49:f7:ac:ed:bf:1a:24:c1:c3:c9:e2:e6:65:8f:d0:ca:ab:dd:ab:72:1e:8b:b9:55:b6:f1:3b:6d:ad:3e |    -    | stack@mitchell |\nci-info: +---------+-------------------------------------------------------------------------------------------------+---------+----------------+\n```\n\nHere it\u0027s the full output for the testing instances, console log and libvirt xml\n\nstack@mitchell:~/devstack$ openstack console log show test-server-plucky | pastebinit\nhttps://paste.ubuntu.com/p/kJmKnWQk4R/\nstack@mitchell:~/devstack$ openstack console log show test-server-plucky-configdrive | pastebinit\nhttps://paste.ubuntu.com/p/djDWkCNBkz/\nstack@mitchell:~/devstack$ sudo virsh dumpxml instance-00000001 | pastebinit\nhttps://paste.ubuntu.com/p/hVvrYfmbF6/\nstack@mitchell:~/devstack$ sudo virsh dumpxml instance-00000002 | pastebinit\nhttps://paste.ubuntu.com/p/B5ttd3XpJT/\n\n\n[0] Plucky contains the changes in cloud-init we are trying to address with this change.","commit_id":"5b17b1ddab59d7cd962f093d41cc6af2238f36d5"},{"author":{"_account_id":36950,"name":"Brett Holman","display_name":"Brett 
Holman","email":"bpholman5@gmail.com","username":"holmanb"},"change_message_id":"24b4c28a4ecb225f71e3433301de1ae10e669b7b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"5ef31589_31e349e2","in_reply_to":"ade49ba1_deb69840","updated":"2025-08-06 00:44:58.000000000","message":"Thanks for validating this Felipe.","commit_id":"5b17b1ddab59d7cd962f093d41cc6af2238f36d5"},{"author":{"_account_id":36950,"name":"Brett Holman","display_name":"Brett Holman","email":"bpholman5@gmail.com","username":"holmanb"},"change_message_id":"e300fedb23a9cf18566ec75cc9e4e557b60ff32b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"a49b52bc_77355cef","updated":"2025-07-15 20:51:51.000000000","message":"Thank you for the reviews @smooney@redhat.com, @felipe.reyes@canonical.com, and @chad.smith@canonical.com. I just pushed a change to add the commit message tag and addressed all outstanding review comments.","commit_id":"4fa600954ff3e63742c01e8f01e68a2183adea13"},{"author":{"_account_id":36950,"name":"Brett Holman","display_name":"Brett Holman","email":"bpholman5@gmail.com","username":"holmanb"},"change_message_id":"24b4c28a4ecb225f71e3433301de1ae10e669b7b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"40609ab8_ee99137e","updated":"2025-08-06 00:44:58.000000000","message":"Thanks for the latest round of reviews @smooney@redhat.com. 
I just responded to your latest comments.","commit_id":"026a75f6f8245c34cc72012acd3d03b28848e5cd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"11382cbfd16c029816940b63ebb8b4e4e7136ebd","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"0e0ef007_31a31303","updated":"2025-08-05 20:49:23.000000000","message":"im still not convinced we should do this in nova and would like to see more input from the wider nova core team.\n\n@rene.ribaud@gmail.com this is personally too much of a feature for me to be comfortable back porting this as to me it makes non-x86 less secure by leaking the package information via the metadata api so im very tempted to -2 this but i think it would be a good topic for a future irc meeting or perhaps the next ptg.\n\ncan you try and bring this to the wider team.\n\nfrom my perspective the dmi interface is an internal implementation detail that cloud-init should not really be relying on to determine if its openstack since it only works for the libvirt driver and is therefore not portable across virt drivers or today architectures.\n\ni think our response should be to continue to recommend that distros ship cloud images with the open stack datasource enabled with probe for the metadata address when config drive is not enabled effectively reverting the change that the cloud-init team made.\n\nif we want to develop some other portable way to detect that is openstack that is a feature we can consider but im reluctant to consider this a valid nova bug as reported.","commit_id":"026a75f6f8245c34cc72012acd3d03b28848e5cd"},{"author":{"_account_id":36950,"name":"Brett Holman","display_name":"Brett Holman","email":"bpholman5@gmail.com","username":"holmanb"},"change_message_id":"819039534273fca56cc6bb8a616536ebe709cab5","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"cb2d13dd_60ad27ff","updated":"2025-07-18 
20:55:26.000000000","message":"recheck - failed test nova.tests.functional.regressions.test_bug_1938326.TestMigrateFromDownHost.test_migrate_from_disabled_host","commit_id":"026a75f6f8245c34cc72012acd3d03b28848e5cd"},{"author":{"_account_id":36950,"name":"Brett Holman","display_name":"Brett Holman","email":"bpholman5@gmail.com","username":"holmanb"},"change_message_id":"24b4c28a4ecb225f71e3433301de1ae10e669b7b","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"aad2f1c4_e120b2ba","in_reply_to":"0e0ef007_31a31303","updated":"2025-08-06 00:44:58.000000000","message":"\u003e from my perspective the dmi interface is an internal implementation detail that cloud-init should not really be relying on to determine if its openstack since it only works for the libvirt driver and is therefore not portable across virt drivers or today architectures.\n\nThis argument applies to x86 too. Do you expect to be able to remove the current DMI data from x86 instances?\n\nCloud-init\u0027s identification of the libvirt driver differs from the lxc driver identification which is also different from the ironic (lack of) identification. These differences already exist. The proposed change does not add a fourth way, it just extends an existing x86 libvirt capability to other architectures.\n\n\u003e i think our response should be to continue to recommend that distros ship cloud images with the open stack datasource enabled with probe for the metadata address when config drive is not enabled effectively reverting the change that the cloud-init team made.\n\nI recommend against network probing in platform-agnostic cloud images, see CVE-2024-6174.\n\nInstances which probe network addresses for platform identification are exploitable on untrusted networks. 
Assuming that cloud images are always launched on trusted networks is incorrect, even if it is true in the case of nova.\n\n\u003e if we want to develop some other portable way to detect that is openstack that is a feature we can consider but im reluctant to consider this a valid nova bug as reported.\n\nIf this proposal is unwanted by upstream, feel free to close this PR.","commit_id":"026a75f6f8245c34cc72012acd3d03b28848e5cd"},{"author":{"_account_id":36950,"name":"Brett Holman","display_name":"Brett Holman","email":"bpholman5@gmail.com","username":"holmanb"},"change_message_id":"24b4c28a4ecb225f71e3433301de1ae10e669b7b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"47ac43ef_b3b7806f","in_reply_to":"cb2d13dd_60ad27ff","updated":"2025-08-06 00:44:58.000000000","message":"Done","commit_id":"026a75f6f8245c34cc72012acd3d03b28848e5cd"},{"author":{"_account_id":2424,"name":"Felipe Reyes","email":"felipe.reyes@canonical.com","username":"freyes"},"change_message_id":"df654c1e0bcb8c73444c9630483c1c0ba4ef4a86","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":4,"id":"db39f5a9_87c2698f","in_reply_to":"cb2d13dd_60ad27ff","updated":"2025-08-05 20:20:51.000000000","message":"hi Brett, Zuul is happy now, any chance you have some cycles to review the patch?","commit_id":"026a75f6f8245c34cc72012acd3d03b28848e5cd"}],"nova/virt/libvirt/driver.py":[{"author":{"_account_id":22200,"name":"Chad Smith","email":"chad.smith@canonical.com"},"change_message_id":"badbd6308eef2768bc4af0dd94eb3f031bb7deda","unresolved":true,"context_lines":[{"line_number":7071,"context_line":"            if arch in ("},{"line_number":7072,"context_line":"                fields.Architecture.I686,"},{"line_number":7073,"context_line":"                fields.Architecture.X86_64,"},{"line_number":7074,"context_line":"                fields.Architecture.AARCH64,"},{"line_number":7075,"context_line":"                
fields.Architecture.ARMV7,"},{"line_number":7076,"context_line":"                fields.Architecture.ARMV7B,"},{"line_number":7077,"context_line":"                fields.Architecture.MIPS64EL,"},{"line_number":7078,"context_line":"                fields.Architecture.MIPS"},{"line_number":7079,"context_line":"            ):"},{"line_number":7080,"context_line":"                guest.sysinfo \u003d self._get_guest_config_sysinfo(instance)"},{"line_number":7081,"context_line":"                guest.os_smbios \u003d vconfig.LibvirtConfigGuestSMBIOS()"}],"source_content_type":"text/x-python","patch_set":1,"id":"780f1653_0361a422","line":7078,"range":{"start_line":7074,"start_character":0,"end_line":7078,"end_character":40},"updated":"2025-07-02 22:32:24.000000000","message":"Can we add a unit test for this functionality here maybe something like the following: Otherwise LGTM! cloud-init reacts to such SMBIOS.product_name so this will shore up early detection of cloud-init OpenStack datasource on non-x86.\n```diff\ndiff --git a/nova/tests/fixtures/libvirt.py b/nova/tests/fixtures/libvirt.py\nindex 22e3f55d85..e59ed38258 100644\n--- a/nova/tests/fixtures/libvirt.py\n+++ b/nova/tests/fixtures/libvirt.py\n@@ -2270,7 +2270,9 @@ class Connection(object):\n         # the correct \"host\" architecture\n         _capabilities \u003d [\n             \u0027\u003ccapabilities\u003e\\n\u0027,\n-            fake_libvirt_data.CAPABILITIES_HOST_TEMPLATES[os.uname().machine],\n+            fake_libvirt_data.CAPABILITIES_HOST_TEMPLATES.get(\n+                os.uname().machine,\n+                fake_libvirt_data.CAPABILITIES_HOST_I686_TEMPLATE)\n         ] + list(fake_libvirt_data.CAPABILITIES_GUEST.values()) + [\n             \u0027\u003c/capabilities\u003e\u0027,\n         ]\ndiff --git a/nova/tests/unit/virt/libvirt/test_driver.py b/nova/tests/unit/virt/libvirt/test_driver.py\nindex 044c8fb013..a6b415a5d7 100644\n--- a/nova/tests/unit/virt/libvirt/test_driver.py\n+++ 
b/nova/tests/unit/virt/libvirt/test_driver.py\n@@ -3145,6 +3145,37 @@ class LibvirtConnTestCase(test.NoDBTestCase,\n         self.assertEqual(\"N/A\",\n                          cfg.metadata[0].owner.projectname)\n \n+    @mock.patch.object(host.Host, \"_check_machine_type\", new\u003dmock.Mock())\n+    def test_get_guest_config_smbios_in_qemu(self):\n+        \"\"\"SMBIOS product_name present in qemu/kvm for certain arches.\"\"\"\n+        self.flags(virt_type\u003d\u0027qemu\u0027, group\u003d\u0027libvirt\u0027)\n+        drvr \u003d libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), True)\n+        instance_ref \u003d objects.Instance(**self.test_instance)\n+        image_meta \u003d objects.ImageMeta.from_dict(self.test_image_meta)\n+        with self.subTest(\"SMBIOS product_name exists in x86, arm and mips\"):\n+            for arch in (fields.Architecture.X86_64,\n+                         fields.Architecture.AARCH64,\n+                         fields.Architecture.ARMV7,\n+                         fields.Architecture.MIPS):\n+                self.mock_uname.return_value \u003d fakelibvirt.os_uname(\n+                    \u0027Linux\u0027, \u0027\u0027, \u00275.4.0-0-generic\u0027, \u0027\u0027, arch)\n+                cfg \u003d drvr._get_guest_config(instance_ref,\n+                                             _fake_network_info(self),\n+                                             image_meta, {\u0027mapping\u0027: {}})\n+                self.assertEqual(\n+                    cfg.sysinfo.system_product, version.product_string())\n+        with self.subTest(\"SMBIOS absent in qemu/PPC64\"):\n+                arch \u003d fields.Architecture.PPC64\n+                self.mock_uname.return_value \u003d fakelibvirt.os_uname(\n+                    \u0027Linux\u0027, \u0027\u0027, \u00275.4.0-0-generic\u0027, \u0027\u0027, arch)\n+                drvr \u003d libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), True)\n+                instance_ref \u003d 
objects.Instance(**self.test_instance)\n+                image_meta \u003d objects.ImageMeta.from_dict(self.test_image_meta)\n+                cfg \u003d drvr._get_guest_config(instance_ref,\n+                                             _fake_network_info(self),\n+                                             image_meta, {\u0027mapping\u0027: {}})\n+                self.assertIsNone(cfg.sysinfo)\n+\n     def test_get_guest_config_lxc(self):\n         self.flags(virt_type\u003d\u0027lxc\u0027, group\u003d\u0027libvirt\u0027)\n         drvr \u003d libvirt_driver.LibvirtDriver(fake.FakeVirtAPI(), True)\n@@ -3161,6 +3192,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,\n         self.assertEqual(\"console\u003dtty0 console\u003dttyS0 console\u003dhvc0\",\n                          cfg.os_cmdline)\n         self.assertEqual(\"OpenStack Nova\", cfg.os_init_env[\u0027product_name\u0027])\n+        self.assertIsNone(cfg.sysinfo)  # No SMBIOS information exposed\n         self.assertIsNone(cfg.os_root)\n         self.assertEqual(4, len(cfg.devices))\n         self.assertIsInstance(cfg.devices[0],\n@@ -8161,6 +8193,7 @@ class LibvirtConnTestCase(test.NoDBTestCase,\n         cfg \u003d drvr._get_guest_config(instance_ref,\n                                      _fake_network_info(self),\n                                      image_meta, disk_info)\n+        self.assertEqual(cfg.sysinfo.system_product, version.product_string())\n         self.assertEqual(cfg.os_mach_type, \"virt\")\n \n         num_ports \u003d 0\n\n```\nTested with python3 -m unittest","commit_id":"d2e03e005b0af32f8746365011ab116b8f5a196c"},{"author":{"_account_id":36950,"name":"Brett Holman","display_name":"Brett Holman","email":"bpholman5@gmail.com","username":"holmanb"},"change_message_id":"24b4c28a4ecb225f71e3433301de1ae10e669b7b","unresolved":true,"context_lines":[{"line_number":7071,"context_line":"            if arch in ("},{"line_number":7072,"context_line":"                
fields.Architecture.I686,"},{"line_number":7073,"context_line":"                fields.Architecture.X86_64,"},{"line_number":7074,"context_line":"                fields.Architecture.AARCH64,"},{"line_number":7075,"context_line":"                fields.Architecture.ARMV7,"},{"line_number":7076,"context_line":"                fields.Architecture.ARMV7B,"},{"line_number":7077,"context_line":"                fields.Architecture.MIPS64EL,"},{"line_number":7078,"context_line":"                fields.Architecture.MIPS"},{"line_number":7079,"context_line":"            ):"},{"line_number":7080,"context_line":"                guest.sysinfo \u003d self._get_guest_config_sysinfo(instance)"},{"line_number":7081,"context_line":"                guest.os_smbios \u003d vconfig.LibvirtConfigGuestSMBIOS()"}],"source_content_type":"text/x-python","patch_set":1,"id":"4b84f220_0667c78b","line":7078,"range":{"start_line":7074,"start_character":0,"end_line":7078,"end_character":40},"in_reply_to":"1aef4529_a560e9cb","updated":"2025-08-06 00:44:58.000000000","message":"\u003e i dont think the version of the package should be provided on any architecture.\n\nAre you saying that exposing the version to the guest would make something exploitable that otherwise wouldn\u0027t be? Can you please elaborate? \n \n\u003e ```\n\u003e                 fields.Architecture.AARCH64,\n\u003e                 fields.Architecture.ARMV7,\n\u003e                 fields.Architecture.ARMV7B,\n\u003e                 fields.Architecture.MIPS64EL,\n\u003e                 fields.Architecture.MIPS\n\u003e ```\n\u003e also have you tested all of the above?\n\nNot sure - @felipe.reyes@canonical.com?\n\n\u003e what about power pc and riscv?\n\nI see no evidence that RISCV is supported by nova and I see no evidence that PPC supports DMI. 
Please let me know if I missed something.","commit_id":"d2e03e005b0af32f8746365011ab116b8f5a196c"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"11382cbfd16c029816940b63ebb8b4e4e7136ebd","unresolved":true,"context_lines":[{"line_number":7071,"context_line":"            if arch in ("},{"line_number":7072,"context_line":"                fields.Architecture.I686,"},{"line_number":7073,"context_line":"                fields.Architecture.X86_64,"},{"line_number":7074,"context_line":"                fields.Architecture.AARCH64,"},{"line_number":7075,"context_line":"                fields.Architecture.ARMV7,"},{"line_number":7076,"context_line":"                fields.Architecture.ARMV7B,"},{"line_number":7077,"context_line":"                fields.Architecture.MIPS64EL,"},{"line_number":7078,"context_line":"                fields.Architecture.MIPS"},{"line_number":7079,"context_line":"            ):"},{"line_number":7080,"context_line":"                guest.sysinfo \u003d self._get_guest_config_sysinfo(instance)"},{"line_number":7081,"context_line":"                guest.os_smbios \u003d vconfig.LibvirtConfigGuestSMBIOS()"}],"source_content_type":"text/x-python","patch_set":1,"id":"1aef4529_a560e9cb","line":7078,"range":{"start_line":7074,"start_character":0,"end_line":7078,"end_character":40},"in_reply_to":"54659ca9_0eba3a6c","updated":"2025-08-05 20:49:23.000000000","message":"no i dont think we should special case the version info for just x86.\n\nthe reason x86 was special cased before is when this was first added only x86 supported this in libvirt and qemu.\n\ni dont think the version of the package should be provided on any architecture.\n\nthat was kind of my point its not really a good idea to expose it to\n\n```\n                fields.Architecture.AARCH64,\n                fields.Architecture.ARMV7,\n                fields.Architecture.ARMV7B,\n                
fields.Architecture.MIPS64EL,\n                fields.Architecture.MIPS\n```\nalso have you tested all of the above?\nwhat about power pc and riscv?","commit_id":"d2e03e005b0af32f8746365011ab116b8f5a196c"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"4ff86316f5a84d1b593c57aad618cc7eb0887246","unresolved":true,"context_lines":[{"line_number":7071,"context_line":"            if arch in ("},{"line_number":7072,"context_line":"                fields.Architecture.I686,"},{"line_number":7073,"context_line":"                fields.Architecture.X86_64,"},{"line_number":7074,"context_line":"                fields.Architecture.AARCH64,"},{"line_number":7075,"context_line":"                fields.Architecture.ARMV7,"},{"line_number":7076,"context_line":"                fields.Architecture.ARMV7B,"},{"line_number":7077,"context_line":"                fields.Architecture.MIPS64EL,"},{"line_number":7078,"context_line":"                fields.Architecture.MIPS"},{"line_number":7079,"context_line":"            ):"},{"line_number":7080,"context_line":"                guest.sysinfo \u003d self._get_guest_config_sysinfo(instance)"},{"line_number":7081,"context_line":"                guest.os_smbios \u003d vconfig.LibvirtConfigGuestSMBIOS()"}],"source_content_type":"text/x-python","patch_set":1,"id":"d7c284c5_3c600bd4","line":7078,"range":{"start_line":7074,"start_character":0,"end_line":7078,"end_character":40},"in_reply_to":"780f1653_0361a422","updated":"2025-07-14 17:30:01.000000000","message":"the general problem with this is this is an internal interface that cloud-init should not generally be using.\n\nits not portable across virt drivers so cloud image built for openstack should not rely on detecting this as it wont work on vmware or ironic or non libvirt backend.\n\nwe could do this but it still does not address the fact that cloud-init has now made a breaking change to how the openstack 
support is detected.\n\nthe only public way to do that is via inspecting the config drive or the openstack endpoint on the metadata api via the well known address. \n\n\nthe dmi info is configurable by the packager by creating a release file\n\n\n https://github.com/openstack/nova/blob/master/nova/version.py#L1-L67\n https://github.com/openstack/nova/blob/master/etc/nova/release.sample\n \nthe fact that this info is provided at all is also a security hardening opportunity.\nthe provision of package information in dmi is considered a security weakness as if you know its openstack and you know the nova version it potentially allows an attacker to try and infer if a cloud is vulnerable to specific exploits.\n\nif we do this it will provide the package info on more platforms\n\nhttps://github.com/openstack/nova/blob/54b65d5bf2b23fa8a4612fd3adddc8751192a807/nova/virt/libvirt/driver.py#L6200\n\nthat seems ill advised","commit_id":"d2e03e005b0af32f8746365011ab116b8f5a196c"},{"author":{"_account_id":36950,"name":"Brett Holman","display_name":"Brett Holman","email":"bpholman5@gmail.com","username":"holmanb"},"change_message_id":"e300fedb23a9cf18566ec75cc9e4e557b60ff32b","unresolved":false,"context_lines":[{"line_number":7071,"context_line":"            if arch in ("},{"line_number":7072,"context_line":"                fields.Architecture.I686,"},{"line_number":7073,"context_line":"                fields.Architecture.X86_64,"},{"line_number":7074,"context_line":"                fields.Architecture.AARCH64,"},{"line_number":7075,"context_line":"                fields.Architecture.ARMV7,"},{"line_number":7076,"context_line":"                fields.Architecture.ARMV7B,"},{"line_number":7077,"context_line":"                fields.Architecture.MIPS64EL,"},{"line_number":7078,"context_line":"                fields.Architecture.MIPS"},{"line_number":7079,"context_line":"            ):"},{"line_number":7080,"context_line":"                guest.sysinfo \u003d 
self._get_guest_config_sysinfo(instance)"},{"line_number":7081,"context_line":"                guest.os_smbios \u003d vconfig.LibvirtConfigGuestSMBIOS()"}],"source_content_type":"text/x-python","patch_set":1,"id":"54659ca9_0eba3a6c","line":7078,"range":{"start_line":7074,"start_character":0,"end_line":7078,"end_character":40},"in_reply_to":"d7c284c5_3c600bd4","updated":"2025-07-15 20:51:51.000000000","message":"\u003e the general problem with this is this is an internal interface that cloud-init should not generally be using.\n\u003e \n\u003e its not portable across virt drivers so cloud image built for openstack should not rely on detecting this as it wont work on vmware or ironic or non libvirt backend.\n\nFor cloud-init to identify which platform it is running on, it needs to detect the platform from a trusted (non-network) source of identification. Does any portable identification source exist for nova? If yes, that would be better than querying DMI. To my knowledge, no such thing exists.\n\nThis proposal is intended to reduce the impact of the fix for CVE-2024-6174 on openstack. In lieu of an upstream workaround for nova, the mitigation advice for those affected by the behavior change mostly boils down to “use config-drive if you can” otherwise it is “modify your image with a custom config setting”. Neither option is very friendly to those that are affected by this change, hence this proposal. Even if a workaround isn’t accepted into nova, the cloud-init team doesn’t plan to reverse course on the CVE fix.\n\n\u003e we could do this but it still does not address the fact that cloud-init has now made a breaking change to how the openstack support is detected.\n\nCorrect, cloud-init’s behavior changed. Cloud-init’s old behavior was insecure. It made non-amd64 instances on non-openstack platforms vulnerable. 
Previously, a device on the local network with address 169.254.169.254 had the ability to acquire root permissions on a cloud-init instance.\n\n\u003e the only public way to do that is via inspecting the config drive or the openstack endpoint on the metadata api via the well known address. \n\u003e \n\nSince a network identification source is the only portable way to detect openstack, I still think the DMI proposal here makes the situation better for those affected by this behavior change than doing nothing.\n \n\u003e the fact that this info is provided at all is also a security hardening opportunity.\n\u003e the provision of package information in dmi is considered a security weakness as if you know its openstack and you know the nova version it potentially allows an attacker to try and infer if a cloud is vulnerable to specific exploits.\n\u003e \n\u003e if we do this it will provide the package info on more platforms\n\u003e \n\u003e https://github.com/openstack/nova/blob/54b65d5bf2b23fa8a4612fd3adddc8751192a807/nova/virt/libvirt/driver.py#L6200\n\u003e \n\u003e that seems ill advised\n\nCloud-init doesn’t require the version info. Do you think that making a special case for non-x86 platforms in the name of security hardening would be worth the extra complexity of diverging logic? If that is preferred by nova maintainers, I’ll make the change.","commit_id":"d2e03e005b0af32f8746365011ab116b8f5a196c"}]}
