Open Stack

On 05/24/2016 09:54 AM, Dan Smith wrote:
>> I like the idea of checking the md5 matches before each boot, as it
>> mirrors the check we do after downloading from glance. Its possible
>> thats very unlikely to spot anything that shouldn't already be worried
>> about by something else. It may just be my love of symmetry that makes
>> me like that idea?
>
> IMHO, checking this at boot after we've already checked it on download
> is not very useful. It supposes that the attacker was kind enough to
> visit our system before an instance was booted and not after. If I have
> rooted the system, it's far easier for me to show up after a bunch of
> instances are booted and modify the base images (or even better, the
> instance images themselves which are hard to validate from the host side).
>
> I would also point out that if I'm going to root a compute node, the
> first thing I'm going to do is disable the feature in nova-compute or in
> some other way cripple it so it can't do its thing.

It was my impression we were trying to prevent bitrot, not defend against an 
attacker that has gained control over the compute node.

Chris