[Openstack-operators] [openstack-dev] [nova] More file injection woes
mriedem at linux.vnet.ibm.com
Thu Nov 17 17:25:35 UTC 2016
On 11/14/2016 4:16 AM, Daniel P. Berrange wrote:
> On Fri, Nov 11, 2016 at 07:11:51PM -0600, Matt Riedemann wrote:
>> Chris Friesen reported a bug where injected files on a server aren't in
>> the guest after it's evacuated to another compute host. This is because the
>> injected files aren't persisted in the nova database at all. Evacuate and
>> rebuild use similar code paths, but rebuild is a user operation and the
>> command line is similar to boot, but evacuate is an admin operation and the
>> admin doesn't have the original injected files.
>> We've talked about issues with file injection before - in that case not
>> being able to tell if it can be honored and it just silently doesn't inject
>> the files but the server build doesn't fail. We could eventually resolve
>> that with capabilities discovery in the API.
>> There are other issues with file injection, like potential security issues,
>> and we've talked about getting rid of it for years because you can use the
>> config drive.
>> The metadata service is not a replacement, as noted in the code, because
>> the files aren't persisted in nova so they can't be served up later.
>> I'm sure we've talked about this before, but if we were to seriously
>> consider deprecating file injection, what does that look like? Thoughts off
>> the top of my head are:
>> 1. Add a microversion to the server create and rebuild REST APIs such that
>> the personality files aren't accepted unless:
>> a) you're also building the server with a config drive
>> b) or CONF.force_config_drive is True
>> c) or the image has the 'img_config_drive=mandatory' property
>> 2. Deprecate VFSLocalFS in Ocata for removal in Pike. That means libguestfs
>> is required. We'd do this because I think VFSLocalFS is the one with
>> potential security issues.
> Yes, VFSLocalFS is the dangerous one if used with untrustworthy disk images
> (essentially all public cloud images are untrustworthy) because malicious
> images could be used to exploit bugs in the host kernels' filesystem drivers.
> This isn't theoretical - we've seen bugs in popular linux filesystems (i.e.
> ext3) lie mistakenly unfixed for years https://lwn.net/Articles/538898/
To circle back on this, we discussed it a bit in today's nova meeting
 and agreed that we'd deprecate the VFSLocalFS backend for file
injection in Ocata and remove it in Pike.
We also agreed to start working on a spec for the REST API changes
outlined above to deprecate file injection (personality files) as a
separate feature in the API. People using it today will need to rely on
config drive after it's deprecated in the API.
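The microversion rule sketched in point 1 of the quoted proposal (accept personality files only when a config drive is guaranteed to carry them) can be expressed as a small request validator. The following is an added illustration written for this page, not nova's own code: the request keys `personality` and `config_drive`, the `img_config_drive` image property and the `CONF.force_config_drive` option are the real API names the thread refers to, but the function and exception names and the sample request are assumptions made for the example.

```python
"""Illustration of the proposed personality-file check from the thread.

NOT nova code. Function names, the exception type and the sample request
below are constructed for this example; the request/image/config keys are
the ones the thread discusses.
"""


class PersonalityNotAllowed(Exception):
    """Raised when a create/rebuild request carries personality files but
    nothing guarantees a config drive will be built for the server."""


def _truthy(value):
    # The servers API accepts booleans or their string forms for config_drive;
    # anything else counts as "not requested".
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "t", "yes", "y", "on")


def config_drive_guaranteed(request, force_config_drive, image_properties):
    """True if one of the three conditions from the proposal holds:
    a) the request itself asks for a config drive,
    b) the deployment sets CONF.force_config_drive = True,
    c) the image carries img_config_drive=mandatory.
    """
    if _truthy(request.get("config_drive", False)):
        return True
    if force_config_drive:
        return True
    prop = str(image_properties.get("img_config_drive", "")).strip().lower()
    return prop == "mandatory"


def validate_personality(request, force_config_drive, image_properties):
    """Apply the proposed rule to a server create/rebuild body.

    Returns the personality entries that will be honoured (possibly empty).
    Raises PersonalityNotAllowed when files are present but no config drive
    is guaranteed, instead of silently dropping them as the thread describes
    happening today.
    """
    personality = request.get("personality") or []
    if not personality:
        return []
    if not config_drive_guaranteed(request, force_config_drive, image_properties):
        raise PersonalityNotAllowed(
            "personality files require a config drive: set config_drive=true "
            "on the request, or use an image with img_config_drive=mandatory")
    # Only the path/contents pairs are returned; nothing is written to disk here.
    return [{"path": p["path"], "contents": p["contents"]} for p in personality]


if __name__ == "__main__":
    # Constructed sample request body with one injected file.
    sample = {
        "name": "example",
        "personality": [{"path": "/etc/motd", "contents": "aGVsbG8="}],
        "config_drive": "false",
    }
    try:
        validate_personality(sample, False, {})
    except PersonalityNotAllowed as exc:
        print("rejected:", exc)
    sample["config_drive"] = True
    print("accepted:", validate_personality(sample, False, {}))
```

Run as a script it first rejects the sample request (no config drive on the request, none forced, no mandatory image property) and then accepts it once `config_drive` is set; the same request is also accepted without changing it when either `force_config_drive` is true or the image properties contain `img_config_drive=mandatory`.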