[Openstack-security] [Bug 1593799] Re: glance-manage db purge breaks image immutability promise
Luke Hinds
lhinds at redhat.com
Fri Sep 16 06:43:39 UTC 2016
Thanks Jeremy, I have this noted for next time.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1593799
Title:
glance-manage db purge breaks image immutability promise
Status in Glance:
Confirmed
Status in OpenStack Security Advisory:
Opinion
Status in OpenStack Security Notes:
Fix Released
Bug description:
Using glance-manage db purge command opens possibility to recycle
image-IDs.
When the row is deleted from the database the ID is not known by
glance anymore and thus it's not unique during the deployment
lifecycle. This opens possibility to following scenario:
1) End user boots VM from private/public/shared image.
2) Image owner deletes the image.
3) glance-manage db purge gets ran which deletes record that image has ever existed.
4) Either malicious user or someone unintentionally creates new image with same ID (being same user so having access to the image by owning it or it becoming public/shared(/possbly community at some point))
5) Same end user boots either snapshot from the original image or nova needs to migrate the VM to another host. Now the user's VM will be rebuilt on top of the new image. Worst case scenario the user had no idea that the image data changed in between.
This behavior breaks Glance image immutability promise that has bee
stated that the data related to image ID that has gone active will
never change.
We have two solutions for this. Either we introduce table to track the
deleted image-IDs and get glance to cross check that during the image
create or we leave it as is but issue notice/documentation what are
the implications if the purge is used transferring the responsibility
to the cloud operators.
This was partially discussed in the virtual glance midcycle meetup so
it might not be justified to leave this as private but I wanted to
leave that decision to VMT.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1593799/+subscriptions
More information about the Openstack-security
mailing list