On Fri, 2024-07-19 at 21:44 +0000, Jeremy Stanley wrote:
On 2024-07-19 23:23:38 +0200 (+0200), Dmitriy Rabotyagov wrote:
Wait, I just started realizing the bugfix ..
So basically all previously uploaded images not in raw format are useless after upgrading to the safe version of cinder/nova? [...]
I'm no expert in Glance matters, but my understanding is that with OSSA-2024-001 fixes in place you can't lie about the kind of image you're uploading. If you upload QCOW2 you must upload it as QCOW2 type and not try to pretend that it's a raw image, or upload an ISO as ISO type and not try to claim that it's raw. If you want to upload a different image type than what the cloud wants you to upload, then Glance should still be able to perform image conversion for you as well.
Previously, you could pretend a QCOW2 was raw, and then rely on QEmu's image auto-detection to figure out what it really was, but that's dangerous because QEmu is not intended to be used with untrusted images and some specially-crafted images can be used by an attacker to get copies of arbitrary files off the server where its tools (even the qemu-img executable) are run. Glance now has an image inspection feature which doesn't rely on QEmu itself to determine whether an image is safe enough to hand off to QEmu tools or might be used to root your cloud.
Yes, the way we mitigated this CVE was by adding logic that allows us to validate that the source format matches what it was specified as in glance. So image conversion is still a thing that you can do. Nova, for example, still allows you to configure the compute hosts to use raw or qcow images, and you can then boot a VM from any format qemu can convert from, provided you uploaded it to glance and declared the format correctly. We have CI coverage ensuring you can boot from an Amazon AMI image (the cirros UEC images) with nova configured to use qcow for the guest VM root disk. All of that still works, but if you upload a qcow as a raw image to glance then nova and cinder will say "no, you said this was raw, this is unsafe" and refuse to proceed. We are currently missing that for ISO format, but it's on our todo list to build out more tempest coverage for image formats that are reasonable to use. It's still possible to have the old conversion behavior provided you don't lie about the format when uploading it to glance. We also do other checks to introspect the format for unsafe features. For qcow, backing files are an example of a generally unsafe feature. Qcow images used with openstack should be single-file flat images with no reference to backing files or other external files.
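
The declared-versus-detected format check and the backing-file rule discussed in this thread, sketched as an added example (not code from the thread or from Glance, Nova or Cinder). The function names are hypothetical, the sample headers are constructed, and the sniffer only distinguishes qcow2 from raw; the header offsets follow the qcow2 specification.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
INCOMPAT_EXTERNAL_DATA_FILE = 1 << 2  # qcow2 v3 incompatible-features bit 2


class UnsafeImage(Exception):
    """Content contradicts the declared format or uses an unsafe feature."""


def detect_format(header: bytes) -> str:
    # Simplified sniffer: only distinguishes qcow2 from "anything else" (raw).
    return "qcow2" if header[:4] == QCOW2_MAGIC else "raw"


def check_image(header: bytes, declared: str) -> str:
    """Return the verified format, or raise UnsafeImage. Never invokes QEMU."""
    actual = detect_format(header)
    if actual != declared:
        raise UnsafeImage(f"declared {declared!r}, content is {actual!r}")
    if actual == "qcow2":
        if len(header) < 20:
            raise UnsafeImage("truncated qcow2 header")
        _, version, backing_off, _ = struct.unpack_from(">4sIQI", header, 0)
        if backing_off != 0:  # non-zero offset means a backing file name is stored
            raise UnsafeImage("qcow2 references a backing file")
        if version >= 3:
            if len(header) < 80:
                raise UnsafeImage("truncated qcow2 v3 header")
            (incompat,) = struct.unpack_from(">Q", header, 72)
            if incompat & INCOMPAT_EXTERNAL_DATA_FILE:
                raise UnsafeImage("qcow2 references an external data file")
    return actual


def make_qcow2_header(version=3, backing_off=0, backing_size=0, incompat=0):
    # Constructed sample header; only the fields inspected above are filled in.
    hdr = struct.pack(">4sIQI", QCOW2_MAGIC, version, backing_off, backing_size)
    return hdr.ljust(72, b"\0") + struct.pack(">Q", incompat)


if __name__ == "__main__":
    for hdr, declared in [(make_qcow2_header(), "qcow2"), (make_qcow2_header(), "raw"),
                          (make_qcow2_header(backing_off=0x200, backing_size=11), "qcow2")]:
        try:
            print(declared, "->", check_image(hdr, declared))
        except UnsafeImage as exc:
            print(declared, "-> rejected:", exc)
```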