[openstack-dev] [glance][ironic][cinder][nova] 'tar' as an image disk_format

Flavio Percoco flavio at redhat.com
Wed Jan 27 12:50:28 UTC 2016

On 26/01/16 09:11 +0000, Daniel P. Berrange wrote:
>On Sun, Jan 24, 2016 at 12:00:16AM +0200, Duncan Thomas wrote:
>> I guess my wisdom would be 'why'? What does this enable you to do that you
>> couldn't do with similar ease with the formats we have and are people
>> trying to do that frequently.
>> We've seen in cinder that image formats have a definite security surface to
>> them, and with glance adding arbitrary conversion pipelines, that surface
>> is going to increase with every format we add. This should mean we tend
>> towards being increasingly conservative I think.
>Safely extracting tar file contents to create a disk image to run the VM
>from is particularly non-trivial. There have been many security flaws in
>the past with apps doing tar file unpacking in this kind of scenario. For
>example, Docker has had not one, but *three* vulnerabilities in this area
>CVE-2014-6407, CVE-2014-9356, and CVE-2014-9357. So unless there is a
>pretty compelling reason, I'd suggest we stay away from supporting tar
>as an image format, and require traditional image formats where we we can
>treat the file payload as an opaque blob and thus avoid all these file
>processing risks.


From a Glance perspective, there wouldn't be much to do and most of the security
issues would live in the Ironic side. However, as a community, I think we should
send a clear message and protect our users and, in this case, the best way is to
avoid adding this format as supported.

In future works (image conversions and whatnot) this could impact Glance as well.


>|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
>|: http://libvirt.org              -o-             http://virt-manager.org :|
>|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
>|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

Flavio Percoco
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160127/863de078/attachment.pgp>

More information about the OpenStack-dev mailing list