[openstack-dev] [glance][ironic][cinder][nova] 'tar' as an image disk_format

Flavio Percoco flavio at redhat.com
Wed Jan 27 13:02:58 UTC 2016

On 27/01/16 08:20 -0430, Flavio Percoco wrote:
>On 26/01/16 09:11 +0000, Daniel P. Berrange wrote:
>>On Sun, Jan 24, 2016 at 12:00:16AM +0200, Duncan Thomas wrote:
>>>I guess my wisdom would be 'why'? What does this enable you to do that you
>>>couldn't do with similar ease with the formats we have and are people
>>>trying to do that frequently.
>>>We've seen in cinder that image formats have a definite security surface to
>>>them, and with glance adding arbitrary conversion pipelines, that surface
>>>is going to increase with every format we add. This should mean we tend
>>>towards being increasingly conservative I think.
>>Safely extracting tar file contents to create a disk image to run the VM
>>from is particularly non-trivial. There have been many security flaws in
>>the past with apps doing tar file unpacking in this kind of scenario. For
>>example, Docker has had not one, but *three* vulnerabilities in this area
>>CVE-2014-6407, CVE-2014-9356, and CVE-2014-9357. So unless there is a
>>pretty compelling reason, I'd suggest we stay away from supporting tar
>>as an image format, and require traditional image formats where we we can
>>treat the file payload as an opaque blob and thus avoid all these file
>>processing risks.
>From a Glance perspective, there wouldn't be much to do and most of the security
>issues would live in the Ironic side. However, as a community, I think we should
>send a clear message and protect our users and, in this case, the best way is to
>avoid adding this format as supported.
>In future works (image conversions and whatnot) this could impact Glance as well.

It was brought to my attention (thanks Erno) that we support OVA already. This
means we're basically exposed to the above already as the OVA container is a
tarball anyway.

Glance protects itself from this by either not doing anything to the image or
isolating operations on the image to specific workers (of course, this goes in
addition to other security measures).

The difference, though, is that OVA files are a known container format for
images, whereas tar.gz isn't.


>>|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
>>|: http://libvirt.org              -o-             http://virt-manager.org :|
>>|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
>>|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
>>OpenStack Development Mailing List (not for usage questions)
>>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>Flavio Percoco

>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

Flavio Percoco
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160127/48177937/attachment.pgp>

More information about the OpenStack-dev mailing list