[openstack-dev] [glance][ironic][cinder][nova] 'tar' as an image disk_format

Daniel P. Berrange berrange at redhat.com
Wed Jan 27 13:18:08 UTC 2016


On Wed, Jan 27, 2016 at 08:32:58AM -0430, Flavio Percoco wrote:
> On 27/01/16 08:20 -0430, Flavio Percoco wrote:
> >On 26/01/16 09:11 +0000, Daniel P. Berrange wrote:
> >>On Sun, Jan 24, 2016 at 12:00:16AM +0200, Duncan Thomas wrote:
> >>>I guess my wisdom would be 'why'? What does this enable you to do that you
> >>>couldn't do with similar ease with the formats we have and are people
> >>>trying to do that frequently?
> >>>
> >>>We've seen in cinder that image formats have a definite security surface to
> >>>them, and with glance adding arbitrary conversion pipelines, that surface
> >>>is going to increase with every format we add. This should mean we tend
> >>>towards being increasingly conservative I think.
> >>
> >>Safely extracting tar file contents to create a disk image to run the VM
> >>from is particularly non-trivial. There have been many security flaws in
> >>the past with apps doing tar file unpacking in this kind of scenario. For
> >>example, Docker has had not one, but *three* vulnerabilities in this area
> >>CVE-2014-6407, CVE-2014-9356, and CVE-2014-9357. So unless there is a
> >>pretty compelling reason, I'd suggest we stay away from supporting tar
> >>as an image format, and require traditional image formats where we can
> >>treat the file payload as an opaque blob and thus avoid all these file
> >>processing risks.
> >
> >++
> >
> >From a Glance perspective, there wouldn't be much to do and most of the security
> >issues would live in the Ironic side. However, as a community, I think we should
> >send a clear message and protect our users and, in this case, the best way is to
> >avoid adding this format as supported.
> >
> >In future works (image conversions and whatnot) this could impact Glance as well.
> 
> It was brought to my attention (thanks Erno) that we support OVA already. This
> means we're basically exposed to the above already as the OVA container is a
> tarball anyway.
> 
> Glance protects itself from this by either not doing anything to the image or
> isolating operations on the image to specific workers (of course, this goes in
> addition to other security measures).
> 
> The difference, though, is that OVA files are a known container format for
> images, whereas tar.gz isn't.

NB nova doesn't do anything with OVA files either. IIRC, the only virt driver
that supports them is VMware, and Nova just passes the file through as-is
to VMware for processing. For libvirt / KVM we don't support OVA files at
all, partly because we don't want to be in the business of unpacking them
and turning them into disk images ourselves.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
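
An added example, not part of the original message or of any OpenStack code: a pre-extraction audit of the kind the thread's concern about tar unpacking implies, rejecting members whose path or link target leaves the destination directory and any member that is not a regular file or directory. The destination path, function names and sample archive are constructed for illustration.

```python
import io
import os
import tarfile

def _escapes(dest, path):
    """True if path, resolved lexically under dest, lands outside dest."""
    full = os.path.normpath(os.path.join(dest, path))
    return os.path.commonpath([dest, full]) != dest

def audit_tar(fileobj, dest="/srv/unpack"):
    """Return [(member name, reason)] for members unsafe to extract under dest."""
    dest = os.path.normpath(dest)  # hypothetical destination directory
    rejected = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            if os.path.isabs(m.name) or _escapes(dest, m.name):
                rejected.append((m.name, "path outside destination"))
            elif m.issym() or m.islnk():
                # Symlink targets are relative to the link's own directory,
                # hardlink targets to the archive root.
                base = os.path.dirname(m.name) if m.issym() else ""
                target = os.path.join(base, m.linkname)
                if os.path.isabs(m.linkname) or _escapes(dest, target):
                    rejected.append((m.name, "link target outside destination"))
            elif not (m.isreg() or m.isdir()):
                rejected.append((m.name, "special file (device/fifo)"))
    return rejected

def sample_archive():
    """Constructed archive: one benign file plus four unsafe members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, type_=tarfile.REGTYPE, linkname="", data=b""):
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = type_, linkname, len(data)
            tar.addfile(ti, io.BytesIO(data))
        add("rootfs/etc/hostname", data=b"vm\n")
        add("rootfs/../../outside.txt", data=b"x")
        add("rootfs/lib", tarfile.SYMTYPE, "/usr/lib")
        add("rootfs/passwd", tarfile.LNKTYPE, "../host/passwd")
        add("rootfs/dev/sda", tarfile.BLKTYPE)
    buf.seek(0)
    return buf
```

The checks are lexical, so an archive whose links chain through earlier links still needs real path resolution at extraction time or a policy of rejecting links outright.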


