[cinder] [glance] Image certificate validation when booting from volume

Sean Mooney smooney at redhat.com
Fri Jan 20 10:04:05 UTC 2023


On Fri, 2023-01-20 at 10:16 +0300, İzzettin Erdem wrote:
> Hello everyone,
> 
> I have a problem about booting signed images from cinder volumes. I am
> currently working on OpenStack Ussuri and I have Ceph storage as cinder
> backend. I have completed the necessary steps to enable glance image
> verification according to this document [1]. Now, I can create VMs from
> signed images -if I do not choose the *create new volume* option-.
> 
> If I try to boot from volume, it throws an error message: "Image
> certificate validation is not supported when booting from volume".
> According to [2], Cinder already has an option to use signed images and it
> is enabled by default, but it seems it does not work. As opposed to this,
> [3] explains that Cinder has no ability to verify trusted images: *"As of
> the 18.0.0 Rocky release, trusted image certification validation is not
> supported with volume-backed (boot from volume) instances. The block
> storage service support may be available in a future release"*
> 
> Is there any way to use trusted/signed images when booting from volume?
Not as far as I am aware.

Nova cannot verify the signature of the image when [libvirt]/images_type=rbd because
a rogue admin could have gone to the ceph cluster after it was uploaded and modified the base image in some way.
We don't actually download the image from glance or the ceph cluster in that configuration, so we cannot loop over it
and calculate the hash, then compare it to the one in glance.

The boot from volume case is similar: nova cannot verify the content of the volume itself.
At the time support was added to nova in Rocky, cinder did not yet support doing the signature verification when it created the
volume.

The cinder docs say:

#
# Enable image signature verification.
#
# Cinder uses the image signature metadata from Glance and
# verifies the signature of a signed image while downloading
# that image. There are two options here.
#
# 1. ``enabled``: verify when image has signature metadata.
# 2. ``disabled``: verification is turned off.
#
# If the image signature cannot be verified or if the image
# signature metadata is incomplete when required, then Cinder
# will not create the volume and update it into an error
# state. This provides end users with stronger assurances
# of the integrity of the image data they are using to
# create volumes.
#  (string value)
# Possible values:
# disabled - <No description provided>
# enabled - <No description provided>
#verify_glance_signatures = enabled

But if cinder and glance are using the same storage backend, e.g. both are using rbd, or glance is using cinder as the backend,
then I don't know if cinder actually supports verifying the signature when doing a thin clone.

For volume-backed glance images an admin could have mounted the cinder volume to a guest and modified it, and you would not
have a way to tell.

I'm not saying you can protect from a malicious admin, you can't. That is not really what this feature is for.
But the point I'm making is that when a volume is cloned we do not, to my knowledge, reverify that the signature still matches,
so if there has been bitrot or any tampering there is no point where the signature can be reverified.
> 
> Thanks.
> 
> 
> 1 - https://docs.openstack.org/nova/ussuri/user/certificate-validation.html
> 2 -
> https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/cinder.conf.html
> 3 - https://docs.openstack.org/nova/ussuri/user/certificate-validation.html
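To make the mechanism under discussion concrete, here is an added example (not code from this thread, nor from Nova, Glance or Cinder) that signs a constructed image and then verifies it the way a consumer that downloads the bytes can: it streams the image in chunks, recomputes the Glance os_hash_algo/os_hash_value multihash, and checks an RSA-PSS signature over the same stream. The property names (img_signature, img_signature_hash_method, img_signature_key_type, os_hash_algo, os_hash_value) follow the Glance image-signing documentation; everything else is an assumption for illustration: the public key is passed in directly instead of being fetched from Barbican by img_signature_certificate_uuid, the HASH_METHODS mapping and the demo() helper are mine, and the image bytes are constructed. The point is that verify_image() needs every byte of the image; an rbd or cinder clone of the Glance image never passes those bytes through the consumer, so there is nothing to feed it, which is the gap described above.

```python
"""Glance-style image signature verification over a byte stream.

Added example for this thread; it is not code from Nova, Glance or Cinder.
Property names follow the Glance signing docs; key handling is simplified
(public key passed in directly, no Barbican certificate lookup).
"""
import base64
import hashlib
import hmac
from typing import Iterable

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils

# Values used in Glance's img_signature_hash_method property (mapping assumed here).
HASH_METHODS = {
    "SHA-224": hashes.SHA224,
    "SHA-256": hashes.SHA256,
    "SHA-384": hashes.SHA384,
    "SHA-512": hashes.SHA512,
}
CHUNK = 64 * 1024


def _pss(hash_cls):
    # RSA-PSS with MGF1 over the same hash, max salt length.
    return padding.PSS(mgf=padding.MGF1(hash_cls()), salt_length=padding.PSS.MAX_LENGTH)


def sign_image(image: bytes, private_key, hash_method: str = "SHA-256") -> dict:
    """Return the image properties a signer would attach when uploading to Glance."""
    hash_cls = HASH_METHODS[hash_method]
    sig = private_key.sign(image, _pss(hash_cls), hash_cls())
    return {
        "img_signature": base64.b64encode(sig).decode("ascii"),
        "img_signature_hash_method": hash_method,
        "img_signature_key_type": "RSA-PSS",
        # Glance multihash; a downloader can compare this even with no signature.
        "os_hash_algo": "sha512",
        "os_hash_value": hashlib.sha512(image).hexdigest(),
    }


def iter_chunks(image: bytes, size: int = CHUNK) -> Iterable[bytes]:
    """Stand-in for streaming an image download from Glance."""
    for off in range(0, len(image), size):
        yield image[off:off + size]


def verify_image(chunks: Iterable[bytes], props: dict, public_key) -> bool:
    """Recompute the multihash and verify the signature while streaming the bytes.

    Only possible when the consumer actually receives the image data; a backend
    clone (rbd, cinder) hands over no bytes, so this check cannot run there.
    """
    if props.get("img_signature_key_type") != "RSA-PSS":
        return False
    hash_cls = HASH_METHODS.get(props.get("img_signature_hash_method"))
    if hash_cls is None:
        return False
    sig_hash = hashes.Hash(hash_cls())
    multihash = hashlib.new(props["os_hash_algo"])
    for chunk in chunks:
        sig_hash.update(chunk)
        multihash.update(chunk)
    if not hmac.compare_digest(multihash.hexdigest(), props["os_hash_value"]):
        return False
    try:
        public_key.verify(
            base64.b64decode(props["img_signature"]),
            sig_hash.finalize(),
            _pss(hash_cls),
            utils.Prehashed(hash_cls()),
        )
    except InvalidSignature:
        return False
    return True


def demo() -> tuple:
    """Sign a constructed image, verify it intact, then after one flipped byte."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    image = bytes(range(256)) * 1024  # constructed 256 KiB "image"
    props = sign_image(image, key)
    intact = verify_image(iter_chunks(image), props, key.public_key())
    tampered = bytearray(image)
    tampered[100_000] ^= 0x01  # simulate a post-upload change on the backend
    modified = verify_image(iter_chunks(bytes(tampered)), props, key.public_key())
    return intact, modified


if __name__ == "__main__":
    print(demo())
```

Run it and the intact stream verifies while the one-byte change fails on the multihash before the signature is even checked; the same code has no input at all when the image is cloned inside Ceph or Cinder, which is why the check has to happen in the service that owns the bytes.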