[Openstack-operators] [openstack-dev] [nova] More file injection woes

Matt Riedemann mriedem at linux.vnet.ibm.com
Thu Nov 17 17:25:35 UTC 2016


On 11/14/2016 4:16 AM, Daniel P. Berrange wrote:
> On Fri, Nov 11, 2016 at 07:11:51PM -0600, Matt Riedemann wrote:
>> Chris Friesen reported a bug [1] where injected files on a server aren't in
>> the guest after it's evacuated to another compute host. This is because the
>> injected files aren't persisted in the nova database at all. Evacuate and
>> rebuild use similar code paths, but rebuild is a user operation and the
>> command line is similar to boot, but evacuate is an admin operation and the
>> admin doesn't have the original injected files.
>>
>> We've talked about issues with file injection before [2] - in that case not
>> being able to tell if it can be honored and it just silently doesn't inject
>> the files but the server build doesn't fail. We could eventually resolve
>> that with capabilities discovery in the API.
>>
>> There are other issues with file injection, like potential security issues,
>> and we've talked about getting rid of it for years because you can use the
>> config drive.
>>
>> The metadata service is not a replacement, as noted in the code [3], because
>> the files aren't persisted in nova so they can't be served up later.
>>
>> I'm sure we've talked about this before, but if we were to seriously
>> consider deprecating file injection, what does that look like?  Thoughts off
>> the top of my head are:
>>
>> 1. Add a microversion to the server create and rebuild REST APIs such that
>> the personality files aren't accepted unless:
>>
>> a) you're also building the server with a config drive
>> b) or CONF.force_config_drive is True
>> c) or the image has the 'img_config_drive=mandatory' property
>>
>> 2. Deprecate VFSLocalFS in Ocata for removal in Pike. That means libguestfs
>> is required. We'd do this because I think VFSLocalFS is the one with
>> potential security issues.
>
> Yes, VFSLocalFS is the dangerous one if used with untrustworthy disk images
> (essentially all public cloud images are untrustworthy) because malicious
> images could be used to exploit bugs in the host kernel's filesystem drivers.
> This isn't theoretical - we've seen bugs in popular Linux filesystems (i.e.
> ext3) lie mistakenly unfixed for years https://lwn.net/Articles/538898/
>
> Regards,
> Daniel
>

To circle back on this, we discussed it a bit in today's nova meeting 
[1] and agreed that we'd deprecate the VFSLocalFS backend for file 
injection in Ocata and remove it in Pike.

We also agreed to start working on a spec for the REST API changes 
outlined above to deprecate file injection (personality files) as a 
separate feature in the API. People using it today will need to rely on 
config drive after it's deprecated in the API.

[1] http://eavesdrop.openstack.org/meetings/nova/2016/nova.2016-11-17-14.00.log.html

-- 

Thanks,

Matt Riedemann
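The API gating rule sketched in point 1 of the thread (personality files accepted only when a config drive is guaranteed), written out as an added example; this is not nova's code, and the ServerRequest class, field names and force_config_drive parameter are assumptions standing in for the real request body and CONF option.

```python
"""Gate personality (file injection) on config drive availability.

Added example, not nova's code: it models the microversion rule proposed
in the thread. ServerRequest, image_properties and the force_config_drive
parameter are assumptions, not nova's actual request schema or CONF API.
"""
from dataclasses import dataclass, field
from typing import Optional

# The config_drive request field has historically been accepted as either
# a boolean or a string, so normalise both forms before testing it.
TRUE_STRINGS = {"1", "t", "true", "on", "y", "yes"}


def _as_bool(value) -> bool:
    if isinstance(value, bool):
        return value
    if value is None:
        return False
    return str(value).strip().lower() in TRUE_STRINGS


@dataclass
class ServerRequest:
    personality: list = field(default_factory=list)       # injected files
    config_drive: Optional[object] = None                 # bool or string
    image_properties: dict = field(default_factory=dict)  # glance image props


def config_drive_guaranteed(req: ServerRequest, force_config_drive: bool) -> bool:
    """True when any of the three conditions from the proposal holds:
    (a) the request asks for a config drive, (b) the deployment forces one,
    (c) the image carries img_config_drive=mandatory."""
    return (
        _as_bool(req.config_drive)
        or force_config_drive
        or req.image_properties.get("img_config_drive") == "mandatory"
    )


def personality_allowed(req: ServerRequest, force_config_drive: bool = False) -> bool:
    """A request with no personality is always fine; one with personality
    is only fine when the files can be delivered via config drive rather
    than by injecting into the guest filesystem."""
    if not req.personality:
        return True
    return config_drive_guaranteed(req, force_config_drive)


class PersonalityNotAllowed(ValueError):
    pass


def validate_personality(req: ServerRequest, force_config_drive: bool = False) -> None:
    """Raise if the request would silently depend on file injection."""
    if not personality_allowed(req, force_config_drive):
        raise PersonalityNotAllowed(
            "personality files require a config drive: request config_drive=true, "
            "set force_config_drive, or use an image with img_config_drive=mandatory")
```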
