[Openstack] VFSLocalFS and password injection

J-P Methot jpmethot at gtcomm.net
Fri Sep 18 14:59:43 UTC 2015


On 2015-09-18 10:33 AM, Daniel P. Berrange wrote:
> On Fri, Sep 18, 2015 at 10:10:22AM -0400, J-P Methot wrote:
>> Hi,
>>
>> I have a question regarding the VFSLocalFS mechanism for password
>> injection. Basically, because of our infrastructure, we can't use
>> libguestfs for password injection and we do not want to inject password
>> through metadata. This leads us to use the openstack VFSLocalFS
>> mechanism for password injection.
> 
> NB, using VFSLocalFS is only suitable if you trust your guest disk
> images. Since it uses the host kernel to mount the guest filesystem,
> a malicious guest filesystem can exploit the host kernel. This is
> not just theoretical as there have been exploits in mainstream FS
> like ext3/4 before, not to mention all the obscure filesystem
> drivers linux has that few people probably audited.
> 

I see, thank you for the pointer. In our case we do trust our images as
customers cannot upload new OS images of in our infrastructure. However,
they can upload snapshots of the VM they created from the image. Since
they can modify the content of a vm, save it as a snapshot and then boot
from it, am I right to think this may be a potential vulnerability?

>> Now, the issue I got is that, on some images, password injection with
>> VFSLocalFS will work, while on others, it won't. This is not even OS
>> related, as on one image of debian 8 that I made myself it won't work,
>> but on the official image it will work.
> 
> I'd compare the way the images are partitioned, as that's most likely
> difference to cause some images to work and some fail.
> 
>> What is the requirement for VFSLocalFS to work? The compute logs do not
>> show any error, so I'm thinking it can only be because of something
>> inside the images I'm using.
> 
> It needs qemu-nbd to support qcow2 images, or loop devices to support
> raw files. It needs kpartx to support images containing LVM parititions.
> It is also sensitive to the 'inject_partition' nova.conf setting.
> 
> Regards,
> Daniel
> 


-- 
======================
Jean-Philippe Méthot
Administrateur système / System administrator
GloboTech Communications
Phone: 1-514-907-0050
Toll Free: 1-(888)-GTCOMM1
Fax: 1-(514)-907-0750
jpmethot at gtcomm.net
http://www.gtcomm.net




More information about the Openstack mailing list