XenAPI: Cached images are never re-used

Bug #1254714 reported by Bob Ball
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Critical | Bob Ball |

Bug Description

_create_cached_image_impl uses _find_cached_image to find the image - which in turn relies on the image name_label to be set. However, the bug is that at the end of _create_cached_image_impl the name_label is cleared - thus meaning the cached image is never re-used and always re-downloaded.

This has the dual effect of slowing down each server start which could have used the cached image and slowing down the "find_cached_image" function as it needs to search an ever larger number of VDIs.

Tags: xenserver
Bob Ball (bob-ball)
Changed in nova:
importance: Undecided → Medium
Bob Ball (bob-ball) wrote :

Upgraded to critical due to the security implications - if two tenants start a server with the same base image, the second tenant will see all writes performed by the first tenant.

This is only in trunk, and not Havana.

Changed in nova:
importance: Medium → Critical
Brian Elliott (belliott) wrote :

Nasty. Nice find!

tags: added: xenserver
Thierry Carrez (ttx) wrote :

Exploring security implications

Changed in nova:
milestone: none → icehouse-1
Thierry Carrez (ttx) wrote :
Changed in nova:
status: New → In Progress
Russell Bryant (russellb) wrote :
Thierry Carrez (ttx)
Changed in nova:
assignee: nobody → Bob Ball (bob-ball)
Bob Ball (bob-ball) wrote :

Fixed by https://review.openstack.org/#/c/58281/

Bug introduced in https://review.openstack.org/#/c/46706/ - which landed post-Havana

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/58281
Committed: http://github.com/openstack/nova/commit/a23371787d5cd6347d4afb10bb8abd0bd49dba1d
Submitter: Jenkins
Branch: master

commit a23371787d5cd6347d4afb10bb8abd0bd49dba1d
Author: Bob Ball <email address hidden>
Date: Mon Nov 25 13:06:45 2013 +0000

    XenAPI: Fix caching of images

    Clearing of the cached images' name_label means it can't be found in future.
    Name label of cloned VDI should be cleared so it is not found by the
    caching functions.

    Main impact of this is in test scenarios where the VM is always deleted, but
    a more subtle impact could be data leakage.

    Change-Id: I6bb80443d31128b7d5d47e4b252db5eb8ab86940
    Closes-bug: 1254714

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
information type: Public → Public Security
Thierry Carrez (ttx) wrote :

No OSSA, does not appear in any supported version

no longer affects: ossa
information type: Public Security → Public
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: icehouse-1 → 2014.1
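
A toy model of the name_label-based cache lookup discussed in this report, added here as an illustration; it is not nova or XenAPI code. `Store`, `boot`, `run`, the label format and the `clone_inherits_label` switch are assumptions of the model: the page does not say whether a cloned VDI keeps its parent's name_label, so both cases are modelled.

```python
import itertools

CACHE_LABEL = "cached-image-%s"   # constructed label format, not nova's


class Store:
    """Constructed in-memory stand-in for a storage repository (not XenAPI)."""

    def __init__(self, clone_inherits_label):
        self.vdis = {}                      # ref -> {"label": str, "data": list}
        self.downloads = 0
        self.clone_inherits_label = clone_inherits_label
        self._refs = itertools.count(1)

    def add(self, label, data):
        ref = next(self._refs)
        self.vdis[ref] = {"label": label, "data": list(data)}
        return ref

    def find_cached(self, image_id):
        # The cache lookup depends only on name_label, as the report describes.
        wanted = CACHE_LABEL % image_id
        return next((r for r, v in self.vdis.items() if v["label"] == wanted), None)

    def clone(self, ref):
        src = self.vdis[ref]
        label = src["label"] if self.clone_inherits_label else ""
        return self.add(label, src["data"])


def boot(store, image_id, tenant, clear_label_on):
    cache = store.find_cached(image_id)
    if cache is None:                       # cache miss: fetch the image again
        store.downloads += 1
        cache = store.add(CACHE_LABEL % image_id, ["base image"])
    disk = store.clone(cache)               # the tenant's writable disk
    # "cache" clears the label the report says is cleared; "clone" clears the
    # label the fix commit message says should be cleared.
    store.vdis[cache if clear_label_on == "cache" else disk]["label"] = ""
    store.vdis[disk]["data"].append("written by " + tenant)
    return store.vdis[disk]["data"]


def run(clear_label_on, clone_inherits_label):
    """Boot two tenants from one image; return (downloads, tenant-b sees a's writes)."""
    store = Store(clone_inherits_label)
    boot(store, "img-1", "tenant-a", clear_label_on)
    disk_b = boot(store, "img-1", "tenant-b", clear_label_on)
    return store.downloads, "written by tenant-a" in disk_b
```

In this model `run("cache", False)` downloads the image on every boot, `run("cache", True)` hands tenant-b a clone of tenant-a's written disk, and `run("clone", ...)` gives one download and no cross-tenant data in either case.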