Cinder

tgtadm iscsi chap does not work

Bug #1329214 reported by ling-yun on 2014-06-12

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	Critical	Tomoki Sekiyama	Cinder 2014.2 "juno"
	OpenStack Security Notes	Fix Released	Undecided	Michael McCune

Bug Description

When using LVMISCSIDriver and iscsi_helper tgtadm, it should support chap unidirectional authentication because target configuration file and db.volume has record chap user and chap passwd.
By testing, I found that tgtadm iscsi chap does not work.
Is it a security bug for iscsi_helper tgtadm?

My detail test work is as follows.
1. Test details as follows without modify the source code:
1) Devstack all in one server A(10.250.10.190); another testing server B(10.250.10.191)
2) create a vm VM-A and a cinder volume VOLUME-A, attach VOLUME-A to VM-A
3) server B directly login the iscsi target that server-A export and get VOLUME-A sucessfully .
iscsiadm -m discovery -t sendtargets -p 10.250.10.190
iscsiadm -m node -T iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login

2. Test details as follows with modify the source code:
1) add creating user/passwd and binding user to tid code before leaving the function TgtAdm:create_iscsi_target.
        type, name, passwd = chap_auth.split()
        self._execute('tgtadm',
                      '--lld',
                      'iscsi',
                      '--mode',
                      'account',
                      '--op',
                      'new',
                      '--user',
                      name,
                      '--password',
                      passwd)
        self._execute('tgtadm',
                      '--lld',
                      'iscsi',
                      '--mode',
                      'account',
                      '--op',
                      'bind',
                      '--tid',
                      tid,
                      '--user',
                      name
                      )

2) try to login VOLUME-A as the steps in item 1, it reported an authorization error as follows.
root@devaio1:/etc/iscsi# iscsiadm -m node -T iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e -p 10.250.10.190 -l --login
Logging in to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260] (multiple)
iscsiadm: Could not login to [iface: default, target: iqn.2010-10.org.openstack:volume-ee32035f-73d2-4312-a468-c7773f90a75e, portal: 10.250.10.190,3260].
iscsiadm: initiator reported error (24 - iSCSI login failed due to authorization failure)
iscsiadm: Could not log into all portals

Tags:

ling-yun (zengyunling) on 2014-06-12

Changed in cinder:
assignee:	nobody → ling-yun (zengyunling)
assignee:	ling-yun (zengyunling) → nobody

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-06-12:

This may be a bug, but I fail to see the security vulnerability in it. Could you explain how this may constitute a vulnerability ?

Changed in ossa:
status:	New → Incomplete

Revision history for this message

ling-yun (zengyunling) wrote on 2014-06-12:

If cinder support tgtadm iscsi chap auth, we could only connect and mount volume with chap username and chap password in order to prevent Unauthorized access.
Now we could connect and mount volume without chap username and chap password, which would leave anybody to access volume arbitrarily.

Revision history for this message

ling-yun (zengyunling) wrote on 2014-06-16:

Did I explain clearly about the problem?
Looking forward to your feedback.

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-06-16:

Adding Cinder security contacts so that they can confirm the issue.

Revision history for this message

ling-yun (zengyunling) wrote on 2014-06-18:

hi stackers, looking forward to your feedback.

Revision history for this message

John Griffith (john-griffith) wrote on 2014-06-23:

Hi ling-yun,

Indeed, somewhere along the way we've broken setup of CHAP. I don't know that I would classify this as requiring a private security bug, but yes it's a bug that needs to be addressed.

Being that we keep the iscsi connection info away from the end-user I think we can just open this as a "regular" bug, but mark it higher priority.

Thanks!

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-06-24:

Yes, I don't think that qualifies as a vulnerability. It's a missing security feature that would result in generally strengthening the Cinder setup.

If you agree, I will open this bug publicly so that the bug can be fixed in future versions of Cinder as fast as possible.

Revision history for this message

ling-yun (zengyunling) wrote on 2014-06-24:

To John Griffith (john-griffith) & Thierry Carrez (ttx) :
OK, agree with both you two.
We should fix it up as soon as possible.

ling-yun (zengyunling) on 2014-06-24

Changed in cinder:
assignee:	nobody → ling-yun (zengyunling)

Revision history for this message

Jeremy Stanley (fungi) wrote on 2014-06-24:

Updated to a public bug, no advisory, tagged as possible security hardening feature/improvement.

information type:	Private Security → Public
tags:	added: security
no longer affects:	ossa

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-06-25: Fix proposed to cinder (master)

#10

Fix proposed to branch: master
Review: https://review.openstack.org/102420

Changed in cinder:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-08-12: Change abandoned on cinder (master)

#11

Change abandoned by Duncan Thomas (<email address hidden>) on branch: master
Review: https://review.openstack.org/102420
Reason: Abandoning change: No update for more than 14 days

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-14: Fix proposed to cinder (master)

#12

Fix proposed to branch: master
Review: https://review.openstack.org/128478

Changed in cinder:
assignee:	ling-yun (zengyunling) → Tomoki Sekiyama (tsekiyama)

John Griffith (john-griffith) on 2014-10-15

Changed in cinder:
importance:	Undecided → Critical
milestone:	none → juno-rc3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-15: Fix proposed to cinder (proposed/juno)

#13

Fix proposed to branch: proposed/juno
Review: https://review.openstack.org/128507

Revision history for this message

Nathan Kinder (nkinder) wrote on 2014-10-15:

#14

Did CHAP authentication ever work for this case? I would like to know if this is a regression. This seems worthy of a security note since people might assume that their volumes are protected when they are in-fact accessible.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-15: Fix merged to cinder (master)

#15

Reviewed: https://review.openstack.org/128478
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=e3563891545c801726d227f752cf99488ed5c7dd
Submitter: Jenkins
Branch: master

commit e3563891545c801726d227f752cf99488ed5c7dd
Author: Tomoki Sekiyama <email address hidden>
Date: Tue Oct 14 19:09:44 2014 -0400

Fix LVM iSCSI driver tgtadm CHAP authentication

    Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work.
    This is because the tgtadm helper creates the target configuration file
    with an 'IncomingUser' entry, which is ignored by tgtd.
    This patch fixes it to 'incominguser'.

Change-Id: I14871985a2a916834122f849238f05b75726bc1a
Closes-Bug: #1329214

Changed in cinder:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-15: Fix merged to cinder (proposed/juno)

#16

Reviewed: https://review.openstack.org/128507
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=be3d4604dc0566e0838959d998ff1d37755de6d3
Submitter: Jenkins
Branch: proposed/juno

commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <email address hidden>
Date: Tue Oct 14 19:09:44 2014 -0400

Fix LVM iSCSI driver tgtadm CHAP authentication

    Change-Id: I14871985a2a916834122f849238f05b75726bc1a
    Closes-Bug: #1329214
    (cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)

Changed in cinder:
status:	Fix Committed → Fix Released

Revision history for this message

Tomoki Sekiyama (tsekiyama) wrote on 2014-10-15:

#17

Hi Nathan,

I'm not sure if it had worked, but it seems already broken in Jan '14 according to this page:
https://ask.openstack.org/en/users/2406/ale/?sort=recent

Thierry Carrez (ttx) on 2014-10-16

Changed in cinder:
milestone:	juno-rc3 → 2014.2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-16: Fix proposed to cinder (master)

#18

Fix proposed to branch: master
Review: https://review.openstack.org/128920

Steven Weston (steve.weston) on 2014-10-23

Changed in ossn:
assignee:	nobody → Steven Weston (steve.weston)

Steven Weston (steve.weston) on 2014-11-20

Changed in ossn:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-11-25: Change abandoned on cinder (master)

#19

Change abandoned by Mike Perez (<email address hidden>) on branch: master
Review: https://review.openstack.org/128920

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-06-10: Fix merged to cinder (master)

#20

Download full text (11.8 KiB)

Reviewed: https://review.openstack.org/128920
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=66494f54112fdfa135b3974c75aa388c8d1fb49e
Submitter: Jenkins
Branch: master

commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <email address hidden>
Date: Tue Oct 14 19:09:44 2014 -0400

Fix LVM iSCSI driver tgtadm CHAP authentication

    Change-Id: I14871985a2a916834122f849238f05b75726bc1a
    Closes-Bug: #1329214
    (cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)

commit f7ee62cc58d8b642af67510a310f6259492a4508
Author: Mitsuhiro Tanino <email address hidden>
Date: Tue Oct 14 12:41:41 2014 -0400

Export cinder volumes only if the status is 'in-use'

    Currently, cinder volumes are exported both 'in-use' and 'available'
    after restarting cinder-volume service.
    This behavior was introduced following commit.

      commit ffefe18334a9456250e1b6ff88b7b47fb366f374
      Author: Zhiteng Huang <email address hidden>
      Date: Sat Aug 23 18:32:57 2014 +0000

    If the volumes are attached to nova instances, they should be exported
    via tgtd after restarting cinder-volume.
    But the volumes which are not attached to instances must not be exported
    because everyone can connect these volumes.

This patch changes volume export behavior that exports a volume only if
the volume status is 'in-use'.

    Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9
    Signed-off-by: Mitsuhiro Tanino <email address hidden>
    Closes-bug: #1381106
    (cherry picked from commit e2f28b967910625432be0eab6a851adf53ac58ea)

commit 01e7c516852e53df661b2eedc970c327c1ff10ce
Author: Vipin Balachandran <email address hidden>
Date: Fri Oct 10 23:06:27 2014 +0530

Revert "Relocate volume to compliant datastore"

    Commit 4be8913520f5e9fe4109ade101da9509e4a83360 introduced a regression
    which causes failures during cinder volume re-attach. This patch reverts
    commit 4be8913520f5e9fe4109ade101da9509e4a83360 as an immediate fix.

    Closes-Bug: #1379830
    Change-Id: I5dfbd45533489c3c81db8d256bbfd2f85614a357
    (cherry picked from commit 48cb82971e0418f9a629e2b39d0433dc2c0e6919)

commit 900d49723f65e87658381ff955559f54ac98c487
Author: Andreas Jaeger <email address hidden>
Date: Thu Oct 9 12:25:28 2014 +0200

Updated translations

    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_files cinder

Change-Id: I73f3bdccb4be98df95fa853864e465f4d83a8884

commit 8e94aaa2b28b491314fe8642061ac73e3fe8e966
Author: Navneet Singh <email address hidden>
Date: Thu Aug 28 16:03:41 2014 +0530

NetApp fix eseries unit test mock clean

...

Reviewed:  https://review.openstack.org/128920
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=66494f54112fdfa135b3974c75aa388c8d1fb49e
Submitter: Jenkins
Branch:    master

commit be3d4604dc0566e0838959d998ff1d37755de6d3
Author: Tomoki Sekiyama <tomoki.sekiyama@hds.com>
Date:   Tue Oct 14 19:09:44 2014 -0400

Fix LVM iSCSI driver tgtadm CHAP authentication
    
    Currently CHAP Authentication in LVM iSCSI driver with tgtadm does not work.
    This is because the tgtadm helper creates the target configuration file
    with an 'IncomingUser' entry, which is ignored by tgtd.
    This patch fixes it to 'incominguser'.
    
    Change-Id: I14871985a2a916834122f849238f05b75726bc1a
    Closes-Bug: #1329214
    (cherry picked from commit e3563891545c801726d227f752cf99488ed5c7dd)

commit f7ee62cc58d8b642af67510a310f6259492a4508
Author: Mitsuhiro Tanino <mitsuhiro.tanino@hds.com>
Date:   Tue Oct 14 12:41:41 2014 -0400

Export cinder volumes only if the status is 'in-use'
    
    Currently, cinder volumes are exported both 'in-use' and 'available'
    after restarting cinder-volume service.
    This behavior was introduced following commit.
    
      commit ffefe18334a9456250e1b6ff88b7b47fb366f374
      Author: Zhiteng Huang <zhithuang@ebaysf.com>
      Date: Sat Aug 23 18:32:57 2014 +0000
    
    If the volumes are attached to nova instances, they should be exported
    via tgtd after restarting cinder-volume.
    But the volumes which are not attached to instances must not be exported
    because everyone can connect these volumes.
    
    This patch changes volume export behavior that exports a volume only if
    the volume status is 'in-use'.
    
    Change-Id: I4c598c240b9290c81bd8001e5a0720c8c329aeb9
    Signed-off-by: Mitsuhiro Tanino <mitsuhiro.tanino@hds.com>
    Closes-bug: #1381106
    (cherry picked from commit e2f28b967910625432be0eab6a851adf53ac58ea)

commit 01e7c516852e53df661b2eedc970c327c1ff10ce
Author: Vipin Balachandran <vbala@vmware.com>
Date:   Fri Oct 10 23:06:27 2014 +0530

Revert "Relocate volume to compliant datastore"
    
    Commit 4be8913520f5e9fe4109ade101da9509e4a83360 introduced a regression
    which causes failures during cinder volume re-attach. This patch reverts
    commit 4be8913520f5e9fe4109ade101da9509e4a83360 as an immediate fix.
    
    Closes-Bug: #1379830
    Change-Id: I5dfbd45533489c3c81db8d256bbfd2f85614a357
    (cherry picked from commit 48cb82971e0418f9a629e2b39d0433dc2c0e6919)

commit 900d49723f65e87658381ff955559f54ac98c487
Author: Andreas Jaeger <aj@suse.de>
Date:   Thu Oct 9 12:25:28 2014 +0200

Updated translations
    
    Commands run:-
    $ python setup.py extract_messages
    $ python setup.py update_catalog --no-fuzzy-matching \
      --ignore-obsolete=true
    $ source \
      ../openstack-infra/project-config/jenkins/scripts/common_translation_update.sh
    $ setup_loglevel_vars
    $ cleanup_po_files cinder
    
    Change-Id: I73f3bdccb4be98df95fa853864e465f4d83a8884

commit 8e94aaa2b28b491314fe8642061ac73e3fe8e966
Author: Navneet Singh <singn@netapp.com>
Date:   Thu Aug 28 16:03:41 2014 +0530

NetApp fix eseries unit test mock clean
    
    This patch fixes the issue of mock not getting
    cleaned for requests in unit tests.
    
    Closes-Bug: #1353506
    
    Change-Id: Iab401021d7f180ff1f2bf3ed79166699112cc367
    (cherry picked from commit 140956515327494a53de6ad09c35690624248f0a)

commit aaecfcf15e6b9defde5822453f2ae97aaf959408
Author: John Griffith <john.griffith8@gmail.com>
Date:   Tue Oct 7 11:49:58 2014 -0600

Make sure device support Direct before setting
    
    We added '-t none' option to the qemu-img convert operation
    in image_utils.py a while back to accomodate a couple of
    backend devices that didn't flush writes on disconnect.
    (Change: I7a04f683add8c23b9125fe837c4048ccc3ac224d)
    
    The only problem here is that some backend devices don't
    support Direct mode and raise an exception and fail when
    setting this option.
    
    This patch adds a simple check using dd to see if the dest
    supports the Direct flag and only sets '-t none' if the device
    does in fact support it.
    
    Additionally it was brought up that even yet other backends
    are using file devices not blk devices.  In their case setting
    Direct will still work, however it's sub-optimal as qemu-convert
    has internal mechanisms to make sure flushing etc are done
    correctly and efficiently for those devices.  So to accomodate
    that particular use case I'm also adding a check if blk dev
    that can be used for determining whether to set Direct for the
    qemu-convert process.
    
    Change-Id: I34127ac373ceadcfb6fc2662628b1a91eb7b0046
    Closes-Bug: 1375487
    (cherry picked from commit c42273fbc1983b146180c82b8a34b0d832a6f431)

commit a8cec39f8243fd4ee6c0a16fc0620d4b0980c749
Author: Juan Zuluaga <juan.c.zuluaga@oracle.com>
Date:   Wed Sep 24 18:51:07 2014 -0400

ZFSSA iSCSI vol create fails with vol type option
    
    Vol create with volume-type option is not working since
    volume_backend_name contains the class name as
    predefined string. No matter what was specified in cinder.conf
    as volume_backend_name, volume creation failed.
    Multi-backend option and using extra specs to create custom volumes
    won't work.
    The fix is to look whether volume_backend_name is part of the
    configuration or falls into the class name in case there is
    no backend name.
    
    Closes-Bug: 1373621
    DocImpact
    
    (cherry picked from commit 5c61d57d3693523e9cbf11bf0b5b09bafe699247)
    
    Change-Id: I1bc501dd4c5689d96c7beb720b64112df1770232

commit 04cd35fd88768ec0f5d23619cec2df4981ee7d8c
Author: Sean McGinnis <sean_mcginnis@dell.com>
Date:   Fri Sep 26 15:21:35 2014 -0500

Handle eqlx SSH connection close on abort.
    
    EqualLogic array CLI operation timeout causes the
    SSH thread to be aborted. This would cause SSH
    sessions to be orphaned and hit a max connection
    limit on the array. This fix catches these aborts
    and makes sure the connection is closed.
    
    Change-Id: I9392fd5dd79eb44f252bf50217f17cc473e6f2f0
    Closes-Bug: 1374613
    (cherry picked from commit 5cb23b67c53437fc51a6b37acac477fba4d6a7ab)

commit 787b328518b2eec8275956835ae16488644e7d87
Author: Juan Zuluaga <juan.c.zuluaga@oracle.com>
Date:   Tue Sep 16 11:23:36 2014 -0400

ZFSSA iSCSI driver cannot add multple initiators to a group
    
    All initiators defined in zfssa_initiator property would be
    added to the group.
    Also fixed some typos related to initiators error messages.
    
    Change-Id: Iec6c90702e5aafa153b4a7f1e429974ac450afc0
    Closes-Bug: #1369750
    (cherry picked from commit f94d671e627dd7b5143422ffe739418fcfb51a70)

commit c566767d6a5041d1d86b1e199028d78772ebc508
Author: Patrick East <patrick.east@purestorage.com>
Date:   Tue Sep 30 11:47:42 2014 -0700

Fix race condition in ISCSIConnector _disconnect_volume_multipath_iscsi
    
    This is a similar issue as seen in
    https://bugs.launchpad.net/cinder/+bug/1375382
    
    The list of devices returned by driver.get_all_block_devices() in
    _disconnect_volume_multipath_iscsi will potentially contain broken
    symlinks as the SCSI devices have been deleted from calling
    self._linuxscsi.remove_multipath_device(device_realpath) right before
    _disconnect_volume_multipath_iscsi but the udev rule for the symlink
    may not yet have completed.
    
    Adding in a check to os.path.exists() will ensure that we will not
    consider the broken symlinks as an “in use” device.
    
    Change-Id: I79c9627e9b47127d3765fcec5b7e3bacef179630
    Closes-Bug: #1375946
    (cherry picked from commit 4541521de576297d9b7d4115b040ff54773d9d50)

commit 40eff25fce9a350d1872b083503e4306242961de
Author: Clinton Knight <cknight@netapp.com>
Date:   Fri Sep 26 12:07:44 2014 -0400

Deprecate / obsolete NetApp volume extra specs
    
    The NetApp Data ONTAP (Cluster-mode) NFS & iSCSI drivers for Juno support
    the Cinder pools feature, but the drivers are reporting two qualified
    extra specs that must be converted to unqualified extra specs in order to
    be used by the Cinder scheduler's capability filter. Furthermore, there
    are four extra specs that must be deprecated due to having the pools
    feature.  Warnings will be logged during volume creation if any of the
    obsolete or deprecated extra specs are seen in the volume type.
    
    Change-Id: I4dbd667610e481356304a12b8dae84cff61aa9d9
    Closes-bug: 1374630
    (cherry picked from commit 4cb4be4122a44dc99d6f29f065cdd32ae86273ce)

commit 2601acaec8d3c154f7638db0e7dad307d0efcc48
Author: Vincent Hou <sbhou@cn.ibm.com>
Date:   Fri Sep 12 16:10:02 2014 +0800

IBM Storwize driver: Retype the volume with correct empty QoS
    
    * Currently for Storwzie driver, if the new type does not have QoS
    configurations, the old QoS configurations remain in the volume after
    retyping it. It should be retyped into a volume with empty QoS for the
    Storwize driver.
    * Refactor three dicts into one for better maintainance of the QoS keys
    for Storwize driver.
    
    DocImpact
    
    Change-Id: I2b2801a4ef72ef02c11392ed00b56f5263a8a7e4
    Closes-Bug: #1368595
    (cherry picked from commit 26de1b1d829849665dae921b8be739194b84515d)

commit d5efe6703297761215907eeaf703cec040e6ad25
Author: Tristan Cacqueray <tristan.cacqueray@enovance.com>
Date:   Fri Oct 3 19:57:01 2014 +0000

Sync latest processutils from oslo-incubator
    
    An earlier commit (Ia92aab76fa83d01c5fbf6f9d31df2463fc26ba5c) failed
    to address ssh_execute(). This change set addresses ssh_execute.
    
    ------------------------------------------------
    
    oslo-incubator head:
    
    commit 4990535fb5f3e2dc9b397e1a18c1b5dda94ef1c4
    Merge: 9f5c700 2a130bf
    Author: Jenkins <jenkins@review.openstack.org>
    Date:   Mon Sep 29 23:12:14 2014 +0000
    
        Merge "Script to list unreleased changes in all oslo projects"
    
    -----------------------------------------------
    
    The sync pulls in the following changes (newest to oldest):
    
    6a60f842 - Mask passwords in exceptions and error messages (SSH)
    
    -----------------------------------------------
    
    Change-Id: Ie0caf32469126dd9feb44867adf27acb6e383958
    Closes-Bug: #1377981
    (cherry picked from commit 5e4e1f7ea71f9b4c7bd15809c58bc7a1838ed567)

commit c70ef7d8d4d9479fe5d3f4a8387c4eac1dca274d
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Mon Oct 6 16:09:05 2014 +0000

Updated from global requirements
    
    Change-Id: I116f04494e596e470f8fec242466ac5fe21b222c

commit 79afa849658f689a9105473fdfba1d993684d3df
Author: Lucian Petrut <lpetrut@cloudbasesolutions.com>
Date:   Tue Sep 30 11:58:22 2014 +0300

Windows SMBFS: Handle volume_name in _qemu_img_info
    
    The volume_name is now parsed to the _qemu_img_info wrapper. As
    this method is not prone to security issues because this driver
    does not support raw images (at least not yet), we don't have to
    perform any checks on the backing image file path.
    
    Thus, this method simply ignores this argument that will be parsed
    by the base class methods.
    
    Related-Bug: #1350504
    
    Change-Id: I801a6338250ec2dc631c4058543f7d0088b3e4d4
    (cherry picked from commit 5e0ce63d6df39dcad5a0ef35553369e49c67dfb8)

commit 608ecf565f99b9840095ecff424e396c4bae631a
Author: Eric Harney <eharney@redhat.com>
Date:   Tue Sep 9 16:20:24 2014 -0400

Refuse invalid qcow2 backing files
    
    Don't allow qcow2 files that are pointing to backing files outside of:
    
    volume-<id>
    volume-<id>.<snap-id>
    volume-<id>.tmp-snap-<snap-id>
    
    (optionally prefixed with /mnt/path)
    
    Closes-Bug: #1350504
    
    Change-Id: Ic89cffc93940b7b119cfcde3362f304c9f2875df
    (cherry picked from commit dca3c8323cf8cf12aa8ce4ba21f647ce631e8153)

Revision history for this message

Dave Walker (davewalker) wrote on 2015-07-03:

#21

@steve.westom: The OSSN task is assigned to you, are you still working on this?

Thanks

Michael McCune (mimccune) on 2015-09-02

Changed in ossn:
assignee:	Steven Weston (steve.weston) → Michael McCune (mimccune)

Revision history for this message

Michael McCune (mimccune) wrote on 2015-09-03:

#22

OSSN review

https://review.openstack.org/#/c/219939

Revision history for this message

Nathan Kinder (nkinder) wrote on 2015-09-17:

#23

This has been published as OSSN-0058:

https://wiki.openstack.org/wiki/OSSN/OSSN-0058

Changed in ossn:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.