Security Guide - Chapter 43. Gap In Image-to-Instance Validation

Bug #1344327 reported by N Dillon
This bug affects 1 person
Affects: openstack-manuals
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Currently States: "We hope that future versions of Compute and/or the Image Service will offer support for validating the image hash before each instance launch. An alternative option that would be even more powerful would be allow users to sign an image and then have the signature validated when the instance is launched."

Recommended Update: "A current gap in validation is that it must currently be done by hand when desired. OpenStack does not currently support validating the image hash or user signature before each instance launch."
-----------------------------------
Built: 2014-07-18T11:07:05+00:00
git SHA: 2dc0f54e2f4b1a51cfcf33c90c799d0f1b3a1cb7
URL: http://docs.openstack.org/security-guide/content/security-services-for-instances.html
source File: file:/home/jenkins/workspace/security-doc-tox-doc-publishdocs/security-guide/ch_security-services-for-instances.xml
xml:id: security-services-for-instances

Changed in openstack-manuals:
importance: Undecided → Medium
status: New → Confirmed
tags: added: low-hanging-fruit sec-guide
N Dillon (sicarie) wrote :

A note for whoever does this: please proofread the recommendation, as it states "A current gap in validation is that it must currently...", where the second "currently" is redundant and should be removed.

N Dillon (sicarie) wrote :

This is now in Ch29, but wording has remained

Changed in openstack-manuals:
assignee: nobody → N Dillon (sicarie)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to security-doc (master)

Fix proposed to branch: master
Review: https://review.openstack.org/110130

Changed in openstack-manuals:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on security-doc (master)

Change abandoned by Nathaniel Dillon (<email address hidden>) on branch: master
Review: https://review.openstack.org/110130
Reason: Worked on rebasing this last night, didn't realize between last night and this morning the chapters had changed and by then had deleted local branch, will re-submit under different topic name.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to security-doc (master)

Fix proposed to branch: master
Review: https://review.openstack.org/111097

OpenStack Infra (hudson-openstack) wrote : Change abandoned on security-doc (master)

Change abandoned by Nathaniel Dillon (<email address hidden>) on branch: master
Review: https://review.openstack.org/111097
Reason: It's like Coke Classic - everyone prefers the original :)

N Dillon (sicarie)
Changed in openstack-manuals:
assignee: N Dillon (sicarie) → nobody
Andreas Jaeger (jaegerandi) wrote :

Looking at the discussion in the patch, I suggest marking this bug as invalid. Do you agree?

N Dillon (sicarie) wrote :

Yeah, I think so - personally I think that things like 'we hope' and options for which there is no concrete tool or blueprint (or link to project page - I have not done the research to determine what OA/Ironic are doing to this end) shouldn't be in there as it does not relate specific guidance as to hardening (it just says what would be ideal), but I am not sure how to modify it to state that to the satisfaction of the reviewers.

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: In Progress → Invalid