Fuel for OpenStack

Insecure partition layout: Adjust partition layout on MOS slave nodes

Bug #1526329 reported by Adam Heczko on 2015-12-15

258

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Fuel for OpenStack	In Progress	High	Grzegorz Szafrański	Fuel for OpenStack 10.0
Mitaka	Won't Fix	High	MOS Linux	Fuel for OpenStack 9.0
Mirantis OpenStack	Won't Fix	High	Fuel Python (Deprecated)

Bug Description

Observed on:
All slave nodes deployed by Fuel

Problem description:
Currently Fuel partitions target installation disk on SLAVE nodes as follows (controller example, MOS 7.0):
root@contr1:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/os-root 50G 2.6G 45G 6% /
none 4.0K 0 4.0K 0% /sys/fs/cgroup
udev 7.9G 12K 7.9G 1% /dev
tmpfs 1.6G 123M 1.5G 8% /run
none 5.0M 0 5.0M 0% /run/lock
none 7.9G 60M 7.8G 1% /run/shm
none 100M 0 100M 0% /run/user
/dev/vda3 196M 39M 148M 21% /boot
/dev/mapper/logs-log 9.8G 5.2G 4.1G 57% /var/log
/dev/mapper/mysql-root 20G 6.3G 13G 34% /var/lib/mysql

Solution proposal:
In order to improve security and meet certain compliance requirements it is required to adjust current partition layout.
Let’s introduce new partitions as follows:
/home , 10G
/tmp , 10G
/horizon , 20G
/var/log/audit , 5G

As a result we'd like to have following partition layout on slave nodes (controller example):
/
/sys/fs/cgroup
/dev
/run
/run/lock
/run/shm
/run/user
/boot
/var/log
/var/lib/mysql
/home
/horizon
/var/log/audit

See original description

Tags:

Adam Heczko (aheczko-mirantis) on 2015-12-15

Changed in fuel:
milestone:	none → 8.0
importance:	Undecided → High

Ilya Kutukov (ikutukov) on 2015-12-15

Changed in fuel:
assignee:	nobody → Fuel Library Team (fuel-library)
status:	New → Confirmed
tags:	added: area-library

Revision history for this message

Bogdan Dobrelya (bogdando) wrote on 2015-12-15:

This is not a bug but a feature. Request.

tags:	added: feature
Changed in fuel:
importance:	High → Wishlist

Alexey Shtokolov (ashtokolov) on 2015-12-18

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Fuel Enhancements (fuel-enhancements-team)

Adam Heczko (aheczko-mirantis) on 2015-12-22

description:

updated

Alexey Shtokolov (ashtokolov) on 2015-12-22

Changed in fuel:
status:	Confirmed → Triaged
importance:	Wishlist → High
assignee:	Fuel Enhancements (fuel-enhancements-team) → Fuel Library Team (fuel-library)

Revision history for this message

Sergii Golovatiuk (sgolovatiuk) wrote on 2015-12-24:

I do not understand why we need separate partition for horizon.

Revision history for this message

Adam Heczko (aheczko-mirantis) wrote on 2015-12-26:

Because of this bug: https://bugs.launchpad.net/fuel/+bug/1518082

Revision history for this message

Alex Schultz (alex-schultz) wrote on 2015-12-28:

Currently (I believe) the horizon partition is /var/lib/horizon, do we need to move it to /horizon or is it ok to leave it as /var/lib/horizon?

Revision history for this message

Matthew Mosesohn (raytrac3r) wrote on 2015-12-28:

+1 to keep /var/lib/horizon

Revision history for this message

Michael Polenchuk (mpolenchuk) wrote on 2016-01-11:

I guess this not a library bug (partition's scheme resides in fuel-web & applies by fuel-agent)

Ivan Ponomarev (ivanzipfer) on 2016-01-11

Changed in fuel:
assignee:	Fuel Library Team (fuel-library) → Fuel Python Team (fuel-python)
tags:	added: area-python removed: area-library

Alexey Shtokolov (ashtokolov) on 2016-01-20

Changed in fuel:
milestone:	8.0 → 9.0

Revision history for this message

Roman Prykhodchenko (romcheg) wrote on 2016-03-23:

Moving a feature bug to the Newton release.

Changed in fuel:
milestone:	9.0 → 10.0

Revision history for this message

Sergii Golovatiuk (sgolovatiuk) wrote on 2016-04-22:

Lowering this bug to medium as it doesn't meet the requirements of high bug.

Changed in fuel:
importance:	High → Medium

Dmitry Pyzhov (dpyzhov) on 2016-06-22

Changed in fuel:
assignee:	Fuel Python (Deprecated) (fuel-python) → Fuel Sustaining (fuel-sustaining-team)

Adam Heczko (aheczko-mirantis) on 2016-06-24

tags:	added: customer-found feature-security
summary:	- Adjust partition layout on all slave nodes to meet compliance - requirements + Insecure partition layout: Adjust partition layout on MOS slave nodes

Maksim Malchuk (mmalchuk) on 2016-06-24

no longer affects:

fuel/newton

Ivan Berezovskiy (iberezovskiy) on 2016-06-28

Changed in fuel:
assignee:	MOS Puppet Team (mos-puppet) → nobody

Dmitry Pyzhov (dpyzhov) on 2016-06-28

Changed in fuel:
assignee:	nobody → Fuel Sustaining (fuel-sustaining-team)

Revision history for this message

Vladimir Kozhukalov (kozhukalov) wrote on 2016-06-28:

Horizon now is on a separate partition [1], so the motivation for this bug to exist is not actual any more. As for possibility to configure partitioning scheme flexibly, it is definitely not a bug, but a feature request. This bug is rather 'Invalid'.

[1] https://review.openstack.org/#/c/253542

Changed in fuel:
status:	Triaged → Invalid

Revision history for this message

Adam Heczko (aheczko-mirantis) wrote on 2016-06-28:

#10

Bug is still valid because STIG compliance assessment fails.
http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-stig.html

Changed in fuel:
status:	Invalid → Triaged

Revision history for this message

Adam Heczko (aheczko-mirantis) wrote on 2016-06-29:

#11

As agreed with PdM we'll need to have fix this for MOS 9.1.
Partition layout requirements are described briefly here [1] and here [2]:

[1] http://people.redhat.com/swells/scap-security-guide/RHEL/7/output/table-rhel7-stig.html
[2] http://www.cyberciti.biz/faq/linux-add-nodev-nosuid-noexec-options-to-temporary-storage-partitions/

Changed in fuel:
importance:	Medium → High
assignee:	Fuel Sustaining (fuel-sustaining-team) → MOS Linux (mos-linux)

Adam Heczko (aheczko-mirantis) on 2016-06-29

Changed in mos:
status:	New → Triaged
importance:	Undecided → High
assignee:	nobody → Fuel Python (Deprecated) (fuel-python)
milestone:	none → 9.1
Changed in fuel:
status:	Triaged → Won't Fix

Adam Heczko (aheczko-mirantis) on 2016-07-06

Changed in fuel:
status:	Won't Fix → Triaged

Adam Heczko (aheczko-mirantis) on 2016-07-06

Changed in mos:
status:	Triaged → Won't Fix
Changed in fuel:
assignee:	MOS Linux (mos-linux) → Grzegorz Szafrański (gszafranski-mirantis)

OpenStack Infra (hudson-openstack) on 2016-07-12

Changed in fuel:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-12: Fix proposed to fuel-web (master)

#12

Fix proposed to branch: master
Review: https://review.openstack.org/340841

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-12: Change abandoned on fuel-web (master)

#13

Change abandoned by Grzegorz Szafrański (<email address hidden>) on branch: master
Review: https://review.openstack.org/340240
Reason: duplicate of c/340841/1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-13: Fix proposed to fuel-web (master)

#14

Fix proposed to branch: master
Review: https://review.openstack.org/341511

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-13: Change abandoned on fuel-web (master)

#15

Change abandoned by Grzegorz Szafrański (<email address hidden>) on branch: master
Review: https://review.openstack.org/341511
Reason: duplicate

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-12-18:

#16

Change abandoned by Andreas Jaeger (<email address hidden>) on branch: master
Review: https://review.opendev.org/340841
Reason: This repo is retired now, no further work will get merged.

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.