Glance

When using locations image data is not immutable

Bug #1525947 reported by Stuart McLaren
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Glance
New
Undecided
Unassigned

Bug Description

Bug https://bugs.launchpad.net/glance/+bug/1525915 points out that an image can be set back to queued which allows modifying the image bytes.

There is an alternative way to modify the bytes without having the image's status change from 'active'.

When using locations a location which may be directly modified can be used:

 $ glance --os-image-api-version 1 image-update --location http://example.com e2093a55-2aa2-454e-95b4-80a5a80f5043

In the above call http://example.com may be any domain/path which can be modified by the creator of the image.

Images whose locations have been added in this way have no checksum:

+------------------+--------------------------------------+
| Property | Value |
+------------------+--------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2015-12-14T14:53:41.000000 |
| deleted | False |
| deleted_at | None |
| disk_format | raw |
| id | e2093a55-2aa2-454e-95b4-80a5a80f5043 |
| is_public | False |
| min_disk | 0 |
| min_ram | 0 |
| name | http2 |
| owner | 1358057831f74e66953dd6f283874d34 |
| protected | False |
| size | 1270 |
| status | active |
| updated_at | 2015-12-14T14:55:03.000000 |
| virtual_size | None |
+------------------+--------------------------------------+

See original description
Stuart McLaren (stuart-mclaren)
description: updated
Jeremy Stanley (fungi)
information type: Private Security → Public
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.