Image data stays in backend if image signature verification fails

Bug #1736336 reported by Abhishek Kekane
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Glance | Fix Released | High | Abhishek Kekane |
Queens | Fix Released | High | Abhishek Kekane |

Bug Description

If image signature verification is enabled, then while creating the image, if verification fails, it returns a valid error and deletes the image from the database, but the image data stays in the backend forever.

Ideally, if image verification fails, then it should delete the data from the backend as well.

Pre-requisites:
1. Ensure Barbican is enabled
2. Create Keys and Certificate (Reference https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#90)
3. Create Signature (Reference https://etherpad.openstack.org/p/mitaka-glance-image-signing-instructions#184) and note down output of 'signature_64'
4. Create context and upload certificate using context (Reference https://etherpad.openstack.org/p/glance-image-signing-create-context) and note down output of 'cert_uuid'

Steps to reproduce:
1. Upload Image to Glance, with Signature Metadata
   img_signature_certificate_uuid = 'fb67edd2-95ef-404b-9af2-910708c6d9b7'
   img_signature_hash_method = 'SHA-256'
   img_signature_key_type = 'RSA-PSS'
   img_signature = 'ezccBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM=' (different which is noted in Pre-requisites section Point 4 as 'signature_64')

   $ glance image-create --property name=cirrosSignedImage_goodSignature --property is-public=true --container-format bare --disk-format qcow2 --property img_signature='abcdBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4HBKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYbbsqW6d/obgM=' --property img_signature_certificate_uuid='fb67edd2-95ef-404b-9af2-910708c6d9b7' --property img_signature_hash_method='SHA-256' --property img_signature_key_type='RSA-PSS' --file cirros-0.3.2-source.tar.gz

Note:
'img_signature' starts with 'ezcc...' but in create command I have passed as 'abcd..'

Actual Output:
+--------------------------------+----------------------------------------------------------------------------------+
| Property | Value |
+--------------------------------+----------------------------------------------------------------------------------+
| checksum | None |
| container_format | bare |
| created_at | 2017-12-05T07:04:38Z |
| disk_format | qcow2 |
| id | 6e8bec71-2176-4bcc-a732-2f76c5ac589f |
| img_signature | abcdBYtJEdj2gOrN09woioHwi2rDVvBsmRI0i+9EYAYdE7E6FV8jzJD9BImcq/m7Dm6yZZPkCUHz+y4H |
| | BKeYqK0+otcz921zaeqcKGBvU1t7J9AL0hEgJbWg0RY6RXqDXpsOQrrkrHuna4O+BUOp6sPwb3j2eFYb |
| | bsqW6d/obgM= |
| img_signature_certificate_uuid | fb67edd2-95ef-404b-9af2-910708c6d9b7 |
| img_signature_hash_method | SHA-256 |
| img_signature_key_type | RSA-PSS |
| is-public | true |
| min_disk | 0 |
| min_ram | 0 |
| name | cirrosSignedImage_goodSignature |
| owner | 4f186fe25c934eeb95186fd0c5afda49 |
| protected | False |
| size | None |
| status | queued |
| tags | [] |
| updated_at | 2017-12-05T07:04:38Z |
| virtual_size | None |
| visibility | shared |
+--------------------------------+----------------------------------------------------------------------------------+
$ 400 Bad Request: Signature verification failed for image 6e8bec71-2176-4bcc-a732-2f76c5ac589f: Signature verification failed (HTTP 400)

Expected Output:
$ 400 Bad Request: Signature verification failed for image 6e8bec71-2176-4bcc-a732-2f76c5ac589f: Signature verification failed (HTTP 400)

NOTE: Image data stays in backend
$ ls -lah /opt/stack/data/glance/images/6e8bec71-2176-4bcc-a732-2f76c5ac589f

total 15M
drwxr-xr-x. 2 centos centos 270 Dec 5 07:04 .
drwxr-xr-x. 5 centos centos 46 Dec 5 04:42 ..
-rw-r--r--. 1 centos centos 420K Dec 5 07:04 6e8bec71-2176-4bcc-a732-2f76c5ac589f

Glance-api logs:
Dec 05 07:04:38 signature-test.rdocloud <email address hidden>[25628]: ERROR glance.api.v2.image_data [None req-b81d5e9c-8d5c-4b48-b7c8-efe546c3aa97 demo admin] Signature verification failed for image 6e8bec71-2176-4bcc-a732-2f76c5ac589f: Signature verification failed: SignatureVerificationError: Signature verification failed

Changed in glance:
assignee: nobody → Abhishek Kekane (abhishek-kekane)
Changed in glance:
status: New → Triaged
importance: Undecided → High
milestone: none → queens-3
tags: added: queens-backport-potential
Changed in glance:
milestone: queens-3 → rocky-1
Brian Rosmaita (brian-rosmaita) wrote :

Change proposed to master: https://review.openstack.org/#/c/529083/

Changed in glance:
status: Triaged → In Progress
tags: removed: queens-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/529083
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=7c3a9c83da0b673b293131db74f6ca35613a1815
Submitter: Zuul
Branch: master

commit 7c3a9c83da0b673b293131db74f6ca35613a1815
Author: Pranali Deore <email address hidden>
Date: Tue Dec 19 19:50:01 2017 +0530

    Cleaning image data when image signature verification fails

    While creating an image, image data stays in backend if image
    signature verification fails.

    After raising SignatureVerificationError exception, image status is
    being set to 'killed' in DB but the image data remains as it is in
    the backend.

    Adding delete_from_backend() call to cleanup the data from backend when
    Signature Verification fails.

    Closes-Bug: #1736336
    Change-Id: I2a1a7addd33050cc8845aec24479aa4d1bc26ca0
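
The failure mode and the cleanup the commit describes, as an added example that is not Glance's code or part of the original report: data is streamed to the backend before the signature can be checked, so a failed check must also remove the stored bytes. The `upload` function, the `HmacVerifier` class (an HMAC-SHA256 stand-in for the RSA-PSS check) and the sample key and data are all constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


class SignatureVerificationError(Exception):
    pass


class HmacVerifier:
    """Constructed stand-in for the RSA-PSS check: HMAC-SHA256 over the data."""
    def __init__(self, key, signature):
        self._mac = hmac.new(key, digestmod=hashlib.sha256)
        self._signature = signature

    def update(self, chunk):
        self._mac.update(chunk)

    def verify(self):
        if not hmac.compare_digest(self._mac.digest(), self._signature):
            raise SignatureVerificationError("Signature verification failed")


def upload(root, image_id, chunks, verifier, cleanup_on_failure=True):
    """Stream chunks into root/image_id, verify, return the final status."""
    path = os.path.join(root, image_id)
    try:
        # Bytes reach the backend before the signature can be checked,
        # because the hash is only complete after the last chunk.
        with open(path, "wb") as backend_file:
            for chunk in chunks:
                backend_file.write(chunk)
                verifier.update(chunk)
        verifier.verify()
        return "active"
    except SignatureVerificationError:
        # The step the bug report found missing: remove the rejected bytes.
        if cleanup_on_failure and os.path.exists(path):
            os.remove(path)
        return "killed"


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    key, data = b"constructed-key", [b"constructed ", b"image bytes"]
    for image_id, cleanup in (("unfixed", False), ("fixed", True)):
        status = upload(root, image_id, data, HmacVerifier(key, b"wrong"), cleanup)
        left = os.path.exists(os.path.join(root, image_id))
        print(image_id, status, "data left in backend:", left)
```

With `cleanup_on_failure=False` the function reproduces the reported behaviour: the status is `killed` but the file remains on disk.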

Changed in glance:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance 17.0.0.0b1

This issue was fixed in the openstack/glance 17.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (stable/queens)

Reviewed: https://review.openstack.org/562255
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=01a76a09513a1e1c6fa55826be2e7e26ff5f4e82
Submitter: Zuul
Branch: stable/queens

commit 01a76a09513a1e1c6fa55826be2e7e26ff5f4e82
Author: Pranali Deore <email address hidden>
Date: Tue Dec 19 19:50:01 2017 +0530

    Cleaning image data when image signature verification fails

    While creating an image, image data stays in backend if image
    signature verification fails.

    After raising SignatureVerificationError exception, image status is
    being set to 'killed' in DB but the image data remains as it is in
    the backend.

    Adding delete_from_backend() call to cleanup the data from backend when
    Signature Verification fails.

    Closes-Bug: #1736336
    Change-Id: I2a1a7addd33050cc8845aec24479aa4d1bc26ca0
    (cherry picked from commit 7c3a9c83da0b673b293131db74f6ca35613a1815)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/glance queens-eol

This issue was fixed in the openstack/glance queens-eol release.
