Comment 128 for bug 2071740

OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic-python-agent (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/ironic-python-agent/+/927976
Committed: https://opendev.org/openstack/ironic-python-agent/commit/06fe5ff1782551e6f94640d47ea942ab81f18909
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit 06fe5ff1782551e6f94640d47ea942ab81f18909
Author: Jay Faulkner <email address hidden>
Date: Mon Mar 11 17:29:58 2024 +0100

    Inspect non-raw images for safety

    This is a backport of two changes merged together to facilitate
    backporting:

    The first is a refactor of disk utilities:

    Import disk_{utils,partitioner} from ironic-lib

    With the iscsi deploy long gone, these modules are only used in IPA and
    in fact represent a large part of its critical logic. Having them
    separately sometimes makes fixing issues tricky if an interface of
    a function needs changing.

    This change imports the code mostly as it is, just removing run_as_root and
    a deprecated function, as well as moving configuration options to config.py.

    Also migrates one relevant function from ironic_lib.utils.

    The second is the fix for the security issue:

    Inspect non-raw images for safety

    When IPA gets a non-raw image, it performs an on-the-fly conversion
    using qemu-img convert, as well as running qemu-img frequently to get
    basic information about the image before validating it.

    Now, we ensure that before any qemu-img calls are made, we have
    inspected the image for safety and pass through the detected format.

    If given a disk_format=raw image and image streaming is enabled
    (default), we retain the existing behavior of not inspecting it in
    any way and streaming it bit-perfect to the device. In this case, we
    never use qemu-based tools on the image at all.

    If given a disk_format=raw image and image streaming is disabled, this
    change fixes a bug where the image may have been converted if it was not
    actually raw in the first place. We now stream these bit-perfect to the
    device.

    Adds two config options:
    - [DEFAULT]/disable_deep_image_inspection, which can be set to "True" in
      order to disable all security features. Do not do this.
    - [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types
      IPA should accept.

    Both of these configuration options are wired up to be set by the lookup
    data returned by Ironic at lookup time.

    This uses an image format inspection module imported from Nova; this
    inspector will eventually live in oslo.utils, at which point we'll
    migrate our usage of the inspector to it.

    Closes-Bug: #2071740
    Co-Authored-By: Dmitry Tantsur <email address hidden>
    Change-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7
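
The gating order described in the commit message above, as an added sketch that is not code from ironic-python-agent or the inspector it imports: declared-raw images are written without inspection, and anything else is classified from its own bytes and checked before a format is handed to qemu-img. The function names, the declared/detected mismatch rule and the backing-file check are assumptions chosen for illustration; the page does not list the checks the real inspector performs.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"        # first four bytes of a qcow2 image
PERMITTED = ("raw", "qcow2")    # default of permitted_image_formats per the page


class UnsafeImage(Exception):
    """Raised when an image must not be handed to qemu-img."""


def detect_format(header: bytes) -> str:
    # This sketch recognises qcow2 only; any other content counts as raw.
    return "qcow2" if header[:4] == QCOW2_MAGIC else "raw"


def plan_write(header: bytes, declared: str, permitted=PERMITTED):
    """Return ("stream", None) or ("convert", detected_format), or raise."""
    if declared == "raw":
        # Declared raw is written bit-perfect; no qemu-based tool touches it.
        return ("stream", None)
    detected = detect_format(header)
    if detected not in permitted:
        raise UnsafeImage(f"format {detected} is not permitted")
    if detected != declared:  # assumption: a mismatch is treated as unsafe
        raise UnsafeImage(f"declared {declared}, content is {detected}")
    if detected == "qcow2":
        if len(header) < 16:
            raise UnsafeImage("truncated qcow2 header")
        # qcow2 header bytes 8..15: big-endian backing_file_offset.
        # Assumed check: refuse images that point at another file.
        (backing_offset,) = struct.unpack(">Q", header[8:16])
        if backing_offset:
            raise UnsafeImage("qcow2 image references a backing file")
    return ("convert", detected)


def qemu_img_args(source: str, dest: str, detected: str):
    # Pass the inspected format with -f so qemu-img does not probe on its own.
    return ["qemu-img", "convert", "-f", detected, "-O", "raw", source, dest]


def sample_qcow2_header(backing_offset: int = 0) -> bytes:
    # Constructed sample: magic, version 3, backing_file_offset, backing size.
    return QCOW2_MAGIC + struct.pack(">IQI", 3, backing_offset, 0)


if __name__ == "__main__":
    print(plan_write(sample_qcow2_header(), "qcow2"))
    print(qemu_img_args("image.qcow2", "/dev/sdX", "qcow2"))
```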