Julia, Dmitry, and I met today in a video meeting to rapidly share context. A few notes: Dmitry's concerns around if this code should live in ironic-lib or if we're OK patching Ironic/IPA only were resolved: we will be fine patching only IPA and Ironic.

Additionally, here are some notes for the meeting around the patch and the approach:

How to handle poisoned images in cache?
* Ironic devs are OK with the cache getting cleared as time passed
* Ironic devs should ensure the OSSA includes instructions to manually clear cache in paranoid situations

What changes are needed for each package?
* ironic-lib
  * Patch to remove qemu-img module, not to be backported
* Ironic
  * Patch with embedded image inspector to be written and backported
  * Post-disclosure, once ready, master branch will remove embedded image inspector module in favor of the one in oslo-utils
  * The current patch may circumvent image streaming in some cases, which could cause a significant performance hit, almost to the point of a DoS. Instead, we should avoid significantly changing conductor performance by default, while giving users an option to inspect images earlier at the expense of performance.
  * We need to add a value that, regardless of the setting of image_download_type, would force all images to be inspected on-conductor. This would be disabled by default.
    * conductor_always_validates_images = false (default)
      * For cases where we expect image streaming or image would've never touched conductor, trust IPA validation to catch and error
    * conductor_always_validates_images = true
      * Conductor downloads and security-checks all images by default
      * Major performance hit! Conductor DDoS possible with extreme-size raw images.
  * Ensure the description of "supported image types" config contains a list of images that we expect MAY work even though we don't support them explicitly
* IPA
  * Needs to independently inspect images that are passed through qemu-img for writing/conversion.
  * Cannot assume conductor has validated image is safe, due to various image streaming options
* IPA + Ironic
  * Ensure there are comments documenting:
    * to check IPA/Ironic code, anywhere we may be slightly duplicating code formerly-from-ironic-lib, instructing a dev to check the other similar code.
    * this code migrating to oslo.utils in future versions (this comment can be removed from backports)

When we eventually draft the OSSA, we want to mention the following:
* Operators can manually purge image cache if they are concerned about existing cached images (note: by default this cache cleans every hour)
* Ironic-lib is documented to not be supported for non-Ironic use cases. If anyone is using ironic-lib directly against our will: STOP. We are not patching qemu_img module in Ironic-Lib as part of this fix.
* Information on how to report regressions / self-serve fixes (e.g. adding a new image type to allowlist)
* Documentation telling users who refuse to update their IPA ramdisks (a behavior seen in the wild by many Ironic devs) to set conductor_always_validates_images to true.
* Mention the new config blocking all but qcow2/raw images by default.

Additionally, as two of the people inside here are also Metal3 contributors, we discussed if it was valuable to do coordination cross-project. The Ironic consensus was that, after consulting with VMT team for their opinion, our preferred path is to notify the Metal3 security team, by emailing