Clean steps don't actually run (CVE-2015-7514)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ironic |
Fix Released
|
Critical
|
aeva black | ||
Liberty |
Fix Released
|
Critical
|
Jim Rollenhagen | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
In playing with the latest code, it seems that ironic just drops all clean steps it's getting from the agent.
Since devstack drops the priority on erase_devices so it doesn't run, I added a clean step to the agent, and ran through cleaning.
stack@jim-
diff --git a/ironic_
index d755f8c..7590959 100644
--- a/ironic_
+++ b/ironic_
@@ -230,6 +230,9 @@ class HardwareManager
"""
raise errors.
+ def test_devstack(self, node, ports):
+ return 'hi devstack!'
+
def erase_devices(self, node, ports):
"""Erase any device that holds user data.
@@ -305,6 +308,13 @@ class HardwareManager
+ },
+ {
+ 'step': 'test_devstack',
+ 'priority': 20,
+ 'interface': 'deploy',
+ 'reboot_requested': False,
+ 'abortable': True
}
]
This results in the following logs, indicating that Ironic never attempted to run the new clean step:
2015-11-18 01:19:09.669 DEBUG oslo_concurrenc
orker_spawn" released by "ironic.
7/dist-
2015-11-18 01:19:09.670 DEBUG ironic.
last heartbeat at None. from (pid=27761) heartbeat /opt/stack/
2015-11-18 01:19:09.681 DEBUG ironic.
d to start cleaning. from (pid=27761) heartbeat /opt/stack/
2015-11-18 01:19:09.684 DEBUG ironic.
5a5722-
2015-11-18 01:19:09.945 DEBUG ironic.
d-4537-
', u'step': u'erase_devices', u'abortable': True, u'reboot_
p': u'test_devstack', u'abortable': True, u'reboot_
er': u'1.0'}}, error None, HTTP status code 200 from (pid=27761) _command /opt/stack/
.py:93
2015-11-18 01:19:09.965 DEBUG ironic.
795a5722-
gent_base_
2015-11-18 01:19:09.973 DEBUG ironic.
u on node 795a5722-
onic/conductor/
2015-11-18 01:19:09.976 DEBUG ironic.
lean called for node 795a5722-
tor/manager.py:885
2015-11-18 01:19:09.978 DEBUG ironic.
get exclusive lock on node 795a5722-
/ironic/
2015-11-18 01:19:09.989 DEBUG ironic.
22ad-4537-
k/ironic/
2015-11-18 01:19:09.992 DEBUG ironic.
n wait' in response to event 'resume' from (pid=27761) on_exit /opt/stack/
2015-11-18 01:19:09.992 DEBUG ironic.
aning' in response to event 'resume' from (pid=27761) on_enter /opt/stack/
2015-11-18 01:19:09.999 DEBUG oslo_concurrenc
orker_spawn" acquired by "ironic.
2.7/dist-
2015-11-18 01:19:10.001 DEBUG oslo_concurrenc
orker_spawn" released by "ironic.
7/dist-
2015-11-18 01:19:10.001 INFO ironic.
ining steps: []
Tracking this down further, it appears that at first boot, this conditional is true: https:/
Causing that method to return an empty list of clean steps.
This was released in 4.2.0 so will also need a backport.
CVE References
Changed in ironic: | |
importance: | Undecided → Critical |
status: | New → Confirmed |
no longer affects: | ironic/trunk |
summary: |
- Clean steps don't actually run + Clean steps don't actually run (CVE-2015-7514) |
information type: | Private Security → Public |
Changed in ironic: | |
assignee: | nobody → Devananda van der Veen (devananda) |
status: | Confirmed → In Progress |
Need to figure out how to validate this in the gate so it doesn't happen again. Add the same dummy clean step and check logs to see if it ran?