show_multiple_locations by default is harmful

Bug #1992153 reported by Radosław Piliszek
This bug affects 2 people
Affects: kolla-ansible
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

When Ceph-Glance integration is enabled, Kolla Ansible configures ``show_multiple_locations = True`` in glance-api.conf which causes Glance to display image locations. This is generally considered insecure because it may reveal sensitive data [1]. Furthermore, it happens that the default Ceph perms cause fatal ERRORs with this setting:
1) when Glance wants to remove an image, it cannot list children because Cinder or Nova might have created a linked volume clone behind the scenes and it is put in another pool (volumes/vms) which Glance cannot normally access;
2) when Nova wants to create an image, it lacks permission to write to the images pool.

Thus, I propose that Kolla Ansible stops setting this by default and relies on the working defaults.
The downside is that this disables optimisations in Cinder and Nova. On the other hand, these optimisations have the nasty behaviour of being linked directly to the original image, preventing its removal. Finally, I believe the biggest downside to this being set by Kolla Ansible automatically is that it is undocumented that this extra is being done. In my opinion, Kolla should strive to stay close to the defaults as long as they work properly and deviate only in clear cases, which this is not.

[1] https://docs.openstack.org/glance/yoga/configuration/glance_api.html#DEFAULT.show_multiple_locations
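
A check for the setting this report is about, as an added example that is not part of the original report or of Kolla Ansible: it reads glance-api.conf content and reports whether image locations are exposed. The function name, the sample files and the assumption that an absent option means False are illustrative.

```python
import configparser

OPTION = "show_multiple_locations"

# Constructed samples, not files from a real deployment.
BEFORE = """\
[DEFAULT]
debug = False
show_multiple_locations = True

[glance_store]
default_store = rbd
"""

AFTER = """\
[DEFAULT]
debug = False

[glance_store]
default_store = rbd
"""

MISPLACED = """\
[DEFAULT]

[glance_store]
show_multiple_locations = True
"""


def locations_exposed(conf_text):
    """Return (exposed, origin); origin is "explicit" when [DEFAULT] sets
    the option, "default" when it is absent there (False is then assumed)."""
    # strict=False: a repeated key does not abort parsing, the last one is used.
    # interpolation=None: values are kept as raw text.
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    defaults = parser.defaults()  # contents of the [DEFAULT] section only
    if OPTION not in defaults:
        return (False, "default")
    value = defaults[OPTION].strip().lower()
    if value not in parser.BOOLEAN_STATES:
        raise ValueError(f"{OPTION} has a non-boolean value: {value!r}")
    return (parser.BOOLEAN_STATES[value], "explicit")


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("misplaced", MISPLACED)):
        print(name, locations_exposed(text))
```

The `MISPLACED` sample shows why the section matters: the option is documented under `DEFAULT`, so a line placed under another section is not counted as enabling it.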

Changed in kolla-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/860097
Committed: https://opendev.org/openstack/kolla-ansible/commit/da292982b179d690778fbaaedbe3f9775261150f
Submitter: "Zuul (22348)"
Branch: master

commit da292982b179d690778fbaaedbe3f9775261150f
Author: Radosław Piliszek <email address hidden>
Date: Mon Oct 3 16:49:27 2022 +0200

    Stop showing image locations

    This is generally considered insecure because it may reveal
    sensitive data [1].
    Furthermore, it happens that the default Ceph perms cause fatal
    ERRORs with this setting:
    1) when Glance wants to remove an image, it cannot list children
    because Cinder or Nova might have created a linked volume clone
    behind the scenes and it is put in another pool (volumes/vms)
    which Glance cannot normally access;
    2) when Nova wants to create an image, it lacks permissions
    to write to the images pool.

    Thus, I propose that Kolla Ansible stops setting this by default
    and relies on the working defaults.
    The downside is that this disables optimisations in Cinder and Nova.
    On the other hand, these optimisations have nasty behaviour of
    being linked directly to the original image, preventing its removal.

    [1] https://docs.openstack.org/glance/yoga/configuration/glance_api.html#DEFAULT.show_multiple_locations

    Change-Id: I63ee9a6eefd8593f2169bba34dbb699f413d7cf8
    Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860093
    Depends-On: https://review.opendev.org/c/openstack/kolla-ansible/+/860291
    Closes-Bug: #1992153

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 15.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 15.0.0.0rc1 release candidate.

Yusuf Güngör (yusuf2) wrote :

Hi, this change causes the duration of creating an image-sourced volume to go from 5 seconds to 2 minutes or more. We have to override this config. Is this duration acceptable for others?

When 'show_multiple_locations' is not set and the default is False:

$ echo "Volume Create Start Time: $(date)"; volume_id=$(openstack volume create --size 8 --image 9684c8c3-ebe6-4b8e-96d5-f3a159e7056a test-volume-without-multiple-locations -f value -c id); while [ $(openstack volume show $volume_id -f value -c status) != "available" ]; do sleep 1; done; echo "Volume Create Finish Time: $(date)"

Volume Create Start Time: Fri Aug 4 10:35:29 +03 2023
Volume Create Finish Time: Fri Aug 4 10:37:43 +03 2023

When not set 'show_multiple_locations = True':

$ echo "Volume Create Start Time: $(date)"; volume_id=$(openstack volume create --size 8 --image 9684c8c3-ebe6-4b8e-96d5-f3a159e7056a test-volume-with-multiple-locations -f value -c id); while [ $(openstack volume show $volume_id -f value -c status) != "available" ]; do sleep 1; done; echo "Volume Create Finish Time: $(date)"

Volume Create Start Time: Fri Aug 4 10:45:10 +03 2023
Volume Create Finish Time: Fri Aug 4 10:45:15 +03 2023

Yusuf Güngör (yusuf2) wrote :

I have not tested, but this change causes other problems too: https://bugzilla.redhat.com/show_bug.cgi?id=1749379
