config-drive needs to be better secured

Bug #1675741 reported by James Page
Affects    Status         Importance  Assigned to  Milestone
nova-lxd   Fix Released   High        James Page
Newton     Fix Committed  High        Unassigned
Ocata      Fix Committed  High        Unassigned

Bug Description

The config-drive support in nova-lxd presents a directory on the host directly into the container at /config-drive:

    # cd /config-drive
    # df -h .
    Filesystem      Size  Used Avail Use% Mounted on
    /dev/vda1        39G  2.4G   37G   7% /config-drive

This directory is writable by the root user within the container, but writes go directly to the host OS FS, which would allow an unprivileged container to fill the host OS root filesystem.

I think we can make the config-drive read-only - so setting the 'readonly' flag on the configuration profile should be sufficient.
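
An added example, not code from nova-lxd or from this bug report: a small audit of an LXD profile's devices that flags host directories passed into a container without the 'readonly' key described above, and returns a copy of the profile with it set. The profile contents, device names and host path are constructed placeholders, and the set of truthy values is an assumption of this example.

```python
import copy

# Values treated as boolean true in device config (assumption of this example).
TRUE_VALUES = {"true", "1", "yes", "on"}

# Constructed sample: an LXD profile as a dict. Device names and the host
# source path are placeholders, not values taken from nova-lxd.
SAMPLE_PROFILE = {
    "name": "instance-00000001",
    "devices": {
        "root": {"type": "disk", "path": "/", "pool": "default"},
        "eth0": {"type": "nic", "nictype": "bridged", "parent": "br-int"},
        "configdrive": {
            "type": "disk",
            "source": "/var/lib/nova/instances/instance-00000001/configdrive",
            "path": "/config-drive",
        },
    },
}

def is_readonly(device):
    """True if the disk device carries a truthy 'readonly' key."""
    return str(device.get("readonly", "false")).strip().lower() in TRUE_VALUES

def writable_host_mounts(profile):
    """Return (device, host source, container path) for each host directory
    that is passed into the container without readonly set."""
    findings = []
    for name, dev in sorted(profile.get("devices", {}).items()):
        if dev.get("type") != "disk":
            continue
        source = dev.get("source", "")
        if not source.startswith("/"):  # no absolute host source (pool-backed): skip
            continue
        if not is_readonly(dev):
            findings.append((name, source, dev.get("path")))
    return findings

def harden(profile):
    """Return a copy of the profile with readonly=true on every finding."""
    fixed = copy.deepcopy(profile)
    for name, _source, _path in writable_host_mounts(profile):
        fixed["devices"][name]["readonly"] = "true"
    return fixed

if __name__ == "__main__":
    print("before:", writable_host_mounts(SAMPLE_PROFILE))
    print("after: ", writable_host_mounts(harden(SAMPLE_PROFILE)))
```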

James Page (james-page)
Changed in nova-lxd:
status: New → Triaged
importance: Undecided → High
James Page (james-page)
information type: Private Security → Public Security
James Page (james-page)
Changed in nova-lxd:
assignee: nobody → James Page (james-page)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova-lxd (master)

Reviewed: https://review.openstack.org/449618
Committed: https://git.openstack.org/cgit/openstack/nova-lxd/commit/?id=c3f55e797ec4cbb34b9238c352b6bf70f975c1b0
Submitter: Jenkins
Branch: master

commit c3f55e797ec4cbb34b9238c352b6bf70f975c1b0
Author: James Page <email address hidden>
Date: Fri Mar 24 13:14:18 2017 +0000

    Ensure config-drive is read-only

    The /config-drive dir presented from the host OS should
    be presented as read only to ensure that the instance
    can write directly to the host OS filesystem.

    Change-Id: I997ef68048fa0a77f9cb0b70c325b9b96c079e2f
    Closes-Bug: 1675741

Changed in nova-lxd:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova-lxd (stable/newton)

Reviewed: https://review.openstack.org/450706
Committed: https://git.openstack.org/cgit/openstack/nova-lxd/commit/?id=8105b3ca18497440a960c266bd44e0979ec5159e
Submitter: Jenkins
Branch: stable/newton

commit 8105b3ca18497440a960c266bd44e0979ec5159e
Author: James Page <email address hidden>
Date: Fri Mar 24 13:14:18 2017 +0000

    Ensure config-drive is read-only

    The /config-drive dir presented from the host OS should
    be presented as read only to ensure that the instance
    can write directly to the host OS filesystem.

    Change-Id: I997ef68048fa0a77f9cb0b70c325b9b96c079e2f
    Closes-Bug: 1675741
    (cherry picked from commit c3f55e797ec4cbb34b9238c352b6bf70f975c1b0)

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova-lxd (stable/ocata)

Reviewed: https://review.openstack.org/450705
Committed: https://git.openstack.org/cgit/openstack/nova-lxd/commit/?id=ed05fa417c4a78970dd5bdcdd3e1922f3c07f0ac
Submitter: Jenkins
Branch: stable/ocata

commit ed05fa417c4a78970dd5bdcdd3e1922f3c07f0ac
Author: James Page <email address hidden>
Date: Fri Mar 24 13:14:18 2017 +0000

    Ensure config-drive is read-only

    The /config-drive dir presented from the host OS should
    be presented as read only to ensure that the instance
    can write directly to the host OS filesystem.

    Change-Id: I997ef68048fa0a77f9cb0b70c325b9b96c079e2f
    Closes-Bug: 1675741
    (cherry picked from commit c3f55e797ec4cbb34b9238c352b6bf70f975c1b0)
