OpenStack Compute (nova)

live_migrate task ignores extra_specs

Bug #1224014 reported by Bob Ball
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Undecided
Hans Lindgren
OpenStack Compute (nova) 2014.1 "icehouse"
OpenStack Security Advisory
Invalid
Undecided
Unassigned

Bug Description

The new live_migrate task in the conductor does not pass extra_specs from the flavor through to the filters - thus giving an incorrect result.

This showed up when using the TrustedFilter which depends on extra_specs (set by nova.scheduler.utils.build_request_spec) - however nova.conductor.tasks.live_migrate.LiveMigrationTask._get_candidate_destination does not use this build_request_spec and builds it's own - which missed this extra_specs value.

Marked as a security vulnerability as it means that the use of live migration will bypass filters intended to provide a secure environment such as TrustedFilter.

Revision history for this message
Jeremy Stanley (fungi) wrote :

I'm a little fuzzy on the risk boundaries this crosses and to what degree it's exploitable--can you provide an example exploit scenario for this vulnerability? Also, when you refer to it as "the new live_migrate task" does this mean it's only in master/milestone-proposed/havana and not affecting any stable release branches?

Changed in ossa:
status: New → Incomplete
Revision history for this message
Bob Ball (bob-ball) wrote :

It's not "exploitable" as such. The scenario is:

* Admin sets up a flavor to have a Trust requirement - so the instance will only boot on hosts which have been verified as trusted
* When booting the scheduler will correctly use the TrustedFilter to identify a host which is verified
* A live migration is requested by the administrator, without specifying a target host. In this scenario the conductor task does not correctly fill the parameters expected by the scheduler to enforce any trust requirements.

In this way an administrator may inadvertently move a VM to a host that may have been compromised (or, more precisely, that has not been verified as secure).

I have not checked the behavior for existing release branches - this is related to code accepted recently during H-3.

Revision history for this message
Thierry Carrez (ttx) wrote :

If this is havana-only, we should just open the bug and get it quickly fixed there (before release). We don't do OSSAs for vulnerabilities in the release-being-developed as long as the issue is fixed before final release, and this one would be questionable anyway (it's more like a bug with corner-case security consequences).

Let me know what you think of the idea of opening it.

Revision history for this message
Bob Ball (bob-ball) wrote :

Understood - I was in two minds about raising it as a security issue for those very reasons but decided to stick on the side of caution.
I'm very happy for it to just be opened up.

Jeremy Stanley (fungi)
information type: Private Security → Public
Changed in ossa:
status: Incomplete → Invalid
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/46735

Changed in nova:
assignee: nobody → Hans Lindgren (hanlind)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/48641

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.openstack.org/48641
Committed: http://github.com/openstack/nova/commit/2bea97bae6120005e77f99640dcaacf911f77868
Submitter: Jenkins
Branch: master

commit 2bea97bae6120005e77f99640dcaacf911f77868
Author: Hans Lindgren <email address hidden>
Date: Fri Sep 27 13:10:58 2013 +0200

    Ensure image property not set to None in build_request_spec()

    This is in preparation for having scheduler.util.build_request_spec()
    construct the request_spec in the live migration code. Specifically, this
    change is needed to avoid reintroducing bug #1199811.

    Change-Id: I0cc6b6ec7be7a0afbe184b208f2e16fd5cd4452c
    Related-Bug: #1224014

Changed in nova:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/46735
Committed: http://github.com/openstack/nova/commit/e80121a2c5ccac42f857b0628ea6f340eda1ca3a
Submitter: Jenkins
Branch: master

commit e80121a2c5ccac42f857b0628ea6f340eda1ca3a
Author: Hans Lindgren <email address hidden>
Date: Fri Sep 27 13:11:21 2013 +0200

    Make LiveMigrateTask use build_request_spec()

    Some filters like TrustedFilter makes use of extra_specs. Currently,
    when live-migration uses the scheduler to select a host, it constructs
    a request_spec that has no extra_specs in it.

    By making use of the existing helper method build_request_spec(), the
    request to the scheduler will include extra_specs.

    Change-Id: I5bc6c6418653c256a42da7b0a343086ec9863da1
    Closes-Bug: #1224014

Russell Bryant (russellb)
Changed in nova:
milestone: none → icehouse-1
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: icehouse-1 → 2014.1
Revision history for this message
Openstack Gerrit (openstack-gerrit) wrote : Related fix proposed to nova (stable/havana)

Related fix proposed to branch: stable/havana
Review: https://review.openstack.org/91210

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on nova (stable/havana)

Change abandoned by liusheng (<email address hidden>) on branch: stable/havana
Review: https://review.openstack.org/91210

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.