Comment 0 for bug 1253980

Phil Day (philip-day) wrote: DoS attack via setting os_type in snapshots.

If the os_type metadata is set on an image, the ephemeral disk backing file for that image will be named ephemeral_[size]_[os_type].
Because the user can change os_type, they can use this to create new ephemeral backing files.
Nova image cache management does not include deleting ephemeral backing files (presumably because they are expected to be a small, stable set).

Hence a user can fill the disk with ephemeral backing files via the following:

1) Spawn an instance
2) Create a snapshot from it, delete the original instance
3) In a loop:
   generate a random os_type
   set os_type on the snapshot
   spawn an instance from it, and then delete the instance

Every iteration will generate an ephemeral backing file on a compute host. With a stacking scheduling policy there is a good chance of hitting the same host repeatedly until its disk is full.

Possible mitigations:

i) Only use “os_type” in the ephemeral file name if there is a specific mkfs command defined, otherwise use “default” (currently for undefined os_types it will use the default mkfs command, but still uses os_type in the name).
ii) Limit the values of os_type to those that have a specific mkfs_command + default (validate in the API layer). This would provide a clearer indication that the type is not supported.
iii) Include unused ephemeral backing files in the image cache clean up processing.

The above list is not exclusive. i) is the easiest and most immediate fix, but ii) and iii) are also worth considering.
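Added illustration of mitigations i) and ii) from the comment above; this is example code written for this page, not Nova's own implementation. The mkfs command table, the function names and the sample os_type values are constructed assumptions, and `distinct_backing_files` shows why the report's naming scheme is unbounded while the fixed one is not.

```python
import re

# Constructed for this example: os_type values that have a dedicated mkfs
# command. Anything else falls back to the default command, so it gains
# nothing from having its own backing file.
MKFS_COMMANDS = {
    "default": "mkfs.ext3 -F -L %(fs_label)s %(target)s",
    "linux": "mkfs.ext3 -F -L %(fs_label)s %(target)s",
    "windows": "mkfs.ntfs --force --fast-label %(fs_label)s %(target)s",
}

_SAFE_OS_TYPE = re.compile(r"^[a-z0-9_]+$")


def ephemeral_name_unfixed(size_gb, os_type):
    """Naming as described in the report: os_type is used verbatim, so
    every distinct user-supplied value maps to a distinct backing file."""
    return "ephemeral_%d_%s" % (size_gb, os_type or "default")


def ephemeral_name_fixed(size_gb, os_type):
    """Mitigation i): only distinguish backing files by os_type when a
    specific mkfs command exists for it; everything else shares 'default'."""
    if os_type not in MKFS_COMMANDS:
        os_type = "default"
    return "ephemeral_%d_%s" % (size_gb, os_type)


def validate_os_type(os_type):
    """Mitigation ii): reject unsupported values at the API layer so an
    unsupported type is a visible error instead of a silent fallback.
    Also rejects characters that have no place in a file name component."""
    if os_type is None:
        return "default"
    if not _SAFE_OS_TYPE.match(os_type) or os_type not in MKFS_COMMANDS:
        raise ValueError("unsupported os_type: %r" % (os_type,))
    return os_type


def distinct_backing_files(size_gb, os_types, naming):
    """Number of distinct backing files a sequence of os_type values would
    create under a naming function: grows with the input when unfixed,
    bounded by len(MKFS_COMMANDS) when fixed."""
    return len({naming(size_gb, t) for t in os_types})
```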