img_signature_hash_method and img_signature are inherited when creating a snapshot

Bug #1737513 reported by Lee Yarwood
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | Lee Yarwood |
Pike | Fix Committed | Medium | Brianna Poulos |

Bug Description

Description
===========

If present, both img_signature_hash_method and img_signature from the original image are used when creating a snapshot image in Glance. This will cause a failure when we update the image with actual content during the snapshot creation process, as this original signature obviously no longer applies to the snapshot of the instance.

https://github.com/openstack/nova/blob/adedd4064765f688ea6426a952e73bb4469504f2/nova/compute/api.py#L2695-L2718

https://github.com/openstack/nova/blob/adedd4064765f688ea6426a952e73bb4469504f2/nova/virt/libvirt/driver.py#L1765-L1769

Both of these properties should be added to the non_inheritable_image_properties configurable and a test added to the barbican tempest plugin to verify this behaviour.

https://github.com/openstack/nova/blob/1f29d4283aeeaa6d3cc42eaf72fdb9e2ae417caf/nova/conf/compute.py#L56-L72

Steps to reproduce
==================

1. Boot an instance using a signed image:

   nova boot --flavor 1 --image <image-id> signed_instance

2. Attempt to create a snapshot of this instance:

   nova image-create <instance-uuid> <snapshot-name>

Expected result
===============
Snapshot taken successfully.

Actual result
=============
Snapshot fails.

Environment
===========
1. Exact version of OpenStack you are running. See the following
  list for all releases: http://docs.openstack.org/releases/

   Master (Queens)

2. Which hypervisor did you use?
   (For example: Libvirt + KVM, Libvirt + XEN, Hyper-V, PowerKVM, ...)
   What's the version of that?

   N/A

3. Which storage type did you use?
   (For example: Ceph, LVM, GPFS, ...)
   What's the version of that?

   N/A

4. Which networking type did you use?
   (For example: nova-network, Neutron with OpenVSwitch, ...)

   N/A

Logs & Configs
==============

n-cpu log:

Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] Traceback (most recent call last):
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/compute/manager.py", line 231, in decorated_function
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] *args, **kwargs)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/compute/manager.py", line 3261, in snapshot_instance
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] task_states.IMAGE_SNAPSHOT)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/compute/manager.py", line 3293, in _snapshot_instance
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] update_task_state)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/virt/libvirt/driver.py", line 1769, in snapshot
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] image_file)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/image/api.py", line 132, in update
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] purge_props=purge_props)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/image/glance.py", line 528, in update
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] _reraise_translated_image_exception(image_id)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/image/glance.py", line 845, in _reraise_translated_image_exception
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] six.reraise(type(new_exc), new_exc, exc_trace)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/image/glance.py", line 526, in update
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] image = self._update_v2(context, sent_service_image_meta, data)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/image/glance.py", line 545, in _update_v2
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] image = self._upload_data(context, image_id, data)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/image/glance.py", line 430, in _upload_data
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] self._client.call(context, 2, 'upload', image_id, data)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/opt/stack/nova/nova/image/glance.py", line 175, in call
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] result = getattr(controller, method)(*args, **kwargs)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/usr/lib/python2.7/site-packages/glanceclient/common/utils.py", line 545, in inner
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] return RequestIdProxy(wrapped(*args, **kwargs))
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/usr/lib/python2.7/site-packages/glanceclient/v2/images.py", line 232, in upload
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] resp, body = self.http_client.put(url, headers=hdrs, data=body)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/usr/lib/python2.7/site-packages/keystoneauth1/adapter.py", line 313, in put
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] return self.request(url, 'PUT', **kwargs)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/usr/lib/python2.7/site-packages/glanceclient/common/http.py", line 349, in request
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] return self._handle_response(resp)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] File "/usr/lib/python2.7/site-packages/glanceclient/common/http.py", line 98, in _handle_response
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] raise exc.from_response(resp, resp.content)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3] ImageBadRequest: Request of image 75d1a99d-a19e-42fe-a766-6311fc57f583 got BadRequest response: 400 Bad Request: Signature verification failed for image 75d1a99d-a19e-42fe-a766-6311fc57f583: Signature verification failed (HTTP 400)
Dec 07 09:02:21 signature-test.rdocloud nova-compute[17790]: ERROR nova.compute.manager [instance: 1aff104b-5a9b-432e-b0b7-859dfe4c1cb3]

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/527046

Changed in nova:
assignee: nobody → Lee Yarwood (lyarwood)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/527046
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=82c823bcec5850f6876308ebcdbcb37312bf763f
Submitter: Zuul
Branch: master

commit 82c823bcec5850f6876308ebcdbcb37312bf763f
Author: Lee Yarwood <email address hidden>
Date: Mon Dec 11 10:08:34 2017 +0000

    conf: Do not inherit image signature props with snapshots

    All image signature properties should not be inherited from the metadata
    of the original image when creating a snapshot of an instance. Otherwise
    Glance will attempt to verify the signature of the snapshot image and
    fail as this has changed from that of the original.

    Closes-bug: #1737513
    Change-Id: Ia3d80bf2f81c7317fec117aecbc3c560d51a7d4e

Changed in nova:
status: In Progress → Fix Released
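
The failure in the report and the effect of the fix can be reproduced with a small model. This is an added example, not code from nova or Glance: the function names are hypothetical, the image bytes and key are constructed, and an HMAC stands in for the asymmetric signature that Glance actually verifies.

```python
import hashlib
import hmac

# Constructed stand-in key. Glance verifies an asymmetric signature against a
# certificate; HMAC is used here only so the model runs on the standard library.
KEY = b"constructed-demo-key"

# The two properties named in the bug report.
SIGNATURE_PROPS = ("img_signature", "img_signature_hash_method")


def sign(data):
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def snapshot_properties(base_props, non_inheritable):
    """Copy the base image's properties to the snapshot, minus excluded keys."""
    return {k: v for k, v in base_props.items() if k not in non_inheritable}


def upload(props, data):
    """Model of the upload check: verify the data only if a signature is set."""
    sig = props.get("img_signature")
    if sig is None:
        return "active (unsigned)"
    if not hmac.compare_digest(sig, sign(data)):
        raise ValueError("Signature verification failed")
    return "active (verified)"


def demo():
    base_data = b"constructed original image bytes"
    snap_data = b"constructed disk contents after the instance ran"
    base_props = {"os_distro": "constructed",
                  "img_signature": sign(base_data),
                  "img_signature_hash_method": "SHA-256"}
    results = {"base": upload(base_props, base_data)}
    # Before the fix: the signature properties leak into the snapshot metadata.
    try:
        results["inherited"] = upload(snapshot_properties(base_props, ()), snap_data)
    except ValueError as exc:
        results["inherited"] = str(exc)
    # After the fix: both properties are treated as non-inheritable.
    filtered = snapshot_properties(base_props, SIGNATURE_PROPS)
    results["filtered"] = upload(filtered, snap_data)
    return results


if __name__ == "__main__":
    print(demo())
```

In this model the snapshot uploads once the properties are filtered, but it carries no signature of its own.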
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 17.0.0.0b3

This issue was fixed in the openstack/nova 17.0.0.0b3 development milestone.

Revision history for this message
Brianna Poulos (brianna-poulos) wrote :

@Lee Yarwood: Are you planning on backporting the fix for this bug to Pike in Nova?

If not, should the barbican-tempest-plugin test (added in https://review.openstack.org/#/c/527079/) be updated so that it is only run on Queens and newer versions? Otherwise, it will fail when it is run on the Pike stable branch (see http://logs.openstack.org/72/551372/3/gate/barbican-simple-crypto-devstack-tempest/41319ae/job-output.txt.gz#_2018-04-20_15_23_07_458333 )

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/565288

Matt Riedemann (mriedem)
Changed in nova:
importance: Undecided → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/pike)

Reviewed: https://review.openstack.org/565288
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f8498c41cdfec2acde62a1da1abce917ac882c7d
Submitter: Zuul
Branch: stable/pike

commit f8498c41cdfec2acde62a1da1abce917ac882c7d
Author: Lee Yarwood <email address hidden>
Date: Mon Dec 11 10:08:34 2017 +0000

    conf: Do not inherit image signature props with snapshots

    All image signature properties should not be inherited from the metadata
    of the original image when creating a snapshot of an instance. Otherwise
    Glance will attempt to verify the signature of the snapshot image and
    fail as this has changed from that of the original.

    Closes-bug: #1737513
    Needed-By: https://review.openstack.org/551290
    Change-Id: Ia3d80bf2f81c7317fec117aecbc3c560d51a7d4e
    (cherry picked from commit 82c823bcec5850f6876308ebcdbcb37312bf763f)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.1.4

This issue was fixed in the openstack/nova 16.1.4 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 16.1.5

This issue was fixed in the openstack/nova 16.1.5 release.
