nova-compute doesn't check image signature if imagecache exists
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Compute (nova) | In Progress | High | melanie witt |
Bug Description
Description
===========
nova-compute doesn't verify image signature/
Steps to reproduce
==================
Preconditions:
Nova, Glance, Barbican components (Pike) are installed with default settings and policy.json. Environment has 1 compute node (to simplify the case).
* Create signed glance image. Please follow https:/
* Create separate project and user with "member" role in it.
* Login as member user and try to boot VM from your signed image.
Actual and expected result:
VM is not booted. Error:
Server <ID> failed to build and is in ERROR status
Details: {u'message': u'Build of instance <ID> aborted: Signature verification for the image failed: Unable to retrieve certificate with ID: <cert_ID>.', u'code': 500, u'created': u'2018-
* Login as admin. Boot VM from the image.
Actual and expected result:
VM is Active.
* Login as member user again. Boot VM from the image.
Actual result:
VM is Active.
Expected result:
User doesn't have enough rights to boot VM, because image cannot be verified (cannot retrieve certificate from barbican). However, since compute node has imagecache of this image, nova-compute boots VM.
On compute node:
ls -la /var/lib/
total 38424
drwxr-xr-x 2 nova nova 4096 Aug 5 17:12 .
drwxr-xr-x 7 nova nova 4096 Aug 6 16:34 ..
-rw-r--r-- 1 libvirt-qemu kvm 41126400 Aug 6 16:32 5dfc15a8b8ab3ac
Environment
===========
Openstack Pike,
nova 2:16.1.3-1~u16.04
python-novaclient 2:9.1.1-1~u16.04
qemu-kvm 1:2.11+
libvirt 4.0.0-1.7~u16.04
python-libvirt 3.5.0-1.1~u16.04
tags: added: image-cache
Changed in nova:
assignee: nobody → Xiaopengli (xiaopengleee)
assignee: Xiaopengli (xiaopengleee) → nobody
assignee: nobody → Xiaopengli (xiaopengleee)
assignee: Xiaopengli (xiaopengleee) → nobody
Indeed, I can see that the image verification code only executes when an image is downloaded from glance:
https://github.com/openstack/nova/blob/20bc0136d0665bafdcd379f19389a0a5ea7bf310/nova/image/glance.py#L387
To fix this, we need to run the verification routine even when an image is already cached on the compute node, if instance.trusted_certs or CONF.glance.verify_glance_signatures.
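The following is an added example, not nova's own code and not the fix referred to in the comment above. It is a toy model of the cache path that reproduces the three boots from the report: Barbican and Glance are replaced by in-memory dicts, the "certificate" is an HMAC-SHA256 key with a per-user access list standing in for the asymmetric signature and certificate retrieval that nova actually performs, and the names ComputeNode, fetch_to_cache, CERT_STORE and IMAGES are all hypothetical. The verify_cached flag switches between verifying only on download (the behaviour reported) and verifying on every fetch, and verify_glance_signatures models the CONF.glance.verify_glance_signatures setting.

```python
"""Toy model of the nova image-cache signature-verification gap.

Added example, not nova code. Barbican, Glance, the signature scheme and
all names below are constructed for illustration only.
"""
import hashlib
import hmac


class SignatureVerificationError(Exception):
    """Stand-in for the error nova raises when image verification fails."""


# Constructed stand-in for Barbican: a "certificate" (here, an HMAC key) and
# the set of users whose context is allowed to retrieve it.
CERT_STORE = {
    "cert-0001": {"key": b"signer-key", "readable_by": {"admin"}},
}

IMAGE_BYTES = b"constructed image payload"

# Constructed stand-in for Glance: image bytes plus signature metadata.
IMAGES = {
    "img-0001": {
        "data": IMAGE_BYTES,
        "meta": {
            "img_signature_certificate_uuid": "cert-0001",
            "img_signature_hash_method": "SHA-256",
            "img_signature": hmac.new(
                b"signer-key", IMAGE_BYTES, hashlib.sha256).hexdigest(),
        },
    },
}


def verify_signature(image_id, data, user):
    """Retrieve the certificate as `user` and check the image signature.

    Reproduces both failure modes: the certificate may not be retrievable
    in the caller's context, or the signature may not match the bytes.
    """
    meta = IMAGES[image_id]["meta"]
    cert_id = meta["img_signature_certificate_uuid"]
    cert = CERT_STORE.get(cert_id)
    if cert is None or user not in cert["readable_by"]:
        raise SignatureVerificationError(
            "Unable to retrieve certificate with ID: %s" % cert_id)
    expected = hmac.new(cert["key"], data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, meta["img_signature"]):
        raise SignatureVerificationError(
            "Signature verification for the image failed")


class ComputeNode:
    """One compute node with its local image cache (hypothetical class)."""

    def __init__(self, verify_cached=False, verify_glance_signatures=True):
        self.cache = {}                     # image_id -> bytes (the cached base file)
        self.verify_cached = verify_cached  # False reproduces the reported behaviour
        self.verify_glance_signatures = verify_glance_signatures

    def fetch_to_cache(self, image_id, user):
        """Return image bytes, downloading from 'Glance' only on a cache miss."""
        if image_id in self.cache:
            # With verify_cached=False a cache hit skips verification, so the
            # admin's earlier verified download satisfies later requests from
            # a user who cannot retrieve the certificate at all.
            if self.verify_cached and self.verify_glance_signatures:
                verify_signature(image_id, self.cache[image_id], user)
            return self.cache[image_id]
        data = IMAGES[image_id]["data"]
        if self.verify_glance_signatures:
            verify_signature(image_id, data, user)
        self.cache[image_id] = data
        return data


def boot(node, image_id, user):
    """Return the resulting server status, ACTIVE or ERROR."""
    try:
        node.fetch_to_cache(image_id, user)
        return "ACTIVE"
    except SignatureVerificationError:
        return "ERROR"


def reproduce(verify_cached):
    """Replay the report's three boots (member, admin, member) on an empty cache."""
    node = ComputeNode(verify_cached=verify_cached)
    return [boot(node, "img-0001", "member"),
            boot(node, "img-0001", "admin"),
            boot(node, "img-0001", "member")]


if __name__ == "__main__":
    print("verification only on download:", reproduce(False))
    print("verification on every fetch:  ", reproduce(True))
```

With verify_cached=False the third boot succeeds, which is the reported result; with verify_cached=True the member's second boot fails exactly as the first did. Verifying on cache hits has a second benefit the report does not mention: a cached base file that has been modified on the compute node since download is rejected as well, since the signature is checked against the bytes actually being used.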