nova-compute doesn't check image signature if imagecache exists

Bug #1785668 reported by Oleksii on 2018-08-06
Affects: OpenStack Compute (nova)
Importance: High
Assigned to: melanie witt

Bug Description

Description
===========
nova-compute doesn't verify image signature/certificate in barbican component if local imagecache exists for this image on compute node.

Steps to reproduce
==================
Preconditions:
Nova, Glance, Barbican components (Pike) are installed with default settings and policy.json. Environment has 1 compute node (to simplify the case).

* Create a signed glance image. Please follow https://docs.openstack.org/glance/pike/user/signature.html
* Create a separate project and a user with the "member" role in it.
* Log in as the member user and try to boot a VM from your signed image.

Actual and expected result:
VM is not booted. Error:
Server <ID> failed to build and is in ERROR status
Details: {u'message': u'Build of instance <ID> aborted: Signature verification for the image failed: Unable to retrieve certificate with ID: <cert_ID>.', u'code': 500, u'created': u'2018-07-18T15:53:15Z'}

* Log in as admin. Boot a VM from the image.
Actual and expected result:
VM is Active.

* Log in as the member user again. Boot a VM from the image.
Actual result:
VM is Active.

Expected result:
The user doesn't have enough rights to boot the VM, because the image cannot be verified (the certificate cannot be retrieved from barbican). However, since the compute node has an image cache entry for this image, nova-compute boots the VM.

On compute node:
ls -la /var/lib/nova/instances/_base/
   total 38424
   drwxr-xr-x 2 nova nova 4096 Aug 5 17:12 .
   drwxr-xr-x 7 nova nova 4096 Aug 6 16:34 ..
   -rw-r--r-- 1 libvirt-qemu kvm 41126400 Aug 6 16:32 5dfc15a8b8ab3ac68ff5d442fed2564adbaa4149

Environment
===========
Openstack Pike,
nova 2:16.1.3-1~u16.04
python-novaclient 2:9.1.1-1~u16.04
qemu-kvm 1:2.11+dfsg-1.4~u16.04
libvirt 4.0.0-1.7~u16.04
python-libvirt 3.5.0-1.1~u16.04

Matt Riedemann (mriedem) on 2018-08-08
tags: added: image-cache
Changed in nova:
assignee: nobody → Xiaopengli (xiaopengleee)
assignee: Xiaopengli (xiaopengleee) → nobody
assignee: nobody → Xiaopengli (xiaopengleee)
assignee: Xiaopengli (xiaopengleee) → nobody
melanie witt (melwitt) wrote :

Indeed, I can see that the image verification code only executes when an image is downloaded from glance:

https://github.com/openstack/nova/blob/20bc0136d0665bafdcd379f19389a0a5ea7bf310/nova/image/glance.py#L387

To fix this, we need to run the verification routine even when an image is already cached on the compute node, if instance.trusted_certs or CONF.glance.verify_glance_signatures is set.

Changed in nova:
assignee: nobody → melanie witt (melwitt)
importance: Undecided → High
status: New → Triaged
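To make the cache-hit bypass concrete, here is an added Python model that replays the three boots from the reporter's steps (member on a cold cache, admin, member again) against a fetch path that only verifies on glance download and against one that verifies on every boot, as the comment above proposes. It is not nova's code and not from the reporter or the commenter: ImageStore, ImageCache, Context, Image, fetch_image_buggy and fetch_image_fixed are hypothetical stand-ins for glance, the _base directory, barbican's certificate ACL and nova's download path; the sha1-of-image-id cache key follows nova's _base file naming seen in the listing above.

```python
"""Toy model of the image fetch path described in bug 1785668.

Constructed illustration, not nova code: every class and function here is a
hypothetical stand-in for glance, the libvirt _base cache, barbican ACLs
and nova's image download path.
"""
import hashlib
from dataclasses import dataclass, field


class CertificateUnavailable(Exception):
    """Stands in for 'Unable to retrieve certificate with ID: <cert_ID>'."""


class SignatureMismatch(Exception):
    """Signature did not verify against the certificate."""


@dataclass
class Context:
    project: str
    can_read_cert: bool   # whether barbican lets this caller fetch the signing cert


@dataclass
class Image:
    image_id: str
    data: bytes
    signature_ok: bool    # constructed: outcome of the cryptographic check


@dataclass
class ImageStore:
    """Stands in for glance."""
    images: dict

    def download(self, image_id: str) -> bytes:
        return self.images[image_id].data


@dataclass
class ImageCache:
    """Stands in for /var/lib/nova/instances/_base/."""
    base: dict = field(default_factory=dict)


def cache_key(image_id: str) -> str:
    # nova names _base entries by the sha1 of the image id, which is why the
    # listing above shows a 40-hex filename.
    return hashlib.sha1(image_id.encode()).hexdigest()


def verify_signature(ctx: Context, image: Image) -> None:
    """Barbican certificate lookup followed by the signature check."""
    if not ctx.can_read_cert:
        raise CertificateUnavailable(
            f"Unable to retrieve certificate for image {image.image_id}")
    if not image.signature_ok:
        raise SignatureMismatch(image.image_id)


def fetch_image_buggy(ctx, cache, store, image_id, verify=True) -> bytes:
    """Verification only runs on the glance download path."""
    key = cache_key(image_id)
    if key in cache.base:
        return cache.base[key]          # cache hit: verification skipped (the bug)
    data = store.download(image_id)
    if verify:
        verify_signature(ctx, store.images[image_id])
    cache.base[key] = data
    return data


def fetch_image_fixed(ctx, cache, store, image_id, verify=True) -> bytes:
    """Verification runs for every boot, cache hit or not."""
    key = cache_key(image_id)
    if verify:
        verify_signature(ctx, store.images[image_id])   # before consulting the cache
    if key not in cache.base:
        cache.base[key] = store.download(image_id)
    return cache.base[key]


def replay_scenario(fetch, verify=True) -> tuple:
    """Member boots on a cold cache, admin boots, member boots again.

    Returns the per-boot outcome as the report describes it (ACTIVE / ERROR).
    """
    store = ImageStore({"img-1": Image("img-1", b"disk bytes", signature_ok=True)})
    cache = ImageCache()
    member = Context("tenant-a", can_read_cert=False)   # constructed: no barbican ACL
    admin = Context("admin", can_read_cert=True)
    outcomes = []
    for ctx in (member, admin, member):
        try:
            fetch(ctx, cache, store, "img-1", verify=verify)
            outcomes.append("ACTIVE")
        except CertificateUnavailable:
            outcomes.append("ERROR")
    return tuple(outcomes)


if __name__ == "__main__":
    print("buggy:", replay_scenario(fetch_image_buggy))   # ('ERROR', 'ACTIVE', 'ACTIVE')
    print("fixed:", replay_scenario(fetch_image_fixed))   # ('ERROR', 'ACTIVE', 'ERROR')
```

The third boot is the one that matters: in the buggy path the admin's boot has populated the cache, so the member's second boot never reaches the certificate lookup and succeeds; in the fixed path the lookup runs regardless of cache state and the member is refused again. Placing the check before the cache lookup also means a cached copy is never handed out on the strength of an earlier caller's verification.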

Fix proposed to branch: master
Review: https://review.openstack.org/610189

Changed in nova:
status: Triaged → In Progress