nova-compute doesn't check image signature if imagecache exists

Bug #1785668 reported by Oleksii
Affects: OpenStack Compute (nova)
Status: In Progress
Importance: High
Assigned to: melanie witt
Milestone:

Bug Description

Description
===========
nova-compute doesn't verify the image signature/certificate against the Barbican component if a local image cache exists for this image on the compute node.

Steps to reproduce
==================
Preconditions:
Nova, Glance, Barbican components (Pike) are installed with default settings and policy.json. Environment has 1 compute node (to simplify the case).

* Create signed glance image. Please follow https://docs.openstack.org/glance/pike/user/signature.html
* Create a separate project and a user with the "member" role in it.
* Log in as the member user and try to boot a VM from your signed image.

Actual and expected result:
The VM is not booted. Error:
Server <ID> failed to build and is in ERROR status
Details: {u'message': u'Build of instance <ID> aborted: Signature verification for the image failed: Unable to retrieve certificate with ID: <cert_ID>.', u'code': 500, u'created': u'2018-07-18T15:53:15Z'}

* Log in as admin. Boot a VM from the image.
Actual and expected result:
VM is Active.

* Log in as the member user again. Boot a VM from the image.
Actual result:
VM is Active.

Expected result:
The user doesn't have enough rights to boot a VM, because the image cannot be verified (the certificate cannot be retrieved from Barbican). However, since the compute node has an image cache of this image, nova-compute boots the VM.

On compute node:
ls -la /var/lib/nova/instances/_base/
   total 38424
   drwxr-xr-x 2 nova nova 4096 Aug 5 17:12 .
   drwxr-xr-x 7 nova nova 4096 Aug 6 16:34 ..
   -rw-r--r-- 1 libvirt-qemu kvm 41126400 Aug 6 16:32 5dfc15a8b8ab3ac68ff5d442fed2564adbaa4149

Environment
===========
OpenStack Pike
nova 2:16.1.3-1~u16.04
python-novaclient 2:9.1.1-1~u16.04
qemu-kvm 1:2.11+dfsg-1.4~u16.04
libvirt 4.0.0-1.7~u16.04
python-libvirt 3.5.0-1.1~u16.04

Tags: image-cache
Matt Riedemann (mriedem)
tags: added: image-cache
Changed in nova:
assignee: nobody → Xiaopengli (xiaopengleee)
assignee: Xiaopengli (xiaopengleee) → nobody
assignee: nobody → Xiaopengli (xiaopengleee)
assignee: Xiaopengli (xiaopengleee) → nobody
melanie witt (melwitt) wrote:

Indeed, I can see that the image verification code only executes when an image is downloaded from glance:

https://github.com/openstack/nova/blob/20bc0136d0665bafdcd379f19389a0a5ea7bf310/nova/image/glance.py#L387

To fix this, we need to run the verification routine even when an image is already cached on the compute node, if instance.trusted_certs or CONF.glance.verify_glance_signatures.

Changed in nova:
assignee: nobody → melanie witt (melwitt)
importance: Undecided → High
status: New → Triaged
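The two code paths discussed in the triage comment, as an added example (a toy Python model written for this page, not nova's code or the proposed fix): `fetch_vulnerable` verifies the signature only when the image is downloaded from Glance, so a cache hit in `_base` skips verification entirely, while `fetch_fixed` runs the verification routine on a cache hit as well. The HMAC-SHA256 "signature", the `FAKE_BARBICAN` store with a per-project read ACL, the `FAKE_GLANCE` image and the project names are all constructed stand-ins; the ACL is an assumption used to model the reporter's "Unable to retrieve certificate" error for the member project.

```python
"""Toy model of nova-compute's image fetch with a local image cache.
Added example, not nova code: HMAC-SHA256 stands in for Glance's certificate
signature, and FAKE_BARBICAN's per-project read ACL models the member project
being unable to retrieve the certificate while the admin project can."""
import hashlib
import hmac


class CertificateUnavailable(Exception):
    """The key manager refused or lacks the certificate."""


class SignatureVerificationError(Exception):
    """Signature does not match the image bytes."""


# Constructed stand-in for Barbican: cert id -> key material and readers.
FAKE_BARBICAN = {
    "cert-0001": {"key": b"constructed-signing-key", "readers": {"admin-project"}},
}

# Constructed stand-in for a signed Glance image (property names as in Glance).
IMAGE_DATA = b"constructed qcow2 image bytes"
FAKE_GLANCE = {
    "image-0001": {
        "data": IMAGE_DATA,
        "meta": {
            "img_signature_certificate_uuid": "cert-0001",
            "img_signature": hmac.new(
                FAKE_BARBICAN["cert-0001"]["key"], IMAGE_DATA, hashlib.sha256
            ).hexdigest(),
        },
    }
}


def fetch_certificate(cert_id, project_id):
    entry = FAKE_BARBICAN.get(cert_id)
    if entry is None or project_id not in entry["readers"]:
        raise CertificateUnavailable(f"Unable to retrieve certificate with ID: {cert_id}")
    return entry["key"]


def verify_image_signature(data, meta, project_id):
    """Verify the signature; the caller's project must be able to read the cert."""
    key = fetch_certificate(meta["img_signature_certificate_uuid"], project_id)
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, meta["img_signature"]):
        raise SignatureVerificationError("Signature verification for the image failed")


class ComputeNode:
    """One compute node; self.cache plays the role of instances/_base."""
    def __init__(self, verify_glance_signatures=True):
        self.verify_glance_signatures = verify_glance_signatures
        self.cache = {}  # image_id -> cached bytes

    def fetch_vulnerable(self, image_id, project_id):
        """Reported behaviour: verification only runs on the download path."""
        if image_id in self.cache:
            return self.cache[image_id]  # cache hit: signature never checked
        image = FAKE_GLANCE[image_id]
        if self.verify_glance_signatures:
            verify_image_signature(image["data"], image["meta"], project_id)
        self.cache[image_id] = image["data"]
        return image["data"]

    def fetch_fixed(self, image_id, project_id):
        """Proposed behaviour: verify on a cache hit as well, before booting."""
        image = FAKE_GLANCE[image_id]
        data = self.cache.get(image_id, image["data"])
        if self.verify_glance_signatures:
            verify_image_signature(data, image["meta"], project_id)
        self.cache[image_id] = data
        return data


def reproduce(fetch_name):
    """Replay the reporter's three boots; return ACTIVE or ERROR per step."""
    node = ComputeNode()
    outcomes = []
    for project in ("member-project", "admin-project", "member-project"):
        try:
            getattr(node, fetch_name)("image-0001", project)
            outcomes.append("ACTIVE")
        except (CertificateUnavailable, SignatureVerificationError) as exc:
            outcomes.append(f"ERROR: {exc}")
    return outcomes


def tampered_cache(fetch_name):
    """Populate the cache legitimately, alter the cached file, boot again."""
    node = ComputeNode()
    getattr(node, fetch_name)("image-0001", "admin-project")
    node.cache["image-0001"] = b"modified on disk after caching"
    try:
        getattr(node, fetch_name)("image-0001", "admin-project")
        return "ACTIVE"
    except SignatureVerificationError:
        return "ERROR"


if __name__ == "__main__":
    for name in ("fetch_vulnerable", "fetch_fixed"):
        print(name, reproduce(name), tampered_cache(name))
```

`reproduce("fetch_vulnerable")` gives ERROR, ACTIVE, ACTIVE, the sequence in the report; `reproduce("fetch_fixed")` gives ERROR, ACTIVE, ERROR, because the member project still cannot retrieve the certificate on the third boot even though the image is cached. `tampered_cache` shows the second thing re-verification buys: a `_base` file altered after caching boots silently on the vulnerable path and is rejected on the fixed one. Two caveats for anyone applying this to a real deployment: the failure in the report is a certificate-retrieval (Barbican access) failure rather than a bad signature, so re-running verification on cache hits restores that policy check but does not by itself say anything about the cached bytes being authentic; and real nova by default converts cached base images to raw (`force_raw_images`), so the Glance signature, computed over the uploaded bytes, cannot simply be re-checked against the `_base` file the way this toy does by caching the original bytes.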
OpenStack Infra (hudson-openstack) wrote: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/610189

Changed in nova:
status: Triaged → In Progress