Octavia should filter an Amphora image from a specific tenant

Bug #1620629 reported by Nir Magnezi
This bug affects 1 person
Status: Fix Released
Assigned to: Michael Johnson

Bug Description

_extract_amp_image_id_by_tag[1] lists all images with the 'amphora' tag (or any other tag pre-defined in octavia.conf),
sorts them by creation date and uses the newest one.

Side note: at the time of filing this bug, it does not sort properly due to bug 1618921, but once the fix for bug 1618921 gets merged, this will be the case.

For security reasons, _extract_amp_image_id_by_tag should also filter the images and only use images owned by a pre-defined tenant.

Currently, any non-admin tenant can tag an image with the 'amphora' tag and set it to public=True.
By doing that, Octavia will use that newly added image from the next time a loadbalancer gets created, for any tenant in that openstack setup.
Now, if for example the newly created image contains some pre-defined credentials and/or ssh keys so that it is accessible via ssh, and if we take into account that each amphora is also connected to the lb-mgmt network, that exposes the mgmt network to unauthorized access.

[1] https://github.com/openstack/octavia/blob/08570831754d9671fbd1756d668f55f191e47ca4/octavia/compute/drivers/nova_driver.py#L35
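The selection logic the report describes, as an added example that is not Octavia's own code: the same tag-based "newest image wins" rule, first without and then with an owner filter, plus an audit helper an operator could run to spot tagged images that belong to a different project. The image records, the `owner` / `created_at` / `tags` / `visibility` field names and the project ids are constructed for the example and mirror Glance v2 attribute names only loosely.

```python
"""Added example (not Octavia's code): amphora image selection by tag,
with and without restricting the selection to an expected owner."""
import logging
from datetime import datetime, timezone

LOG = logging.getLogger(__name__)

# Constructed sample listing (not real Glance output). The third record
# plays the role of a tenant-uploaded image that was tagged 'amphora'
# and made public; it is the newest of all, so a tag-only selection
# would pick it.
IMAGES = [
    {"id": "img-operator-old", "tags": ["amphora"], "owner": "operator-project",
     "visibility": "public", "created_at": "2016-08-01T00:00:00Z"},
    {"id": "img-operator-new", "tags": ["amphora"], "owner": "operator-project",
     "visibility": "public", "created_at": "2016-08-15T00:00:00Z"},
    {"id": "img-foreign", "tags": ["amphora"], "owner": "demo-project",
     "visibility": "public", "created_at": "2016-09-07T00:00:00Z"},
    {"id": "img-cirros", "tags": [], "owner": "operator-project",
     "visibility": "public", "created_at": "2016-09-08T00:00:00Z"},
]


def _created(image):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    ts = datetime.strptime(image["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)


def select_amp_image(images, tag="amphora", owner=None):
    """Return the id of the newest image carrying `tag`, or None.

    With owner=None this is the tag-only behaviour the bug describes: any
    public image tagged by anyone can win. Passing the expected owner's
    project id drops every image owned by someone else before sorting,
    which is the hardened behaviour the report asks for.
    """
    candidates = [img for img in images if tag in img["tags"]]
    if owner is not None:
        candidates = [img for img in candidates if img["owner"] == owner]
    if not candidates:
        return None
    candidates.sort(key=_created, reverse=True)
    if len(candidates) > 1:
        # Same condition Octavia logs a warning for: several tagged images.
        LOG.warning("A single image should be tagged with %s, but %d found. "
                    "Using %s.", tag, len(candidates), candidates[0]["id"])
    return candidates[0]["id"]


def foreign_tagged_images(images, tag="amphora", owner="operator-project"):
    """Audit helper: ids of images carrying `tag` whose owner is not the
    expected project. A non-empty result is worth an operator's attention
    whether or not the owner filter is enabled."""
    return [img["id"] for img in images
            if tag in img["tags"] and img["owner"] != owner]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("tag only      :", select_amp_image(IMAGES))
    print("owner filtered:", select_amp_image(IMAGES, owner="operator-project"))
    print("foreign images:", foreign_tagged_images(IMAGES))
```

Run stand-alone, the tag-only call selects the foreign image because it is the newest, the owner-filtered call selects the operator's newest image, and the audit helper lists the foreign one; an owner id that matches no image yields None rather than silently falling back to an unfiltered choice.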

Nir Magnezi (nmagnezi)
summary: - Octavia should select an Amphora image from a specific tenant
+ Octavia should filter an Amphora image from a specific tenant
Nir Magnezi (nmagnezi)
affects: octavia → neutron
Revision history for this message
Doug Wiegley (dougwig) wrote :

Currently marked neutron because no one could see it when it was octavia. Leaving neutron until we get launchpad sorted out.

Changed in neutron:
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
Doug Wiegley (dougwig) wrote :

This is a bug, but first you'd have to configure your cloud to allow any tenant to post public images, which is not the default.

Revision history for this message
Michael Johnson (johnsom) wrote :

I agree this is an issue and will work on a patch.

tags: added: lbaas
Changed in neutron:
status: Confirmed → Triaged
assignee: nobody → Michael Johnson (johnsom)
Revision history for this message
Michael Johnson (johnsom) wrote :

In testing this with a stock master (newton) devstack I disabled the security in glance API and then uploaded a tagged image using the demo user account (image 2). There are now two glance images tagged with the "amphora" tag.

stack@devstack:~/devstack$ glance image-list
| ID | Name |
| f0b08fe6-d5b6-4d48-916d-095c30f04bbc | amphora-x64-haproxy |
| 1082ac09-4caf-40ab-b848-ffbf007a375b | amphora-x64-haproxy2 |
| 4516dbf3-b995-4444-9836-68516e7d9d55 | cirros-0.3.3-x86_64-disk |
| 43d426bf-eaf0-4e37-89de-6f3469680609 | cirros-0.3.4-x86_64-uec |
| 848e862f-99ef-4ff3-aeca-c6358718bfea | cirros-0.3.4-x86_64-uec-kernel |
| 909d6608-9315-4364-9fbd-789c33eb4038 | cirros-0.3.4-x86_64-uec-ramdisk |

When I booted a load balancer, I got the expected warning from Octavia:

2016-09-07 23:21:25.085 73535 WARNING octavia.compute.drivers.nova_driver [-] A single Glance image should be tagged with amphora tag, but 2 found. Using f0b08fe6-d5b6-4d48-916d-095c30f04bbc.

This indicated that with the current default configuration, octavia will still select the correct image.

Revision history for this message
Nir Magnezi (nmagnezi) wrote :

Michael, the reason Octavia still chooses the older image is due to bug 1618921, which will prevent people from easily upgrading their amphora image.
Once bug 1618921 is fixed, you'll notice it uses the last created image.

Revision history for this message
Michael Johnson (johnsom) wrote :

FYI there is a patch up for this here: https://review.openstack.org/#/c/367039/
I assume it is not getting linked due to the security nature of the bug.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Yes, the VMT recommends only attaching patches for security issues to the bug until it's made public, so we don't usually run into this for vulnerability:managed projects:


Bug-linking automation in our CI can't find private bugs in Launchpad, but if you're going to push a fix for a vulnerability to public code review it makes a lot of sense to switch the report to public security before doing so anyway. Also, even if this bug were public, the bug-linking automation would fail to find it because the reported task is currently for neutron but the change referencing it is pushed to octavia instead, so you'll want to fix that as well.

Now that there's a change in code review that claims to be security-relevant and refers directly to a bug most people will find they're unable to read, the issue is pretty clearly disclosed. Better to go ahead and switch this to public security or public depending on whether you consider it an exploitable vulnerability or not.

information type: Private Security → Public Security
affects: neutron → octavia
tags: removed: lbaas
Changed in octavia:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to octavia (master)

Reviewed: https://review.openstack.org/367039
Committed: https://git.openstack.org/cgit/openstack/octavia/commit/?id=d7d062a47ab54a540d81f13a0e5f3085ebfaa0d2
Submitter: Jenkins
Branch: master

commit d7d062a47ab54a540d81f13a0e5f3085ebfaa0d2
Author: Michael Johnson <email address hidden>
Date: Thu Sep 8 01:25:18 2016 +0000

    Option to restrict amp glance image owner

    This patch adds an optional configuration setting that allows an
    operator to restrict the amphora glance image selection to a specific
    owner id. This is a recommended security setting for clouds that
    allow user uploadable images.

    Change-Id: I73347b5b3e868d13974cd6ca6bada9cdf75773fe
    Closes-Bug: #1620629

Changed in octavia:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/octavia 0.9.0

This issue was fixed in the openstack/octavia 0.9.0 release.
