Octavia should filter an Amphora image from a specific tenant

Currently marked neutron because no one could see it when it was octavia. Leaving neutron until we get launchpad sorted out.

This is a bug, but first you'd have to configure your cloud to allow any tenant to post public images, which is not the default.

I agree this is an issue and will work on a patch.

In testing this with a stock master (newton) devstack I disabled the security in glance API and then uploaded a tagged image using the demo user account (image 2). There are now two glance images tagged with the "amphora" tag.

stack@devstack:~/devstack$ glance image-list
+--------------------------------------+---------------------------------+
| ID | Name |
+--------------------------------------+---------------------------------+
| f0b08fe6-d5b6-4d48-916d-095c30f04bbc | amphora-x64-haproxy |
| 1082ac09-4caf-40ab-b848-ffbf007a375b | amphora-x64-haproxy2 |
| 4516dbf3-b995-4444-9836-68516e7d9d55 | cirros-0.3.3-x86_64-disk |
| 43d426bf-eaf0-4e37-89de-6f3469680609 | cirros-0.3.4-x86_64-uec |
| 848e862f-99ef-4ff3-aeca-c6358718bfea | cirros-0.3.4-x86_64-uec-kernel |
| 909d6608-9315-4364-9fbd-789c33eb4038 | cirros-0.3.4-x86_64-uec-ramdisk |
+--------------------------------------+---------------------------------+

When I booted a load balancer, I got the expected warning from Octavia:

2016-09-07 23:21:25.085 73535 WARNING octavia.compute.drivers.nova_driver [-] A single Glance image should be tagged with amphora tag, but 2 found. Using f0b08fe6-d5b6-4d48-916d-095c30f04bbc.

This indicated that with the current default configuration, octavia will still select the correct image.

Michael, the reason Octavia still choses the older image is due to bug 1618921, which will prevent people from easily upgrade their amphora image.
Once bug 1618921 is fixed, you'll notice it uses the last created image.

FYI there is a patch up for this here: https://review.openstack.org/#/c/367039/
I assume it is not getting linked due to the security nature of the bug.

Yes, the VMT recommends only attaching patches for security issues to the bug until it's made public, so we don't usually run into this for vulnerability:managed projects:

https://security.openstack.org/vmt-process.html#reception-embargo-reminder-private-issues

Bug-linking automation in our CI can't find private bugs in Launchpad, but if you're going to push a fix for a vulnerability to public code review it makes a lot of sense to switch the report to public security before doing so anyway. Also, even if this bug were public, the bug-linking automation would fail to find it because the reported task is currently for neutron but the change referencing it is pushed to octavia instead, so you'll want to fix that as well.

Now that there's a change in code review that claims to be security-relevant and refers directly to a bug most people will find they're unable to read, the issue is pretty clearly disclosed. Better to go ahead and switch this to public security or public depending on whether you consider it an exploitable vulnerability or not.

Reviewed: https://review.openstack.org/367039
Committed: https://git.openstack.org/cgit/openstack/octavia/commit/?id=d7d062a47ab54a540d81f13a0e5f3085ebfaa0d2
Submitter: Jenkins
Branch: master

commit d7d062a47ab54a540d81f13a0e5f3085ebfaa0d2
Author: Michael Johnson <email address hidden>
Date: Thu Sep 8 01:25:18 2016 +0000

    Option to restrict amp glance image owner

    This patch adds an optional configuration setting that allows an
    operator to restrict the amphora glance image selection to a specific
    owner id. This is a recommended security setting for clouds that
    allow user uploadable images.

    Change-Id: I73347b5b3e868d13974cd6ca6bada9cdf75773fe
    Closes-Bug: #1620629

This issue was fixed in the openstack/octavia 0.9.0 release.