local registry could be accessed without authentication

Bug #1894930 reported by Lin Shuicheng
Affects: StarlingX; Status: Fix Released; Importance: High; Assigned to: Jerry Sun

Bug Description

Brief Description
-----------------
StarlingX's local registry (registry.local:9001) is designed as a secure registry. Each user is authenticated by username and password before being granted access to it.
But with the latest code, authentication is skipped because a default username and password are configured in containerd. So the user no longer needs to provide auth info and can access the registry.

This issue should relate to patch https://review.opendev.org/733941, which tries to fix bug 1881353.

Severity
--------
Major

Steps to Reproduce
------------------
1. sudo docker pull busybox:latest
2. sudo docker login registry.local:9001 with admin account
3. sudo docker tag busybox:latest registry.local:9001/busybox:latest
4. sudo docker push registry.local:9001/busybox:latest
5. kubectl apply -f busybox.yaml

Here is the busybox.yaml file:
apiVersion: v1
kind: Pod
metadata:
  name: busybox
  namespace: default
spec:
  containers:
  - image: registry.local:9001/busybox:latest
    command:
      - sleep
      - "3600"
    imagePullPolicy: IfNotPresent
    name: busybox
  restartPolicy: Always

Expected Behavior
------------------
The pod should fail to run because containerd cannot pull the image from the registry due to the lack of secret info.

Actual Behavior
----------------
Pod could run successfully.

Reproducibility
---------------
100%

System Configuration
--------------------
AIO

Branch/Pull Time/Commit
-----------------------
latest master code

Last Pass
---------
N/A

Timestamp/Logs
--------------
N/A

Test Activity
-------------
Developer Testing

Workaround
----------
N/A

Ghada Khalil (gkhalil)
tags: added: stx.5.0 stx.containers
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
assignee: nobody → Jerry Sun (jerry-sun-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to containers (master)

Fix proposed to branch: master
Review: https://review.opendev.org/756557

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/756558

OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/756559

OpenStack Infra (hudson-openstack) wrote : Fix merged to containers (master)

Reviewed: https://review.opendev.org/756557
Committed: https://git.openstack.org/cgit/starlingx/containers/commit/?id=0c7c1ac2da3ccccd15ac2057aa51e7850246cca1
Submitter: Zuul
Branch: master

commit 0c7c1ac2da3ccccd15ac2057aa51e7850246cca1
Author: Jerry Sun <email address hidden>
Date: Wed Oct 7 12:22:52 2020 -0400

    Registry Token Server Enhancements

    This commit enhances the registry token server with the following:
    - "public" is now treated as a public repo and all Docker users are
      allowed to pull from it.
    - the "paused" and "acmesolver" images are treated as public images,
      where any user is allowed to pull. This is because acmesolver needs
      to be deployed in namespaces without access to the admin pull secret.
    - the "mtce" repo is now closed to the "mtce" user. We are treating
      this repo as "reserved for internal use". This is because we are
      going to use "mtce" as a public user. Admin accounts can still
      push to the "mtce" repo.

    Partial-bug: 1894930

    Change-Id: I8faeaffee61a483eb8802fbae3f5d14fda226004
    Signed-off-by: Jerry Sun <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/756559
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=0405a5529d7080944096061742be7c9a4684e50e
Submitter: Zuul
Branch: master

commit 0405a5529d7080944096061742be7c9a4684e50e
Author: Jerry Sun <email address hidden>
Date: Wed Oct 7 12:29:21 2020 -0400

    Replace containerd Sysinv credentials with mtce credentials

    Sysinv credentials in the containerd config allowed kubernetes to
    deploy images without pull secrets. We replace the credentials with
    "mtce" user's credentials. The "mtce" user is treated as a public
    user and is not allowed to deploy non-public images.

    Closes-Bug: 1894930
    Depends-On: https://review.opendev.org/756557

    Change-Id: I4a33c6aba50d98d42ef91c75bfc9c148d4ebd9fd
    Signed-off-by: Jerry Sun <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/756558
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=77a68d3cadf57103ef8a3cd42fae5f700413b0fd
Submitter: Zuul
Branch: master

commit 77a68d3cadf57103ef8a3cd42fae5f700413b0fd
Author: Jerry Sun <email address hidden>
Date: Wed Oct 7 12:28:08 2020 -0400

    Replace containerd Sysinv credentials with mtce credentials

    Sysinv credentials in the containerd config allowed kubernetes to
    deploy images without pull secrets. We replace the credentials with
    "mtce" user's credentials. The "mtce" user is treated as a public
    user and is not allowed to deploy non-public images.

    Partial-bug: 1894930
    Depends-On: https://review.opendev.org/756557

    Change-Id: Icf293a8c3e44a587d5392db57f612ea26b422f12
    Signed-off-by: Jerry Sun <email address hidden>
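As an added example (not code from StarlingX or from the commits above), the following Python models the token-server rules described in the "Registry Token Server Enhancements" commit together with the effect of the containerd credential swap from "sysinv" to "mtce" described in the two "Replace containerd Sysinv credentials" commits. Assumed, not stated on the page: admin and sysinv hold full access, a non-admin user owns the repo namespace named after it, and a registry path splits as namespace/image.

```python
from dataclasses import dataclass

# Rules taken from the commit messages above.
PUBLIC_REPO = "public"                    # every authenticated user may pull from it
PUBLIC_IMAGES = {"paused", "acmesolver"}  # every user may pull these images
RESERVED_REPOS = {"mtce"}                 # "reserved for internal use": closed to mtce
PUBLIC_USERS = {"mtce"}                   # may only pull public content
# Assumption: admin and (before the fix) sysinv hold full read/write access.
FULL_ACCESS_USERS = {"admin", "sysinv"}


@dataclass(frozen=True)
class Request:
    user: str    # authenticated registry user (a failed login never gets here)
    repo: str    # registry path without tag, e.g. "busybox" or "public/nginx"
    action: str  # "pull" or "push"


def split_repo(path: str):
    """Return (top-level namespace, image name); assumed path layout."""
    parts = path.strip("/").split("/")
    return parts[0], parts[-1]


def authorize(req: Request) -> bool:
    """Decide whether the token server grants the requested access."""
    ns, image = split_repo(req.repo)
    if req.user in FULL_ACCESS_USERS:
        return True                   # admins may still push to "mtce"
    if req.action == "pull" and (ns == PUBLIC_REPO or image in PUBLIC_IMAGES):
        return True                   # public content is pullable by anyone
    if req.user in PUBLIC_USERS:
        return False                  # a public user never reaches private content
    if ns in RESERVED_REPOS:
        return False                  # only full-access accounts touch reserved repos
    return ns == req.user             # assumption: a user owns its own namespace


def kubelet_pull_without_secret(repo: str, containerd_user: str) -> bool:
    """A pod with no imagePullSecret is pulled with containerd's node-wide login."""
    return authorize(Request(containerd_user, repo, "pull"))


BEFORE_FIX = "sysinv"  # credential in the containerd config before the fix
AFTER_FIX = "mtce"     # credential after the fix

if __name__ == "__main__":
    # The reproduction above: a private "busybox" image, pod without a pull secret.
    print("before fix:", kubelet_pull_without_secret("busybox", BEFORE_FIX))  # True
    print("after fix: ", kubelet_pull_without_secret("busybox", AFTER_FIX))   # False
```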

OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/762919
