Zun

Interactive exec via proxy

Bug #1735076 reported by hongbin
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Zun
Fix Released
Critical
hongbin

Bug Description

The current implementation of interactive execute [1][2][3][4] is as following:

1. client call server with /containers/<id>/exec
2. server return an URL of the Docker daemon
3. client use the URL to connect with Docker daemon directly

Allow clients to connect to Docker daemon in compute host is a big security issue. We should have a proxy process in between client and docker daemon. As a result, the proxy can authenticate the client before allowing the connection. Details are stated in this spec: https://review.openstack.org/#/c/396841/

[1] https://review.openstack.org/#/c/449330/3
[2] https://review.openstack.org/#/c/449306/3
[3] https://review.openstack.org/#/c/449360/
[4] https://review.openstack.org/#/c/445234/16

hongbin (hongbin034)
Changed in zun:
importance: Undecided → Critical
status: New → Triaged
hongbin (hongbin034)
Changed in zun:
assignee: nobody → hongbin (hongbin034)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to zun (master)

Fix proposed to branch: master
Review: https://review.openstack.org/563482

Changed in zun:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/572235

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to zun (master)

Reviewed: https://review.openstack.org/571991
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=48075909a9a66b35e45896eeaac65d8597648e3a
Submitter: Zuul
Branch: master

commit 48075909a9a66b35e45896eeaac65d8597648e3a
Author: Hongbin Lu <email address hidden>
Date: Sun Jun 3 21:52:13 2018 +0000

    Add exec_instances to data model

    Zun is going to implement a proxy for interactive execute.
    The first step is to introduce data model for tracking each
    exec instances of a container. An exec instance in Zun is
    an one-to-one mapping for exec instance in Docker.
    We will use it to track a docker's exec instance as well as
    a generated token for granting access of this exec instance.
    In the future, the websocket proxy will retrieve the token from
    incoming request and match it to the one stored in DB.
    The request will be rejected if the token doesn't match.

    This patch introduces the data model of exec_instance
    in DB api and objects layer. It basically contains three
    fields: container_id, exec_id, url, token.
    The container_id is the id of the container record in Zun.
    The exec_id is the ID of the docker's exec instance.
    The url is the docker daemon endpoint for the exec instance
    The token is as described above.

    Partial-Bug: #1735076
    Change-Id: Ib38a46c0e3f3aae58e1f562536b858bc4cd23bf8

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/563482
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=ed9e3ee72b4f5e8bda0f5b3b06360e1a9a53e30e
Submitter: Zuul
Branch: master

commit ed9e3ee72b4f5e8bda0f5b3b06360e1a9a53e30e
Author: Hongbin Lu <email address hidden>
Date: Mon Apr 23 01:51:44 2018 +0000

    Support websocket proxy for exec

    In before, interactive exec works as following:
    * Client makes an API call to server to request an interactive
      execution inside a container
    * Server returns a URL that is an endpoint of the docker daemon
    * Client connects to the docker's URL

    This approach is considered to be unsecure because it directly
    exposes docker API endpoint to end-users. This patch changes
    the workflow to mitigate the security risk. The new workflow
    is as following:
    * Client makes an API call to server to request an interactive
      execution inside a container
    * Server return a URL that is the websocket proxy server
    * Clients connects to the proxy server
    * The proxy server proxies the request to docker daemon

    The proxy server will validate each incoming requests before
    doing the proxy calls. The API endpoint of docker daemon will
    be hidden from end-users.

    Change-Id: I68e49b99eee9e6c22a9df2cc19a1d2ba5053489e
    Partial-Bug: #1735076

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Reviewed: https://review.openstack.org/572235
Committed: https://git.openstack.org/cgit/openstack/zun/commit/?id=64745c1fc525d821fc40490232f8d8692b4a1079
Submitter: Zuul
Branch: master

commit 64745c1fc525d821fc40490232f8d8692b4a1079
Author: Hongbin Lu <email address hidden>
Date: Tue Jun 5 00:58:05 2018 +0000

    Remove the unused url for container exec

    This url is not needed anymore since we are using websocket
    proxy for doing interactive execute now.

    Depends-On: I68d2b3daaaf8fb551d00774f01ad0ee88538f7ae
    Change-Id: I5792d01fcb3f360864c49ea7368dc470181a5a75
    Closes-Bug: #1735076

Changed in zun:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-zunclient 2.1.0

This issue was fixed in the openstack/python-zunclient 2.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/zun 2.0.0

This issue was fixed in the openstack/zun 2.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.