e303a369dc
When IPA gets a non-raw image, it performs an on-the-fly conversion using qemu-img convert, as well as running qemu-img frequently to get basic information about the image before validating it. Now, we ensure that before any qemu-img calls are made, that we have inspected the image for safety and pass through the detected format. If given a disk_format=raw image and image streaming is enabled (default), we retain the existing behavior of not inspecting it in any way and streaming it bit-perfect to the device. In this case, we never use qemu-based tools on the image at all. If given a disk_format=raw image and image streaming is disabled, this change fixes a bug where the image may have been converted if it was not actually raw in the first place. We now stream these bit-perfect to the device. Adds two config options: - [DEFAULT]/disable_deep_image_inspection, which can be set to "True" in order to disable all security features. Do not do this. - [DEFAULT]/permitted_image_formats, default raw,qcow2, for image types IPA should accept. Both of these configuration options are wired up to be set by the lookup data returned by Ironic at lookup time. This uses a image format inspection module imported from Nova; this inspector will eventually live in oslo.utils, at which point we'll migrate our usage of the inspector to it. Closes-Bug: #2071740 Change-Id: I5254b80717cb5a7f9084e3eff32a00b968f987b7
49 lines
2.5 KiB
YAML
49 lines
2.5 KiB
YAML
---
|
|
security:
|
|
- |
|
|
Ironic-Python-Agent now checks any supplied image format value against
|
|
the detected format of the image file and will prevent deployments should
|
|
the values mismatch.
|
|
- |
|
|
Images previously misconfigured as raw despite being in another format,
|
|
in some non-default configurations, may have been mistakenly converted if
|
|
needed. Ironic-Python-Agent will no longer perform conversion in any case
|
|
for images with metadata indicating in raw format.
|
|
- |
|
|
Ironic-Python-Agent *always* inspects any non-raw user image content for
|
|
safety before running any qemu-based utilities on the image. This is
|
|
utilized to identify the format of the image and to verify the overall
|
|
safety of the image. Any images with unknown or unsafe feature uses are
|
|
explicitly rejected. This can be disabled in both IPA and Ironic by setting
|
|
``[conductor]disable_deep_image_inspection`` to ``True`` for the Ironic
|
|
deployment. Image inspection is the primary mitigation for CVE-2024-44082
|
|
being tracked in
|
|
`bug 2071740 <https://bugs.launchpad.net/ironic-python-agent/+bug/2071740>`_.
|
|
Operators may desire to set
|
|
``[conductor]conductor_always_validates_images`` on Ironic conductors to
|
|
mitigate the issue before they have upgraded their Ironic-Python-Agent.
|
|
- |
|
|
Ironic-Python-Agent now explicitly enforces a list of permitted image
|
|
types for deployment, defaulting to "raw" and "qcow2". Other image types
|
|
may work, but are not explicitly supported and must be enabled. This can
|
|
be modified by setting ``[conductor]permitted_image_formats`` for all
|
|
Ironic services.
|
|
fixes:
|
|
- |
|
|
Fixes multiple issues in the handling of images as it related to
|
|
execution of the ``qemu-img`` utility. When using this utility to convert
|
|
an unsafe image, a malicious user can extract information from a node
|
|
while Ironic-Python-Agent is deploying or converting an image.
|
|
Ironic-Python-Agent now inspects all non-raw images for safety, and never
|
|
runs qemu-based utilities on raw images. This fix is tracked as
|
|
CVE-2024-44082 and `bug 2071740 <https://bugs.launchpad
|
|
.net/ironic-python-agent/+bug/2071740>`_.
|
|
- |
|
|
Images with metadata indicating a "raw" disk format may have been
|
|
transparently converted from another format. Now, these images will have
|
|
their exact contents imaged to disk without modification.
|
|
upgrade:
|
|
- |
|
|
Deployers implementing their own ``HardwareManagers`` must to audit
|
|
their code for unsafe uses of `qemu-img` and related methods.
|