openstack/ironic
Code Issues Proposed changes
A service for managing and provisioning Bare Metal servers.
12,378 Commits 14 Branches 75 Tags 302 MiB
Python 98.1%
Shell 1.9%
188d436161
Go to file
Julia Kreger 188d436161 CVE-2024-44982: Harden all image handling and conversion code 
It was recently learned by the OpenStack community that running qemu-img
on un-trusted images without a format pre-specified can present a
security risk. Furthermore, some of these specific image formats have
inherently unsafe features. This is rooted in how qemu-img operates
where all image drivers are loaded and attempt to evaluate the input data.
This can result in several different vectors which this patch works to
close.

This change imports the qemu-img handling code from Ironic-Lib into
Ironic, and image format inspection code, which has been developed by
the wider community to validate general safety of images before converting
them for use in	a deployment.

This patch contains functional changes related to the hardening of these
calls including how images are handled, and updates documentation to
provide context and guidance to operators.

Closes-Bug: 2071740
Change-Id: I7fac5c64f89aec39e9755f0930ee47ff8f7aed47
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
2024-09-04 15:20:23 -07:00
api-ref Add missing include for inventory API reference 2023-02-23 18:38:19 +01:00
devstack ci: stable-only: explicitly pin centos build 2024-05-03 10:54:42 -07:00
doc CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:20:23 -07:00
etc Bye-bye iSCSI deploy, you served us well 2021-05-04 14:28:25 +02:00
ironic CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:20:23 -07:00
playbooks/ci-workarounds CI: Save routing table information for troubleshooting 2022-07-20 11:02:39 -07:00
redfish-interop-profiles Follow-up to Redfish Interop Profile 2022-11-30 12:08:56 -05:00
releasenotes CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:20:23 -07:00
tools Add ports statistics to tools/benchmark scripts 2022-11-18 15:55:25 +01:00
zuul.d ci: pin CI to dnsmasq 2.85 2024-03-05 17:03:01 +00:00
.gitignore Migrate to stestr as unit tests runner 2017-09-22 08:56:34 +00:00
.gitreview Update .gitreview for stable/2023.1 2023-03-09 16:41:42 +00:00
.mailmap Add my new address to .mailmap 2020-04-13 07:29:37 -07:00
.stestr.conf Migrate to stestr as unit tests runner 2017-09-22 08:56:34 +00:00
bindep.txt Drop python2 from bindep.txt 2022-06-10 20:42:46 +03:00
CONTRIBUTING.rst Project Contributing updates for Goal 2020-02-20 02:01:21 +00:00
driver-requirements.txt stable-only: pin proliantutils/scciclient to prevent break 2024-03-04 20:44:45 -08:00
LICENSE Added project infrastructure needs. 2013-05-02 14:55:43 -04:00
README.rst Add ironic-specs link to readme.rst 2019-08-30 17:16:09 +08:00
requirements.txt Get conductor metric data 2023-02-23 11:39:07 -08:00
setup.cfg [iRMC] identify BMC firmware version 2023-01-16 18:38:57 +09:00
setup.py setup.py: Remove 'py_modules' 2023-01-04 12:01:18 +00:00
test-requirements.txt Bump min version of testtools 2022-10-13 09:03:24 +02:00
tox.ini Update TOX_CONSTRAINTS_FILE for stable/2023.1 2023-03-09 16:41:44 +00:00

README.rst

Ironic

Team and repository tags

image

Overview

Ironic consists of an API and plug-ins for managing and provisioning physical machines in a security-aware and fault-tolerant manner. It can be used with nova as a hypervisor driver, or standalone service using bifrost. By default, it will use PXE and IPMI to interact with bare metal machines. Ironic also supports vendor-specific plug-ins which may implement additional functionality.

Ironic is distributed under the terms of the Apache License, Version 2.0. The full terms and conditions of this license are detailed in the LICENSE file.

Project resources

Project status, bugs, and requests for feature enhancements (RFEs) are tracked in StoryBoard: https://storyboard.openstack.org/#!/project/943

For information on how to contribute to ironic, see https://docs.openstack.org/ironic/latest/contributor