openstack/ironic
Code Issues Proposed changes
9550eca761
ironic/doc/source/install
History
Julia Kreger c996aafa6d CVE-2024-44982: Harden all image handling and conversion code 
It was recently learned by the OpenStack community that running qemu-img
on untrusted images without a format pre-specified can present a
security risk. Furthermore, some of these specific image formats have
inherently unsafe features. This is rooted in how qemu-img operates
where all image drivers are loaded and attempt to evaluate the input data.
This can result in several different vectors which this patch works to
close.

This change imports the qemu-img handling code from Ironic-Lib into
Ironic, and image format inspection code, which has been developed by
the wider community to validate general safety of images before converting
them for use in a deployment.

This patch contains functional changes related to the hardening of these
calls including how images are handled, and updates documentation to
provide context and guidance to operators.

Closes-Bug: 2071740
Change-Id: I7fac5c64f89aec39e9755f0930ee47ff8f7aed47
Signed-off-by: Julia Kreger <juliaashleykreger@gmail.com>
2024-09-04 15:18:58 -07:00
..
include [codespell] Fixing Spelling Mistakes 2024-02-12 19:58:56 +00:00
refarch Link to configuration options 2024-08-09 18:45:51 +01:00
standalone [codespell] Fixing Spelling Mistakes 2024-02-12 19:58:56 +00:00
advanced.rst Stop documenting netboot and the boot_option capability 2022-08-01 16:36:25 +02:00
configdrive.rst Docs: replace nova cli calls with openstack 2022-06-16 11:41:44 +12:00
configure-cleaning.rst Delete unavailable py2 package 2021-05-10 09:47:52 +00:00
configure-compute.rst Delete unavailable py2 package 2021-05-10 09:47:52 +00:00
configure-esp.rst Decompose the Redfish documentation 2024-06-13 12:37:11 +02:00
configure-glance-images.rst CVE-2024-44982: Harden all image handling and conversion code 2024-09-04 15:18:58 -07:00
configure-glance-swift.rst docs: use openstackdocstheme extlink extension 2019-10-08 11:12:05 +02:00
configure-identity.rst Policy json to yaml migration 2021-01-04 13:40:54 -08:00
configure-integration.rst Doc - IPv6 Provisioning 2020-04-02 17:26:48 +02:00
configure-ipmi.rst [codespell] Fixing Spelling Mistakes 2024-02-12 19:58:56 +00:00
configure-ipv6-networking.rst Link to configuration options 2024-08-09 18:45:51 +01:00
configure-networking.rst [codespell] Fixing Spelling Mistakes 2024-02-12 19:58:56 +00:00
configure-nova-flavors.rst Update .rst files 2020-11-16 20:27:13 +13:00
configure-pxe.rst Link to configuration options 2024-08-09 18:45:51 +01:00
configure-tenant-networks.rst Link to configuration options 2024-08-09 18:45:51 +01:00
creating-images.rst Rework the user guide 2021-05-10 17:18:13 +02:00
deploy-ramdisk.rst devstack: use CentOS 9 for DIB IPA builds 2022-05-25 08:57:15 -07:00
enabling-drivers.rst Bye-bye iSCSI deploy, you served us well 2021-05-04 14:28:25 +02:00
enabling-https.rst Delete unavailable py2 package 2021-05-10 09:47:52 +00:00
enrollment.rst Better handle missing inspection_network 2024-08-22 15:32:22 +02:00
get_started.rst docs: use openstackdocstheme extlink extension 2019-10-08 11:12:05 +02:00
index.rst Rework the user guide 2021-05-10 17:18:13 +02:00
install-obs.rst Stop splitting installation docs per distros 2023-07-14 11:38:10 +02:00
install-rdo.rst Stop splitting installation docs per distros 2023-07-14 11:38:10 +02:00
install-ubuntu.rst Stop splitting installation docs per distros 2023-07-14 11:38:10 +02:00
install.rst Stop splitting installation docs per distros 2023-07-14 11:38:10 +02:00
next-steps.rst Move install guide into new doc/source/install location 2017-07-05 12:16:37 +01:00
setup-drivers.rst Decompose the Redfish documentation 2024-06-13 12:37:11 +02:00
standalone.rst Rework the user guide 2021-05-10 17:18:13 +02:00
troubleshooting.rst Remove all references to the "cpus" property 2023-03-28 11:53:26 +02:00