Fix CVE-2022-38060
Closes-Bug: #1985784
Change-Id: I66476a2b396e2cbe41e68ac51f57aae1806b2ed8
(cherry picked from commit 5b1da01798)
This commit is contained in:
parent
bf43419734
commit
1011fc60c3
|
@ -93,27 +93,17 @@ Here is an example configuration file:
|
||||||
Passing the configuration file to the container
|
Passing the configuration file to the container
|
||||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
The configuration can be either passed via the ``KOLLA_CONFIG`` environment
|
The configuration to the container can be passed through a dedicated path:
|
||||||
variable or as a file bind-mounted into the container. When bind-mounting the
|
|
||||||
configuration file, the ``KOLLA_CONFIG_FILE`` environment variable controls
|
|
||||||
where the file is located in the container, the default path being
|
|
||||||
``/var/lib/kolla/config_files/config.json``.
|
``/var/lib/kolla/config_files/config.json``.
|
||||||
|
It is advised to ensure this path is mounted read-only for security reasons.
|
||||||
Passing the configuration file as environment variable:
|
|
||||||
|
|
||||||
.. code-block:: console
|
|
||||||
|
|
||||||
docker run -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS \
|
|
||||||
-e KOLLA_CONFIG='{ "command": "...", "permissions": [ { "path": "...", } ] }' \
|
|
||||||
kolla-image
|
|
||||||
|
|
||||||
Mounting the configuration file in the container:
|
Mounting the configuration file in the container:
|
||||||
|
|
||||||
.. code-block:: console
|
.. code-block:: console
|
||||||
|
|
||||||
docker run -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS \
|
docker run -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS \
|
||||||
-e KOLLA_CONFIG_FILE=/config.json \
|
-v /path/to/config.json:/var/lib/kolla/config_files/config.json:ro \
|
||||||
-v /path/to/config.json:/config.json kolla-image
|
kolla-image
|
||||||
|
|
||||||
.. _kolla_api_environment_variables:
|
.. _kolla_api_environment_variables:
|
||||||
|
|
||||||
|
@ -126,10 +116,6 @@ Variables to pass to the containers
|
||||||
The Kolla containers also understand some environment variables to change their
|
The Kolla containers also understand some environment variables to change their
|
||||||
behavior at runtime:
|
behavior at runtime:
|
||||||
|
|
||||||
* **KOLLA_CONFIG**: load kolla config from the environment, takes precedence
|
|
||||||
over ``KOLLA_CONFIG_FILE``.
|
|
||||||
* **KOLLA_CONFIG_FILE**: path to kolla json config file, defaults to
|
|
||||||
``/var/lib/kolla/config_files/config.json``.
|
|
||||||
* **KOLLA_CONFIG_STRATEGY** (required): Defines how the :ref:`kolla_start
|
* **KOLLA_CONFIG_STRATEGY** (required): Defines how the :ref:`kolla_start
|
||||||
script <kolla_api_external_config>` copies the configuration file. Must be
|
script <kolla_api_external_config>` copies the configuration file. Must be
|
||||||
one of:
|
one of:
|
||||||
|
|
|
@ -272,21 +272,8 @@ def validate_source(data):
|
||||||
|
|
||||||
|
|
||||||
def load_config():
|
def load_config():
|
||||||
def load_from_env():
|
|
||||||
config_raw = os.environ.get("KOLLA_CONFIG")
|
|
||||||
if config_raw is None:
|
|
||||||
return None
|
|
||||||
|
|
||||||
# Attempt to read config
|
|
||||||
try:
|
|
||||||
return json.loads(config_raw)
|
|
||||||
except ValueError:
|
|
||||||
raise InvalidConfig('Invalid json for Kolla config')
|
|
||||||
|
|
||||||
def load_from_file():
|
def load_from_file():
|
||||||
config_file = os.environ.get("KOLLA_CONFIG_FILE")
|
config_file = '/var/lib/kolla/config_files/config.json'
|
||||||
if not config_file:
|
|
||||||
config_file = '/var/lib/kolla/config_files/config.json'
|
|
||||||
LOG.info("Loading config file at %s", config_file)
|
LOG.info("Loading config file at %s", config_file)
|
||||||
|
|
||||||
# Attempt to read config file
|
# Attempt to read config file
|
||||||
|
@ -300,9 +287,7 @@ def load_config():
|
||||||
raise InvalidConfig(
|
raise InvalidConfig(
|
||||||
"Could not read file %s: %r" % (config_file, e))
|
"Could not read file %s: %r" % (config_file, e))
|
||||||
|
|
||||||
config = load_from_env()
|
config = load_from_file()
|
||||||
if config is None:
|
|
||||||
config = load_from_file()
|
|
||||||
|
|
||||||
LOG.info('Validating config file')
|
LOG.info('Validating config file')
|
||||||
validate_config(config)
|
validate_config(config)
|
||||||
|
|
|
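Review bot: The fixed path in `load_from_file` is a bare literal with no comment recording that it is deliberately not overridable, so nothing stops a later change from quietly reintroducing an environment lookup here; hoisting it to a module-level `CONFIG_FILE = '/var/lib/kolla/config_files/config.json'` used as `config_file = CONFIG_FILE`, with a why-comment such as `# Path is intentionally fixed: an environment-controlled config path combined with sudo -E was the CVE-2022-38060 issue`, keeps the rationale next to the code. The docs in this change advise mounting that path read-only, but `load_config` still performs no check on the file it reads; if the "single trusted path" guarantee in the release note is meant to hold on the code side, an `os.stat` check that the file is root-owned and not group/world-writable would be worth considering, and if not, a comment saying the trust comes from the mount is enough. The test hunk only removes `LoadFromEnv`; a test that sets both `KOLLA_CONFIG` and `KOLLA_CONFIG_FILE` in `os.environ` and asserts the default path is still opened would pin the fix against regression. The body of `load_config` between the two hunks is outside the shown lines.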
@ -6,6 +6,8 @@
|
||||||
# anyone in the kolla group may sudo -E (set the environment)
|
# anyone in the kolla group may sudo -E (set the environment)
|
||||||
Defaults: %kolla setenv
|
Defaults: %kolla setenv
|
||||||
|
|
||||||
|
Defaults secure_path="/var/lib/kolla/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
|
||||||
# root may run any commands via sudo as the network seervice user. This is
|
# root may run any commands via sudo as the network seervice user. This is
|
||||||
# neededfor database migrations of existing services which have not been
|
# neededfor database migrations of existing services which have not been
|
||||||
# converted to run as a non-root user, but instead do that via sudo -E glance
|
# converted to run as a non-root user, but instead do that via sudo -E glance
|
||||||
|
|
|
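Review bot: The new `Defaults secure_path=...` line carries no comment, while every other directive in this file explains who it affects and why; since this line is the fix named in the commit title, a comment such as `# Pin the PATH sudo uses so that the setenv default above cannot supply a different search path (CVE-2022-38060)` directly above it would keep the rationale with the rule, and placing it adjacent to the `setenv` default it constrains reads better than after the blank line. The first entry, `/var/lib/kolla/venv/bin`, is searched before the system directories, so the protection only holds if that directory and its contents are root-owned and not writable by the kolla group; this hunk cannot show that, so it is worth confirming in the image build and stating in the comment.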
@ -0,0 +1,16 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
Fixes CVE-2022-38060, a sudo privilege escalation vulnerability.
|
||||||
|
`LP#1985784 <https://launchpad.net/bugs/1889611>`__
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
To fix CVE-2022-38060, support for KOLLA_CONFIG and KOLLA_CONFIG_FILE
|
||||||
|
environment variables in kolla-built containers has been dropped.
|
||||||
|
Now, only the single trusted path of
|
||||||
|
``/var/lib/kolla/config_files/config.json`` will be utilised for loading
|
||||||
|
container config.
|
||||||
|
We believe this is a reasonable tradeoff as these environment variables
|
||||||
|
were not used by any known downstream and potential users in the wild
|
||||||
|
can easily adapt as this does not limit the functionality per se, only
|
||||||
|
making it stricter as to where the config can come from.
|
|
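Review bot: The Launchpad link on the `LP#1985784` line points at bug 1889611, which matches neither the number in its own link text nor the `Closes-Bug: #1985784` trailer of this commit; it should read `https://launchpad.net/bugs/1985784`. The upgrade note tells operators that only the single trusted path is now used, but the advice added to the docs in this same change — mount that path read-only — is not repeated here, and a one-sentence mirror of it would reach operators who read only release notes.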
@ -59,24 +59,6 @@ class LoadFromFile(base.BaseTestCase):
|
||||||
mock.call().__exit__(None, None, None)], mo.mock_calls)
|
mock.call().__exit__(None, None, None)], mo.mock_calls)
|
||||||
|
|
||||||
|
|
||||||
class LoadFromEnv(base.BaseTestCase):
|
|
||||||
|
|
||||||
def test_load_ok(self):
|
|
||||||
in_config = json.dumps({'command': '/bin/true',
|
|
||||||
'config_files': {}})
|
|
||||||
|
|
||||||
mo = mock.mock_open()
|
|
||||||
with mock.patch.object(set_configs, 'open', mo):
|
|
||||||
with mock.patch.dict('os.environ', {'KOLLA_CONFIG': in_config}):
|
|
||||||
config = set_configs.load_config()
|
|
||||||
set_configs.copy_config(config)
|
|
||||||
self.assertEqual([mock.call('/run_command', 'w+'),
|
|
||||||
mock.call().__enter__(),
|
|
||||||
mock.call().write('/bin/true'),
|
|
||||||
mock.call().__exit__(None, None, None)],
|
|
||||||
mo.mock_calls)
|
|
||||||
|
|
||||||
|
|
||||||
FAKE_CONFIG_FILES = [
|
FAKE_CONFIG_FILES = [
|
||||||
set_configs.ConfigFile(
|
set_configs.ConfigFile(
|
||||||
'/var/lib/kolla/config_files/bar.conf',
|
'/var/lib/kolla/config_files/bar.conf',
|
||||||
|
|