[security-guide]Update the content of the signed image validation

Change-Id: Ic30b51c502a33551148320231d4e21974aedf5df
Closes-Bug: #1548470
chen-xing
2016-03-03 16:02:43 +08:00
committed by Joel Coffman
parent 179a4b6fa9
commit b888977115


@@ -204,26 +204,28 @@ refer to the following section on Image Provenance.
Image provenance and validation Image provenance and validation
------------------------------- -------------------------------
Unfortunately, it is not currently possible to force Compute to As of the Mitaka release, the Compute service supports instance
validate an image hash immediately prior to starting an instance. signature validation just before starting an instance. The following
To understand the situation, we begin with a brief overview of how paragraph describes how images are typically handled (without
images are handled around the time of image launch. signature validation) when an instance is launched.
Images come from the glance service to the nova service on a node. Images come from the Image service to the Compute service on a node.
This transfer should be protected by running over TLS. Once the image This transfer should be protected by running over TLS. Once the image
is on the node, it is verified with a basic checksum and then it's is on the node, it is verified with a basic checksum and then its
disk is expanded based on the size of the instance being launched. If, disk is expanded based on the size of the instance being launched. If,
at a later time, the same image is launched with the same instance at a later time, the same image is launched with the same instance
size on this node, it will be launched from the same expanded image. size on this node, it is launched from the same expanded image.
Since this expanded image is not re-verified before launching, it Since this expanded image is not re-verified by default before
could be tampered with and the user would not have any way of knowing, launching, it is possible that it has undergone tampering. The user
beyond a manual inspection of the files in the resulting image. would not be aware of tampering, unless a manual inspection of the
files is performed in the resulting image.
We hope that future versions of Compute and/or the Image service will For additional security of images, you can enable instance signature
offer support for validating the image hash before each instance verification by setting the ``verify_glance_signatures`` flag to
launch. An alternative option that would be even more powerful would ``True`` in the ``/etc/nova/nova.conf`` file. When enabled, the Compute
be allow users to sign an image and then have the signature validated service automatically validates the signed instance prior to its launch.
when the instance is launched. For more information, see `Adding Signed Images <http://docs.openstack.org/openstack-ops/content/user_facing_images.html>`_
in the Operations Guide.
Instance migrations Instance migrations
~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~
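Review bot: the new paragraphs call the feature "instance signature validation" and say the Compute service "validates the signed instance", which does not match the section heading "Image provenance and validation" or the linked "Adding Signed Images" page; what ``verify_glance_signatures`` checks is the signature on the image that comes from the Image service, so suggest "image signature validation" and "validates the image signature before launching the instance". The replacement sentence "Since this expanded image is not re-verified by default before launching" also implies that enabling the flag makes the locally expanded copy re-verified on later launches, but nothing in the hunk states whether the check covers that cached expanded image or only the image as transferred from the Image service; the paragraph should say at which point the signature is checked so readers do not overestimate the protection against the tampering scenario described just above it.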