[CVE-2019-3895] Set image owner id

This patch ensures [controller_worker]/amp_image_owner_id is set. This
configuration option restricts Glance image selection to a specific
owner ID. This is a recommended security setting.

Closes-Bug: #1830607

Change-Id: I14b69b9fb5234cf79a4d7e85de5f16df5ef7f7a2
(cherry picked from commit e7c5eab712)
This commit is contained in:
Carlos Goncalves 2019-05-13 13:37:12 +02:00
parent 71c099f209
commit 728e59ed5e
4 changed files with 62 additions and 6 deletions

View File

@ -69,6 +69,7 @@
ca_private_key_path: "{{ ca_private_key_path }}"
ca_passphrase: "{{ ca_passphrase }}"
client_cert_path: "{{ client_cert_path }}"
auth_project_name: "{{ auth_project_name }}"
environment:
OS_USERNAME: "{{ os_username }}"
OS_USER_DOMAIN_NAME: "Default"

View File

@ -41,3 +41,15 @@
src: "manager-post-deploy.conf.j2"
selevel: s0
setype: svirt_sandbox_file_t
- name: gather facts about the service project
shell: |
openstack project show "{{ auth_project_name }}" -c id -f value
register: project_id_result
- name: setting [controller_worker]/amp_image_owner_id
become: true
become_user: root
ini_file:
path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf"
section: controller_worker
option: amp_image_owner_id
value: "{{ project_id_result.stdout }}"

View File

@ -19,13 +19,38 @@
amphora_image: "{{ (image_file_result.stat.path | basename | splitext)[0] }}"
when: amphora_image is not defined and image_file_result.stat.exists and not symlnk_check.stat.islnk
- name: check there an image in glance already
- name: gather facts about the service project
shell: |
openstack image show {{ amphora_image }} -c checksum -f value
openstack project show "{{ auth_project_name }}" -c id -f value
register: project_id_result
- name: check there's an image in glance already
shell: |
openstack image list --property owner={{ project_id_result.stdout }} --private --name {{ amphora_image }} -c ID -f value
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
register: glance_id_result
ignore_errors: true
- name: set image id fact
set_fact:
image_id: "{{ glance_id_result.stdout }}"
when: glance_id_result.rc == 0
- name: get checksum if there's an image in glance already
shell: |
openstack image show {{ glance_id_result.stdout }} -c checksum -f value
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
when: image_id is defined
register: glance_results
ignore_errors: true
- name: get md5 from glance if image already exists there
- name: set current_md5 fact from glance if image already exists there
set_fact:
current_md5: "{{ glance_results.stdout }}"
when: glance_results.rc == 0
@ -37,10 +62,14 @@
- name: move existing image if the names match and the md5s are not the same
shell: |
ts=`openstack image show {{ amphora_image }} -f value -c created_at`
ts=`openstack image show {{ image_id }} -f value -c created_at`
ts=${ts//:/}
ts=${ts//-/}
openstack image set {{ amphora_image }} --name "{{ amphora_image }}_$ts"
openstack image set {{ image_id }} --name "{{ amphora_image }}_$ts"
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
when: replace_image is defined and replace_image
- name: decide whether to upload new image
@ -73,7 +102,11 @@
--container-format bare --tag {{ amp_image_tag }} \
--file {{ raw_filename|default(image_filename) }} \
--property hw_architecture={{ amp_hw_arch }} \
{{ amphora_image }}
--private {{ amphora_image }}
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
register: image_result
changed_when: "image_result.stdout != ''"
when: image_file_result.stat.exists and upload_image is defined

View File

@ -0,0 +1,10 @@
---
security:
- |
Fixed a vulnerability where an attacker may cause new Octavia amphorae to
run based on any arbitrary image (CVE-2019-3895).
fixes:
- |
Ensure [controller_worker]/amp_image_owner_id is set. This configuration
option restricts Glance image selection to a specific owner ID. This is a
recommended security setting.