
[CVE-2019-3895] Set image owner id

This patch ensures [controller_worker]/amp_image_owner_id is set. This
configuration option restricts Glance image selection to a specific
owner ID. This is a recommended security setting.

Closes-Bug: #1830607

Change-Id: I14b69b9fb5234cf79a4d7e85de5f16df5ef7f7a2
(cherry picked from commit e7c5eab712)
(cherry picked from commit 728e59ed5e)
(cherry picked from commit 375192b136)
changes/03/663003/1
Carlos Goncalves 2 years ago
parent
commit
a80f1b0320
  1. 1
      playbooks/octavia-files.yaml
  2. 12
      playbooks/roles/octavia-controller-config/tasks/octavia.yml
  3. 45
      playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml
  4. 10
      releasenotes/notes/octavia-set-image-owner-id-adb197d5daae54f1.yaml

1
playbooks/octavia-files.yaml

@ -67,6 +67,7 @@
ca_private_key_path: "{{ ca_private_key_path }}"
ca_passphrase: "{{ ca_passphrase }}"
client_cert_path: "{{ client_cert_path }}"
auth_project_name: "{{ auth_project_name }}"
environment:
OS_USERNAME: "{{ os_username }}"
OS_USER_DOMAIN_NAME: "Default"

12
playbooks/roles/octavia-controller-config/tasks/octavia.yml

@ -27,3 +27,15 @@
template:
dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
src: "manager-post-deploy.conf.j2"
- name: gather facts about the service project
shell: |
openstack project show "{{ auth_project_name }}" -c id -f value
register: project_id_result
- name: setting [controller_worker]/amp_image_owner_id
become: true
become_user: root
ini_file:
path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf"
section: controller_worker
option: amp_image_owner_id
value: "{{ project_id_result.stdout }}"
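Review bot: The `project show` output is written straight into `amp_image_owner_id` on the last line of the hunk without checking that it is non-empty, so a command that exits 0 with no output would set an empty owner id and silently leave the image restriction this fix depends on ineffective. Add `changed_when: false` and `failed_when: project_id_result.rc != 0 or project_id_result.stdout | trim == ''` to the gather task, and use `value: "{{ project_id_result.stdout | trim }}"` so a trailing newline cannot end up in the ini value. The same gather task is duplicated in playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml and would benefit from the same guard. The new task also runs without the `environment:` block of OS_* credentials that the image_mgmt.yml tasks carry; unless this role inherits them at play level, the lookup will run with whatever credentials happen to be in the environment.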

45
playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml

@ -19,13 +19,38 @@
amphora_image: "{{ (image_file_result.stat.path | basename | splitext)[0] }}"
when: amphora_image is not defined and image_file_result.stat.exists and not symlnk_check.stat.islnk
- name: check there an image in glance already
- name: gather facts about the service project
shell: |
openstack image show {{ amphora_image }} -c checksum -f value
openstack project show "{{ auth_project_name }}" -c id -f value
register: project_id_result
- name: check there's an image in glance already
shell: |
openstack image list --property owner={{ project_id_result.stdout }} --private --name {{ amphora_image }} -c ID -f value
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
register: glance_id_result
ignore_errors: true
- name: set image id fact
set_fact:
image_id: "{{ glance_id_result.stdout }}"
when: glance_id_result.rc == 0
- name: get checksum if there's an image in glance already
shell: |
openstack image show {{ glance_id_result.stdout }} -c checksum -f value
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
when: image_id is defined
register: glance_results
ignore_errors: true
- name: get md5 from glance if image already exists there
- name: set current_md5 fact from glance if image already exists there
set_fact:
current_md5: "{{ glance_results.stdout }}"
when: glance_results.rc == 0
@ -37,10 +62,14 @@
- name: move existing image if the names match and the md5s are not the same
shell: |
ts=`openstack image show {{ amphora_image }} -f value -c created_at`
ts=`openstack image show {{ image_id }} -f value -c created_at`
ts=${ts//:/}
ts=${ts//-/}
openstack image set {{ amphora_image }} --name "{{ amphora_image }}_$ts"
openstack image set {{ image_id }} --name "{{ amphora_image }}_$ts"
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
when: replace_image is defined and replace_image
- name: decide whether to upload new image
@ -73,7 +102,11 @@
--container-format bare --tag {{ amp_image_tag }} \
--file {{ raw_filename|default(image_filename) }} \
--property hw_architecture={{ amp_hw_arch }} \
{{ amphora_image }}
--private {{ amphora_image }}
environment:
OS_USERNAME: "{{ auth_username }}"
OS_PASSWORD: "{{ auth_password }}"
OS_PROJECT_NAME: "{{ auth_project_name }}"
register: image_result
changed_when: "image_result.stdout != ''"
when: image_file_result.stat.exists and upload_image is defined
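Review bot: `set image id fact` in the first hunk guards only on `glance_id_result.rc == 0`, but `openstack image list` exits 0 with empty output when nothing matches, so `image_id` is then set to an empty string and the `when: image_id is defined` guard on the checksum task no longer prevents an `openstack image show` with a blank id; the move task in the second hunk interpolates `{{ image_id }}` the same way. Tighten the condition to `when: glance_id_result.rc == 0 and glance_id_result.stdout | trim != ''`, and consider `glance_id_result.stdout_lines | first` if two private images could share a name, since a multi-line stdout would also break the later commands. Separately, the new `gather facts about the service project` task is the only one in this hunk without the `environment:` OS_* credential block its neighbours set; unless the play provides them, the project lookup runs with different credentials than the image queries that consume its result.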

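--- /dev/null
+++ b/releasenotes/notes/octavia-set-image-owner-id-adb197d5daae54f1.yaml
@@ -0,0 +1,10 @@
+---
+security:
+- |
+Fixed a vulnerability where an attacker may cause new Octavia amphorae to
+run based on any arbitrary image (CVE-2019-3895).
+fixes:
+- |
+Ensure [controller_worker]/amp_image_owner_id is set. This configuration
+option restricts Glance image selection to a specific owner ID. This is a
+recommended security setting.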