From a80f1b03203a4a13af7659be4a6e9e7651e216c0 Mon Sep 17 00:00:00 2001 From: Carlos Goncalves Date: Mon, 13 May 2019 13:37:12 +0200 Subject: [PATCH] [CVE-2019-3895] Set image owner id This patch ensures [controller_worker]/amp_image_owner_id is set. This configuration option restricts Glance image selection to a specific owner ID. This is a recommended security setting. Closes-Bug: #1830607 Change-Id: I14b69b9fb5234cf79a4d7e85de5f16df5ef7f7a2 (cherry picked from commit e7c5eab712e0f70ecbc6d225d4766e0fe0f3f884) (cherry picked from commit 728e59ed5e21e9c25dca27792d21f19d9bd2037f) (cherry picked from commit 375192b136e6dd2a92b4f80655a32390fe20d01b) --- playbooks/octavia-files.yaml | 1 + .../tasks/octavia.yml | 12 +++++ .../octavia-undercloud/tasks/image_mgmt.yml | 45 ++++++++++++++++--- ...a-set-image-owner-id-adb197d5daae54f1.yaml | 10 +++++ 4 files changed, 62 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/octavia-set-image-owner-id-adb197d5daae54f1.yaml diff --git a/playbooks/octavia-files.yaml b/playbooks/octavia-files.yaml index 70408bc94..ce7258dba 100644 --- a/playbooks/octavia-files.yaml +++ b/playbooks/octavia-files.yaml @@ -67,6 +67,7 @@ ca_private_key_path: "{{ ca_private_key_path }}" ca_passphrase: "{{ ca_passphrase }}" client_cert_path: "{{ client_cert_path }}" + auth_project_name: "{{ auth_project_name }}" environment: OS_USERNAME: "{{ os_username }}" OS_USER_DOMAIN_NAME: "Default" diff --git a/playbooks/roles/octavia-controller-config/tasks/octavia.yml b/playbooks/roles/octavia-controller-config/tasks/octavia.yml index ca015a7dd..6ecff82c3 100644 --- a/playbooks/roles/octavia-controller-config/tasks/octavia.yml +++ b/playbooks/roles/octavia-controller-config/tasks/octavia.yml @@ -27,3 +27,15 @@ template: dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf" src: "manager-post-deploy.conf.j2" + - name: gather facts about the service project + shell: | + openstack project show "{{ auth_project_name }}" -c id -f value + register: project_id_result + - name: setting [controller_worker]/amp_image_owner_id + become: true + become_user: root + ini_file: + path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf" + section: controller_worker + option: amp_image_owner_id + value: "{{ project_id_result.stdout }}" diff --git a/playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml b/playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml index 769940618..a30d56992 100644 --- a/playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml +++ b/playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml @@ -19,13 +19,38 @@ amphora_image: "{{ (image_file_result.stat.path | basename | splitext)[0] }}" when: amphora_image is not defined and image_file_result.stat.exists and not symlnk_check.stat.islnk - - name: check there an image in glance already + - name: gather facts about the service project shell: | - openstack image show {{ amphora_image }} -c checksum -f value + openstack project show "{{ auth_project_name }}" -c id -f value + register: project_id_result + + - name: check there's an image in glance already + shell: | + openstack image list --property owner={{ project_id_result.stdout }} --private --name {{ amphora_image }} -c ID -f value + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + register: glance_id_result + ignore_errors: true + + - name: set image id fact + set_fact: + image_id: "{{ glance_id_result.stdout }}" + when: glance_id_result.rc == 0 + + - name: get checksum if there's an image in glance already + shell: | + openstack image show {{ glance_id_result.stdout }} -c checksum -f value + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" + when: image_id is defined register: glance_results ignore_errors: true - - name: get md5 from glance if image already exists there + - name: set current_md5 fact from glance if image already exists there set_fact: current_md5: "{{ glance_results.stdout }}" when: glance_results.rc == 0 @@ -37,10 +62,14 @@ - name: move existing image if the names match and the md5s are not the same shell: | - ts=`openstack image show {{ amphora_image }} -f value -c created_at` + ts=`openstack image show {{ image_id }} -f value -c created_at` ts=${ts//:/} ts=${ts//-/} - openstack image set {{ amphora_image }} --name "{{ amphora_image }}_$ts" + openstack image set {{ image_id }} --name "{{ amphora_image }}_$ts" + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" when: replace_image is defined and replace_image - name: decide whether to upload new image @@ -73,7 +102,11 @@ --container-format bare --tag {{ amp_image_tag }} \ --file {{ raw_filename|default(image_filename) }} \ --property hw_architecture={{ amp_hw_arch }} \ - {{ amphora_image }} + --private {{ amphora_image }} + environment: + OS_USERNAME: "{{ auth_username }}" + OS_PASSWORD: "{{ auth_password }}" + OS_PROJECT_NAME: "{{ auth_project_name }}" register: image_result changed_when: "image_result.stdout != ''" when: image_file_result.stat.exists and upload_image is defined diff --git a/releasenotes/notes/octavia-set-image-owner-id-adb197d5daae54f1.yaml b/releasenotes/notes/octavia-set-image-owner-id-adb197d5daae54f1.yaml new file mode 100644 index 000000000..f8c82419d --- /dev/null +++ b/releasenotes/notes/octavia-set-image-owner-id-adb197d5daae54f1.yaml @@ -0,0 +1,10 @@ +--- +security: + - | + Fixed a vulnerability where an attacker may cause new Octavia amphorae to + run based on any arbitrary image (CVE-2019-3895). +fixes: + - | + Ensure [controller_worker]/amp_image_owner_id is set. This configuration + option restricts Glance image selection to a specific owner ID. This is a + recommended security setting.