[CVE-2019-3895] Set image owner id

This patch ensures [controller_worker]/amp_image_owner_id is set. This configuration option restricts Glance image selection to a specific owner ID. This is a recommended security setting. Closes-Bug: #1830607 Change-Id: I14b69b9fb5234cf79a4d7e85de5f16df5ef7f7a2 (cherry picked from commit e7c5eab712) (cherry picked from commit 728e59ed5e) (cherry picked from commit 375192b136)
2019-05-13 13:37:12 +02:00 · 2019-05-13 13:37:12 +02:00 · a80f1b0320
parent 6aa7648e6a
commit a80f1b0320
4 changed files with 62 additions and 6 deletions
--- a/playbooks/octavia-files.yaml
+++ b/playbooks/octavia-files.yaml
@ -67,6 +67,7 @@
    ca_private_key_path: "{{ ca_private_key_path }}"
    ca_passphrase: "{{ ca_passphrase }}"
    client_cert_path: "{{ client_cert_path }}"
+    auth_project_name: "{{ auth_project_name }}"
  environment:
    OS_USERNAME: "{{ os_username }}"
    OS_USER_DOMAIN_NAME: "Default"
--- a/playbooks/roles/octavia-controller-config/tasks/octavia.yml
+++ b/playbooks/roles/octavia-controller-config/tasks/octavia.yml
@ -27,3 +27,15 @@
    template:
      dest: "{{octavia_confd_prefix}}/etc/octavia/conf.d/octavia-health-manager/manager-post-deploy.conf"
      src: "manager-post-deploy.conf.j2"
+  - name: gather facts about the service project
+    shell: |
+      openstack project show "{{ auth_project_name }}" -c id -f value
+    register: project_id_result
+  - name: setting [controller_worker]/amp_image_owner_id
+    become: true
+    become_user: root
+    ini_file:
+      path: "{{ octavia_confd_prefix }}/etc/octavia/conf.d/common/post-deploy.conf"
+      section: controller_worker
+      option: amp_image_owner_id
+      value: "{{ project_id_result.stdout }}"
--- a/playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml
+++ b/playbooks/roles/octavia-undercloud/tasks/image_mgmt.yml
@ -19,13 +19,38 @@
      amphora_image: "{{ (image_file_result.stat.path | basename | splitext)[0] }}"
    when: amphora_image is not defined and image_file_result.stat.exists and not symlnk_check.stat.islnk

-  - name: check there an image in glance already
+  - name: gather facts about the service project
    shell: |
-      openstack image show {{ amphora_image }} -c checksum -f value
+      openstack project show "{{ auth_project_name }}" -c id -f value
+    register: project_id_result
+
+  - name: check there's an image in glance already
+    shell: |
+      openstack image list --property owner={{ project_id_result.stdout }} --private --name {{ amphora_image }} -c ID -f value
+    environment:
+      OS_USERNAME: "{{ auth_username }}"
+      OS_PASSWORD: "{{ auth_password }}"
+      OS_PROJECT_NAME: "{{ auth_project_name }}"
+    register: glance_id_result
+    ignore_errors: true
+
+  - name: set image id fact
+    set_fact:
+      image_id: "{{ glance_id_result.stdout }}"
+    when: glance_id_result.rc == 0
+
+  - name: get checksum if there's an image in glance already
+    shell: |
+      openstack image show {{ glance_id_result.stdout }} -c checksum -f value
+    environment:
+      OS_USERNAME: "{{ auth_username }}"
+      OS_PASSWORD: "{{ auth_password }}"
+      OS_PROJECT_NAME: "{{ auth_project_name }}"
+    when: image_id is defined
    register: glance_results
    ignore_errors: true

-  - name: get md5 from glance if image already exists there
+  - name: set current_md5 fact from glance if image already exists there
    set_fact:
      current_md5: "{{ glance_results.stdout }}"
    when: glance_results.rc == 0
@ -37,10 +62,14 @@

  - name: move existing image if the names match and the md5s are not the same
    shell: |
-      ts=`openstack image show {{ amphora_image }} -f value -c created_at`
+      ts=`openstack image show {{ image_id }} -f value -c created_at`
      ts=${ts//:/}
      ts=${ts//-/}
-      openstack image set {{ amphora_image }} --name "{{ amphora_image }}_$ts"
+      openstack image set {{ image_id }} --name "{{ amphora_image }}_$ts"
+    environment:
+      OS_USERNAME: "{{ auth_username }}"
+      OS_PASSWORD: "{{ auth_password }}"
+      OS_PROJECT_NAME: "{{ auth_project_name }}"
    when: replace_image is defined and replace_image

  - name: decide whether to upload new image
@ -73,7 +102,11 @@
        --container-format bare --tag {{ amp_image_tag }} \
        --file {{ raw_filename|default(image_filename) }} \
        --property hw_architecture={{ amp_hw_arch }} \
-        {{ amphora_image }}
+        --private {{ amphora_image }}
+    environment:
+      OS_USERNAME: "{{ auth_username }}"
+      OS_PASSWORD: "{{ auth_password }}"
+      OS_PROJECT_NAME: "{{ auth_project_name }}"
    register: image_result
    changed_when: "image_result.stdout != ''"
    when: image_file_result.stat.exists and upload_image is defined
--- a/releasenotes/notes/octavia-set-image-owner-id-adb197d5daae54f1.yaml
+++ b/releasenotes/notes/octavia-set-image-owner-id-adb197d5daae54f1.yaml
@ -0,0 +1,10 @@
+---
+security:
+  - |
+    Fixed a vulnerability where an attacker may cause new Octavia amphorae to
+    run based on any arbitrary image (CVE-2019-3895).
+fixes:
+  - |
+    Ensure [controller_worker]/amp_image_owner_id is set. This configuration
+    option restricts Glance image selection to a specific owner ID. This is a
+    recommended security setting.