On 27/01/16 08:20 -0430, Flavio Percoco wrote:
On 26/01/16 09:11 +0000, Daniel P. Berrange wrote:
On Sun, Jan 24, 2016 at 12:00:16AM +0200, Duncan Thomas wrote:
I guess my wisdom would be 'why'? What does this enable you to do that you
couldn't do with similar ease with the formats we have and are people
trying to do that frequently.

We've seen in cinder that image formats have a definite security surface to
them, and with glance adding arbitrary conversion pipelines, that surface
is going to increase with every format we add. This should mean we tend
towards being increasingly conservative I think.

Safely extracting tar file contents to create a disk image to run the VM
from is particularly non-trivial. There have been many security flaws in
the past with apps doing tar file unpacking in this kind of scenario. For
example, Docker has had not one, but *three* vulnerabilities in this area
CVE-2014-6407, CVE-2014-9356, and CVE-2014-9357. So unless there is a
pretty compelling reason, I'd suggest we stay away from supporting tar
as an image format, and require traditional image formats where we can
treat the file payload as an opaque blob and thus avoid all these file
processing risks.

++

From a Glance perspective, there wouldn't be much to do and most of the security
issues would live in the Ironic side. However, as a community, I think we should
send a clear message and protect our users and, in this case, the best way is to
avoid adding this format as supported.

In future works (image conversions and whatnot) this could impact Glance as well.

It was brought to my attention (thanks Erno) that we support OVA already. This
means we're basically exposed to the above already as the OVA container is a
tarball anyway.

Glance protects itself from this by either not doing anything to the image or
isolating operations on the image to specific workers (of course, this goes in
addition to other security measures).

The difference, though, is that OVA files are a known container format for
images, whereas tar.gz isn't.

Flavio
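The hazard Daniel describes above (unpacking an untrusted tarball into a directory that will back a VM disk) comes down to deciding, per archive member, whether it is allowed to be written at all before anything touches the filesystem. The following is an added example, not code from Glance, Ironic or anyone in this thread: an allow-list vetter that scans a tar archive in memory and reports every member that is a link or special file, has an absolute name, or would normalize to a path outside the destination, plus a cap on total unpacked bytes. The destination path `/srv/extract`, the size cap and the fixture builder `build_tar` are assumptions made for the example.

```python
"""Allow-list vetting of tar members before extraction (POSIX paths).

Added example, not code from Glance, Ironic or this thread: it shows the
checks a service would run over an untrusted archive before unpacking it
into a directory that will back a VM disk. The destination path, the size
cap and the fixture builder are assumptions made for the example.
"""
import io
import posixpath
import tarfile

MAX_TOTAL_BYTES = 64 * 1024 * 1024  # assumed cap on unpacked bytes (bomb guard)


def member_problem(info, dest):
    """Return None if `info` may be extracted under `dest`, else a reason.

    Policy: regular files and directories only (no symlinks, hardlinks,
    devices or FIFOs, since a link written first can redirect a later
    member outside `dest`), no absolute names, and the normalized target
    path must stay inside `dest`.
    """
    dest = posixpath.normpath(dest)
    if not (info.isfile() or info.isdir()):
        return "disallowed type (link/device/fifo)"
    if posixpath.isabs(info.name):
        return "absolute path"
    # Lexical normalization collapses any '..' segments; if the result is
    # no longer under dest, the member would land outside the tree.
    target = posixpath.normpath(posixpath.join(dest, info.name))
    if posixpath.commonpath([dest, target]) != dest:
        return "escapes destination"
    return None


def vet_archive(data, dest, max_total=MAX_TOTAL_BYTES):
    """Scan every member of an in-memory tar archive without extracting.

    Returns a list of (member name, reason) pairs; an empty list means the
    archive passed every check. Scanning the whole archive before writing
    anything means a rejected archive leaves nothing behind on disk.
    """
    problems = []
    total = 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for info in tar:
            reason = member_problem(info, dest)
            if reason is not None:
                problems.append((info.name, reason))
            total += info.size
            if total > max_total:
                problems.append((info.name, "unpacked size exceeds limit"))
                break
    return problems


def build_tar(entries):
    """Build a tar archive in memory from (name, kind, payload) triples.

    Constructed fixture so the checks above can be exercised offline;
    kind is 'file' (payload = contents), 'dir', or 'symlink' (payload =
    link target).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                body = payload.encode()
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
            elif kind == "dir":
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                raise ValueError(f"unknown kind {kind!r}")
    return buf.getvalue()


# Constructed fixtures: one well-formed image tree, one with the three
# member shapes the vetter is meant to catch.
CLEAN = [("disk", "dir", ""), ("disk/image.raw", "file", "hello")]
HOSTILE = CLEAN + [
    ("../escape", "file", "x"),          # parent traversal
    ("/abs/outside", "file", "x"),       # absolute name
    ("disk/link", "symlink", "/outside"),  # link that could redirect writes
]

if __name__ == "__main__":
    dest = "/srv/extract"  # assumed destination; nothing is written here
    print("clean  :", vet_archive(build_tar(CLEAN), dest))
    print("hostile:", vet_archive(build_tar(HOSTILE), dest))
```

The vetter deliberately refuses links outright rather than trying to validate their targets, because a link's safety depends on the order in which members are written, which is exactly the class of bug behind the Docker CVEs cited above. On Python 3.12 and later the standard library's `tarfile.data_filter` (PEP 706) applies comparable rules at extraction time; the explicit pre-scan shown here has the advantage of rejecting the whole archive before a single byte lands on disk.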

Cheers,
Flavio

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
@flaper87
Flavio Percoco



--
@flaper87
Flavio Percoco

Attachment: signature.asc
Description: PGP signature
