On Wed, Jan 27, 2016 at 08:32:58AM -0430, Flavio Percoco wrote:
> On 27/01/16 08:20 -0430, Flavio Percoco wrote:
> >On 26/01/16 09:11 +0000, Daniel P. Berrange wrote:
> >>On Sun, Jan 24, 2016 at 12:00:16AM +0200, Duncan Thomas wrote:
> >>>I guess my wisdom would be 'why'? What does this enable you to do that you
> >>>couldn't do with similar ease with the formats we have, and are people
> >>>trying to do that frequently?
> >>>
> >>>We've seen in cinder that image formats have a definite security surface to
> >>>them, and with glance adding arbitrary conversion pipelines, that surface
> >>>is going to increase with every format we add. This should mean we tend
> >>>towards being increasingly conservative, I think.
> >>
> >>Safely extracting tar file contents to create a disk image to run the VM
> >>from is particularly non-trivial. There have been many security flaws in
> >>the past with apps doing tar file unpacking in this kind of scenario. For
> >>example, Docker has had not one, but *three* vulnerabilities in this area:
> >>CVE-2014-6407, CVE-2014-9356, and CVE-2014-9357. So unless there is a
> >>pretty compelling reason, I'd suggest we stay away from supporting tar
> >>as an image format, and require traditional image formats where we can
> >>treat the file payload as an opaque blob and thus avoid all these file
> >>processing risks.
> >
> >++
> >
> >From a Glance perspective, there wouldn't be much to do and most of the
> >security issues would live in the Ironic side. However, as a community, I
> >think we should send a clear message and protect our users and, in this
> >case, the best way is to avoid adding this format as supported.
> >
> >In future works (image conversions and whatnot) this could impact Glance as
> >well.
>
> It was brought to my attention (thanks Erno) that we support OVA already. This
> means we're basically exposed to the above already, as the OVA container is a
> tarball anyway.
>
> Glance protects itself from this by either not doing anything to the image or
> isolating operations on the image to specific workers (of course, this goes in
> addition to other security measures).
>
> The difference, though, is that OVA files are a known container format for
> images, whereas tar.gz isn't.
NB nova doesn't do anything with OVA files either. IIRC, the only virt driver
that supports them is VMWare, and Nova just passes the file through as-is to
VMWare for processing. For libvirt / KVM we don't support OVA files at all,
partly because we don't want to be in the business of unpacking them and
turning them into disk images ourselves.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
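The thread's point that safe tar unpacking is non-trivial is concrete enough to show. What follows is an added example, not code from this thread nor from Glance, Nova, Ironic or Docker: a Python checker that audits every tar member against the extraction root before handing it to `tarfile.extract()`, rejecting absolute names, `..` traversal, symlinks and hardlinks whose target resolves outside the root, and device nodes. The archive it runs over is constructed in memory purely for illustration; the member names (`disk/root.img`, `disk/escape`, and so on) are made up.

```python
"""Audit tar members against a destination directory before extracting.

Added example (not from the mailing-list thread or any OpenStack project).
Each member is checked, in archive order, for the classic unpacking hazards:
  * absolute names and '..' traversal that escape the destination,
  * symlinks / hardlinks whose target resolves outside the destination,
  * device nodes and other special files.
The sample archive is constructed in memory for illustration only.
"""
import io
import os
import tarfile
import tempfile
from typing import List, Tuple


class UnsafeMember(Exception):
    """Raised when a tar member would escape or subvert the destination."""


def _resolve_inside(root: str, rel: str) -> str:
    """Real path of root/rel; raise unless it stays under root.

    realpath follows symlinks that already exist on disk (so a file laid down
    through an earlier extracted symlink is caught) and normalises '..'
    components for paths that do not exist yet.
    """
    target = os.path.realpath(os.path.join(root, rel))
    if target != root and not target.startswith(root + os.sep):
        raise UnsafeMember(f"{rel!r} resolves to {target!r}, outside {root!r}")
    return target


def check_member(root: str, m: tarfile.TarInfo) -> None:
    """Raise UnsafeMember unless extracting m into root is safe."""
    if os.path.isabs(m.name):
        raise UnsafeMember(f"absolute member name {m.name!r}")
    _resolve_inside(root, m.name)
    if m.issym():
        # A symlink target is interpreted relative to the link's own directory.
        if os.path.isabs(m.linkname):
            raise UnsafeMember(f"symlink {m.name!r} has absolute target {m.linkname!r}")
        _resolve_inside(root, os.path.join(os.path.dirname(m.name), m.linkname))
    elif m.islnk():
        # A hardlink target is interpreted relative to the archive root.
        _resolve_inside(root, m.linkname)
    elif not (m.isfile() or m.isdir()):
        raise UnsafeMember(f"special file {m.name!r} (type {m.type!r})")


def safe_extractall(data: bytes, dest: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Extract only members that pass check_member; return (extracted, rejected)."""
    root = os.path.realpath(dest)
    extracted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    # Where tarfile has its own extraction filters (Python 3.12+ and the
    # security backports), switch them off so the checks above are what
    # decides here; in production keep filter="data" and treat these as
    # defence in depth.
    kw = {"filter": "fully_trusted"} if hasattr(tarfile, "fully_trusted_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        for m in tar:
            try:
                check_member(root, m)
            except UnsafeMember as exc:
                rejected.append((m.name, str(exc)))
                continue
            tar.extract(m, root, set_attrs=False, **kw)
            extracted.append(m.name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed archive: two benign members plus five classic attacks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes = b"x") -> None:
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))

        def add_link(name: str, linkname: str, ltype: bytes) -> None:
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname = ltype, linkname
            tar.addfile(ti)

        add_file("disk/root.img", b"benign image payload")
        add_link("disk/alias", "root.img", tarfile.SYMTYPE)           # stays inside
        add_file("../outside.txt")                                    # '..' traversal
        add_file("/etc/cron.d/backdoor")                              # absolute name
        add_link("disk/escape", "../../etc/shadow", tarfile.SYMTYPE)  # escapes via link dir
        add_link("disk/hard", "/etc/passwd", tarfile.LNKTYPE)         # hardlink outside
        dev = tarfile.TarInfo("dev/sda")                              # block device node
        dev.type, dev.devmajor, dev.devminor = tarfile.BLKTYPE, 8, 0
        tar.addfile(dev)
    return buf.getvalue()


def demo() -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run the checker over the sample archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as dest:
        return safe_extractall(build_sample_archive(), dest)


if __name__ == "__main__":
    ok, bad = demo()
    print("extracted:", ok)
    for name, why in bad:
        print(f"rejected {name!r}: {why}")
```

Two of the seven members survive; the other five are each rejected for a different reason, which is the point: a correct unpacker has to get every one of these cases right, in order, on every extraction. Python 3.12 (and the security backports to 3.8 through 3.11) ships equivalent checks as `tarfile`'s `filter="data"`, but the simpler position the thread argues for still holds for an image service: treat the payload as an opaque blob and never unpack it at all.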