yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1314741] Re: Instance Lock should protect Snapshot

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: melanie witt <1314741@xxxxxxxxxxxxxxxxxx>
Date: Thu, 19 Jun 2014 20:54:12 -0000
Reply-to: Bug 1314741 <1314741@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: nova
   Importance: Medium => Undecided

** Changed in: nova
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1314741

Title:
  Instance Lock should protect Snapshot

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  The use of instance lock should be to prevent unwanted modification of
  the underlying VM. In the case of Trove, we are using it to help lock
  down instances to ensure integrity and protect secrets which are
  needed by the resident Trove Agent.  Even though we lock a machine,
  the end-user can still take a snapshot of the instance to create an
  image, then restore the image in an unrestricted manner.  Once they
  have access to this restored image, it can up the Trove Control Plane
  for compromise.  Simply adding a check_instance_lock around
  live_instance_snapshot and snapshot would be sufficient.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1314741/+subscriptions

References

[Bug 1314741] [NEW] Instance Lock should protect Snapshot
From: Justin Hopper, 2014-04-30