
yahoo-eng-team team mailing list archive

[Bug 1620629] Re: Octavia should filter an Amphora image from a specific tenant

 

** Information type changed from Private Security to Public Security

** Project changed: neutron => octavia

** Tags removed: lbaas

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1620629

Title:
  Octavia should filter an Amphora image from a specific tenant

Status in octavia:
  Triaged

Bug description:
  _extract_amp_image_id_by_tag[1] lists all images with the 'amphora' tag (or any other tag pre-defined in octavia.conf),
  sorts them by creation date and uses the newest one.

  Side note: at the time of filing this bug, it does not sort properly
  due to bug 1618921, but when the fix for bug 1618921 gets merged,
  this will be the case.

  For security reasons, _extract_amp_image_id_by_tag should also filter
  the images and use only images owned by a pre-defined tenant.

  Currently, any non-admin tenant can tag an image with the 'amphora' tag and set it to public=True.
  By doing that, Octavia will now use that newly added image starting from the next time a loadbalancer gets created for any tenant in that OpenStack setup.
  Now, if for example the newly created image contains some pre-defined credentials and/or ssh keys so it is accessible via ssh, and if we take into account that each amphora is also connected to the lb-mgmt network, that is exposing that mgmt network for unauthorized access.

  [1]
  https://github.com/openstack/octavia/blob/08570831754d9671fbd1756d668f55f191e47ca4/octavia/compute/drivers/nova_driver.py#L35

To manage notifications about this bug go to:
https://bugs.launchpad.net/octavia/+bug/1620629/+subscriptions
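As an added illustration, not code from Octavia or from the bug reporter, the following shows the selection the report describes (newest image carrying the tag, any owner) beside the owner-filtered variant the report asks for, plus an audit helper that lists tagged images not owned by the expected tenant. It runs over constructed Glance-style image records; the tenant ids and image ids are placeholders.

```python
from datetime import datetime, timezone

# Constructed sample image records (not real data): two operator-owned amphora
# images and a newer, public image from an unrelated tenant that also carries
# the 'amphora' tag. OPERATOR_TENANT is an assumed placeholder owner id.
OPERATOR_TENANT = "aaaa0000-operator-service-tenant"
IMAGES = [
    {"id": "img-operator-1", "owner": OPERATOR_TENANT, "visibility": "public",
     "tags": ["amphora"], "created_at": "2016-08-01T10:00:00Z"},
    {"id": "img-operator-2", "owner": OPERATOR_TENANT, "visibility": "public",
     "tags": ["amphora"], "created_at": "2016-08-20T10:00:00Z"},
    {"id": "img-other-tenant", "owner": "bbbb1111-unrelated-tenant",
     "visibility": "public", "tags": ["amphora"],
     "created_at": "2016-09-05T10:00:00Z"},
    {"id": "img-untagged", "owner": OPERATOR_TENANT, "visibility": "public",
     "tags": [], "created_at": "2016-09-06T10:00:00Z"},
]


def _created(image):
    # Parse the ISO 8601 timestamp so ordering is by time, not by string shape.
    ts = datetime.strptime(image["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)


def newest_tagged_image(images, tag, owner=None):
    """Return the id of the newest image carrying `tag`, or None.

    With owner=None this mirrors the behaviour the bug report describes:
    any tenant's tagged image is eligible. With `owner` set, only images
    owned by that tenant are considered, which is the requested fix.
    """
    candidates = [img for img in images
                  if tag in img["tags"]
                  and (owner is None or img["owner"] == owner)]
    if not candidates:
        return None
    return max(candidates, key=_created)["id"]


def foreign_tagged_images(images, tag, owner):
    """Audit helper: ids of tagged images not owned by the expected tenant."""
    return sorted(img["id"] for img in images
                  if tag in img["tags"] and img["owner"] != owner)


if __name__ == "__main__":
    print("unfiltered:", newest_tagged_image(IMAGES, "amphora"))
    print("owner-filtered:", newest_tagged_image(IMAGES, "amphora", OPERATOR_TENANT))
    print("foreign tagged:", foreign_tagged_images(IMAGES, "amphora", OPERATOR_TENANT))
```

Run against the sample records, the unfiltered selection returns the unrelated tenant's newer image while the owner-filtered one returns img-operator-2; the audit helper is the check an operator can run periodically to spot stray tagged images before they are picked up.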