yahoo-eng-team team mailing list archive
Message #74151
[Bug 1785668] [NEW] nova-compute doesn't check image signature if imagecache exists
Public bug reported:
Description
===========
nova-compute doesn't verify image signature/certificate in barbican component if local imagecache exists for this image on compute node.
Steps to reproduce
==================
Preconditions:
Nova, Glance, Barbican components (Pike) are installed with default settings and policy.json. Environment has 1 compute node (to simplify the case).
* Create signed glance image. Please follow https://docs.openstack.org/glance/pike/user/signature.html
* Create separate project and user with "member" role in it.
* Log in as the member user and try to boot a VM from your signed image.
Actual and expected result:
VM is not booted. Error:
Server <ID> failed to build and is in ERROR status
Details: {u'message': u'Build of instance <ID> aborted: Signature verification for the image failed: Unable to retrieve certificate with ID: <cert_ID>.', u'code': 500, u'created': u'2018-07-18T15:53:15Z'}
* Log in as admin. Boot a VM from the image.
Actual and expected result:
VM is Active.
* Log in as the member user again. Boot a VM from the image.
Actual result:
VM is Active.
Expected result:
User doesn't have enough rights to boot VM, because image cannot be verified (cannot retrieve certificate from barbican). However, since compute node has imagecache of this image, nova-compute boots VM.
On compute node:
ls -la /var/lib/nova/instances/_base/
total 38424
drwxr-xr-x 2 nova nova 4096 Aug 5 17:12 .
drwxr-xr-x 7 nova nova 4096 Aug 6 16:34 ..
-rw-r--r-- 1 libvirt-qemu kvm 41126400 Aug 6 16:32 5dfc15a8b8ab3ac68ff5d442fed2564adbaa4149
Environment
===========
OpenStack Pike
nova 2:16.1.3-1~u16.04
python-novaclient 2:9.1.1-1~u16.04
qemu-kvm 1:2.11+dfsg-1.4~u16.04
libvirt 4.0.0-1.7~u16.04
python-libvirt 3.5.0-1.1~u16.04
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1785668
Title:
nova-compute doesn't check image signature if imagecache exists
Status in OpenStack Compute (nova):
New
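The following is an added illustration, not nova's code and not part of the bug report: a minimal Python model of the control flow the reporter describes. The per-node cache (`/var/lib/nova/instances/_base/`) is keyed by a digest of the image ID, and in the vulnerable ordering the cache is consulted before signature verification, so the Barbican certificate fetch that effectively enforces who may use the image only runs on a cache miss. The hardened variant verifies as the requester on every boot, over the bytes it is about to use. The in-memory "Barbican" ACL, the image and certificate names, the SHA-1 base-file naming and the digest-as-signature stand-in are all assumptions made for the illustration.

```python
"""Model of the cache-before-verify flow from the bug report (added example).

Assumptions: Barbican is modelled as a per-project ACL on certificates, the
base file name is sha1(image_id) and the "signature" is a plain SHA-256
digest of the image bytes standing in for a real asymmetric signature.
"""
import hashlib
from dataclasses import dataclass


class SignatureVerificationFailed(Exception):
    """Raised where nova would abort the build."""


@dataclass(frozen=True)
class Image:
    image_id: str
    data: bytes
    cert_id: str
    signature: str  # stand-in: hex SHA-256 of data (assumption, not real signing)


class KeyManager:
    """Stand-in for Barbican: a certificate is readable only by listed projects."""

    def __init__(self, acl):
        self.acl = acl  # cert_id -> set of project names allowed to read it

    def get_certificate(self, cert_id, project):
        if project not in self.acl.get(cert_id, set()):
            # Mirrors the error text quoted in the report.
            raise SignatureVerificationFailed(
                f"Unable to retrieve certificate with ID: {cert_id}")
        return f"cert:{cert_id}"


def verify_signature(image, data, context, key_manager):
    """Fetch the signing cert as the requester, then check the signature over data."""
    key_manager.get_certificate(image.cert_id, context["project"])
    if hashlib.sha256(data).hexdigest() != image.signature:
        raise SignatureVerificationFailed("signature mismatch")


class ImageCache:
    """Models the _base directory: one cached file per image ID, shared by all tenants."""

    def __init__(self, key_manager):
        self.base = {}  # base file name -> cached bytes
        self.key_manager = key_manager

    @staticmethod
    def base_name(image):
        return hashlib.sha1(image.image_id.encode()).hexdigest()

    def fetch_vulnerable(self, image, context):
        name = self.base_name(image)
        if name in self.base:  # cache hit: verification never runs
            return self.base[name]
        verify_signature(image, image.data, context, self.key_manager)
        self.base[name] = image.data
        return self.base[name]

    def fetch_hardened(self, image, context):
        name = self.base_name(image)
        data = self.base.get(name, image.data)
        # Verify as the requester on every boot, over the bytes actually used.
        verify_signature(image, data, context, self.key_manager)
        self.base[name] = data
        return data


def replay(fetch_name):
    """Replay the report's three boots (member, admin, member); return VM states."""
    payload = b"disk image bytes"  # constructed sample image content
    image = Image("image-1", payload, "cert-1",
                  hashlib.sha256(payload).hexdigest())
    km = KeyManager({"cert-1": {"admin"}})  # only the admin project may read the cert
    cache = ImageCache(km)
    states = []
    for ctx in ({"project": "member"}, {"project": "admin"}, {"project": "member"}):
        try:
            getattr(cache, fetch_name)(image, ctx)
            states.append("ACTIVE")
        except SignatureVerificationFailed:
            states.append("ERROR")
    return states


if __name__ == "__main__":
    print("vulnerable:", replay("fetch_vulnerable"))  # ['ERROR', 'ACTIVE', 'ACTIVE']
    print("hardened:  ", replay("fetch_hardened"))    # ['ERROR', 'ACTIVE', 'ERROR']
```

The vulnerable replay reproduces the report exactly: the member's first boot fails, the admin's boot populates the cache, and the member's second boot succeeds without any verification. The hardened replay rejects the third boot because the certificate fetch is repeated under the member's credentials. The design point is that a cache keyed only by image ID stores a per-node decision that was made under one tenant's credentials; verifying against the cached bytes on every boot keeps the check tied to the requester and also covers certificate access that is revoked after the file was cached.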