yahoo-eng-team team mailing list archive

[Bug 1793159] [NEW] no signature check for cached images

 

Public bug reported:

Currently Nova only checks an image's signature directly after
downloading it from Glance. The image is then cached on the
corresponding compute node.

When Nova is reading the image file from cache and actually transfers it
into the desired target storage when creating a server resource, the
signature should be checked once again, since the image might have been
tampered with in the cache. This has to be done somewhere in
nova/virt/libvirt/imagebackend.py.

** Affects: nova
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1793159

Title:
  no signature check for cached images

Status in OpenStack Compute (nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1793159/+subscriptions
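
Added example, not part of the bug report and not Nova code: a sketch of re-checking a cached image at the moment it is copied to target storage. It assumes a SHA-256 digest, pinned when the signature was verified at download and stored outside the cache, as a stand-in for the real signature check; `copy_verified`, `CachedImageTampered` and the file names are hypothetical.

```python
import hashlib
import hmac
import os
import tempfile


class CachedImageTampered(Exception):
    """Cached bytes do not match the digest pinned when the signature was checked."""


def copy_verified(cache_path, target_path, expected_sha256, chunk_size=1 << 20):
    """Copy the cached image to the target, verifying the bytes actually written."""
    digest = hashlib.sha256()
    target_dir = os.path.dirname(os.path.abspath(target_path))
    fd, tmp_path = tempfile.mkstemp(dir=target_dir, prefix=".unverified-")
    try:
        with os.fdopen(fd, "wb") as dst, open(cache_path, "rb") as src:
            for chunk in iter(lambda: src.read(chunk_size), b""):
                digest.update(chunk)  # hash what is written: no check/use gap
                dst.write(chunk)
        if not hmac.compare_digest(digest.hexdigest(), expected_sha256):
            raise CachedImageTampered(cache_path)
        os.replace(tmp_path, target_path)  # publish only after the check passes
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def demo():
    """Constructed sample: one clean cache file, then one with a flipped byte."""
    data = b"constructed image bytes" * 1000
    pinned = hashlib.sha256(data).hexdigest()  # assumed stored outside the cache
    results = []
    with tempfile.TemporaryDirectory() as d:
        cache, target = os.path.join(d, "cache.img"), os.path.join(d, "disk")
        for content in (data, data[:10] + b"X" + data[11:]):
            with open(cache, "wb") as f:
                f.write(content)
            try:
                copy_verified(cache, target, pinned)
                outcome = "copied"
            except CachedImageTampered:
                outcome = "rejected"
            results.append((outcome, sorted(os.listdir(d))))
            if os.path.exists(target):
                os.unlink(target)
    return results
```

Because the copy goes to a temporary file that is renamed only after the digest matches, a rejected image leaves nothing at the target path.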