yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1852106] Re: Possible data loss from createImage action

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1852106@xxxxxxxxxxxxxxxxxx>
Date: Wed, 19 Feb 2020 13:58:37 -0000
Reply-to: Bug 1852106 <1852106@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Reviewed:  https://review.opendev.org/708126
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=bc290840127c3179227a662584404f9c0178d588
Submitter: Zuul
Branch:    master

commit bc290840127c3179227a662584404f9c0178d588
Author: Brian Rosmaita <rosmaita.fossdev@xxxxxxxxx>
Date:   Thu Feb 13 11:09:08 2020 -0500

    Absolutely-non-inheritable image properties
    
    Inheritance of image properties from the image an instance was booted
    from to an image created from that instance is governed by the
    non_inheritable_image_properties configuration option.  However, there
    are some image properties (for example, those used for image signature
    validation or to reference a cinder encryption key id) which it makes
    no sense to inherit under any circumstances.  Additionally,
    misconfiguration of the non-inheritable properties can lead to data
    loss under the circumstances described in Bug #1852106.  So it would
    be better if these properties were not subject to configuration.
    
    The initial set of absolutely non-inheritable image properties
    consists of those associated with cinder encryption keys and image
    signature validation.
    
    Change-Id: I4332b9c343b6c2b50226baa8f78396c2012dabd1
    Closes-bug: #1852106


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1852106

Title:
  Possible data loss from createImage action

Status in Glance:
  New
Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  Description
  ===========

  When an instance is booted from a image created from an encrypted
  Cinder volume and several images are created from that instance,
  deleting any one of these images will render the remaining images
  unusable.

  
  The scenario
  ============

  1. User creates a volume V-1 of an encrypted type in Cinder; Cinder
  automatically stores the encryption key in Barbican with key_id c-1.

  2. User uploads this volume as an image to Glance as I-1.  Cinder stores the encryption key in Barbican with key_id c-2 and puts the metadata
    cinder_encryption_key_id: c-2
  on the image.

  The idea is to preserve a 1-1 relation between key_ids and resources so that when a resource is deleted, its key in Barbican can also be deleted with no potential for data loss.  This prevents cruft from accumulating in the user's Barbican account.  In Train, this deletion-from-Barbican process has been automated; if the metadata
    cinder_encryption_key_deletion_policy: on_image_deletion
  is present on the image, Glance will delete the key from Barbican when the image is deleted.  Beginning with Train, Cinder puts the deletion_policy metadata on all volumes uploaded as images to Glance.

  3. User boots an instance from image I-1.  Nova will store all the
  image metadata from the image.

  4. User does the createImage action on the instance.  Nova creates an image I-2 and copies over the image metadata, putting
    cinder_encryption_key_id: c-2
    cinder_encryption_key_deletion_policy: on_image_deletion
  on the image.

  5. If the user deletes I-2, key c-2 will be deleted from Barbican,
  thereby rendering image I-1 unusable.  Similarly, if the user has
  created a bunch of images from the instance, deleting one of them will
  render all the remainder useless.

  NOTE: if the user creates a volume from image I-1, Cinder will create
  a new Barbican secret for the resulting volume.  So deleting I-1 (and
  hence key c-2) won't affect the usability of any volumes created from
  it.

  This bug has been around for a while, but it required the user to
  manually delete the Barbican secret that multiple images depend on.
  The Cinder/Glance change in Train to automate the process makes this
  scenario much more likely to happen.

  The immediate workaround is to add
  'cinder_encryption_key_deletion_policy' to the
  non_inheritable_image_properties list in nova.conf.

  The long term solution is for Nova to clone the encryption key in
  Barbican so that Nova always puts a unique key_id on the created
  image.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1852106/+subscriptions
References

[Bug 1852106] [NEW] Possible data loss from createImage action
From: Brian Rosmaita, 2019-11-11