On 11/14/2016 4:16 AM, Daniel P. Berrange wrote:
On Fri, Nov 11, 2016 at 07:11:51PM -0600, Matt Riedemann wrote:
Chris Friesen reported a bug [1] where injected files on a server aren't in
the guest after it's evacuated to another compute host. This is because the
injected files aren't persisted in the nova database at all. Evacuate and
rebuild use similar code paths, but rebuild is a user operation and the
command line is similar to boot, but evacuate is an admin operation and the
admin doesn't have the original injected files.

We've talked about issues with file injection before [2] - in that case not
being able to tell if it can be honored and it just silently doesn't inject
the files but the server build doesn't fail. We could eventually resolve
that with capabilities discovery in the API.

There are other issues with file injection, like potential security issues,
and we've talked about getting rid of it for years because you can use the
config drive.

The metadata service is not a replacement, as noted in the code [3], because
the files aren't persisted in nova so they can't be served up later.

I'm sure we've talked about this before, but if we were to seriously
consider deprecating file injection, what does that look like?  Thoughts off
the top of my head are:

1. Add a microversion to the server create and rebuild REST APIs such that
the personality files aren't accepted unless:

a) you're also building the server with a config drive
b) or CONF.force_config_drive is True
c) or the image has the 'img_config_drive=mandatory' property

2. Deprecate VFSLocalFS in Ocata for removal in Pike. That means libguestfs
is required. We'd do this because I think VFSLocalFS is the one with
potential security issues.

Yes, VFSLocalFS is the dangerous one if used with untrustworthy disk images
(essentially all public cloud images are untrustworthy) because malicious
images could be used to exploit bugs in the host kernel's filesystem drivers.
This isn't theoretical - we've seen bugs in popular Linux filesystems (i.e.
ext3) lie mistakenly unfixed for years https://lwn.net/Articles/538898/

Regards,
Daniel


To circle back on this, we discussed it a bit in today's nova meeting [1] and agreed that we'd deprecate the VFSLocalFS backend for file injection in Ocata and remove it in Pike.

We also agreed to start working on a spec for the REST API changes outlined above to deprecate file injection (personality files) as a separate feature in the API. People using it today will need to rely on config drive after it's deprecated in the API.

[1] http://eavesdrop.openstack.org/meetings/nova/2016/nova.2016-11-17-14.00.log.html

--

Thanks,

Matt Riedemann
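As an added illustration of the API gate proposed in item 1 above (this is example code written for this page, not nova's own implementation), the function below models the rule that personality files are accepted at the new microversion only when a config drive is guaranteed: the request asks for one, CONF.force_config_drive is set, or the image carries img_config_drive=mandatory. The microversion value, the request dataclass and the function names are assumptions constructed for the example; only the three conditions and the img_config_drive property name come from the thread.

```python
"""Model of the proposed personality-file gate from the nova-dev thread.

Added example, not nova code. The microversion constant, the ServerRequest
shape and the function names are constructed for illustration; the three
acceptance conditions and the 'img_config_drive' image property are the
ones named in the thread.
"""
from dataclasses import dataclass, field

# Assumed placeholder: the (major, minor) microversion at which the gate
# would start applying. Not a real nova microversion number.
PERSONALITY_GATED_MICROVERSION = (2, 99)


@dataclass
class ServerRequest:
    """Subset of a server create/rebuild request relevant to the gate."""
    microversion: tuple
    # Each entry is {"path": ..., "contents": ...} as in the personality API.
    personality: list = field(default_factory=list)
    config_drive: bool = False
    image_properties: dict = field(default_factory=dict)


def config_drive_guaranteed(req: ServerRequest, force_config_drive: bool) -> bool:
    """True when one of the thread's three conditions ensures a config drive.

    a) the request itself asks for a config drive
    b) the deployment sets CONF.force_config_drive
    c) the image is tagged img_config_drive=mandatory
    """
    return (
        req.config_drive
        or force_config_drive
        or req.image_properties.get("img_config_drive") == "mandatory"
    )


def validate_personality(req: ServerRequest, force_config_drive: bool = False):
    """Decide whether the personality files in a request are accepted.

    Returns (accepted, reason). Requests without personality files always
    pass; requests at a pre-gate microversion keep the legacy behaviour;
    at or after the gate, files are only accepted when a config drive is
    guaranteed, because that is the only place they will still be served
    from (they are not persisted in the nova database for later rebuild
    or evacuate).
    """
    if not req.personality:
        return True, "no personality files requested"
    if req.microversion < PERSONALITY_GATED_MICROVERSION:
        return True, "legacy microversion: file injection still honoured"
    if config_drive_guaranteed(req, force_config_drive):
        return True, "config drive guaranteed; files will be delivered via it"
    return False, (
        "personality files rejected: no config drive. Request config_drive, "
        "set CONF.force_config_drive, or use an image with "
        "img_config_drive=mandatory"
    )


if __name__ == "__main__":
    # Constructed sample request: one injected file, no config drive.
    sample = ServerRequest(
        microversion=PERSONALITY_GATED_MICROVERSION,
        personality=[{"path": "/etc/motd", "contents": "aGVsbG8="}],
    )
    print(validate_personality(sample))
    sample.config_drive = True
    print(validate_personality(sample))
```

The check is deliberately evaluated server-side before the build is scheduled, so a request that cannot be honoured fails loudly at the API instead of building a server with the files silently missing, which is the failure mode described in [2].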


__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev