Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-28 Thread Tim Bell
Looking at the number of options for image properties, it would seem that a 
blacklist would be in order. I would be in favour of ‘standard’ images which 
support fsfreeze to support guest agent and that some of the NUMA properties 
not be available for end user images, but still for system ones.

How about a list of delegated properties for images which could override the 
default flavor settings ?

Tim

On 20/07/16 00:40, "Daniel Russell"  wrote:

Hi Daniel,

Fair enough.  I don't personally understand your stance against having a 
configuration option to specifically disable guest agent but imagine there 
would be advantages to having a more generic implementation that can handle 
more use-cases (any property instead of just a specific property).  I imagine 
there will need to be a nova scheduler component to it as well (Or we might 
schedule an instance on a hypervisor that is configured not to allow it).

Is there a blueprint or spec for this kind of thing yet?  I can help put one 
together if there is interest but the implementation is probably for more 
seasoned developers.

Regards,
Dan.

-Original Message-
From: Daniel P. Berrange [mailto:berra...@redhat.com] 
Sent: Tuesday, 19 July 2016 6:39 PM
To: OpenStack Development Mailing List (not for usage questions) 

Subject: Re: [openstack-dev] [glance][nova] Globally disabling 
hw_qemu_guest_agent support

On Tue, Jul 19, 2016 at 12:51:07AM +, Daniel Russell wrote:
> Hi Erno,
> 
> For the size of team I am in I think it would work well but it feels 
> like I am putting the security of Nova in the hands of Glance.

Yep, from an architectural pov it is not very good. Particularly in a 
multi-hypervisor compute deployment you can have the situation where you want 
to allow a property for one type of hypervisor but forbid it for another.

What we really need is the exact same image property security restrictions 
implemented by nova-compute, so we can setup compute nodes to blacklist certain 
properties.

> 
> What I was more after was a setting in Nova that says 'this hypervisor 
> does not allow guest sockets and will ignore any attempt to create 
> them', 'this hypervisor always creates guest sockets regardless of 
> your choice', 'this hypervisor will respect whatever you throw in 
> hw_qemu_guest_agent with a default of no', or 'this hypervisor will 
> respect whatever you throw in hw_qemu_guest_agent with a default of 
> yes'.  It feels like a more appropriate place to control and manage that kind 
> of configuration.

Nope, there's no such facility right now - glance property protection is the 
only real option. I'd be very much against adding a lockdown which was specific 
to the guest agent too - if we did anything it would be to have a generic 
property protection model in nova that mirrors what glance supports.

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-19 Thread Daniel Russell
Hi Daniel,

Fair enough.  I don't personally understand your stance against having a 
configuration option to specifically disable guest agent but imagine there 
would be advantages to having a more generic implementation that can handle 
more use-cases (any property instead of just a specific property).  I imagine 
there will need to be a nova scheduler component to it as well (Or we might 
schedule an instance on a hypervisor that is configured not to allow it).

Is there a blueprint or spec for this kind of thing yet?  I can help put one 
together if there is interest but the implementation is probably for more 
seasoned developers.

Regards,
Dan.

-Original Message-
From: Daniel P. Berrange [mailto:berra...@redhat.com] 
Sent: Tuesday, 19 July 2016 6:39 PM
To: OpenStack Development Mailing List (not for usage questions) 

Subject: Re: [openstack-dev] [glance][nova] Globally disabling 
hw_qemu_guest_agent support

On Tue, Jul 19, 2016 at 12:51:07AM +, Daniel Russell wrote:
> Hi Erno,
> 
> For the size of team I am in I think it would work well but it feels 
> like I am putting the security of Nova in the hands of Glance.

Yep, from an architectural pov it is not very good. Particularly in a 
multi-hypervisor compute deployment you can have the situation where you want 
to allow a property for one type of hypervisor but forbid it for another.

What we really need is the exact same image property security restrictions 
implemented by nova-compute, so we can setup compute nodes to blacklist certain 
properties.

> 
> What I was more after was a setting in Nova that says 'this hypervisor 
> does not allow guest sockets and will ignore any attempt to create 
> them', 'this hypervisor always creates guest sockets regardless of 
> your choice', 'this hypervisor will respect whatever you throw in 
> hw_qemu_guest_agent with a default of no', or 'this hypervisor will 
> respect whatever you throw in hw_qemu_guest_agent with a default of 
> yes'.  It feels like a more appropriate place to control and manage that kind 
> of configuration.

Nope, there's no such facility right now - glance property protection is the 
only real option. I'd be very much against adding a lockdown which was specific 
to the guest agent too - if we did anything it would be to have a generic 
property protection model in nova that mirrors what glance supports.

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|



Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-19 Thread Daniel P. Berrange
On Tue, Jul 19, 2016 at 12:51:07AM +, Daniel Russell wrote:
> Hi Erno,
> 
> For the size of team I am in I think it would work well but it feels like
> I am putting the security of Nova in the hands of Glance.

Yep, from an architectural pov it is not very good. Particularly in a
multi-hypervisor compute deployment you can have the situation where you
want to allow a property for one type of hypervisor but forbid it for another.

What we really need is the exact same image property security restrictions
implemented by nova-compute, so we can setup compute nodes to blacklist
certain properties.

> 
> What I was more after was a setting in Nova that says 'this hypervisor
> does not allow guest sockets and will ignore any attempt to create them',
> 'this hypervisor always creates guest sockets regardless of your choice',
> 'this hypervisor will respect whatever you throw in hw_qemu_guest_agent
> with a default of no', or 'this hypervisor will respect whatever you throw
> in hw_qemu_guest_agent with a default of yes'.  It feels like a more
> appropriate place to control and manage that kind of configuration.

Nope, there's no such facility right now - glance property protection
is the only real option. I'd be very much against adding a lockdown
which was specific to the guest agent too - if we did anything it would
be to have a generic property protection model in nova that mirrors what
glance supports.

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|



Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-18 Thread Daniel Russell
Hi Erno,

For the size of team I am in I think it would work well but it feels like I am 
putting the security of Nova in the hands of Glance.

What I was more after was a setting in Nova that says 'this hypervisor does not 
allow guest sockets and will ignore any attempt to create them', 'this 
hypervisor always creates guest sockets regardless of your choice', 'this 
hypervisor will respect whatever you throw in hw_qemu_guest_agent with a 
default of no', or 'this hypervisor will respect whatever you throw in 
hw_qemu_guest_agent with a default of yes'.  It feels like a more appropriate 
place to control and manage that kind of configuration.

Thanks for the pointer, and I will implement it in our environment, but I guess 
it opens up a larger question of '*should* I manage that kind of config in that 
manner?'

Regards,
Daniel.

-Original Message-
From: Erno Kuvaja [mailto:ekuv...@redhat.com] 
Sent: Tuesday, 19 July 2016 10:09 AM
To: OpenStack Development Mailing List (not for usage questions) 

Subject: Re: [openstack-dev] [glance][nova] Globally disabling 
hw_qemu_guest_agent support

Hi Daniel,

You might want to have a look at the Glance Property Protections [0].
I'd assume that would do it for you?

[0] http://docs.openstack.org/developer/glance/property-protections.html

Best,
Erno

On Tue, Jul 19, 2016 at 12:43 AM, Daniel Russell  
wrote:
> Hi,
>
>
>
> We are running a public cloud and allow customers to upload their own 
> images.  A concern we have is that a customer could set 
> hw_qemu_guest_agent=yes in the image metadata and then get a socket to 
> the hypervisor created when running.  For us, this is a bit of a 
> security concern and I’m not aware of any way to globally disable this 
> feature at the moment.
>
>
>
> Is there any work going on to add the ability to enable/disable the 
> feature globally?  Would it be of interest to the project(s) to add that?
>
>
>
> I am happy to look into it and am keen to start contributing if it’s 
> deemed low enough hanging fruit for a new guy!
>
>
>
> Regards,
>
> DANIEL RUSSELL
> Solution Architect
>
>
>
>
>



Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-18 Thread Erno Kuvaja
Hi Daniel,

You might want to have a look at the Glance Property Protections [0].
I'd assume that would do it for you?

[0] http://docs.openstack.org/developer/glance/property-protections.html

Best,
Erno

On Tue, Jul 19, 2016 at 12:43 AM, Daniel Russell
 wrote:
> Hi,
>
>
>
> We are running a public cloud and allow customers to upload their own
> images.  A concern we have is that a customer could set
> hw_qemu_guest_agent=yes in the image metadata and then get a socket to the
> hypervisor created when running.  For us, this is a bit of a security
> concern and I’m not aware of any way to globally disable this feature at the
> moment.
>
>
>
> Is there any work going on to add the ability to enable/disable the feature
> globally?  Would it be of interest to the project(s) to add that?
>
>
>
> I am happy to look into it and am keen to start contributing if it’s deemed
> low enough hanging fruit for a new guy!
>
>
>
> Regards,
>
> DANIEL RUSSELL
> Solution Architect
> 340 Findon Road, KIDMAN PARK, SA 5025
> T: +61 8 8461 4841 F: +61 8 8461 4899
> E: dani...@hostworks.com.au
> W: www.hostworks.com.au
>
>
>
>
>
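
The Glance property-protections approach suggested in the message above, as an added example that is not part of the original thread and not Glance's own code: a simplified Python model of a roles-format rules file that keeps `hw_qemu_guest_agent` admin-only, with a check of who may set it. The rule contents, the role names `admin` and `member`, the `hw_numa_` pattern and the helper names are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample of a property-protections file in the roles format.
# Section names are regexes over property names; values are comma-separated
# roles, where "@" means every role and "!" means no role.
SAMPLE_RULES = """
[^hw_qemu_guest_agent$]
create = admin
read = @
update = admin
delete = admin

[^hw_numa_.*]
create = admin
read = @
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @
"""

def load_rules(text):
    """Return [(compiled_regex, {operation: [roles]})] in file order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [(re.compile(name),
             {op: [r.strip().lower() for r in val.split(",")]
              for op, val in cp[name].items()})
            for name in cp.sections()]

def is_allowed(rules, prop, operation, user_roles):
    """Simplified model: the first section whose regex matches decides."""
    for pattern, ops in rules:
        if pattern.search(prop):
            allowed = ops.get(operation, [])
            if "!" in allowed:
                return False
            if "@" in allowed:
                return True
            return bool({r.lower() for r in user_roles} & set(allowed))
    return False  # no section matched: deny (assumed behaviour with protections on)

RULES = load_rules(SAMPLE_RULES)
```

Section order matters in this model: a catch-all `[.*]` placed before the specific section would shadow it and let any role set the property. Glance loads such a file when `property_protection_file` is set in glance-api.conf.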



Re: [openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-18 Thread Kris G. Lindgren
I also happened to be looking at this today and was wondering about this as 
well.  From the multiple places that talk about how to enable the qemu guest agent 
for quiescing drives during snapshots, they all have a warning that this should 
be enabled on trusted guests only. [1] [2] [3]  So, I am wondering has anyone 
actually solved any of the security issues called out in the tail end of [3]? 
It seems interesting that we would make it so where the only flag that’s 
needed to enable/disable this is done on the image metadata – which any user 
that is given permission to upload images can set.  Since this opens up a 
communication channel directly between the Untrusted (for most people running a 
cloud) vm and libvirt running on the HV.

[1] - 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Administration_Guide/chap-QEMU_Guest_Agent.html#idp9487712
 (see the warning directly the title)
[2] - http://wiki.libvirt.org/page/Qemu_guest_agent (see the last sentence)
[3] - http://wiki.qemu.org/Features/QAPI/GuestAgent (See the Security section)
___
Kris Lindgren
Senior Linux Systems Engineer
GoDaddy


[openstack-dev] [glance][nova] Globally disabling hw_qemu_guest_agent support

2016-07-18 Thread Daniel Russell
Hi,

We are running a public cloud and allow customers to upload their own images.  
A concern we have is that a customer could set hw_qemu_guest_agent=yes in the 
image metadata and then get a socket to the hypervisor created when running.  
For us, this is a bit of a security concern and I'm not aware of any way to 
globally disable this feature at the moment.

Is there any work going on to add the ability to enable/disable the feature 
globally?  Would it be of interest to the project(s) to add that?

I am happy to look into it and am keen to start contributing if it's deemed low 
enough hanging fruit for a new guy!

Regards,
DANIEL RUSSELL
Solution Architect
340 Findon Road, KIDMAN PARK, SA 5025
T: +61 8 8461 4841 F: +61 8 8461 4899
E: dani...@hostworks.com.au
W: www.hostworks.com.au
