1539703 – By rebuilding twice with the same "forbidden" image one can circumvent scheduler rebuild restrictions

Bug 1539703 - By rebuilding twice with the same "forbidden" image one can circumvent scheduler rebuild restrictions

Summary: By rebuilding twice with the same "forbidden" image one can circumvent schedu...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-nova
Sub Component:
Version:	12.0 (Pike)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	z3
Target Release:	12.0 (Pike)
Assignee:	Artom Lifshitz
QA Contact:	Joe H. Rahme
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1540368 1540369
TreeView+	depends on / blocked

Reported:	2018-01-29 13:39 UTC by Artom Lifshitz
Modified:	2022-07-09 11:41 UTC (History)
CC List:	15 users (show)
Fixed In Version:	openstack-nova-16.1.4-2.el7ost
Doc Type:	Bug Fix
Doc Text:	This update prevents an unintended bypass of the schedule filters that could occur after the scheduler refused a rebuild request sent by nova. If a user rebuilds an instance with a new image, the change from old image to new image causes nova to send the rebuild request to the scheduler to make sure it is allowed according to the scheduler filters. Prior to this update, if the scheduler refused the request, the instance's image reference was not rolled back to the original image. This caused an inconsistency between the original image actually in use by the instance, and the new image reference saved in the database. As a result, a second rebuild request with the same new image would bypass the scheduler and be allowed, because the image in the rebuild request was the same as the instance's image in the database, even though the real image in use by the instance was the old original image. This bypass of scheduler filters was considered a security flaw. As of this update, when a rebuild request is refused by the scheduler,the image reference is rolled back to the original. If another rebuild request is made with the same new image, it is correctly identified as being different from the instance's current image and the request is send to the scheduler.
Clone Of:
Clones:	1540368 (view as bug list)
Environment:
Last Closed:	2018-08-20 12:55:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Launchpad	1746032	None	None	None	2018-01-29 16:25:27 UTC
OpenStack gerrit	539003	None	MERGED	Rollback instance.image_ref on failed rebuild	2020-03-04 15:39:42 UTC
Red Hat Issue Tracker	OSP-17234	None	None	None	2022-07-09 11:41:53 UTC
Red Hat Product Errata	RHSA-2018:2332	None	None	None	2018-08-20 12:57:40 UTC

Description Artom Lifshitz 2018-01-29 13:39:39 UTC

Description of problem:

Since bz 1508689 (CVE-2017-16239), we call to the scheduler when doing a rebuild with a new image. If the scheduler refuses a rebuild because a filter forbids the new image on the instance's host (for example, IsolatedHostsFilter), at first there was no indication of this in the API (bz 1536150). Currently, with the fix for bz 1536150 merged, the instance goes to ERROR to indicate the refused rebuild. However, by rebuilding again with the same "forbidden" image it is possible to circumvent scheduler restrictions.

Version-Release number of selected component (if applicable):

OSP 10 through 12

How reproducible
================

Always.

Steps to Reproduce
==================

1. Configure IsolatedHostsFilter:

   [filter_scheduler]
   enabled_filters = [...],IsolatedHostsFilter
   isolated_images = 41d3e5ca-14cf-436c-9413-4826b5c8bdb1
   isolated_hosts = ubuntu
   restrict_isolated_hosts_to_isolated_images = true

2. Have two images, one isolated and one not:

   $ openstack image list

     8d0581a5-ed9d-4b98-a766-a41efbc99929 | centos | active
     41d3e5ca-14cf-436c-9413-4826b5c8bdb1 | cirros-0.3.5-x86_64-disk | active

     cirros is the isolated one

3. Have only one hypervisor (the isolated one):

   $ openstack hypervisor list

     ubuntu | QEMU | 192.168.100.194 | up

4. To confirm, boot a centos (non-isolated) image,
   expecting it to be refused by the scheduler:

   $ openstack server create \
     --image 8d0581a5-ed9d-4b98-a766-a41efbc99929 \
     --flavor \
     m1.nano centos-test-expect-fail

   $ openstack server list

     centos-test-expect-fail | ERROR | | centos | m1.nano

5. Boot a cirros (isolated) image:

   $ openstack server create \
     --image 41d3e5ca-14cf-436c-9413-4826b5c8bdb1 \
     --flavor m1.nano \
     cirros-test-expect-success

   $ openstack server list

     cirros-test-expect-success | ACTIVE | [...] | cirros-0.3.5-x86_64-disk | m1.nano

6. Rebuild the cirros instance with centos:

   $ nova --debug rebuild cirros-test-expect-success centos

     DEBUG (session:722) POST call to compute for
     http://192.168.100.194/compute/v2.1/servers/d9d98bf7-623e-4587-b82c-06f36abf59cb/action
     used request id req-c234346a-6e05-47cf-a0cd-45f89d11e15d

7. Observe the rebuild being refused in the conductor:

   WARNING nova.conductor.manager
   [None req-c234346a-6e05-47cf-a0cd-45f89d11e15d demo admin]
   [instance: d9d98bf7-623e-4587-b82c-06f36abf59cb]
   No valid host found for rebuild: NoValidHost_Remote:
   No valid host was found. There are not enough hosts available.

8. Observe the instance going to ERROR,
   but still showing the new centos image :

   $ nova show cirros-test-expect-success

     [...]
     status | ERROR
     image  | centos (8d0581a5-ed9d-4b98-a766-a41efbc99929)
     [...]

9. Rebuild again with the same centos image:

   $ nova rebuild cirros-test-expect-success centos

10. The rebuild goes through.

Expected results
================

The rebuild keeps being refused.

Additional info
===============

We only set the scheduler hint if the new imageref is different from the old imageref [1], this is a legit bug.

[1] https://github.com/openstack/nova/blob/master/nova/compute/api.py#L3055-L3073

Comment 1 Matt Riedemann 2018-01-29 16:10:41 UTC

Here is the fix:

https://review.openstack.org/#/c/538961/

There is a patch with a recreate functional test underneath that in the series.

Comment 2 Matthew Booth 2018-05-15 13:49:19 UTC

Looks like the stable backport merged.

Comment 11 errata-xmlrpc 2018-08-20 12:55:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2332

Note You need to log in before you can comment on or make changes to this bug.