Bug 2020216 - installer: Azure storage container blob where is stored bootstrap.ign file shouldn't be public
Summary: installer: Azure storage container blob where is stored bootstrap.ign file sh...
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.10.0
Assignee: aos-install
QA Contact: MayXu
Latha S
Depends On:
TreeView+ depends on / blocked
Reported: 2021-11-04 11:35 UTC by Przemyslaw Roguski
Modified: 2022-03-10 16:25 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Documention update
Clone Of:
Last Closed: 2022-03-10 16:25:33 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift installer pull 5457 0 None open Bug 2020216: Bug 1964380 remove privateDNSZoneName and --public-acces… 2021-12-07 18:59:44 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:25:52 UTC

Description Przemyslaw Roguski 2021-11-04 11:35:30 UTC
OCP Version at Install Time: All OCP releases
RHCOS Version at Install Time:
OCP Version after Upgrade (if applicable):
RHCOS Version after Upgrade (if applicable):
Platform: Azure

What are you trying to do? What is your use case?

There is an issue with OCP installation steps on user-provisioned Azure infrastructure. The the storage container blob where is stored bootstrap.ign file shouldn't be public like it is suggested in the documentation:

In the Ignition bootstrap.ign file there might be some data that should be considered private. This file shouldn't be publicly accessible (stored in the public blob). 

This should be corrected.

Comment 1 Micah Abbott 2021-11-04 12:49:16 UTC
This would ultimately be a docs change, but I want to send it to the Installer folks as this change might be an implementation detail they would have to consider.

Comment 2 Matthew Staebler 2021-11-08 19:47:22 UTC
My understanding is that the default for the storage container is to have public access off. What changes would you expect in the documentation?

$ az storage container create --help | grep Command -A 5
Please let us know how we are doing: https://aka.ms/azureclihats
    az storage container create : Create a container in a storage account.
        By default, container data is private ("off") to the account owner. Use "blob" to allow
        public read access for blobs. Use "container" to allow public read and list access to the
        entire container. You can configure the --public-access using `az storage container set-
        permission -n CONTAINER_NAME --public-access blob/container/off`.

Comment 3 Przemyslaw Roguski 2021-11-09 10:37:24 UTC
In the documentation which I mentioned in the description there is guidance like below:
Create a blob storage container and upload the generated bootstrap.ign file:

$ az storage container create --name files --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} --public-access blob

$ az storage blob upload --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} -c "files" -f "<installation_directory>/bootstrap.ign" -n "bootstrap.ign"

So the storage container blob with the bootstrap.ign file is with public read access. 
I'm not sure if only change in the documentation is needed. Maybe the installation procedure should be corrected as well to address this issue.
It's Installer team decision how to address this problem. Definitely from the Product Security Team perspective it must be corrected.

Comment 4 Matthew Staebler 2021-11-09 15:17:54 UTC
Oh, I missed the use of the `--public-access blob` flag. I swear that I looked at that command a number of times.

I agree that it should be fixed. That is strictly a docs bug then. As far as I can tell, that command is not sourced from the installer repo.

Comment 6 Cody Hoag 2021-11-30 16:02:52 UTC
@Matthew This command is pulled from the installer dev doc for Azure UPI [1]. Can we simply drop the `--public-access blob` flag from our documentation to fix this security issue? Not sure what the original requirement was for that.

[1] https://github.com/openshift/installer/blob/master/docs/user/azure/install_upi.md#upload-the-bootstrap-ignition

Comment 7 Matthew Staebler 2021-11-30 16:56:07 UTC
Ah, OK. I'll put this BZ back on the installer team. I think if we remove the public access to the blob, then the URL in the bootstrap ignition stub needs to be changed to include a SAS token as well.

Comment 8 MayXu 2021-12-03 18:00:15 UTC
based on my test 
"az storage container create --name files --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} --public-access blob"
"--public-access blob" can not be removed 

without the "--public-access blob", bootstrap.json fail to deployed.

az deployment group create -g $RESOURCE_GROUP   --template-file "04_bootstrap.json" --parameters bootstrapIgnition="$BOOTSTRAP_IGNITION" --parameters baseName="$INFRA_ID"

 {\r\n        \"code\": \"OSProvisioningTimedOut\",\r\n        \"message\": \"OS Provisioning for VM 'maxu2020216-g92js-bootstrap' did not finish in the allotted time.

Comment 9 MayXu 2021-12-07 09:03:29 UTC
updated docs/user/azure/install_upi.md in https://github.com/openshift/installer/pull/5457

Comment 16 errata-xmlrpc 2022-03-10 16:25:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.