Thursday, 2024-07-04

05:53 <opendevreview> Rajat Dhasmana proposed openstack/glance master: Increase timeout for tempest-integrated-storage-import job  https://review.opendev.org/c/openstack/glance/+/923431
06:50 <frickler> https://review.opendev.org/923433 is failing once again on grenade this time. I'm going to force-merge it once zuul has reported the failures in gerrit
07:13 <frickler> hmm, doing the force-merge now before the cve patches get into gate again. the failures can be seen at https://zuul.opendev.org/t/openstack/buildset/94df5d39c05943db9903df87c0bb9ea4 in case someone wants to take a closer look
07:16 <opendevreview> Merged openstack/glance master: Make import jobs non-voting  https://review.opendev.org/c/openstack/glance/+/923433
07:17 <frickler> doing the same for 923431 now which as the above pretty obviously has no negative impact that could be discovered by the other tests
07:17 <opendevreview> Merged openstack/glance master: Increase timeout for tempest-integrated-storage-import job  https://review.opendev.org/c/openstack/glance/+/923431
07:22 <frickler> ok, enqueued and promoted the stack at 923431 once again. cc fungi
07:30 <frickler> btw. keeping non-voting jobs in the gate pipeline is usually frowned upon, but I think it is o.k. to gather some additional results in the current situation
07:48 <opendevreview> Abhishek Kekane proposed openstack/glance stable/2024.1: [stable only] Make import jobs non-voting  https://review.opendev.org/c/openstack/glance/+/923468
07:52 <opendevreview> Abhishek Kekane proposed openstack/glance stable/2023.2: [stable only] Make import jobs non-voting  https://review.opendev.org/c/openstack/glance/+/923470
07:55 <opendevreview> Abhishek Kekane proposed openstack/glance stable/2023.2: [stable only] Make import jobs non-voting  https://review.opendev.org/c/openstack/glance/+/923470
07:56 <frickler> abhishekk: gate failure on the last cve patch, maybe you want to have a look https://zuul.opendev.org/t/openstack/build/01bc21c5f614487aa6e941d4c23da635
07:57 <abhishekk> looking
07:58 <frickler> hmm, weird, that is the change that I merged earlier, not sure why that was running in gate again
07:58 <abhishekk> not related
07:58 <abhishekk> oops
07:59 <frickler> yes, certainly not related. but fixing unstable func tests should be the next priority after the cve
07:59 <abhishekk> can it be removed from the queue
07:59 <abhishekk> ++
07:59 <frickler> since the gate queue has already been reset, it shouldn't matter much anymore
08:00 <abhishekk> ack
08:05 <opendevreview> Abhishek Kekane proposed openstack/glance stable/2023.1: [stable only] Make import jobs non-voting  https://review.opendev.org/c/openstack/glance/+/923471
08:48 <gaudenz_> The change to the image conversion plugin in https://review.opendev.org/c/openstack/glance/+/923251 changes the import API behavior if you previously depended on the fact that the source format was autodetected. Are there plans to fix this by reintroducing autodetection without calling qemu-img (which would be unsafe)?
08:49 <gaudenz_> We have code which relies on the old behavior, so this caused some breakage for us.
08:49 <gaudenz_> Or do you consider the old behavior just a bug and we should have never relied on it?
08:54 *** gaudenz_ is now known as gaudenz
09:12 <frickler> integrated-storage run-test: commands[2] | tempest run --combine --serial --regex '(?!.*\[.*\bslow\b.*\])(^tempest\.scenario)|(^tempest\.serial_tests)' --exclude-list ./tools/tempest-integrated-gate-storage-exclude-list.txt --concurrency=3
09:12 <frickler> doesn't seem useful to combine "--serial" and "--concurrency"
09:21 <opendevreview> Merged openstack/glance master: Reject qcow files with data-file attributes  https://review.opendev.org/c/openstack/glance/+/923248
09:38 <frickler> #1 is done, yay. and the other ones are all only waiting on n-v jobs
09:39 <opendevreview> Merged openstack/glance master: Extend format_inspector for QCOW safety  https://review.opendev.org/c/openstack/glance/+/923249
09:46 <opendevreview> Merged openstack/glance master: Add VMDK safety check  https://review.opendev.org/c/openstack/glance/+/923250
09:46 <opendevreview> Merged openstack/glance master: Reject unsafe qcow and vmdk files  https://review.opendev.org/c/openstack/glance/+/923251
09:46 <opendevreview> Merged openstack/glance master: Add QED format detection to format_inspector  https://review.opendev.org/c/openstack/glance/+/923252
09:46 <opendevreview> Merged openstack/glance master: Add file format detection to format_inspector  https://review.opendev.org/c/openstack/glance/+/923253
09:50 <frickler> abhishekk: there was a merge failure and a gate reset for https://review.opendev.org/c/openstack/glance/+/923254 , it also seems weird to merge a change where the commit message starts with "WIP", please have another look
09:50 <frickler> also let me know when we're ready to promote the stable branch patches
09:51 <abhishekk> Ohh, it has a new patch after approval
09:51 <frickler> oh, I see you just approved some of the stable things, will boost them
09:52 <abhishekk> I think we can it's good it is not merged
09:52 <abhishekk> no I was talking about https://review.opendev.org/c/openstack/glance/+/923254
09:52 <abhishekk> frickler: stable branch will still have timeouts so we need to backport that timeout increment patch first
09:56 <abhishekk> frickler: I will let you know about stable branch promotion
09:57 <abhishekk> thank you so far for your quick support!!
10:09 <opendevreview> Rajat Dhasmana proposed openstack/glance stable/2024.1: Increase timeout for tempest-integrated-storage-import job  https://review.opendev.org/c/openstack/glance/+/923483
10:11 <opendevreview> Pranali Deore proposed openstack/glance master: Add releasenote for CVE-2024-32498 fix  https://review.opendev.org/c/openstack/glance/+/923485
10:11 <opendevreview> Rajat Dhasmana proposed openstack/glance stable/2023.2: Increase timeout for tempest-integrated-storage-import job  https://review.opendev.org/c/openstack/glance/+/923484
10:12 <opendevreview> Rajat Dhasmana proposed openstack/glance stable/2023.1: Increase timeout for tempest-integrated-storage-import job  https://review.opendev.org/c/openstack/glance/+/923486
10:15 <opendevreview> Pranali Deore proposed openstack/glance master: Add releasenote for CVE-2024-32498 fix  https://review.opendev.org/c/openstack/glance/+/923485
12:19 <opendevreview> Pranali Deore proposed openstack/glance master: Add releasenote for CVE-2024-32498 fix  https://review.opendev.org/c/openstack/glance/+/923485
12:39 <fungi> gaudenz: it seems like the general sentiment from the qemu maintainers is that they don't support using any of it on untrusted images, but as there aren't a lot of great alternatives to qemu we have to work with what we've got, and that means trying to filter out potential risks before they ever make it to any qemu tools and being as strict as possible about treating images as the
12:39 <fungi> exact types our services are able to safely support
12:40 <fungi> i don't know of any way to safely recreate qemu's autodetection routines other than to rewrite them from scratch (without side effects) inside openstack
13:31 <gaudenz> fungi: I was more thinking about using the detect_format method from the format_inspector module in Glance. This should be pretty safe as it just tries all inspectors. If one of them is vulnerable with some input this can be triggered by setting the disk_format to this type anyway.
13:31 <gaudenz> Or using python-magic to detect the type would be another option. Should also be pretty safe as it just reads file headers.
13:33 <fungi> yeah, magic number inspection shouldn't have side effects
13:34 <fungi> the main risk is in using qemu-img info because the process loads qemu's drivers to process the file
13:35 <fungi> so anything that a nefarious custom image can be made to do on load is potentially also possible when passing it to qemu-img subcommands like info and convert
13:36 <gaudenz> Yes I totally agree that this is not an option. Was quite surprised what sort of shenanigans one can do with QCOW2 images.
13:40 *** pdeore_ is now known as pdeore
13:41 <opendevreview> Merged openstack/glance stable/2024.1: Reject qcow files with data-file attributes  https://review.opendev.org/c/openstack/glance/+/923259
13:42 <Luzi> fungi ? we (and nova) also want to use qemu-img convert in case of encrypted qcow2 images...
13:44 <abhishekk> frickler, these 3 patches need to be prioritised for stable branches to mitigate timeout, https://review.opendev.org/c/openstack/glance/+/923483, https://review.opendev.org/c/openstack/glance/+/923486, https://review.opendev.org/c/openstack/glance/+/923484?usp=cherry-pick
13:45 <fungi> Luzi: if the dangerous aspects of the image file are outside the encrypted blob we can safely inspect those, i think? i haven't looked closely at the encryption implementation in the qcow2 format specification
13:45 <Luzi> we mainly did encrypted raw images, but nova will need encrypted qcow2
13:46 <fungi> otherwise we'd have to decrypt before inspecting, if qcow2 encryption covers more than just the block data
13:50 <abhishekk> before encryption can't you inspect the file for malicious contents?
13:50 <Luzi> encryption happens on client side
13:51 <Luzi> glance will only get the already encrypted image
13:51 <pdeore> abhishekk, rosmaita, dansmith, croelandt, mrjoshi glance weekly meeting in 10 minutes at #openstack-meeting
13:51 <abhishekk> yep at client side, won't it be a good idea to introspect?
13:52 <Luzi> what about a malicious client?
13:53 <abhishekk> ack, I was thinking about openstackclient where you are planning to add this mechanism
13:54 <fungi> client-side security measures can only protect users, not the servers
13:55 <abhishekk> otherwise you can also add one config option at glance like introspect_encrypted_image and if that is true glance also performs it before storing (but it will have performance impact) anyway nova or cinder has to do that
13:55 <Luzi> what fungi said
13:55 <fungi> but anyway, like i said, if it's only the block data that's encrypted and not the other image metadata then glance doesn't need the decryption key to check whether options like remote backing files and alternate data locations are set
13:56 <fungi> if the image file is just an encrypted blob though, we'd need to use some other tool without side effects at the decryption stage (wherever that happens) and then inspect the decrypted image prior to passing to qemu tools
13:57 <abhishekk> hmmm,
13:57 <abhishekk> Luzi may be good to bring it in glance meeting as well
13:58 <fungi> i think it will require a read of the encryption format docs for qcow2 to determine what our options are, if nobody's done that yet
13:58 <Luzi> yeah abhishekk
13:58 <abhishekk> ++
13:59 <Luzi> well there seems to be unencrypted metadata in encrypted qcow2 images
13:59 <Luzi> how do you inspect them in detail?
14:00 <abhishekk> pdeore: no agenda on the meeting etherpad, do we have anything to discuss
14:00 <fungi> Luzi: that's a good sign. check the image inspector code that went into (or is in the process of merging to) glance as part of the ossa-2024-001 fixes
14:00 <pdeore> abhishekk, agenda is there :)
14:00 <abhishekk> Luzi: I think that should be done in nova and glacinder only
14:01 <abhishekk> loading... I still see last week only
14:01 <abhishekk> because we are inspecting it during conversion at the moment
14:01 <abhishekk> and encrypted image is not allowed for conversion as per spec
14:03 <fungi> the image inspector code in glance was a
14:04 <fungi> also copied into cinder and nova, the glance copy was treated as the reference i think
14:04 <fungi> longer-term goal is to split it out into an oslo lib and have cinder/glance/nova all use that
14:05 <fungi> but we couldn't really create a new separate project within the scope of backportable security fixes
14:06 <abhishekk> yes, that's the plan to move it to oslo (utils may be)
14:09 <pdeore> rosmaita, croelandt could you please have a look at this, https://review.opendev.org/c/openstack/glance/+/923485
14:11 <Luzi> my colleague tested it with an encrypted qcow2 image and the inspect code is able to inspect the metadata
14:17 <Luzi> so that means, before the image is converted in nova or cinder, the inspection will take place and alert, when something is wrong, right?
14:17 <abhishekk> yes
14:19 <Luzi> that is good
14:20 <abhishekk> you can also test it by copying format-inspector from glance and writing a little python program
14:24 <opendevreview> Abhishek Kekane proposed openstack/glance master: Revert "Make import jobs non-voting"  https://review.opendev.org/c/openstack/glance/+/923523
14:41 <frickler> abhishekk: done now, let's hope stable branches work better after these merge
14:41 <abhishekk> fingers crossed
15:59 <frickler> abhishekk: https://review.opendev.org/c/openstack/glance/+/923263/1 hasn't been approved yet, is that intentional or an oversight? I'm reenqueuing the patches below it now
16:05 <abhishekk> I haven't because gate was failing
16:05 <abhishekk> will do it now
16:06 <abhishekk> approved, last patch workflow -1 as it is WIP in master
16:07 <abhishekk> I was waiting for timeout patch to get in
16:07 <abhishekk> I'll approve stable/2023.2 once 2024.1 merges
17:02 <opendevreview> Merged openstack/glance stable/2024.1: [stable only] Make import jobs non-voting  https://review.opendev.org/c/openstack/glance/+/923468
17:02 <opendevreview> Merged openstack/glance stable/2023.2: [stable only] Make import jobs non-voting  https://review.opendev.org/c/openstack/glance/+/923470
17:19 <abhishek_> Just FYI, glance CVE patches status
17:19 <abhishek_> Master all merged except last one which is WIP
17:19 <abhishek_> stable/2024.1 is in check and gate now
17:19 <abhishek_> once those merged I will approve 2023.2 and then 2023.1
17:20 <abhishek_> Not sure what will be needed to get the unmaintained zed patches merged
17:31 <opendevreview> Merged openstack/glance stable/2023.1: [stable only] Make import jobs non-voting  https://review.opendev.org/c/openstack/glance/+/923471
17:39 <opendevreview> Rajat Dhasmana proposed openstack/glance master: Fix: optimized upload volume in Cinder store  https://review.opendev.org/c/openstack/glance/+/922316
19:16 <opendevreview> Merged openstack/glance stable/2024.1: Increase timeout for tempest-integrated-storage-import job  https://review.opendev.org/c/openstack/glance/+/923483
19:16 <opendevreview> Merged openstack/glance stable/2023.1: Increase timeout for tempest-integrated-storage-import job  https://review.opendev.org/c/openstack/glance/+/923486
20:43 <opendevreview> Merged openstack/glance stable/2023.2: Increase timeout for tempest-integrated-storage-import job  https://review.opendev.org/c/openstack/glance/+/923484
20:43 <opendevreview> Merged openstack/glance stable/2024.1: Extend format_inspector for QCOW safety  https://review.opendev.org/c/openstack/glance/+/923260
20:43 <opendevreview> Merged openstack/glance stable/2024.1: Add VMDK safety check  https://review.opendev.org/c/openstack/glance/+/923261
20:51 <opendevreview> Merged openstack/glance stable/2024.1: Reject unsafe qcow and vmdk files  https://review.opendev.org/c/openstack/glance/+/923262
21:19 <opendevreview> Merged openstack/glance stable/2024.1: Add QED format detection to format_inspector  https://review.opendev.org/c/openstack/glance/+/923263
21:35 <opendevreview> Merged openstack/glance master: Revert "Make import jobs non-voting"  https://review.opendev.org/c/openstack/glance/+/923523
22:10 <fungi> looks like all the ossa-2024-001 cinder patches for master and stable/2024.1 have merged, changes for older maintained branches are still lacking approvals
22:10 <fungi> er, glance patches i mean, not cinder
22:11 <fungi> (cinder's are all merged now, but they had a lot fewer)
22:12 <fungi> oh, actually no, https://review.opendev.org/c/openstack/glance/+/923264 for stable/2024.1 had to be put back into the gate, looks like it failed out but will hopefully merge shortly
