[SRU] public key injection should be configurable

Bug #971640 reported by Peng Yong
This bug affects 1 person
Affects                   Status        Importance  Assigned to   Milestone
OpenStack Compute (nova)  Fix Released  Medium      Peng Yong
  Essex                   Fix Released  Undecided   Unassigned
nova (Ubuntu)             Fix Released  Undecided   Unassigned
  Precise                 Fix Released  Undecided   Chuck Short
  Quantal                 Fix Released  Undecided   Unassigned

Bug Description

There is no FLAG to disable injecting the key if we have some script to pull the public key from metadata.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/6092

Changed in nova:
assignee: nobody → Peng Yong (ppyy)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/6092
Committed: http://github.com/openstack/nova/commit/dc131983bac9d01355d7337241871b615866f6e6
Submitter: Jenkins
Branch: master

commit dc131983bac9d01355d7337241871b615866f6e6
Author: Peng Yong <email address hidden>
Date: Mon Apr 2 23:36:20 2012 +0800

    add libvirt_inject_key flag
    fix bug #971640

    Change-Id: I48efc5babdd9b233342a33c87c461aabf5f5915b

Changed in nova:
status: In Progress → Fix Committed
Vish Ishaya (vishvananda) wrote : Re: public key injection should be configurable

marking this for potential backport. It might be considered a feature, but I think a lot of deployments will want key injection disabled.

Changed in nova:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/6830

justinsb (justin-fathomdb) wrote : Re: public key injection should be configurable

OK, it's early in the morning, but can someone explain when I would want to set this flag to false?

I can see the case for disabling injection into the image entirely; you'd do that if you're pulling from the metadata server.

But why would I want to inject some information, but pull other information from the metadata server?

Vish Ishaya (vishvananda) wrote : Re: [Bug 971640] public key injection should be configurable

Justin: key injection is the only thing that is still done automatically without a specific user request. Some clouds won't want to support this. Admittedly it might make sense to have a shared flag for all injection, but we don't have an alternate path for injected files yet like we do for network (dhcp) and keys (cloud-init).

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/essex)

Reviewed: https://review.openstack.org/6830
Committed: http://github.com/openstack/nova/commit/5ab505191c3600fc4f4b7b128a04f5c9c8f74bc1
Submitter: Jenkins
Branch: stable/essex

commit 5ab505191c3600fc4f4b7b128a04f5c9c8f74bc1
Author: Peng Yong <email address hidden>
Date: Mon Apr 2 23:36:20 2012 +0800

    add libvirt_inject_key flag
    fix bug #971640

    Change-Id: I48efc5babdd9b233342a33c87c461aabf5f5915b

tags: added: in-stable-essex
Devin Carlen (devcamcar)
Changed in nova:
milestone: none → folsom-1
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Chuck Short (zulcss)
Changed in nova (Ubuntu Quantal):
status: New → Fix Released
Chuck Short (zulcss)
summary: - public key injection should be configurable
+ [SRU] public key injection should be configurable
Chuck Short (zulcss) wrote :

** Impact **

Nova is unable to disable ssh key injection when launching images. This does not allow the users to pull their own keys from a metadata service or from a script. This option is disabled by default.

** Development Fix **

This issue was resolved in the latest development release in: https://review.openstack.org/6092

** Stable Fix **

This issue was resolved in the stable release in: https://review.openstack.org/6830

** Test Case **

1. Launch instance
2. Check to see if there is ssh keys in /root/.ssh
3. Set "libvirt_inject_key=False" in /etc/nova/nova.conf
4. Restart /etc/nova/nova.conf
5. Launch instance
6. Check to see if there is ssh keys in /root/.ssh

** Regression Potential **

Disabling ssh key injection is turned off by default, so there is minimal regression potential.
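The test case above checks, for each value of the flag, whether an ssh key ends up in /root/.ssh of the launched image. The following is an added example (not nova's code and not part of this bug report) that models that decision: a config object standing in for the libvirt_inject_key entry in nova.conf, an injection step that only writes root's authorized_keys when the flag is on, and a checker that plays the role of steps 2 and 6. The image root is a temporary directory and the public key string is a constructed sample, so it runs without a hypervisor; when injection is skipped, the key is expected to reach the guest through cloud-init and the metadata service instead, which is the deployment the flag exists for.

```python
"""Model of a configurable ssh public key injection step (added example, not nova's code)."""
import os
import tempfile
from dataclasses import dataclass

# Constructed sample key: not a real key, only the shape an authorized_keys line has.
SAMPLE_PUBLIC_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0NSTRUCTED example-key"


@dataclass
class InjectionConfig:
    # Stands in for the libvirt_inject_key flag in nova.conf; the fix defaulted it
    # to True, which is why the test case sets it to False explicitly.
    libvirt_inject_key: bool = True


def inject_key(image_root, public_key, cfg):
    """Write public_key to <image_root>/root/.ssh/authorized_keys.

    Returns True when a key was written and False when injection was skipped,
    either because the flag is off or because the instance has no keypair.
    """
    if not cfg.libvirt_inject_key or not public_key:
        return False
    ssh_dir = os.path.join(image_root, "root", ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "a") as fh:
        fh.write(public_key.rstrip("\n") + "\n")
    # sshd refuses world-readable authorized_keys under StrictModes, so fix perms.
    os.chmod(path, 0o600)
    return True


def injected_keys(image_root):
    """Steps 2 and 6 of the test case: list the keys present in /root/.ssh."""
    path = os.path.join(image_root, "root", ".ssh", "authorized_keys")
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip() and not line.startswith("#")]


def run_test_case(cfg, public_key):
    """Simulate one instance launch under cfg; return (injected?, keys found in image)."""
    with tempfile.TemporaryDirectory() as image_root:
        injected = inject_key(image_root, public_key, cfg)
        found = injected_keys(image_root)
    return injected, found


if __name__ == "__main__":
    # Default config: key lands in the image (what the first launch in the test case sees).
    print(run_test_case(InjectionConfig(), SAMPLE_PUBLIC_KEY))
    # libvirt_inject_key=False: image untouched, key must come via metadata/cloud-init.
    print(run_test_case(InjectionConfig(libvirt_inject_key=False), SAMPLE_PUBLIC_KEY))
```

The two launches in the test case correspond to the two calls at the bottom: with the flag on, `injected_keys` returns the sample key; with it off, the image's /root/.ssh stays empty and a deployment relying on cloud-init has nothing written behind its back.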

Chuck Short (zulcss)
Changed in nova (Ubuntu Precise):
assignee: nobody → Chuck Short (zulcss)
milestone: none → ubuntu-12.04.1
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Peng, or anyone else affected,

Accepted nova into precise-proposed. The package will build now and be available in a few hours. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nova (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed
Adam Gandelman (gandelman-a) wrote :

Please find the attached Jenkins job results from the Ubuntu Server Team's CI
infrastructure. As part of the verification process for this bug, Nova has
been deployed and configured across multiple nodes using precise-proposed as
an installation source. After successful bring-up and configuration of the
cluster, a number of exercises and smoke tests have been invoked to ensure the
updated package did not introduce any regressions. A number of test iterations
were carried out to catch any possible transient errors.

Note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the
Jenkins links in the comments of the relevant upstream code-review:

https://review.openstack.org/6830

As per the provisional Micro Release Exception granted to this package by
the Technical Board, we hope this contributes toward verification of this
update.

Dave Walker (davewalker)
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1+stable~20120612-3ee026e-0ubuntu1

---------------
nova (2012.1+stable~20120612-3ee026e-0ubuntu1) precise-proposed; urgency=low

  * New upstream snapshot. (LP: #1010473)
  * Dropped, superseeded by new snapshot:
    - debian/patches/upstream/0001-fix-bug-where-nova-ignores-glance-host-in-imageref.patch
    - debian/patches/upstream/0002-Stop-libvirt-test-from-deleting-instances-dir.patch
    - debian/patches/upstream/0003-Allow-unprivileged-RADOS-users-to-access-rbd-volumes.patch
    - debian/patches/upstream/0004-Fixed-bug-962840-added-a-test-case.patch
    - debian/patches/upstream/0005-Populate-image-properties-with-project_id-again.patch
    - debian/patches/upstream/0006-Use-project_id-in-ec2.cloud._format_image.patc
    - debian/patches/CVE-2012-2101.patch
    - debian/patches/CVE-2012-2654.patch
  * Resynchronize with stable/essex:
    - 3ee026e Only invoke .lower() on non-None protocols. (LP: #1010514)
    - f0a9f47 Create a utf8 version of the dns_domains table. (LP: #993663)
    - 84a43e1 Report memory correctly on Xen. (LP: #997014)
    - 8c72924 Add libvirt get_console_output tests: pty and file. (LP: #990237)
    - 4e423cd Fix Multi_Scheduler to process host capabilities. (LP: #1000403)
    - 4aea7f1 Nail pep8 dependencies to 1.0.1
    - 2b3bbc4 handle updated qemu-img info output. (LP: #1000261)
    - 2d7d51c Fix type of snapshot_id column to match db. (LP: #962615)
    - ec70c69 Generate a Changelog for Nova
    - e5e890f Fix nova.tests.test_nova_rootwrap on Fedora 17. (LP: #992916)
    - 9e9a554 Ec2 handle strings with "0x" (LP: #983206)
    - 26dc6b7 QuantumManager will start dnsmasq during startup. Fixes (LP: #977759)
    - 7028d66 Introduced flag base_dir_name. (LP: #973194)
    - 76b525a Get unit tests functional in OS X.
    - facb936 Update KillFilter to handle 'deleted' exe's. (LP: #967931)
    - 1209af4 Checks if value is string or not before decode. (LP: #952176)
    - 1209af4 Fix timeout in EC2 CloudController.create_image(). (LP: #989764)
    - 108e74b Re-add console_log from console_console_output(). (LP: #987335)
    - 48a0768 Don't leak RPC connections on timeouts or other exceptions. (LP: #968843)
    - 7c64de9 Cloudpipe tap vpn not always working. (LP: #975043)
    - 5ab5051 add libvirt_inject_key flag fix (LP: #971640)
    - 6c68ef5 Xen: Pass session to destroy_vdi. (LP: #988615)
    - 015744e Delete fixed_ips when network is deleted. (LP: #754900)
  * Add debian/scripts/changelog.sh to help generate the changelog.
  * Add debian/nova-common.docs:
    - Include changelog and README.rst
  * debian/rules: Generate a tarball from git snapshot.
  * debian/patches/fix-pep8-errors.patch: Fix pep8 errors due to pep8 upstream
    migration.
 -- Chuck Short <email address hidden> Tue, 05 Jun 2012 09:50:59 -0400

Changed in nova (Ubuntu Precise):
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-1 → 2012.2