19273013 problem in SERVICE/NOVA s11-update
authordavid.comay@oracle.com
Tue, 23 Sep 2014 11:18:31 -0700
branchs11-update
changeset 3324 a725bbd5dea1
parent 3323 b4b74d363c31
child 3330 bed1d2a86c86
19273013 problem in SERVICE/NOVA 19273067 default cinder.conf has some options under undefined config groups 19273093 Glance configuration files should reflect the default of Keystone
components/openstack/cinder/files/cinder.conf
components/openstack/glance/files/glance-cache.conf
components/openstack/glance/files/glance-scrubber.conf
components/openstack/glance/glance.p5m
components/openstack/nova/patches/07-CVE-2014-3517.patch
--- a/components/openstack/cinder/files/cinder.conf	Tue Sep 23 10:12:34 2014 -0700
+++ b/components/openstack/cinder/files/cinder.conf	Tue Sep 23 11:18:31 2014 -0700
@@ -493,75 +493,9 @@
 
 
 #
-# Options defined in cinder.keymgr
-#
-
-# The full class name of the key manager API class (string
-# value)
-#api_class=cinder.keymgr.conf_key_mgr.ConfKeyManager
-
-
-#
-# Options defined in cinder.keymgr.conf_key_mgr
-#
-
-# Fixed key returned by key manager, specified in hex (string
-# value)
-#fixed_key=<None>
-
-
-#
-# Options defined in cinder.openstack.common.db.api
-#
-
-# The backend to use for db (string value)
-#backend=sqlalchemy
-
-# Enable the experimental use of thread pooling for all DB API
-# calls (boolean value)
-#use_tpool=false
-
-
-#
 # Options defined in cinder.openstack.common.db.sqlalchemy.session
 #
 
-# The SQLAlchemy connection string used to connect to the
-# database (string value)
-connection=sqlite:///$state_path/$sqlite_db
-
-# timeout before idle sql connections are reaped (integer
-# value)
-#idle_timeout=3600
-
-# Minimum number of SQL connections to keep open in a pool
-# (integer value)
-#min_pool_size=1
-
-# Maximum number of SQL connections to keep open in a pool
-# (integer value)
-#max_pool_size=5
-
-# maximum db connection retries during startup. (setting -1
-# implies an infinite retry count) (integer value)
-#max_retries=10
-
-# interval between retries of opening a sql connection
-# (integer value)
-#retry_interval=10
-
-# If set, use this value for max_overflow with sqlalchemy
-# (integer value)
-#max_overflow=<None>
-
-# Verbosity of SQL debugging information. 0=None,
-# 100=Everything (integer value)
-#connection_debug=0
-
-# Add python stack traces to SQL as comment strings (boolean
-# value)
-#connection_trace=false
-
 # the filename to use with sqlite (string value)
 #sqlite_db=cinder.sqlite
 
@@ -908,20 +842,6 @@
 
 
 #
-# Options defined in cinder.openstack.common.rpc.matchmaker_redis
-#
-
-# Host to locate redis (string value)
-#host=127.0.0.1
-
-# Use this port to connect to redis host. (integer value)
-#port=6379
-
-# Password for Redis server. (optional) (string value)
-#password=<None>
-
-
-#
 # Options defined in cinder.scheduler.driver
 #
 
@@ -1863,4 +1783,95 @@
 #volume_dd_blocksize=1M
 
 
+[keymgr]
+
+#
+# Options defined in cinder.keymgr
+#
+
+# The full class name of the key manager API class (string
+# value)
+#api_class=cinder.keymgr.conf_key_mgr.ConfKeyManager
+
+
+#
+# Options defined in cinder.keymgr.conf_key_mgr
+#
+
+# Fixed key returned by key manager, specified in hex (string
+# value)
+#fixed_key=<None>
+
+
+[database]
+
+#
+# Options defined in cinder.openstack.common.db.api
+#
+
+# The backend to use for db (string value)
+#backend=sqlalchemy
+
+# Enable the experimental use of thread pooling for all DB API
+# calls (boolean value)
+#use_tpool=false
+
+
+#
+# Options defined in cinder.openstack.common.db.sqlalchemy.session
+#
+
+# The SQLAlchemy connection string used to connect to the
+# database (string value)
+connection=sqlite:///$state_path/$sqlite_db
+
+# timeout before idle sql connections are reaped (integer
+# value)
+#idle_timeout=3600
+
+# Minimum number of SQL connections to keep open in a pool
+# (integer value)
+#min_pool_size=1
+
+# Maximum number of SQL connections to keep open in a pool
+# (integer value)
+#max_pool_size=5
+
+# maximum db connection retries during startup. (setting -1
+# implies an infinite retry count) (integer value)
+#max_retries=10
+
+# interval between retries of opening a sql connection
+# (integer value)
+#retry_interval=10
+
+# If set, use this value for max_overflow with sqlalchemy
+# (integer value)
+#max_overflow=<None>
+
+# Verbosity of SQL debugging information. 0=None,
+# 100=Everything (integer value)
+#connection_debug=0
+
+# Add python stack traces to SQL as comment strings (boolean
+# value)
+#connection_trace=false
+
+
+[matchmaker_redis]
+
+#
+# Options defined in cinder.openstack.common.rpc.matchmaker_redis
+#
+
+# Host to locate redis (string value)
+#host=127.0.0.1
+
+# Use this port to connect to redis host. (integer value)
+#port=6379
+
+# Password for Redis server. (optional) (string value)
+#password=<None>
+
+
 # Total option count: 401
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/glance/files/glance-cache.conf	Tue Sep 23 11:18:31 2014 -0700
@@ -0,0 +1,168 @@
+[DEFAULT]
+# Show more verbose log output (sets INFO log level output)
+#verbose = False
+
+# Show debugging output in logs (sets DEBUG log level output)
+#debug = False
+
+log_file = /var/log/glance/image-cache.log
+
+# Send logs to syslog (/dev/log) instead of to file specified by `log_file`
+#use_syslog = False
+
+# Directory that the Image Cache writes data to
+image_cache_dir = /var/lib/glance/image-cache/
+
+# Number of seconds after which we should consider an incomplete image to be
+# stalled and eligible for reaping
+image_cache_stall_time = 86400
+
+# image_cache_invalid_entry_grace_period - seconds
+#
+# If an exception is raised as we're writing to the cache, the cache-entry is
+# deemed invalid and moved to <image_cache_datadir>/invalid so that it can be
+# inspected for debugging purposes.
+#
+# This is number of seconds to leave these invalid images around before they
+# are elibible to be reaped.
+image_cache_invalid_entry_grace_period = 3600
+
+# Max cache size in bytes
+image_cache_max_size = 10737418240
+
+# Address to find the registry server
+registry_host = 0.0.0.0
+
+# Port the registry server is listening on
+registry_port = 9191
+
+# Auth settings if using Keystone
+auth_url = http://127.0.0.1:5000/v2.0/
+admin_tenant_name = %SERVICE_TENANT_NAME%
+admin_user = %SERVICE_USER%
+admin_password = %SERVICE_PASSWORD%
+
+# List of which store classes and store class locations are
+# currently known to glance at startup.
+# known_stores = glance.store.filesystem.Store,
+#                glance.store.http.Store,
+#                glance.store.rbd.Store,
+#                glance.store.s3.Store,
+#                glance.store.swift.Store,
+#                glance.store.sheepdog.Store,
+#                glance.store.cinder.Store,
+
+# ============ Filesystem Store Options ========================
+
+# Directory that the Filesystem backend store
+# writes image data to
+filesystem_store_datadir = /var/lib/glance/images/
+
+# ============ Swift Store Options =============================
+
+# Version of the authentication service to use
+# Valid versions are '2' for keystone and '1' for swauth and rackspace
+swift_store_auth_version = 2
+
+# Address where the Swift authentication service lives
+# Valid schemes are 'http://' and 'https://'
+# If no scheme specified,  default to 'https://'
+# For swauth, use something like '127.0.0.1:8080/v1.0/'
+swift_store_auth_address = 127.0.0.1:5000/v2.0/
+
+# User to authenticate against the Swift authentication service
+# If you use Swift authentication service, set it to 'account':'user'
+# where 'account' is a Swift storage account and 'user'
+# is a user in that account
+swift_store_user = jdoe:jdoe
+
+# Auth key for the user authenticating against the
+# Swift authentication service
+swift_store_key = a86850deb2742ec3cb41518e26aa2d89
+
+# Container within the account that the account should use
+# for storing images in Swift
+swift_store_container = glance
+
+# Do we create the container if it does not exist?
+swift_store_create_container_on_put = False
+
+# What size, in MB, should Glance start chunking image files
+# and do a large object manifest in Swift? By default, this is
+# the maximum object size in Swift, which is 5GB
+swift_store_large_object_size = 5120
+
+# When doing a large object manifest, what size, in MB, should
+# Glance write chunks to Swift? This amount of data is written
+# to a temporary disk buffer during the process of chunking
+# the image file, and the default is 200MB
+swift_store_large_object_chunk_size = 200
+
+# Whether to use ServiceNET to communicate with the Swift storage servers.
+# (If you aren't RACKSPACE, leave this False!)
+#
+# To use ServiceNET for authentication, prefix hostname of
+# `swift_store_auth_address` with 'snet-'.
+# Ex. https://example.com/v1.0/ -> https://snet-example.com/v1.0/
+swift_enable_snet = False
+
+# ============ S3 Store Options =============================
+
+# Address where the S3 authentication service lives
+# Valid schemes are 'http://' and 'https://'
+# If no scheme specified,  default to 'http://'
+s3_store_host = 127.0.0.1:8080/v1.0/
+
+# User to authenticate against the S3 authentication service
+s3_store_access_key = <20-char AWS access key>
+
+# Auth key for the user authenticating against the
+# S3 authentication service
+s3_store_secret_key = <40-char AWS secret key>
+
+# Container within the account that the account should use
+# for storing images in S3. Note that S3 has a flat namespace,
+# so you need a unique bucket name for your glance images. An
+# easy way to do this is append your AWS access key to "glance".
+# S3 buckets in AWS *must* be lowercased, so remember to lowercase
+# your AWS access key if you use it in your bucket name below!
+s3_store_bucket = <lowercased 20-char aws access key>glance
+
+# Do we create the bucket if it does not exist?
+s3_store_create_bucket_on_put = False
+
+# When sending images to S3, the data will first be written to a
+# temporary buffer on disk. By default the platform's temporary directory
+# will be used. If required, an alternative directory can be specified here.
+# s3_store_object_buffer_dir = /path/to/dir
+
+# ============ Cinder Store Options ===========================
+
+# Info to match when looking for cinder in the service catalog
+# Format is : separated values of the form:
+# <service_type>:<service_name>:<endpoint_type> (string value)
+#cinder_catalog_info = volume:cinder:publicURL
+
+# Override service catalog lookup with template for cinder endpoint
+# e.g. http://localhost:8776/v1/%(project_id)s (string value)
+#cinder_endpoint_template = <None>
+
+# Region name of this node (string value)
+#os_region_name = <None>
+
+# Location of ca certicates file to use for cinder client requests
+# (string value)
+#cinder_ca_certificates_file = <None>
+
+# Number of cinderclient retries on failed http calls (integer value)
+#cinder_http_retries = 3
+
+# Allow to perform insecure SSL requests to cinder (boolean value)
+#cinder_api_insecure = False
+
+# ================= Security Options ==========================
+
+# AES key for encrypting store 'location' metadata, including
+# -- if used -- Swift or S3 credentials
+# Should be set to a random string of length 16, 24 or 32 bytes
+# metadata_encryption_key = <16, 24 or 32 char registry metadata key>
--- a/components/openstack/glance/files/glance-scrubber.conf	Tue Sep 23 10:12:34 2014 -0700
+++ b/components/openstack/glance/files/glance-scrubber.conf	Tue Sep 23 11:18:31 2014 -0700
@@ -35,10 +35,10 @@
 registry_port = 9191
 
 # Auth settings if using Keystone
-# auth_url = http://127.0.0.1:5000/v2.0/
-# admin_tenant_name = %SERVICE_TENANT_NAME%
-# admin_user = %SERVICE_USER%
-# admin_password = %SERVICE_PASSWORD%
+auth_url = http://127.0.0.1:5000/v2.0/
+admin_tenant_name = %SERVICE_TENANT_NAME%
+admin_user = %SERVICE_USER%
+admin_password = %SERVICE_PASSWORD%
 
 # Directory to use for lock files. Default to a temp directory
 # (string value). This setting needs to be the same for both
--- a/components/openstack/glance/glance.p5m	Tue Sep 23 10:12:34 2014 -0700
+++ b/components/openstack/glance/glance.p5m	Tue Sep 23 11:18:31 2014 -0700
@@ -47,7 +47,7 @@
     owner=glance group=glance mode=0644 overlay=allow preserve=renamenew
 file files/glance-api.conf path=etc/glance/glance-api.conf owner=glance \
     group=glance mode=0644 overlay=allow preserve=renamenew
-file etc/glance-cache.conf path=etc/glance/glance-cache.conf owner=glance \
+file files/glance-cache.conf path=etc/glance/glance-cache.conf owner=glance \
     group=glance mode=0644 overlay=allow preserve=renamenew
 file etc/glance-registry-paste.ini path=etc/glance/glance-registry-paste.ini \
     owner=glance group=glance mode=0644 overlay=allow preserve=renamenew
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openstack/nova/patches/07-CVE-2014-3517.patch	Tue Sep 23 11:18:31 2014 -0700
@@ -0,0 +1,91 @@
+This upstream patch addresses CVE-2014-3517 and is tracked under
+Launchpad bug 1325128. It is addressed in the Juno trunk, Icehouse
+2014.1.2, and Havana 2013.2.4. It has been modified to apply cleanly
+into our current Havana implementation
+
+commit 1dd97d1335f6ec028d0e4440250f80802a2f1d18
+Author: Grant Murphy <[email protected]>
+Date:   Tue Jul 8 03:35:40 2014 +0000
+
+    Avoid possible timing attack in metadata api
+    
+    Introduce a constant time comparison function to
+    nova utils for comparing authentication tokens.
+    
+    Conflicts:
+    	nova/tests/test_utils.py
+    	nova/utils.py
+    
+    Closes-bug: #1325128
+    Change-Id: I7374f2edc6f03c7da59cf73ae91a87147e53d0de
+    (cherry picked from commit 9f59ca751f1a392ef24d8ab73a7bf5ce9655017e)
+
+diff --git a/nova/api/metadata/handler.py b/nova/api/metadata/handler.py
+index 50387ab..74bb4f7 100644
+--- a/nova/api/metadata/handler.py
++++ b/nova/api/metadata/handler.py
[email protected]@ -31,6 +31,7 @@ from nova import exception
+ from nova.openstack.common.gettextutils import _
+ from nova.openstack.common import log as logging
+ from nova.openstack.common import memorycache
++from nova import utils
+ from nova import wsgi
+ 
+ CACHE_EXPIRATION = 15  # in seconds
[email protected]@ -172,7 +173,7 @@ class MetadataRequestHandler(wsgi.Application):
+             instance_id,
+             hashlib.sha256).hexdigest()
+ 
+-        if expected_signature != signature:
++        if not utils.constant_time_compare(expected_signature, signature):
+             if instance_id:
+                 LOG.warn(_('X-Instance-ID-Signature: %(signature)s does not '
+                            'match the expected value: %(expected_signature)s '
+diff --git a/nova/tests/test_utils.py b/nova/tests/test_utils.py
+index b38ea50..820fe09 100644
+--- a/nova/tests/test_utils.py
++++ b/nova/tests/test_utils.py
[email protected]@ -1083,3 +1083,10 @@ class GetImageFromSystemMetadataTestCase(test.NoDBTestCase):
+ 
+         # Verify that the foo1 key has not been inherited
+         self.assertTrue("foo1" not in image)
++
++
++class ConstantTimeCompareTestCase(test.NoDBTestCase):
++    def test_constant_time_compare(self):
++        self.assertTrue(utils.constant_time_compare("abcd1234", "abcd1234"))
++        self.assertFalse(utils.constant_time_compare("abcd1234", "a"))
++        self.assertFalse(utils.constant_time_compare("abcd1234", "ABCD234"))
+diff --git a/nova/utils.py b/nova/utils.py
+index 4757f3a..5f10a8a 100755
+--- nova-2013.2.3/nova/utils.py.~2~	2014-09-02 13:57:46.030039835 -0700
++++ nova-2013.2.3/nova/utils.py	2014-09-02 13:57:49.391998275 -0700
[email protected]@ -23,6 +23,7 @@ import contextlib
+ import datetime
+ import functools
+ import hashlib
++import hmac
+ import inspect
+ import os
+ import pyclbr
[email protected]@ -1288,3 +1289,20 @@ def get_boolean(value):
+         return value
+     else:
+         return strutils.bool_from_string(value)
++
++if hasattr(hmac, 'compare_digest'):
++    constant_time_compare = hmac.compare_digest
++else:
++    def constant_time_compare(first, second):
++        """Returns True if both string inputs are equal, otherwise False.
++
++        This function should take a constant amount of time regardless of
++        how many characters in the strings match.
++
++        """
++        if len(first) != len(second):
++            return False
++        result = 0
++        for x, y in zip(first, second):
++            result |= ord(x) ^ ord(y)
++        return result == 0