Feature #969
Remove all-host based processing of (potentially user-provided) Images
| Status: | Closed | Start date: | 07/29/2011 |
|---|---|---|---|
| Priority: | Medium | Due date: | |
| Assignee: | Nikos Skalkotos | % Done: | 0% |
| Category: | Cyclades Images | Spent time: | - |
| Target version: | v0.7 | | |
Description
Currently, the Image deployment process does host-based processing of Images.
In the future, these Images will be custom, user-provided files. This will have major security implications.
More specifically:
- The host mounts the target filesystem.
- The host traverses directories in the target filesystem using its kernel-based filesystem implementation.
- The host runs image-provided binaries in chroot, essentially trusting the potentially user-provided image completely.

- All accesses to the image should be done programmatically, e.g. using library-based filesystem implementations, from unprivileged processes, with direct access to the underlying block device.
- The host should never run any user-provided binaries in its own context; they can be run completely isolated, e.g. in a container (LXC) or VM context (libguestfs).
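The approach the two requirements above describe, as an added example that is not code from this ticket or from snf-image: customization steps are data checked on the host, and every access to the image happens inside a libguestfs appliance VM through the python3-libguestfs bindings (assumed installed), so the host never mounts the image or executes anything it contains. The operation names, plan format and `customize_image` function are hypothetical.

```python
# Customize a (potentially user-provided) disk image without the host ever
# mounting it or chrooting into it: all filesystem access goes via libguestfs.
import os

# Operations the deployment host is willing to perform, with the keys each
# needs. A plan is data, not commands: nothing from the image is executed.
ALLOWED_OPS = {"write_file": ("path", "content"), "mkdir": ("path",),
               "set_hostname": ("hostname",)}


def validate_plan(plan):
    """Return the normalized plan; raise ValueError for any disallowed step."""
    checked = []
    for step in plan:
        op = step.get("op")
        if op not in ALLOWED_OPS:
            raise ValueError(f"operation not permitted: {op!r}")
        missing = [k for k in ALLOWED_OPS[op] if k not in step]
        if missing:
            raise ValueError(f"{op} is missing {missing}")
        path = step.get("path", "/")
        # Guest paths must be absolute and must not climb with '..'
        if not path.startswith("/") or ".." in path.split("/"):
            raise ValueError(f"refusing non-canonical guest path {path!r}")
        checked.append(dict(step, path=os.path.normpath(path)))
    return checked


def customize_image(image_path, plan):
    """Apply a validated plan inside the libguestfs appliance; return step count."""
    import guestfs  # imported lazily so the policy code above needs no libguestfs

    steps = validate_plan(plan)
    g = guestfs.GuestFS(python_return_dict=True)
    g.add_drive_opts(image_path, format="raw", readonly=False)
    g.launch()                       # boots the helper VM; the host mounts nothing
    roots = g.inspect_os()           # OS inspection happens inside the appliance
    if len(roots) != 1:
        raise RuntimeError("expected exactly one operating system in the image")
    mounts = g.inspect_get_mountpoints(roots[0])
    for mountpoint in sorted(mounts, key=len):   # mount / before /boot, /usr ...
        g.mount(mounts[mountpoint], mountpoint)
    for step in steps:
        if step["op"] == "write_file":
            g.write(step["path"], step["content"].encode())
        elif step["op"] == "mkdir":
            g.mkdir_p(step["path"])
        else:                        # set_hostname
            g.write("/etc/hostname", (step["hostname"] + "\n").encode())
    g.shutdown()
    return len(steps)
```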
History
#1 Updated by Vangelis Koukis over 12 years ago
- Status changed from Assigned to Closed
This has been implemented in the snf-image OS provider, https://code.grnet.gr/projects/snf-image.
After the initial host-based deployment of an Image, all customization happens inside a helper VM.
This ticket may close.