noonedeadpunk | oh, yes, that's for sure | 06:13 |
---|---|---|
noonedeadpunk | though it kinda also felt that it was not a bad idea back at the vmdk case I guess, though I'd guess everyone assumed that was the only case or so... | 06:14 |
noonedeadpunk | and there was at least some time in between for master | 06:16 |
fungi | noonedeadpunk: basically, this was the first time that we actually found out the qemu maintainers don't support passing untrusted images to it, or even to commands like qemu-img info, and told us that if we want to use qemu at all then we really need our own separate tool to check images for safety beforehand | 12:48 |
fungi | even sandboxing would need to be more than just filesystem/process isolation since some kinds of images can cause qemu (and qemu-img) to make arbitrary network connections too | 12:48 |
fungi | developing anything like that in secret without the aid of public code review and ci systems would be a significant challenge, especially considering all the different services that try to use qemu tools to get image information, convert between image types, and so on | 12:50 |
fungi | the current plan, once all the dust settles, is to move the reference version of the image inspector from glance into oslo.utils and then rip out copies from cinder/glance/nova in master | 12:52 |
fungi | since backporting to stable branches that way would have been a lot tougher | 12:53 |
noonedeadpunk | yeah, for sure, that's all clear. I indeed was thinking about some kind of step2 to close the vector once and for all possible future cases... | 13:08 |
noonedeadpunk | networking is a good argument actually... | 13:08 |
fungi | right, i think a prerequisite step before we could sensibly sandbox anything will be to centralize those calls. right now it's done independently in a bunch of places in multiple services | 13:18 |
fungi | but also, call sandboxing of any kind needs a lot of thought about cross-platform deployment, because as we learned in zuul even something as simple as bubblewrap can create issues for people who are trying to e.g. do things inside containers | 13:19 |
fungi | nesting isolation layers is frequently problematic | 13:20 |
fungi | alternatively you could go about it with apparmor or selinux, but again those are going to be deployment-specific options and usually sites have one or the other so you either need to do it for both or half of the community is left out to dry | 13:21 |