Circumference: OpenStack Progress with Network Booting

Circumference is a miniaturised datacentre-in-a-box, complete with programmable power distribution and sequencing, instrumentation, cooling, networking, and a switchable remote console — all packaged in custom-designed desktop enclosures which eliminate cable clutter and give you complete control over the hardware inside.

Chris Dent has a blog post about netbooting the Circumference.

https://www.crowdsupply.com/ground-electronics/circumference
https://groundelectronics.com/products/circumference/

In my previous posting on the Circumference I said that I wanted to get the eight Raspberry Pi nodes to netboot from the front end processor so I could more easily manage the nodes on which I wanted to install nova-compute. This post provides a very quick update on those explorations. Newer Pi 3 Bs have firmware that can allow them to netboot without any SD card in place, but it requires a fair bit of setup. I was struggling to make headway, never seeing bootpc packets from the nodes. Turns out a newer firmware is needed. Andrew Back, from Ground Electronics, the company building the Circumference, pointed to a useful cookbook blog post, Network Booting a Raspberry Pi 3 from an Ubuntu Server, that includes pointers to the new firmware. That got me a bit further. I’m now able to see some nodes, sometimes choosing to send bootpc packets and otherwise talking to the network.[…]

https://anticdent.org/circumference-25-netbooting.html
https://anticdent.org/circumference-25-beta.html
https://www.crowdsupply.com/ground-electronics/circumference/updates/openstack-progress-with-network-booting


OpenStack iLO Secure Boot

I just noticed that the OpenStack project has an alternative to UEFI Secure Boot, for iLO drivers:

Some of the Ironic deploy drivers support UEFI boot. It would be useful to security sensitive users to deploy more securely using Secure Boot feature of the UEFI. This spec proposes alternatives to support Secure Boot in baremetal provisioning for iLO drivers. […]

https://specs.openstack.org/openstack/ironic-specs/specs/kilo-implemented/uefi-secure-boot.html

https://blueprints.launchpad.net/ironic/+spec/uefi-secure-boot

Openstack vulnerability with QCOW2 images

Today Tristan Cacqueray of Red Hat — and of the OpenStack Vulnerability Management Team — reported a CVE-backed issue with Glance and its use of QCOW2 (“QEMU Copy On Write”, a QEMU-based image format). Glance is the OpenStack Image Service, which provides discovery, registration, and delivery services for disk and server images, as well as a REST-based API.

Glance v2 API host file disclosure through qcow2 backing file
OSSA 2015-014, CVE-2015-5163

“Eric Harney from Red Hat reported a vulnerability in Glance. By importing a qcow2 image with a malicious backing file, an authenticated user may mislead the Glance import task action, resulting in the disclosure of any file on the Glance server to which the Glance process user has access. Only setups using the Glance V2 API are affected by this flaw. This fix will be included in the future 2015.1.2 (kilo) release.”

For the full announcement, including more URLs to patches, see the openstack-announce or oss-security mailing lists. Check the CVE link again later; there’s nothing there yet.
http://lists.openstack.org/pipermail/openstack-announce/2015-August/000527.html
https://launchpad.net/bugs/1471912
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5163
http://docs.openstack.org/developer/glance/
https://wiki.openstack.org/wiki/Glance

(Openstack aside, I wonder if codebases are vulnerable to an “importing a qcow2 image with a malicious backing file” attack?)
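As an added, defender-side illustration (not code from Glance, the advisory, or the patch): a small Python check that parses the fixed part of the qcow2 header and refuses to import any image that declares a backing file, since an attacker-controlled backing file path is exactly what this flaw turned into a file read on the server. The header layout follows the public qcow2 format; the sample header and the path it points at are constructed here for the test.

```python
import struct
from typing import Optional

QCOW2_MAGIC = b"QFI\xfb"
# Fixed-size qcow2 header (version 2 layout, all fields big-endian):
# magic, version, backing_file_offset, backing_file_size, cluster_bits,
# size, crypt_method, l1_size, l1_table_offset, refcount_table_offset,
# refcount_table_clusters, nb_snapshots, snapshots_offset
HEADER_FMT = ">4sIQIIQIIQQIIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 72 bytes

def qcow2_backing_file(data: bytes) -> Optional[str]:
    """Return the backing-file path declared in a qcow2 header, or None.
    Raises ValueError if the bytes are not a well-formed qcow2 header."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be a qcow2 image")
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    magic, version, bf_offset, bf_size = fields[0], fields[1], fields[2], fields[3]
    if magic != QCOW2_MAGIC:
        raise ValueError("not a qcow2 image")
    if version not in (2, 3):
        raise ValueError("unsupported qcow2 version %d" % version)
    if bf_offset == 0:          # spec: offset 0 means "no backing file"
        return None
    # The format caps the name at 1023 bytes; never trust a pointer that
    # runs past the bytes we actually have.
    if bf_size == 0 or bf_size > 1023 or bf_offset + bf_size > len(data):
        raise ValueError("backing file pointer is out of range")
    return data[bf_offset:bf_offset + bf_size].decode("utf-8", "replace")

def is_safe_to_import(data: bytes) -> bool:
    """Import policy: accept only standalone qcow2 images (no backing file).
    Anything unparsable is rejected rather than passed on to qemu-img."""
    try:
        return qcow2_backing_file(data) is None
    except ValueError:
        return False

def make_header(backing: Optional[bytes]) -> bytes:
    """Constructed sample: minimal qcow2 v2 header, 1 GiB virtual size,
    64 KiB clusters, optionally followed by a backing-file name."""
    bf_offset = HEADER_LEN if backing else 0
    bf_size = len(backing) if backing else 0
    hdr = struct.pack(HEADER_FMT, QCOW2_MAGIC, 2, bf_offset, bf_size, 16,
                      1 << 30, 0, 1, 1 << 16, 2 << 16, 1, 0, 0)
    return hdr + (backing or b"")
```

On a real upload you would feed the first few kilobytes of the file to `is_safe_to_import` before handing it to any conversion step.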

OpenStack’s hardware introspection service 2.0 released

Dmitry Tantsur of Red Hat announced version 2.0 of OpenStack’s hardware introspection service was released today on the openstack-announce list.

“This is an auxiliary service for discovering hardware properties for a node managed by OpenStack Ironic. Hardware introspection or hardware properties discovery is a process of getting hardware parameters required for scheduling from a bare metal node, given its power management credentials (e.g. IPMI address, user name and password). A special ramdisk is required to collect the information on a node. The default one can be built using diskimage-builder and ironic-discoverd-ramdisk element. Highlights of this release:

* Main Python module was renamed to ironic_inspector
* Client library was split away to a separate project
* edeploy plugin was removed in favor of more generic one called ‘extra_hardware’
* Processing hooks interface was changed
* The way we return API errors was changed to better match Ironic one
* Removed deprecated /v1/discover endpoint
* All options (except for ‘database’) were moved to sections instead of using ‘discoverd’ for everything
* oslo.db configuration should be used instead of ‘discoverd.database’ option
* keystonemiddleware options should be used instead of reusing ‘ironic’ credentials for checking authentication
* Deprecated ‘authenticate’ opt in favor of ‘auth_strategy’
* Explicit green thread pool is used instead of just launching new threads
* NodeInfo class became more helpful for hooks
* Now it’s possible to hook into processing chain when node is not found
* Inspector no longer checks for Ironic presence on start up as it was causing problems in real life
* SSL/TLS Support”

More Information:

https://github.com/openstack/ironic-inspector
https://pypi.python.org/pypi/ironic-inspector/2.0.0
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce