We plan to deprecate fedimg, and the integration has been done into plume. Going forward plume would be responsible for pushing Fedora Cloud & AH images. To deploy plume, I would need a production box and staging box.
Quicker the better.
Security officer: The only one I know is @puiterwijk
Phase I
Software: Go Advantage for Fedora: Plume will help pushing Fedora Cloud images to multiple cloud platforms. Sponsor: need one
Phase II
Email list thread: Not yet sent. Upstream source: https://github.com/coreos/mantle Development contacts: sayanchowdhury Maintainership contacts: sayanchowdhury Load balanceable: No Caching: No
Phase III
SOP link: Yet to be written Audit request: Audit not yet done, but open to be done Audit timeline: Not yet decided Phase IV
Ansible playbooks: Not yet written
Fully rebuilt from ansible: yes Production goal: April 2019
@sayan Can this be run on OpenShift ?
I would need to helping hand but surely can look into the possibility.
We'll need to consider memory usage and make sure the pod can be given enough memory to process the image files appropriately. @sayanchowdhury - can you take this into account?
Yes, agreed. I will look into that too.
Metadata Update from @kevin: - Issue priority set to: Waiting on Assignee (was: Needs Review)
I've written the playbooks and the roles for it to be deployed in stg. I would need a sponsor to move forward.
@kevin said on IRC that he can, but he is low on time so if someone else can help with sponsor. @smooge @codeblock can you help with this ticket?
Yes I can sponsor for this. please let me know what you need from me to do this
What data does this gather? The app does not gather user data. It uses fedora-messaging data to process the cloud images
Where does it gather it from? fedora-messaging
What data does it have access to? It does not have any access
Where does it have access? It does not have any access
Who (entity) are the parties who should have access to that data? It does not handle user data, or application data but if it does sysadmin-main and the application maintainer should have the access
How does it protect the data It does not handle user data, or application data
What data needs to be purged from it for GPDR and other things? It does not store any user data so nothing action needs to be taken during GDPR request
What access does it have to the user? It does not
What access does it have to the systems in Fedora Infra It will access the fedora-messaging systems endpoints to get the data.
What kind of overflows, key leakage could happen in it.
What are the re-mediation steps needed when a security problem happens? Quickly iterate through the source, find the issue in the source.
What are the consequences and likelihood of those security problems.
Where is the source code? https://pagure.io/joystick https://github.com/coreos/mantle
Metadata Update from @pingou: - Issue tagged with: security
Note that you did not answer What are the consequences and likelihood of those security problems..
So, my answer would be:
An attacker would be able to get any random image that's anywhere on koji.fedoraproject.org uploaded and served as if it were a true Fedora image. Given that anyone can upload to koji.fedoraproject.org (to the "inbound" directory for uploading srpms at the very least), this is quite broad.
Also, given that attack vector, I disagree with your answer to What are the re-mediation steps needed when a security problem happens?.
What are the re-mediation steps needed when a security problem happens?
Note that the security audit of Joystick has been started, but cannot proceed due to https://pagure.io/joystick/issue/10 . There have also been various other problems that must be resolved before this can move on, those are tagged [secaudit,blocking]. The [secaudit,info] are purely informational, and while they would be great to get fixed, won't block approval.
[secaudit,blocking]
[secaudit,info]
I have tried to answer the question in the end.
So, my answer would be: An attacker would be able to get any random image that's anywhere on koji.fedoraproject.org uploaded and served as if it were a true Fedora image. Given that anyone can upload to koji.fedoraproject.org (to the "inbound" directory for uploading srpms at the very least), this is quite broad. Also, given that attack vector, I disagree with your answer to What are the re-mediation steps needed when a security problem happens?. Note that the security audit of Joystick has been started, but cannot proceed due to https://pagure.io/joystick/issue/10 .
Also, given that attack vector, I disagree with your answer to What are the re-mediation steps needed when a security problem happens?. Note that the security audit of Joystick has been started, but cannot proceed due to https://pagure.io/joystick/issue/10 .
Oh! I pushed the updates to the fork to to mislabeled remotes. That should be fixed now so can you continue with the security audit.
What are the consequences and likelihood of those security problems?
The main purpose of joystick is to invoke plume and upload the cloud images into various cloud providers. The uploads via plume is usually treated as a official upload. The params are passed from the what is received from fedora-messaging and then the upload to cloud providers is started. If there is a security problem, it's possible that the images uploaded can be affected.
Also it is highly possible the people using those images would also be affected.
The steps would be to identify the issue first, as soon it is identified we need to find the possible date from when the issue was introduced and start the process of removing the images after that. I don't think it is possible to get the list of users who are affected but we need to send a wide announcement about the loophole and let the users know that if they are using any of the affected AMIs they then need to purge them.
Metadata Update from @mizdebsk: - Issue tagged with: request-for-resources
Okay, as of rev 638ccd537fc3de33767ea6116af3789957d9c98c, Joystick has PASSED security audit. The latest answers to the security questions are also appropriate.
Metadata Update from @puiterwijk: - Issue untagged with: security
@smooge can you help me with the access to staging?
@sayanchowdhury I got instructions on what needs to be done.
So I think we can do this if the joystick.yml is the one to run. If we need to do something else for plume.. that is it.
Ack @smooge. I'm running the playbooks and would be doing the needed changes.
Thanks sayan. Let me know how I need to transition this to the next person and we will work it from there.
I am working with @sayanchowdhury and @dustymabe on pushing this ticket forward for the Cloud SIG. What are the next steps needed from us to help get this running on the staging instance?
Also @smooge may I ask you for help on getting access to this instance?
The access is controlled by the FAS group and I guess that was sysadmin-fedimg.
looks like @pingou is the admin for the sysadmin-fedimg group. @pingou can you grant access to @jdoss?
sysadmin-fedimg
@dustymabe I've upgraded you to sponsor and added @jdoss to both the sysadmin as well as the sysadmin-fedimg group (you may want to tweak your email filter as people in sysadmin do get a number of emails).
sysadmin
thanks @pingou
Thank you @pingou :)
Whats the status here? Are we still planning on moving forward here or there's no need now?
We would like to start using plume for releasing fedora cloud base images but not sure of the exact plan of attack right now. If @sayanchowdhury could give a summary of the current state maybe @jdoss can pick it up
@dustymabe is this still on the roadmap?
I'm going to close this. we'll track efforts here over in https://pagure.io/cloud-sig/issue/301
Metadata Update from @dustymabe: - Issue close_status updated to: Insufficient data - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.