#7702 RFR: Plume
Opened 5 months ago by sayanchowdhury. Modified a month ago

Describe what you would like us to do:

We plan to deprecate fedimg, and the integration has been done into plume. Going forward plume would be responsible for pushing Fedora Cloud & AH images. To deploy plume, I would need a production box and staging box.

When do you need this to be done by? (YYYY/MM/DD)

Quicker the better.

Security officer: The only one I know is @puiterwijk

Phase I

Software: Go
Advantage for Fedora: Plume will help pushing Fedora Cloud images to multiple cloud platforms.
Sponsor: need one

Phase II

Email list thread: Not yet sent.
Upstream source: https://github.com/coreos/mantle
Development contacts: sayanchowdhury
Maintainership contacts: sayanchowdhury
Load balanceable: No
Caching: No

Phase III

SOP link: Yet to be written
Audit request: Audit not yet done, but open to be done
Audit timeline: Not yet decided
Phase IV

Ansible playbooks: Not yet written

Fully rebuilt from ansible: yes
Production goal: April 2019


@sayan Can this be run on OpenShift ?

I would need to helping hand but surely can look into the possibility.

@sayan Can this be run on OpenShift ?

We'll need to consider memory usage and make sure the pod can be given enough memory to process the image files appropriately. @sayanchowdhury - can you take this into account?

Yes, agreed. I will look into that too.

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

5 months ago

I've written the playbooks and the roles for it to be deployed in stg. I would need a sponsor to move forward.

@kevin said on IRC that he can, but he is low on time so if someone else can help with sponsor. @smooge @codeblock can you help with this ticket?

Yes I can sponsor for this. please let me know what you need from me to do this

  • What data does this gather?
    The app does not gather user data. It uses fedora-messaging data to process the cloud images

  • Where does it gather it from?
    fedora-messaging

  • What data does it have access to?
    It does not have any access

  • Where does it have access?
    It does not have any access

  • Who (entity) are the parties who should have access to that data?
    It does not handle user data, or application data but if it does sysadmin-main and the application maintainer should have the access

  • How does it protect the data
    It does not handle user data, or application data

  • What data needs to be purged from it for GPDR and other things?
    It does not store any user data so nothing action needs to be taken during GDPR request

  • What access does it have to the user?
    It does not

  • What access does it have to the systems in Fedora Infra
    It will access the fedora-messaging systems endpoints to get the data.

  • What kind of overflows, key leakage could happen in it.

  • What are the re-mediation steps needed when a security problem happens?
    Quickly iterate through the source, find the issue in the source.

  • What are the consequences and likelihood of those security problems.

  • Where is the source code?
    https://pagure.io/joystick
    https://github.com/coreos/mantle

Metadata Update from @pingou:
- Issue tagged with: security

4 months ago

Note that you did not answer What are the consequences and likelihood of those security problems..

So, my answer would be:

An attacker would be able to get any random image that's anywhere on koji.fedoraproject.org uploaded and served as if it were a true Fedora image. Given that anyone can upload to koji.fedoraproject.org (to the "inbound" directory for uploading srpms at the very least), this is quite broad.

Also, given that attack vector, I disagree with your answer to What are the re-mediation steps needed when a security problem happens?.

Note that the security audit of Joystick has been started, but cannot proceed due to https://pagure.io/joystick/issue/10 .
There have also been various other problems that must be resolved before this can move on, those are tagged [secaudit,blocking].
The [secaudit,info] are purely informational, and while they would be great to get fixed, won't block approval.

Note that you did not answer What are the consequences and likelihood of those security problems..

I have tried to answer the question in the end.

So, my answer would be:

An attacker would be able to get any random image that's anywhere on koji.fedoraproject.org uploaded and served as if it were a true Fedora image. Given that anyone can upload to koji.fedoraproject.org (to the "inbound" directory for uploading srpms at the very least), this is quite broad.

Also, given that attack vector, I disagree with your answer to What are the re-mediation steps needed when a security problem happens?.
Note that the security audit of Joystick has been started, but cannot proceed due to https://pagure.io/joystick/issue/10 .

Oh! I pushed the updates to the fork to to mislabeled remotes. That should be fixed now so can you continue with the security audit.

What are the consequences and likelihood of those security problems?

The main purpose of joystick is to invoke plume and upload the cloud images into various cloud providers. The uploads via plume is usually treated as a official upload. The params are passed from the what is received from fedora-messaging and then the upload to cloud providers is started. If there is a security problem, it's possible that the images uploaded can be affected.

Also it is highly possible the people using those images would also be affected.

What are the re-mediation steps needed when a security problem happens?

The steps would be to identify the issue first, as soon it is identified we need to find the possible date from when the issue was introduced and start the process of removing the images after that. I don't think it is possible to get the list of users who are affected but we need to send a wide announcement about the loophole and let the users know that if they are using any of the affected AMIs they then need to purge them.

Metadata Update from @mizdebsk:
- Issue tagged with: request-for-resources

3 months ago

Okay, as of rev 638ccd537fc3de33767ea6116af3789957d9c98c, Joystick has PASSED security audit.
The latest answers to the security questions are also appropriate.

Metadata Update from @puiterwijk:
- Issue untagged with: security

3 months ago

@smooge can you help me with the access to staging?

@sayanchowdhury I got instructions on what needs to be done.

  1. Put the playbooks in ansible that are for this role. [I think this is playbooks/openshift-apps/joystick.yml but are there more?]
  2. I add those playbooks to rbac rules [ that seems to have been done]
  3. We run the playbooks

So I think we can do this if the joystick.yml is the one to run. If we need to do something else for plume.. that is it.

Ack @smooge. I'm running the playbooks and would be doing the needed changes.

Thanks sayan. Let me know how I need to transition this to the next person and we will work it from there.

I am working with @sayanchowdhury and @dustymabe on pushing this ticket forward for the Cloud SIG. What are the next steps needed from us to help get this running on the staging instance?

Also @smooge may I ask you for help on getting access to this instance?

The access is controlled by the FAS group and I guess that was sysadmin-fedimg.

looks like @pingou is the admin for the sysadmin-fedimg group. @pingou can you grant access to @jdoss?

@dustymabe I've upgraded you to sponsor and added @jdoss to both the sysadmin as well as the sysadmin-fedimg group (you may want to tweak your email filter as people in sysadmin do get a number of emails).

Login to comment on this ticket.

Metadata