Motivation

In fallout from CVE: OSSA-2024-001: "Arbitrary file access through custom QCOW2 external data" [1], weaknesses have been uncovered in the image backend code that are significant enough to:

• Leave it vulnerable to regressions and corner cases related to the CVE exploit [2][3]
• Hinder development of security hardening such as disk image format tracking in the image cache
• Hinder development of storage related features such as local disk encryption, to be built on top of its current state

Problems

• Layers of indirection which obscure what code paths are taken and when (and so general fixes quickly become whack-a-mole)
• Disk image retrieval and creation code is disjointed across libvirt driver and image backend
• Code so templated that it resulted in a pattern of base class methods with arbitrary arguments (i.e. *args, **kwargs) and subclass methods with intricate if-then-else in them

Goals

• Remove unnecessary layers of indirection to make the code easier to inspect
• Consolidate as much code as possible around disk image retrieval and creation into the image backend rather than the driver
• Replace heavily templated (*args, **kwargs) methods with prescriptive methods

Future

• Add tracking of disk image format of base images in the image cache to use with deep format inspection
• Implement multiple disk image backends per compute host and per instance disk
• Implement local disk encryption

[1] https://security.openstack.org/ossa/OSSA-2024-001.html
[2] https://review.opendev.org/c/openstack/nova/+/923533
[3] https://bugs.launchpad.net/nova/+bug/2079850