Re: [coreos-status] Ignition config accessible to unprivileged software on VMware
by Aleksandar Kostadinov
Hi, thank you for this update!
I tried to understand how this works on bare metal. After installation with
ignition file provided on a local file system, is the file still accessible
unencrypted anywhere after the installation completes?
For machines that are remote and no human interaction is possible, I don't
see how credentials in ignition can be avoided. Even if HashiCorp is used,
then some credentials for HashiCorp should be present. Or am I mistaken?
Thank you!
On Fri, May 20, 2022 at 12:38 AM Benjamin Gilbert <bgilbert(a)redhat.com>
wrote:
> Hi all,
>
> Unprivileged software in VMware VMs, including software running in
> unprivileged containers, can retrieve an Ignition config stored in a
> hypervisor guestinfo variable or OVF environment. If the Ignition config
> contains secrets, this can result in the compromise of sensitive
> information.
>
> Starting with next week's Fedora CoreOS `testing` and `next` releases,
> Ignition will delete the Ignition config from supported hypervisors
> (currently VMware and VirtualBox) during the first boot. This ensures that
> unprivileged software cannot retrieve the Ignition config from the
> hypervisor. Existing machines will likewise delete the config when first
> upgraded to a new release. This change will be promoted to Fedora CoreOS
> `stable` after two weeks, as usual.
>
> Note that in general, we do not recommend storing secrets in Ignition
> configs [1]. In addition to VMware, many cloud platforms allow
> unprivileged
> software in a VM to retrieve the Ignition config from a networked cloud
> metadata service. While platform-specific mitigation is possible, such as
> firewall rules that prevent access to the metadata service, it's better to
> store secrets in a dedicated platform such as Hashicorp Vault [2].
>
> If you have external tooling that requires the Ignition config to remain
> accessible in VM metadata after provisioning, and your Ignition config does
> not include sensitive information, you can prevent deletion by masking
> ignition-delete-config.service. For newly-launched machines:
>
> variant: fcos
> version: 1.0.0
> systemd:
>   units:
>     - name: ignition-delete-config.service
>       mask: true
>
> To prevent upgrades from affecting existing machines:
>
> $ sudo systemctl mask ignition-delete-config.service
>
> If you have any questions or concerns, contact us in #fedora-coreos on
> Libera.Chat or open an issue in the Fedora CoreOS tracker [3].
>
> --Benjamin Gilbert, for the Fedora CoreOS team
>
> [1]: https://coreos.github.io/ignition/operator-notes/#secrets
> [2]: https://www.vaultproject.io/
> [3]: https://github.com/coreos/fedora-coreos-tracker/issues/new/choose
> _______________________________________________
> coreos-status mailing list -- coreos-status(a)lists.fedoraproject.org
> To unsubscribe send an email to
> coreos-status-leave(a)lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/coreos-status@lists.fedorap...
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
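Added example, not code from the thread or from the Fedora CoreOS project: a small Python linter that applies the announcement's advice by scanning an Ignition 3.x config for the kinds of secrets that would be exposed if the config stayed readable in hypervisor guestinfo or a cloud metadata service. The sample config and every value in it are constructed for this example; the field names follow the Ignition spec (`passwd.users[].passwordHash`, `storage.files[].contents.source`, `ignition.config.merge`/`replace`), and the keyword pattern used to classify inline file contents is an assumption you would tune for your own configs.

```python
import base64
import json
import re
from urllib.parse import unquote, urlparse

# Constructed sample Ignition 3.x config (not from the mailing-list post).
# It embeds three things that should never ride along in an Ignition config:
# a password hash, an inline credential file, and a merge URL with a password.
SAMPLE_IGNITION = json.dumps({
    "ignition": {
        "version": "3.3.0",
        "config": {
            "merge": [
                {"source": "https://deploy:hunter2@config.example.internal/base.ign"}
            ]
        },
    },
    "passwd": {
        "users": [
            {"name": "core",
             "passwordHash": "$6$saltsalt$" + "x" * 86,
             "sshAuthorizedKeys": ["ssh-ed25519 AAAAC3... core@host"]}
        ]
    },
    "storage": {
        "files": [
            {"path": "/etc/motd",
             "contents": {"source": "data:,Welcome%20to%20the%20node"}},
            {"path": "/etc/app/token",
             "mode": 384,
             "contents": {"source": "data:;base64," + base64.b64encode(
                 b"API_TOKEN=sk-constructed-example").decode()}},
        ]
    },
})

# Assumed keyword heuristic for credential-like inline file contents.
SECRET_PATTERN = re.compile(r"(PRIVATE KEY|TOKEN|PASSWORD|SECRET)", re.IGNORECASE)


def decode_data_url(source):
    """Return the payload bytes of an RFC 2397 data: URL, or None for other schemes."""
    if not source.startswith("data:"):
        return None
    header, _, payload = source[len("data:"):].partition(",")
    if header.endswith(";base64"):
        return base64.b64decode(payload)
    return unquote(payload).encode()


def find_secrets(config_json):
    """Walk an Ignition config and return (json_path, reason) tuples for secret-bearing fields."""
    cfg = json.loads(config_json)
    findings = []

    # 1. Password hashes: readable to anything that can fetch the config, crackable offline.
    for user in cfg.get("passwd", {}).get("users", []):
        if user.get("passwordHash"):
            findings.append(("passwd.users[%s].passwordHash" % user.get("name"),
                             "password hash"))

    # 2. Inline file contents (data: URLs) that look like credentials.
    for f in cfg.get("storage", {}).get("files", []):
        payload = decode_data_url(f.get("contents", {}).get("source", ""))
        if payload is not None and SECRET_PATTERN.search(payload.decode(errors="replace")):
            findings.append(("storage.files[%s].contents.source" % f.get("path"),
                             "credential-like inline content"))

    # 3. Remote config references carrying credentials in the URL or in auth headers.
    #    `merge` is a list of resources; `replace` is a single resource object.
    for kind in ("merge", "replace"):
        refs = cfg.get("ignition", {}).get("config", {}).get(kind)
        if refs is None:
            continue
        if isinstance(refs, dict):
            refs = [refs]
        for i, ref in enumerate(refs):
            url = urlparse(ref.get("source", ""))
            if url.password:
                findings.append(("ignition.config.%s[%d].source" % (kind, i),
                                 "credentials in URL"))
            if ref.get("httpHeaders"):
                findings.append(("ignition.config.%s[%d].httpHeaders" % (kind, i),
                                 "HTTP auth headers"))
    return findings


if __name__ == "__main__":
    for path, reason in find_secrets(SAMPLE_IGNITION):
        print("%-50s %s" % (path, reason))
```

Running the linter over a rendered config (for example the output of `butane` before it is handed to the hypervisor) turns the "do not store secrets in Ignition" recommendation into a check that can gate a deployment pipeline; anything it flags should move to a secrets manager such as Vault, which the config then fetches at first boot with a short-lived credential rather than a long-lived one.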
Fedora CoreOS Meeting Minutes 2022-05-18
by Dusty Mabe
Minutes: https://meetbot.fedoraproject.org/fedora-meeting-1/2022-05-18/fedora_core...
Minutes (text): https://meetbot.fedoraproject.org/fedora-meeting-1/2022-05-18/fedora_core...
Log: https://meetbot.fedoraproject.org/fedora-meeting-1/2022-05-18/fedora_core...
========================================
#fedora-meeting-1: fedora_coreos_meeting
========================================
Meeting started by dustymabe at 16:30:01 UTC. The full logs are available at
https://meetbot.fedoraproject.org/fedora-meeting-1/2022-05-18/fedora_core...
Meeting summary
---------------
* roll call (dustymabe, 16:30:04)
* Action items from last meeting (dustymabe, 16:36:29)
* May Edition of "This Month in FCOS" (dustymabe, 16:37:35)
  * LINK: https://github.com/coreos/fedora-coreos-tracker/issues/1188
    (dustymabe, 16:37:42)
  * LINK: https://github.com/coreos/rpm-ostree/releases/tag/v2022.9
    (lucab, 16:45:54)
  * LINK: https://github.com/ostreedev/ostree/releases/tag/v2022.3
    (lucab, 16:47:27)
* develop strategy around organization and naming for our containers in
  quay.io (dustymabe, 16:49:39)
  * LINK: https://github.com/coreos/fedora-coreos-tracker/issues/1171
    (dustymabe, 16:49:44)
  * ACTION: dustymabe jaimelm to reach out to fedora infra about creds
    for pushing to `quay.io/fedora/fedora-coreos` and
    `quay.io/fedora/fedora-coreos-kubevirt`. (dustymabe, 16:50:32)
* open floor (dustymabe, 16:51:50)
  * LINK:
    https://github.com/coreos/fedora-coreos-cincinnati/pull/65#issuecomment-1...
    (lucab, 17:01:42)
  * LINK:
    https://github.com/coreos/fedora-coreos-cincinnati/pull/66#issuecomment-1...
    (lucab, 17:04:55)
  * LINK: https://github.com/coreos/fedora-coreos-tracker/issues/1203
    (miabbott, 17:05:25)
  * LINK: https://github.com/coreos/fedora-coreos-tracker/issues/1201
    (lucab, 17:09:25)
Meeting ended at 17:32:17 UTC.
Action Items
------------
* dustymabe jaimelm to reach out to fedora infra about creds for pushing
  to `quay.io/fedora/fedora-coreos` and
  `quay.io/fedora/fedora-coreos-kubevirt`.
Action Items, by person
-----------------------
* dustymabe
  * dustymabe jaimelm to reach out to fedora infra about creds for
    pushing to `quay.io/fedora/fedora-coreos` and
    `quay.io/fedora/fedora-coreos-kubevirt`.
* **UNASSIGNED**
  * (none)
People Present (lines said)
---------------------------
* dustymabe (114)
* lucab (62)
* zodbot (34)
* travier (25)
* jlebon (20)
* miabbott (8)
* mnguyen_ (3)
* aaradhak (2)
* travier_ (1)
* jmarrero (1)
* ravanelli (1)
* gursewak (1)
Generated by `MeetBot`_ 0.4
.. _`MeetBot`: https://fedoraproject.org/wiki/Zodbot#Meeting_Functions
Fedora CoreOS Meeting Minutes 2022-05-11
by Timothée Ravier
Minutes: https://meetbot.fedoraproject.org/fedora-meeting-1/2022-05-11/fedora_core...
Minutes (text): https://meetbot.fedoraproject.org/fedora-meeting-1/2022-05-11/fedora_core...
Log: https://meetbot.fedoraproject.org/fedora-meeting-1/2022-05-11/fedora_core...
========================================
#fedora-meeting-1: fedora_coreos_meeting
========================================
Meeting started by travier at 16:32:37 UTC. The full logs are available at
https://meetbot.fedoraproject.org/fedora-meeting-1/2022-05-11/fedora_core...
Meeting summary
---------------
* roll call (travier, 16:32:41)
* Action items from last meeting (travier, 16:36:24)
* coreos autoinstall creates huge number of xfs allocation groups #1183
  (travier, 16:38:22)
  * LINK: https://github.com/coreos/fedora-coreos-tracker/issues/1183
    (travier, 16:38:29)
  * AGREED: Given that we have a valid and recommended workaround for
    this issue, we will investigate option A (adding auto-detection and
    auto re-provisioning). We will reach out to XFS folks to get a
    better understanding of our options and to see if F is also doable.
    (travier, 17:08:22)
* New Package Request: nmstate-libs and nmstate #1175 (travier,
  17:11:12)
  * LINK: https://github.com/coreos/fedora-coreos-tracker/issues/1175
    (travier, 17:11:18)
* use internal qcow2 compression for nutanix image #1191 (travier,
  17:12:02)
  * LINK: https://github.com/coreos/fedora-coreos-tracker/issues/1191
    (travier, 17:12:09)
  * LINK: https://github.com/coreos/coreos-assembler/pull/2848 (Sid__,
    17:14:17)
  * AGREED: We will switch the Nutanix artifacts to an internally
    compressed qcow2 image for the next cycle for testing & next and the
    following one for stable. This breaking change will be announced
    ASAP. (travier, 17:33:45)
* Open Floor (travier, 17:33:56)
  * Fedora 36 has been released to our `testing` stream! (dustymabe,
    17:35:10)
  * LINK:
    https://hopin.com/events/fedora-linux-36-release-party/registration
    (dustymabe, 17:37:28)
Meeting ended at 17:41:33 UTC.
Action Items
------------
Action Items, by person
-----------------------
* **UNASSIGNED**
  * (none)
People Present (lines said)
---------------------------
* dustymabe (76)
* travier (67)
* bgilbert (62)
* jlebon (34)
* zodbot (23)
* cmurf (21)
* lucab (19)
* Sid__ (14)
* miabbott (8)
* ravanell_ (4)
* saqali (1)
* miabbott_ (1)
* aaradhak (1)
* walters (1)
* aaradhak[m] (1)
* mikelo_ (0)
* +cmurf (0)
Generated by `MeetBot`_ 0.4
.. _`MeetBot`: https://fedoraproject.org/wiki/Zodbot#Meeting_Functions