1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
---
security:
- |
Fixes OSSA-2025-001, where Ironic did not properly filter file:// paths
when used as image sources. This would permit any file accessible by the
conductor to be used as an image to attempt deployment.
Adds ``CONF.conductor.file_url_allowed_paths``, an allowlist configuration
defaulting to ``/var/lib/ironic``, ``/shared/html``,
``/opt/cache/files``, ``/vagrant``, and ``/templates``,
permits operators to further restrict where the conductor will fetch
images for when provided a file:// URL. This default value was chosen
based on known usage by projects downstream of Ironic, including Metal3,
Bifrost, and OpenShift. These defaults may change to be more restrictive
at a later date. Operators using file:// URLs are encouraged to explicitly
set this value even if the current default is sufficient. Operators wishing
to fully disable the ability to deploy with a file:// URL should set this
configuration to "" (empty).
Operators wishing to restore the original insecure behavior should set
``CONF.conductor.file_url_allowed_paths`` to ``/``. Take note that in the
2025.2 release and later, ``/dev``, ``/sys``, ``/proc``, ``/run``, and
``/etc`` will be unconditionally blocked as a security measure.
This issue only poses a significant security risk when Ironic's
automated cleaning process is disabled and the service is configured in
such a way that permits direct deployment by an untrusted API user, such as
standalone Ironic installations or environments granting ownership of nodes
to projects.
|
