You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2020/06/18 13:22:33 UTC

[GitHub] [cloudstack] VincentHermes opened a new issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

VincentHermes opened a new issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155


   #### ISSUE TYPE
    * Bug Report
   
   #### COMPONENT NAME
    * Domain/Account Limiting
   
   #### CLOUDSTACK VERSION
    * Tested on 4.11.3 and <b>4.14</b>
   
   #### CONFIGURATION
    * Quite irrelevant, new installation also affected
   
   #### OS / ENVIRONMENT
    * CentOS7 Nodes
    * KVM
    * Ceph
    * NFS Secondary
    * Hyperconverged
   
   #### SUMMARY
    * The VM Settings Tab allows Domain Admins to set CPU and RAM Values with <b>no restriction</b>
   
   #### STEPS TO REPRODUCE
   -- Create a custom offering, either with or without constraints.
   -- Create a Domain with a Domain Admin User
   -- Set any Domain Limit and/or Account Limit
   -- Login as the created Domain Admin of the Testing Domain
   -- Create an Instance with the settings of your choice but use the custom offering and set it to anything below your Limits. At this point, setting CPU and RAM too high is going to fail because the Limits are taken into account.
   -- Stop the Instance after creation and go to the Settings Tab of the VM
   -- You can edit the CPU and RAM of the VM as you would expect from the custom offering, however you can set the VM Parameters in this tab to anything you want and CS is going to accept it.
   -- If your hosts can handle the new VM size, CS is going to boot the VM as if nothing is strange
   
   #### EXPECTED RESULTS
    * When setting the VM Parameters via settings tab, the Domain and Account Limits should be taken into account and the action should fail
    * Maybe at least the launch should be prevented of Domain or Account Limits are reached
   
   #### ACTUAL RESULTS
    * If a Domain is set to 16 CPUs, Users (Domain Admins) can effectively create 16 VMs with 1 CPU each and set all of them to 32 CPUs afterwards. As long as the Cluster can handle the Usage, you can launch all of them and work with them like you had 512 CPUs as your Limit.
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] weizhouapache commented on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-731426102


   @DaanHoogland it might be a bug. there is no any check when change vm settings.
   
   when change cpuNumber, Memory , resource limit should be checked and resource count should be updated when vm setting is saved to db.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] weizhouapache commented on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-729149006


   @VincentHermes is global setting `resource.count.running.vms.only` true or false ?
   
   this issue seems to because there is no resource limit check when change vm setting 'cpuNumber'.
   
   if `resource.count.running.vms.only` is `true`, resource limit will be checked when start the vm, so it is not a problem.
   if `resource.count.running.vms.only` is `false`, vm will be started without exception.
   
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] rhtyd closed issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
rhtyd closed issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] VincentHermes commented on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
VincentHermes commented on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-652326878


   I didn't add a new Setting in the Settings tab. If you set a custom compute offering for a VM you get the settings "cpuNumber" and "memory" in the VM Settings Tab. Changing any of these values will change the VM Properties even above the users or domains limits.
   
   ![grafik](https://user-images.githubusercontent.com/58519110/86231927-8c7fe500-bb93-11ea-9cd5-1eca062b0f3a.png)
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] DaanHoogland commented on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-731561440


   @weizhouapache ok, removing the label again, what I read in your reply that it works as designed. so the question is is it a bug or a missing feature or something tha should be done differently from the users perspective?
   Going over quota by a work around could be considered an operator responsibility.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] VincentHermes commented on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
VincentHermes commented on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-728768015


   Sorry for the long waiting time. I just stumbled over this problem again.
   
   So this is what I did:
   
   Logging in as this account (domain-admin) (limit 16 cpus):
   ![accountview](https://user-images.githubusercontent.com/58519110/99362722-1f57bc80-28b4-11eb-9c41-434abb96d208.png)
   
   Into this Domain (limit 16 cpus):
   ![domainview](https://user-images.githubusercontent.com/58519110/99362741-254d9d80-28b4-11eb-94bf-c4bfd850e581.png)
   
   
   Editing this VM (8 cpus):
   ![vminstance](https://user-images.githubusercontent.com/58519110/99362747-27aff780-28b4-11eb-9d66-a20523179c3b.png)
   
   Which has this Compute Offering (custom constrained):
   ![serviceoffering](https://user-images.githubusercontent.com/58519110/99362758-2aaae800-28b4-11eb-8a38-80b8e54dcf21.png)
   
   Inside this menu:
   ![Settings](https://user-images.githubusercontent.com/58519110/99363659-495dae80-28b5-11eb-9183-f1901dcc4f5d.png)
   
   To 20 CPUs:
   ![20CPUs](https://user-images.githubusercontent.com/58519110/99364054-cdb03180-28b5-11eb-9304-e6b04e83b520.png)
   
   And thats perfectly fine:
   ![uebernommen](https://user-images.githubusercontent.com/58519110/99364081-d6086c80-28b5-11eb-83e7-8d45fa43d685.png)
   
   And the VM starts without a problem:
   ![gestartet](https://user-images.githubusercontent.com/58519110/99364225-03551a80-28b6-11eb-83ad-47276daea894.png)
   
   Even though the Domain and Account Limits look like that:
   ![Limits](https://user-images.githubusercontent.com/58519110/99364280-14059080-28b6-11eb-8f90-f16d7d46ab5a.png)
   
   Of course I cant create another VM because my Limit is reached:
   ![erstellen-fehler](https://user-images.githubusercontent.com/58519110/99364421-3d262100-28b6-11eb-9fee-5e8dbaa39e59.png)
   
   But if I had 20 VMs I could set all of them to 20CPUs or more without a problem and start all of them.
   
   The same thing happens on the old UI.
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] weizhouapache commented on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
weizhouapache commented on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-731563999


     
   
   > @weizhouapache ok, removing the label again, what I read in your reply that it works as designed. so the question is is it a bug or a missing feature or something tha should be done differently from the users perspective?
   > Going over quota by a work around could be considered an operator responsibility.
   
   @DaanHoogland since we provide this feature to users, we should add some checks. Otherwise, it will bring trouble not only to users, but also to admins, if users pass some unexpected value.
   
   similar as global settings,  first,  there should be a check for the type of the value (for example, Integer/Boolean/Float, etc), second, a check for possible value (an invalid value should NOT be accepted). first, check some other restrictions, for example, cpuspeed should not be changed if vm use constraint service offering. The last, check resource count/update resouce limit when update cpu cores,memory.
   
   There might be more checks needed.
   
   As an admin, I would suggest not to provide this feature to users, before these checks are added. To be clear, I suggest to add some settings to user.vm.blacklisted.details or user.vm.readonly.ui.details
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] weizhouapache edited a comment on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
weizhouapache edited a comment on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-731563999


     
   
   > @weizhouapache ok, removing the label again, what I read in your reply that it works as designed. so the question is is it a bug or a missing feature or something tha should be done differently from the users perspective?
   > Going over quota by a work around could be considered an operator responsibility.
   
   @DaanHoogland since we provide this feature to users, we should add some checks. Otherwise, it will bring trouble not only to users, but also to admins, if users pass some unexpected value.
   
   similar as global settings,  first,  there should be a check for the type of the value (for example, Integer/Boolean/Float, etc), second, a check for possible value (an invalid value should NOT be accepted). then check some other restrictions, for example, cpuspeed should not be changed if vm use constraint service offering, cpunumber/speed/memory should not be accepted if vm uses fixed offering. The last, check resource count/update resouce limit when update cpu cores,memory.
   
   There might be more checks needed.
   
   As an admin, I would suggest not to provide this feature to users, before these checks are added. To be clear, I suggest to add some settings to user.vm.blacklisted.details or user.vm.readonly.ui.details
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] ravening commented on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
ravening commented on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-650988604


   ![Screenshot 2020-06-29 at 09 38 46](https://user-images.githubusercontent.com/10645273/85986323-56543100-b9ec-11ea-99ce-5a0d7b779e1c.png)
   
   Can you let me know what values you filled in the above settings so that I can reproduce them?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] ravening commented on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
ravening commented on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-652875658


   I was not able to reproduce the issue
   
   1. I created a domain admin with an initial resource count of 2 cpu and 1GB ram for the entire domain as shown below
   
   ![Screenshot 2020-07-02 at 10 43 10](https://user-images.githubusercontent.com/10645273/86337008-d549a380-bc50-11ea-91c9-5d77a1ab03ca.png)
   
   2. Then a created a VM with 1 core and 512mb ram
   3. Stopped the vm and the changed the settings to below value
   ![Screenshot 2020-07-02 at 10 45 30](https://user-images.githubusercontent.com/10645273/86337262-278ac480-bc51-11ea-8b71-9c12fc388d67.png)
   
   4. When I try to start the vm, I get the below error message.
   
   ![Screenshot 2020-07-02 at 10 42 41](https://user-images.githubusercontent.com/10645273/86336949-c4009700-bc50-11ea-93ee-8332780414d4.png)
   
   
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [cloudstack] rhtyd commented on issue #4155: Domain Limit Exploit for Unlimited Domain Ressources

Posted by GitBox <gi...@apache.org>.
rhtyd commented on issue #4155:
URL: https://github.com/apache/cloudstack/issues/4155#issuecomment-927675294


   Looks like the PR has been merged https://github.com/apache/cloudstack/pull/5428, closing this.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org