
Add a build option to disallow live CD boot
Open, Requires assessment, Public

Description

Some build combinations make completely useless images. For example, an "AWS ISO" is, by itself, a completely useless thing because a) you cannot deploy an EC2 instance from an ISO image b) using such an image on any other platform makes no sense, and worse, it comes with a cloud-init setup that essentially becomes a backdoor in a non-isolated network because it blindly trusts config data coming from a certain link-local address.

We should likely disallow booting such flavours from a live CD. We already have live CD detection code in our save script. We can add a --allow-cd-boot build option that would add that check to the boot or install script and make the image refuse to work and show a prominent warning to the user.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
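
The boot-time check proposed in the description, sketched as an added example (not VyOS code and not written by the task author). It assumes a live boot is signalled by Debian live-boot's boot=live kernel parameter, that an installed image additionally carries a vyos-union= persistence parameter, and that the build option leaves a marker file on the image; the marker path, function names and sample command lines are hypothetical.

```shell
#!/bin/sh
# Added illustration of a "refuse live CD boot" guard. Not VyOS code.

# Hypothetical marker a build with --allow-cd-boot would place on the image.
ALLOW_MARKER="${ALLOW_MARKER:-/usr/share/example/allow-cd-boot}"
# Assumed kernel parameter that distinguishes an installed (persistent) image.
PERSIST_KEY="${PERSIST_KEY:-vyos-union}"

# Constructed sample kernel command lines (not captured from a real system).
LIVE_CMDLINE='BOOT_IMAGE=/live/vmlinuz boot=live components quiet'
INSTALLED_CMDLINE='BOOT_IMAGE=/boot/example/vmlinuz boot=live vyos-union=/boot/example quiet'

# is_live_cd CMDLINE: succeed when the command line describes a live boot
# with no persistence parameter. Runs in a subshell so that globbing can be
# disabled and the loop variables stay local.
is_live_cd() (
    set -f
    live=1
    persistent=1
    for tok in $1; do
        case "$tok" in
            boot=live) live=0 ;;              # whole-token match only
            "$PERSIST_KEY"=*) persistent=0 ;;
        esac
    done
    [ "$live" -eq 0 ] && [ "$persistent" -ne 0 ]
)

# boot_guard CMDLINE: return 0 to continue, 1 to refuse with a warning.
# A missing marker means the flavour was not built for live CD use.
boot_guard() {
    if is_live_cd "$1" && [ ! -e "$ALLOW_MARKER" ]; then
        echo "WARNING: this image flavour was built without live CD support." >&2
        echo "Its provisioning setup is not safe outside its target platform." >&2
        echo "Refusing to continue." >&2
        return 1
    fi
    return 0
}

# Check the running system only when invoked as: script.sh run
if [ "${1:-}" = "run" ]; then
    boot_guard "$(cat /proc/cmdline)"
fi
```

Matching whole tokens rather than substrings keeps a parameter such as `noboot=live` from being read as a live boot, and a missing marker fails closed.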

Event Timeline

I am a little confused. What is the specific function of the --allow-cd-boot compilation parameter that this task hopes to add? Forgive me for not seeming to understand!

I think the intention here is by default build with no liveCD support, and use the flag to explicitly build liveCD images when needed. The justification is if an image is cloud type image, there are certain security assumptions about the live network the image is connected to (because many cloud providers provision an image via information over specific link local addresses). If you boot a physical PC with a cloud ISO, you run the risk of exposing cloud-init to the local network, which would allow trivial takeover.

There seem to be several assumptions here.

  1. A physical PC booted with a liveCD in production, not using local storage, is basically the same as an ephemeral VM. While there might be such use cases (using a read-only filesystem), doesn't that also imply either getting settings from somewhere else somehow (similar to cloud-init), or this is a very custom ISO with a configuration already preloaded, which is a very deliberate action which would be the responsibility of the image builder themselves?
  2. That a liveCD image will normally not have cloud-init enabled. That might not be true for some cloud providers, if they have a system using ISO provisioning?

LiveCD is usually only used for temporary testing and installation, isn't it? Will using this restriction cause the normal use of livecd to become troublesome?

Does this mean to disallow installing the syslinux bootloader to the ISO by default? The reason for asking is the ARM builds we try to make, as syslinux is incompatible with ARM, and an ISO can't be generated for such a system as it tries to install syslinux when building the image.

I am suggesting switching to https://github.com/vyos/vyos-vm-images for everything, except ISO images. This will solve the problem automatically. It is already able to create images for QEMU, VMware, Hyper-V, GCE, AWS, OpenStack, Oracle, Packet, and more not mentioned in the https://github.com/vyos/vyos-build. The only one I have not tried yet is Azure.