Network Security: VM hosts can SSH to compute node
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Won't Fix | Medium | David Hill | |
| OpenStack Security Advisory | Won't Fix | Undecided | Unassigned | |
| OpenStack Security Notes | Fix Released | High | Stanislaw Pitucha | |
Bug Description
Hi guys,
We're still using nova-network and we'll be using it for a while and we noticed that the VM guests can contact the compute nodes on all ports ... The one we're the most preoccupied with is SSH. We've written the following patch in order to isolate the VM guests from the VM hosts.
--- linux_net.py.orig 2014-05-05 17:25:10.171746968 +0000
+++ linux_net.py 2014-05-05 18:42:54.569209220 +0000
@@ -805,6 +805,24 @@
@utils.
+def isolate_
+ if not network_ref:
+ return
+
+ iptables_
+ '-p tcp -d %s --dport 8775 '
+ '-j ACCEPT' % network_
+ iptables_
+ '-p tcp -d %s --dport 8775 '
+ '-j ACCEPT' % network_
+ iptables_
+ '-d %s '
+ '-j DROP' % network_
+ iptables_
+ '-d %s '
+ '-j DROP' % network_
+ iptables_
+
def initialize_
if not network_ref:
return
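Review bot: the two DROP rules in this hunk each name a single destination (`'-d %s ' '-j DROP' % network_...`), so only traffic to that one address is cut off; a guest that can route to any other address the compute node holds (a management or storage interface, for instance) can still reach sshd there, which leaves the exposure this bug reports only partly closed. Consider dropping on all of the host's local addresses, or matching on the input interface, rather than on the gateway address alone, and add a comment that the two `--dport 8775` ACCEPTs must stay ahead of the DROPs because the chain is first-match. The new rules are also unconditional; the config option defaulting to off that is proposed later in the thread would keep existing deployments unchanged.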
@@ -1046,6 +1064,7 @@
try:
+ isolate_
except Exception as exc: # pylint: disable=W0703
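Review bot: the `isolate_...` call is placed inside a `try:` whose handler catches every `Exception` (the `pylint: disable=W0703` line), so a failure to install the DROP rules is swallowed and the network comes up without isolation, i.e. the change fails open. Either move the call outside that `try`, or log the failure at error level and re-raise so initialization does not report success when the rules are missing.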
@@ -1098,6 +1117,7 @@
_add_
+ isolate_
@utils.
def update_ra(context, dev, network_ref):
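Review bot: this is the second call site for `isolate_...` (the first is in the previous hunk) and both run the same `iptables_...` inserts, so unless the iptables manager de-duplicates rules the chain accumulates another ACCEPT/DROP pair each time the network is (re)initialized. Confirm the rules are idempotent, or have `isolate_...` check for existing entries before adding, and note in the function's docstring that both entry points are expected to call it.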
| Changed in | Field | Change |
|---|---|---|
| bug | information type | Private Security → Public Security |
| ossa | status | New → Incomplete |
| bug | tags | added: ebtables |
| ossa | assignee | nobody → Jeremy Stanley (fungi) |
| ossa | status | Incomplete → Won't Fix |
| bug | information type | Public Security → Public |
| ossn | assignee | nobody → Stanislaw Pitucha (stanislaw-pitucha) |
| ossn | importance | Undecided → High |
| ossn | status | New → In Progress |
| nova | milestone | none → kilo-1 |
| nova | importance | Undecided → Medium |
| nova | milestone | kilo-1 → kilo-2 |
We could add a default boolean that would be false by default before pushing this to trunk ... The effect of this patch would be the following:
Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 x.x.x.x tcp dpt:8775
DROP all -- 0.0.0.0/0 x.x.x.x
Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 x.x.x.x tcp dpt:8775
DROP all -- 0.0.0.0/0 x.x.x.x
Instead of:
Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 10.30.96.8 tcp dpt:8775
Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
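The listings above only make sense once you read them as first-match chains: the `dpt:8775` ACCEPT has to sit above the DROP, and the DROP only names one address. The following is an added example, not code from nova or from anyone in this thread. It replays the two nova-network-INPUT chains (the INPUT chain is the one that decides whether a guest reaches sshd on the host itself) against a few constructed packets. The gateway address 10.30.96.8 is taken from the unpatched listing; the second address 10.30.96.9 is a hypothetical extra IP on the same host. Because `iptables -L -n` hides `-i`/`-o` and other extended matches, the parser is only valid for chains like these whose rules match on protocol, destination and port alone; the two leading `ACCEPT all` rows in the FORWARD chain cannot be reasoned about from that output.

```python
"""Replay nova-network-INPUT chains from this bug with first-match semantics.

Added example, not nova code. Models only the columns `iptables -L -n` shows.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Gateway address as it appears in the unpatched listing in the thread.
GATEWAY = "10.30.96.8"

# Constructed sample: the patched chain as listed, x.x.x.x -> GATEWAY.
PATCHED_INPUT = f"""
Chain nova-network-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            {GATEWAY}           tcp dpt:8775
DROP       all  --  0.0.0.0/0            {GATEWAY}
"""

# Constructed sample: the unpatched chain (no 8775 ACCEPT, no DROP).
UNPATCHED_INPUT = """
Chain nova-network-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:67
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
"""


@dataclass(frozen=True)
class Rule:
    target: str            # ACCEPT / DROP
    proto: str             # "all", "tcp" or "udp"
    dst: str               # "0.0.0.0/0" or one host address
    dport: Optional[int]   # None when the rule has no --dport match


def parse_chain(listing: str) -> list[Rule]:
    """Parse `iptables -L -n` rows into Rule objects (header rows skipped)."""
    rules = []
    for line in listing.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Chain", "target"):
            continue
        target, proto, _opt, _src, dst = parts[:5]
        dport = next((int(t[4:]) for t in parts[5:] if t.startswith("dpt:")), None)
        rules.append(Rule(target, proto, dst, dport))
    return rules


def evaluate(rules: list[Rule], proto: str, dst: str, dport: int) -> str:
    """First matching rule decides. If nothing matches, the chain returns to
    its caller (reported here as RETURN); the packet is then handled by the
    rest of the INPUT chain and its policy, which is how SSH got through
    before the patch."""
    for r in rules:
        if r.proto not in ("all", proto):
            continue
        if r.dst != "0.0.0.0/0" and r.dst != dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.target
    return "RETURN"


def with_drop_first(rules: list[Rule]) -> list[Rule]:
    """Same rules with the DROP hoisted above the ACCEPTs: what a careless
    insert position would produce, and why rule order is part of the fix."""
    drops = [r for r in rules if r.target == "DROP"]
    return drops + [r for r in rules if r.target != "DROP"]


# Constructed probe packets a guest might send to the compute node.
PROBES = {
    "dhcp": ("udp", GATEWAY, 67),
    "dns": ("udp", GATEWAY, 53),
    "metadata": ("tcp", GATEWAY, 8775),
    "ssh": ("tcp", GATEWAY, 22),
    # Hypothetical second address on the same host (e.g. its management IP):
    # the DROP rule names only the gateway address, so this is not covered.
    "ssh_other_host_ip": ("tcp", "10.30.96.9", 22),
}


def verdicts(listing: str, drop_first: bool = False) -> dict[str, str]:
    """Verdict of the given chain for every probe packet."""
    rules = parse_chain(listing)
    if drop_first:
        rules = with_drop_first(rules)
    return {name: evaluate(rules, *pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, listing in (("patched", PATCHED_INPUT), ("unpatched", UNPATCHED_INPUT)):
        print(label, verdicts(listing))
    print("patched, DROP hoisted", verdicts(PATCHED_INPUT, drop_first=True))
```

With the patched chain, SSH to the gateway address is dropped while DHCP, DNS and metadata are accepted; with the unpatched chain SSH simply falls through, which is the bug. Two things the replay makes visible that the listing alone does not: hoisting the DROP above the `dpt:8775` rule silently breaks metadata, and SSH to any host address other than the gateway is still not decided by the nova chain, so the patch narrows the exposure rather than closing it.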