Comment 22 for bug 1316271

Brian Schott (bfschott) wrote : Re: [Openstack-security] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node

Are there any downsides to enforcing that the interface can only be used for the dhcp service?
—
Sent from Mailbox

On Fri, May 30, 2014 at 12:42 PM, Bryan D. Payne <email address hidden> wrote:

> It seems to me that people should be deploying nodes such that this
> interface isn't used for anything other than the instance's dhcp
> service. I suspect that many people are already doing this, but perhaps
> it isn't obvious that it is a necessary step for security reasons?
> --
> You received this bug notification because you are a member of OpenStack
> Security Group, which is subscribed to OpenStack.
> https://bugs.launchpad.net/bugs/1316271
> Title:
> Network Security: VM hosts can SSH to compute node
> Status in OpenStack Compute (Nova):
> New
> Status in OpenStack Security Advisories:
> Incomplete
> Bug description:
> Hi guys,
> We're still using nova-network and we'll be using it for a while
> and we noticed that the VM guests can contact the compute nodes on all
> ports ... The one we're the most preoccupied with is SSH. We've
> written the following patch in order to isolate the VM guests from the
> VM hosts.
> --- linux_net.py.orig 2014-05-05 17:25:10.171746968 +0000
> +++ linux_net.py 2014-05-05 18:42:54.569209220 +0000
> @@ -805,6 +805,24 @@
>
> @utils.synchronized('lock_gateway', external=True)
> +def isolate_compute_from_guest(network_ref):
> + if not network_ref:
> + return
> +
> + iptables_manager.ipv4['filter'].add_rule('INPUT',
> + '-p tcp -d %s --dport 8775 '
> + '-j ACCEPT' % network_ref['dhcp_server'])
> + iptables_manager.ipv4['filter'].add_rule('FORWARD',
> + '-p tcp -d %s --dport 8775 '
> + '-j ACCEPT' % network_ref['dhcp_server'])
> + iptables_manager.ipv4['filter'].add_rule('INPUT',
> + '-d %s '
> + '-j DROP' % network_ref['dhcp_server'])
> + iptables_manager.ipv4['filter'].add_rule('FORWARD',
> + '-d %s '
> + '-j DROP' % network_ref['dhcp_server'])
> + iptables_manager.apply()
> +
> def initialize_gateway_device(dev, network_ref):
> if not network_ref:
> return
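Review bot: the `@utils.synchronized('lock_gateway', external=True)` decorator shown as context directly above `+def isolate_compute_from_guest(network_ref):` now attaches to the new function instead of `initialize_gateway_device`, which silently loses its gateway lock; move the new function above the decorator (or below the original function) so `initialize_gateway_device` keeps it, and decide separately whether the new function needs a lock of its own. The two `-j DROP` rules also match everything addressed to `network_ref['dhcp_server']`, not only SSH, so DHCP and DNS to dnsmasq keep working only if the accept rules from `_add_dnsmasq_accept_rules(dev)` are ordered ahead of them in INPUT; that ordering dependency deserves a comment, and nothing in the hunk removes the rules when a network is torn down.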
> @@ -1046,6 +1064,7 @@
> try:
> _execute('kill', '-HUP', pid, run_as_root=True)
> _add_dnsmasq_accept_rules(dev)
> + isolate_compute_from_guest(network_ref)
> return
> except Exception as exc: # pylint: disable=W0703
> LOG.error(_('Hupping dnsmasq threw %s'), exc)
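Review bot: placing `isolate_compute_from_guest(network_ref)` inside this `try` means any failure while adding the isolation rules is logged as `Hupping dnsmasq threw %s` and handled as a HUP failure, leaving the guests without the isolation the patch intends and with a misleading log line (fail open). Call it after the `try`/`except`, or catch and log its failure separately, so a missing DROP rule is distinguishable from a dnsmasq restart problem.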
> @@ -1098,6 +1117,7 @@
> _add_dnsmasq_accept_rules(dev)
> + isolate_compute_from_guest(network_ref)
> @utils.synchronized('radvd_start')
> def update_ra(context, dev, network_ref):
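Review bot: the blank lines between `+ isolate_compute_from_guest(network_ref)` and `@utils.synchronized('radvd_start')` appear to have been lost in the quoting, so the hunk as pasted will not apply cleanly; attaching the patch as a file or submitting it as a review change would avoid that. This call and the one in the HUP path both add rules but neither path removes them, so a note on how the rules are expected to be cleaned up (or a matching removal in the teardown path) would help.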
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions
> _______________________________________________
> Openstack-security mailing list
> <email address hidden>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security