[Openstack-security] [Bug 1316822] Re: soft reboot of instance does not ensure iptables rules are present

Bryan D. Payne bdpayne at acm.org
Thu Jul 24 17:57:44 UTC 2014


Sorry that I'm a little late to the party here.  I was just made aware
of this issue today.

Bottom line is that I strongly believe that this should be an OSSA.
Security controls are expected to be in place and they are not.  That is
pretty clear cut to me.  The fact that this takes an uncommon path to
happen shouldn't mitigate that.  I see that the discussion went back and
forth above.  And perhaps it's too late to do anything.  But, if not, I
would encourage reopening an OSSA on this issue.  Thanks!

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1316822

Title:
  soft reboot of instance does not ensure iptables rules are present

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Notes:
  In Progress

Bug description:
  The iptables rules needed to implement instance security group rules
  get inserted by the "_create_domain_and_network" function in
  nova/virt/libvirt/driver.py

  This function is called by the following functions: _hard_reboot,
  resume and spawn (also in a couple of migration related functions).

  Doing "nova reboot <instance_id>" only does a soft reboot
  (_soft_reboot) and assumes that the rules are already present and
  therefore does not check or try to add them.

  If the instance is stopped (nova stop <instance_id>) and nova-compute
  is restarted (for example for a maintenance or problem), the iptables
  rules are removed as observed via output displayed in iptables -S.

  If the instance is started via nova reboot <instance_id> the rule is
  NOT reapplied until a service nova-compute restart is issued. I have
  reports that this may affect "nova start <instance_id>" as well.

  Depending on if the Cloud is public facing, this opens up a
  potentially huge security vulnerability as an instance can be powered
  on without being protected by any security group rules (not even the
  sg-fallback rule). This is unbeknownst to the instance owner or Cloud
  operators unless they specifically monitor for this situation.

  The code should not do a soft reboot/start and error out or fall back
  to a resume (start) or hard reboot if it detects that the domain is not
  running.
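Added example, not code from the bug report or from Nova: a check an operator can run over `iptables -S` output from a compute node to detect the symptom described above, an instance that is up but has no security group chain or no jump to the sg-fallback chain. The `nova-compute-inst-<id>` / `nova-compute-sg-fallback` chain names and the sample output are assumptions constructed for the example.

```python
# Constructed sample of "iptables -S" on a compute node: instance 1 is fully
# wired up, instance 2 has no chain at all (the symptom the bug describes).
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-N nova-compute-FORWARD
-N nova-compute-inst-1
-N nova-compute-sg-fallback
-A nova-compute-FORWARD -m physdev --physdev-in tap1a2b3c4d-5e -j nova-compute-inst-1
-A nova-compute-inst-1 -m state --state INVALID -j DROP
-A nova-compute-inst-1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-1 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-1 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
"""


def parse_iptables_s(text):
    """Return (set of chain names, {chain: [rule tokens]}) from 'iptables -S' output."""
    chains, rules = set(), {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "-N":            # chain definition
            chains.add(parts[1])
        elif parts[0] == "-A":          # rule appended to a chain
            rules.setdefault(parts[1], []).append(parts[2:])
    return chains, rules


def jump_targets(rule_list):
    """Targets of every '-j' in a list of tokenised rules."""
    return [r[r.index("-j") + 1] for r in rule_list if "-j" in r]


def check_instance_rules(iptables_s, instance_ids, prefix="nova-compute"):
    """Map each instance id to a list of problems; an empty list means protected.

    Assumed chain layout: FORWARD jumps into <prefix>-inst-<id>, which must
    itself end in a jump to <prefix>-sg-fallback so unmatched traffic is dropped.
    """
    chains, rules = parse_iptables_s(iptables_s)
    findings = {}
    for iid in instance_ids:
        chain, problems = f"{prefix}-inst-{iid}", []
        if chain not in chains:
            problems.append("instance chain missing")
        else:
            if chain not in jump_targets(rules.get(f"{prefix}-FORWARD", [])):
                problems.append("no jump from FORWARD chain")
            if f"{prefix}-sg-fallback" not in jump_targets(rules.get(chain, [])):
                problems.append("sg-fallback jump missing")
        findings[iid] = problems
    return findings
```

Feed it the real `iptables -S` output and the ids of instances libvirt reports as running; any non-empty entry is an instance that was powered on without its security group rules.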
