[Openstack-security] [Bug 1316271] [NEW] Network Security: VM hosts can SSH to compute node

David Hill 1316271 at bugs.launchpad.net
Mon May 5 19:02:22 UTC 2014


*** This bug is a security vulnerability ***

Public security bug reported:

Hi guys,

    We're still using nova-network and we'll be using it for a while and
we noticed that the VM guests can contact the compute nodes on all ports
... The one we're the most preoccupied with is SSH. We've written the
following patch in order to isolate the VM guests from the VM hosts.

--- linux_net.py.orig   2014-05-05 17:25:10.171746968 +0000
+++ linux_net.py        2014-05-05 18:42:54.569209220 +0000
@@ -805,6 +805,24 @@


 @utils.synchronized('lock_gateway', external=True)
+def isolate_compute_from_guest(network_ref):
+    if not network_ref:
+        return
+
+    iptables_manager.ipv4['filter'].add_rule('INPUT',
+                                             '-p tcp -d %s --dport 8775 '
+                                             '-j ACCEPT' % network_ref['dhcp_server'])
+    iptables_manager.ipv4['filter'].add_rule('FORWARD',
+                                             '-p tcp -d %s --dport 8775 '
+                                             '-j ACCEPT' % network_ref['dhcp_server'])
+    iptables_manager.ipv4['filter'].add_rule('INPUT',
+                                             '-d %s '
+                                             '-j DROP' % network_ref['dhcp_server'])
+    iptables_manager.ipv4['filter'].add_rule('FORWARD',
+                                             '-d %s '
+                                             '-j DROP' % network_ref['dhcp_server'])
+    iptables_manager.apply()
+
 def initialize_gateway_device(dev, network_ref):
     if not network_ref:
         return
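Review bot: the new `def isolate_compute_from_guest` is inserted directly under `@utils.synchronized('lock_gateway', external=True)`, so the decorator now wraps the new function and `initialize_gateway_device` silently loses its lock; place the new function above the decorator (or after `initialize_gateway_device`) and give it its own decorator only if it actually needs serialising. On the rules themselves: the two DROP lines match every packet addressed to `dhcp_server`, with no `-i dev` restriction and no ESTABLISHED/RELATED exception, so unless an earlier rule accepts such traffic they also catch packets arriving on other interfaces, replies to connections the host opens from that address towards guests, and ICMP to the guests' default gateway. They also only cover the `dhcp_server` address, while the report says guests can reach the compute node on all ports, so any other host address reachable from the guest network stays open. Only TCP 8775 (the metadata API) is accepted ahead of the DROP; DHCP and DNS to dnsmasq therefore rely on `_add_dnsmasq_accept_rules(dev)` having been queued earlier in the same chain, which both call sites do, but that ordering requirement belongs in a docstring. Minor: `network_ref['dhcp_server']` is indexed four times with no check that the key exists; bind it once after the `if not network_ref` guard, e.g. `dhcp_server = network_ref['dhcp_server']`, and format the four rules from that.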
@@ -1046,6 +1064,7 @@
             try:
                 _execute('kill', '-HUP', pid, run_as_root=True)
                 _add_dnsmasq_accept_rules(dev)
+                isolate_compute_from_guest(network_ref)
                 return
             except Exception as exc:  # pylint: disable=W0703
                 LOG.error(_('Hupping dnsmasq threw %s'), exc)
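Review bot: the new call sits inside the `try` whose `except` logs "Hupping dnsmasq threw", so an exception raised while adding the isolation rules (a missing `dhcp_server` key, or iptables failing to apply) is caught and reported as a dnsmasq HUP failure rather than as a firewall problem, and the guest network is left unisolated with a misleading log line. Either move `isolate_compute_from_guest(network_ref)` after the `try`/`except` with its own error handling, or have the `except` say which step failed. The position after `_add_dnsmasq_accept_rules(dev)` is the right order, since the DROP rules in `isolate_compute_from_guest` would otherwise be matched before the DHCP/DNS accepts.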
@@ -1098,6 +1117,7 @@

     _add_dnsmasq_accept_rules(dev)

+    isolate_compute_from_guest(network_ref)

 @utils.synchronized('radvd_start')
 def update_ra(context, dev, network_ref):
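Review bot: the call is added after the blank line that followed `_add_dnsmasq_accept_rules(dev)`, which leaves a single blank line between the end of the function body and the `@utils.synchronized('radvd_start')` decorator; put `isolate_compute_from_guest(network_ref)` directly under `_add_dnsmasq_accept_rules(dev)` and keep the two blank lines before the next top-level definition, as the surrounding code does. Also, `isolate_compute_from_guest` ends with its own `iptables_manager.apply()`, so this site and the HUP site in the previous hunk each push the filter table again immediately after the dnsmasq accept rules; if the accept helper already applies, a single apply once both sets of rules are queued would avoid the double reload.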

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: iptables nova nova-network security

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1316271

Title:
  Network Security: VM hosts can SSH to compute node

Status in OpenStack Compute (Nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions



