[Openstack-security] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node
David Hill
1316271 at bugs.launchpad.net
Thu May 15 02:15:36 UTC 2014
Well, sorry to spam, but I don't know where this could be injected in
the code... The easiest place is where it is put in iptables and it
also protects the compute node from being access from all the other
guests from all the other computes nodes. If it's a ebtable INPUT
rule, it must be global and not on a by instance basis. All my
previous patches wont work (execpt the first one) as they are on a by
instance basis or if share_dhcp_adress is set to true which is not the
case in our case.
This patch should be addressing it:
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -1447,6 +1447,9 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
if CONF.share_dhcp_address:
remove_isolate_dhcp_address(iface, network['dhcp_server'])
+ else
+ remove_isolate_compute_node(iface, network['dhcp_server'])
+
iptables_manager.apply()
return self.get_dev(network)
@@ -1627,6 +1630,13 @@ def remove_ebtables_rules(rules, table='filter'):
cmd = ['ebtables', '-t', table, '-D'] + rule.split()
_execute(*cmd, check_exit_code=False, run_as_root=True)
+def isolate_compute_node(interface, address):
+ rules = []
+ rules.append('INPUT -p TCP -i %s --dst %s --ip-destination-port 8776 -j ALLOW'
+ % (interface, address))
+ rules.append('INPUT -i %s --dst %s -j DROP'
+ % (interface, address))
+ ensure_ebtables_rules(rules)
def isolate_dhcp_address(interface, address):
# block arp traffic to address across the interface
--- a/nova/network/linux_net.py
+++ b/nova/network/linux_net.py
@@ -1430,6 +1430,9 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
if CONF.share_dhcp_address:
isolate_dhcp_address(iface, network['dhcp_server'])
+ else
+ isolate_compute_node(iface, network['dhcp_server'])
+
# NOTE(vish): applying here so we don't get a lock conflict
iptables_manager.apply()
return network['bridge']
@@ -1447,6 +1450,9 @@ class LinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
if CONF.share_dhcp_address:
remove_isolate_dhcp_address(iface, network['dhcp_server'])
+ else
+ remove_isolate_compute_node(iface, network['dhcp_server'])
+
iptables_manager.apply()
return self.get_dev(network)
@@ -1627,6 +1633,13 @@ def remove_ebtables_rules(rules, table='filter'):
cmd = ['ebtables', '-t', table, '-D'] + rule.split()
_execute(*cmd, check_exit_code=False, run_as_root=True)
+def isolate_compute_node(interface, address):
+ rules = []
+ rules.append('INPUT -p TCP -i %s --dst %s --ip-destination-port 8776 -j ALLOW'
+ % (interface, address))
+ rules.append('INPUT -i %s --dst %s -j DROP'
+ % (interface, address))
+ ensure_ebtables_rules(rules)
def isolate_dhcp_address(interface, address):
# block arp traffic to address across the interface
@@ -1659,6 +1672,13 @@ def isolate_dhcp_address(interface, address):
% (interface, address, CONF.iptables_drop_action)),
top=True)
+def remove_isolate_compute_node(interface, address):
+ rules = []
+ rules.append('INPUT -p TCP -i %s --dst %s --ip-destination-port 8776 -j ALLOW'
+ % (interface, address))
+ rules.append('INPUT -i %s --dst %s -j DROP'
+ % (interface, address))
+ remove_ebtables_rules(rules)
def remove_isolate_dhcp_address(interface, address):
# block arp traffic to address across the interface
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1316271
Title:
Network Security: VM hosts can SSH to compute node
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Advisories:
Incomplete
Bug description:
Hi guys,
We're still using nova-network and we'll be using it for a while
and we noticed that the VM guests can contact the compute nodes on all
ports ... The one we're the most preoccupied with is SSH. We've
written the following patch in order to isolate the VM guests from the
VM hosts.
--- linux_net.py.orig 2014-05-05 17:25:10.171746968 +0000
+++ linux_net.py 2014-05-05 18:42:54.569209220 +0000
@@ -805,6 +805,24 @@
@utils.synchronized('lock_gateway', external=True)
+def isolate_compute_from_guest(network_ref):
+ if not network_ref:
+ return
+
+ iptables_manager.ipv4['filter'].add_rule('INPUT',
+ '-p tcp -d %s --dport 8775 '
+ '-j ACCEPT' % network_ref['dhcp_server'])
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ '-p tcp -d %s --dport 8775 '
+ '-j ACCEPT' % network_ref['dhcp_server'])
+ iptables_manager.ipv4['filter'].add_rule('INPUT',
+ '-d %s '
+ '-j DROP' % network_ref['dhcp_server'])
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ '-d %s '
+ '-j DROP' % network_ref['dhcp_server'])
+ iptables_manager.apply()
+
def initialize_gateway_device(dev, network_ref):
if not network_ref:
return
@@ -1046,6 +1064,7 @@
try:
_execute('kill', '-HUP', pid, run_as_root=True)
_add_dnsmasq_accept_rules(dev)
+ isolate_compute_from_guest(network_ref)
return
except Exception as exc: # pylint: disable=W0703
LOG.error(_('Hupping dnsmasq threw %s'), exc)
@@ -1098,6 +1117,7 @@
_add_dnsmasq_accept_rules(dev)
+ isolate_compute_from_guest(network_ref)
@utils.synchronized('radvd_start')
def update_ra(context, dev, network_ref):
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions
More information about the Openstack-security
mailing list