[Openstack-security] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node

Jeremy Stanley fungi at yuggoth.org
Tue May 27 14:10:22 UTC 2014 

For some reason I was thinking there was an OSSN covering this, but the
closest I found was the one on poor configuration instructions for live
migration exposing libvirt's control interface to tenant instances. I
also don't see anything in the security guide specifically addressing
network hardening for compute nodes (recommended filter rules for local
interfaces, isolating running services onto separate VLANs from instance
virtual interfaces, et cetera) though it's possible I've overlooked it.

** Changed in: ossa
     Assignee: Jeremy Stanley (fungi) => (unassigned)

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1316271

Title:
  Network Security: VM hosts can SSH to compute node

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  Hi guys,

      We're still using nova-network and we'll be using it for a while
  and we noticed that the VM guests can contact the compute nodes on all
  ports ... The one we're the most preoccupied with is SSH.   We've
  written the following patch in order to isolate the VM guests from the
  VM hosts.

  --- linux_net.py.orig   2014-05-05 17:25:10.171746968 +0000
  +++ linux_net.py        2014-05-05 18:42:54.569209220 +0000
  @@ -805,6 +805,24 @@

  
   @utils.synchronized('lock_gateway', external=True)
  +def isolate_compute_from_guest(network_ref):
  +    if not network_ref:
  +        return
  +
  +    iptables_manager.ipv4['filter'].add_rule('INPUT',
  +                                             '-p tcp -d %s --dport 8775 '
  +                                             '-j ACCEPT' % network_ref['dhcp_server'])
  +    iptables_manager.ipv4['filter'].add_rule('FORWARD',
  +                                             '-p tcp -d %s --dport 8775 '
  +                                             '-j ACCEPT' % network_ref['dhcp_server'])
  +    iptables_manager.ipv4['filter'].add_rule('INPUT',
  +                                             '-d %s '
  +                                             '-j DROP' % network_ref['dhcp_server'])
  +    iptables_manager.ipv4['filter'].add_rule('FORWARD',
  +                                             '-d %s '
  +                                             '-j DROP' % network_ref['dhcp_server'])
  +    iptables_manager.apply()
  +
   def initialize_gateway_device(dev, network_ref):
       if not network_ref:
           return
  @@ -1046,6 +1064,7 @@
               try:
                   _execute('kill', '-HUP', pid, run_as_root=True)
                   _add_dnsmasq_accept_rules(dev)
  +                isolate_compute_from_guest(network_ref)
                   return
               except Exception as exc:  # pylint: disable=W0703
                   LOG.error(_('Hupping dnsmasq threw %s'), exc)
  @@ -1098,6 +1117,7 @@

       _add_dnsmasq_accept_rules(dev)

  +    isolate_compute_from_guest(network_ref)

   @utils.synchronized('radvd_start')
   def update_ra(context, dev, network_ref):

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions

More information about the Openstack-security mailing list