[Openstack-security] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node
Brian Schott
1316271 at bugs.launchpad.net
Fri May 30 17:14:29 UTC 2014
Are there any downsides to enforcing that the interface can only be used for the dhcp service?—
Sent from Mailbox
On Fri, May 30, 2014 at 12:42 PM, Bryan D. Payne <bdpayne at acm.org>
wrote:
> It seems to me that people should be deploying nodes such that this
> interface isn't used for anything other than the instance's dhcp
> service. I suspect that many people are already doing this, but perhaps
> it isn't obvious that it is a necessary step for security reasons?
> --
> You received this bug notification because you are a member of OpenStack
> Security Group, which is subscribed to OpenStack.
> https://bugs.launchpad.net/bugs/1316271
> Title:
> Network Security: VM hosts can SSH to compute node
> Status in OpenStack Compute (Nova):
> New
> Status in OpenStack Security Advisories:
> Incomplete
> Bug description:
> Hi guys,
> We're still using nova-network and we'll be using it for a while
> and we noticed that the VM guests can contact the compute nodes on all
> ports ... The one we're the most preoccupied with is SSH. We've
> written the following patch in order to isolate the VM guests from the
> VM hosts.
> --- linux_net.py.orig 2014-05-05 17:25:10.171746968 +0000
> +++ linux_net.py 2014-05-05 18:42:54.569209220 +0000
> @@ -805,6 +805,24 @@
>
> @utils.synchronized('lock_gateway', external=True)
> +def isolate_compute_from_guest(network_ref):
> + if not network_ref:
> + return
> +
> + iptables_manager.ipv4['filter'].add_rule('INPUT',
> + '-p tcp -d %s --dport 8775 '
> + '-j ACCEPT' % network_ref['dhcp_server'])
> + iptables_manager.ipv4['filter'].add_rule('FORWARD',
> + '-p tcp -d %s --dport 8775 '
> + '-j ACCEPT' % network_ref['dhcp_server'])
> + iptables_manager.ipv4['filter'].add_rule('INPUT',
> + '-d %s '
> + '-j DROP' % network_ref['dhcp_server'])
> + iptables_manager.ipv4['filter'].add_rule('FORWARD',
> + '-d %s '
> + '-j DROP' % network_ref['dhcp_server'])
> + iptables_manager.apply()
> +
> def initialize_gateway_device(dev, network_ref):
> if not network_ref:
> return
> @@ -1046,6 +1064,7 @@
> try:
> _execute('kill', '-HUP', pid, run_as_root=True)
> _add_dnsmasq_accept_rules(dev)
> + isolate_compute_from_guest(network_ref)
> return
> except Exception as exc: # pylint: disable=W0703
> LOG.error(_('Hupping dnsmasq threw %s'), exc)
> @@ -1098,6 +1117,7 @@
> _add_dnsmasq_accept_rules(dev)
> + isolate_compute_from_guest(network_ref)
> @utils.synchronized('radvd_start')
> def update_ra(context, dev, network_ref):
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1316271
Title:
Network Security: VM hosts can SSH to compute node
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Advisories:
Incomplete
Bug description:
Hi guys,
We're still using nova-network and we'll be using it for a while
and we noticed that the VM guests can contact the compute nodes on all
ports ... The one we're the most preoccupied with is SSH. We've
written the following patch in order to isolate the VM guests from the
VM hosts.
--- linux_net.py.orig 2014-05-05 17:25:10.171746968 +0000
+++ linux_net.py 2014-05-05 18:42:54.569209220 +0000
@@ -805,6 +805,24 @@
@utils.synchronized('lock_gateway', external=True)
+def isolate_compute_from_guest(network_ref):
+ if not network_ref:
+ return
+
+ iptables_manager.ipv4['filter'].add_rule('INPUT',
+ '-p tcp -d %s --dport 8775 '
+ '-j ACCEPT' % network_ref['dhcp_server'])
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ '-p tcp -d %s --dport 8775 '
+ '-j ACCEPT' % network_ref['dhcp_server'])
+ iptables_manager.ipv4['filter'].add_rule('INPUT',
+ '-d %s '
+ '-j DROP' % network_ref['dhcp_server'])
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ '-d %s '
+ '-j DROP' % network_ref['dhcp_server'])
+ iptables_manager.apply()
+
def initialize_gateway_device(dev, network_ref):
if not network_ref:
return
@@ -1046,6 +1064,7 @@
try:
_execute('kill', '-HUP', pid, run_as_root=True)
_add_dnsmasq_accept_rules(dev)
+ isolate_compute_from_guest(network_ref)
return
except Exception as exc: # pylint: disable=W0703
LOG.error(_('Hupping dnsmasq threw %s'), exc)
@@ -1098,6 +1117,7 @@
_add_dnsmasq_accept_rules(dev)
+ isolate_compute_from_guest(network_ref)
@utils.synchronized('radvd_start')
def update_ra(context, dev, network_ref):
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions
More information about the Openstack-security
mailing list