[Openstack-security] [Bug 1316822] Re: soft reboot of instance does not ensure iptables rules are present
Robert Clark
1316822 at bugs.launchpad.net
Thu Jul 17 17:34:53 UTC 2014
** Changed in: ossn
Importance: Undecided => High
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1316822
Title:
soft reboot of instance does not ensure iptables rules are present
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Notes:
In Progress
Bug description:
The iptables rules needed to implement instance security group rules
get inserted by the "_create_domain_and_network" function in
nova/virt/libvirt/driver.py
This function is called by the following functions: _hard_reboot,
resume and spawn (also in a couple of migration related functions).
Doing "nova reboot <instance_id>" only does a soft reboot
(_soft_reboot) and assumes that the rules are already present and
therefore does not check or try to add them.
If the instance is stopped (nova stop <instance_id>) and nova-compute
is restarted (for example for a maintenance or problem), the iptables
rules are removed as observed via output displayed in iptables -S.
If the instance is started via nova reboot <instance_id> the rule is
NOT reapplied until a service nova-compute restart is issued. I have
reports that this may affect "nova start <instance_id>" as well.
Depending on whether the Cloud is public-facing, this opens up a
potentially huge security vulnerability as an instance can be powered
on without being protected by any security group rules (not even the
sg-fallback rule). This is unbeknownst to the instance owner or Cloud
operators unless they specifically monitor for this situation.
The code should not do a soft reboot/start and should error out or fall back
to a resume (start) or hard reboot if it detects that the domain is not
running.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316822/+subscriptions
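The bug report notes that the missing rules go unnoticed unless operators monitor for them. The following added example (not Nova code and not part of the bug thread) is such a monitoring check: it parses `iptables -S` output and reports running instances whose per-instance chain is missing, empty, or lacks the final jump to the sg-fallback chain. It assumes the chain naming convention used by Nova's iptables firewall driver, `nova-compute-inst-<instance db id>` and `nova-compute-sg-fallback`; the sample `iptables -S` output is constructed.

```python
"""Detect libvirt instances whose Nova security-group iptables chains are
missing, the condition described in bug 1316822.  Added example, not Nova code.
Chain names follow Nova's IptablesFirewallDriver convention
('nova-compute-inst-<db id>' and 'nova-compute-sg-fallback'); treat that as an
assumption and adjust for your deployment."""
import re
import subprocess

CHAIN_PREFIX = "nova-compute-"
FALLBACK_CHAIN = CHAIN_PREFIX + "sg-fallback"

# Constructed `iptables -S` excerpt: instance 7 is protected, instance 12 has
# an empty chain (rules were never re-added), instance 15 has no chain at all.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-N nova-compute-FORWARD
-N nova-compute-inst-7
-N nova-compute-inst-12
-N nova-compute-local
-N nova-compute-sg-fallback
-A nova-compute-local -d 10.0.0.5/32 -j nova-compute-inst-7
-A nova-compute-inst-7 -m state --state INVALID -j DROP
-A nova-compute-inst-7 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-7 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-7 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
"""

def parse_chains(iptables_s):
    """Return {chain: [rule args]} from `iptables -S` output ('-N' and '-A' lines)."""
    chains = {}
    for line in iptables_s.splitlines():
        m = re.match(r"-N (\S+)$", line)
        if m:
            chains.setdefault(m.group(1), [])
            continue
        m = re.match(r"-A (\S+) (.*)$", line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def unprotected_instances(iptables_s, running_ids):
    """IDs of running instances whose chain is missing, is empty, or never
    jumps to the sg-fallback chain (i.e. the instance is effectively unfiltered)."""
    chains = parse_chains(iptables_s)
    bad = []
    for inst_id in running_ids:
        rules = chains.get(f"{CHAIN_PREFIX}inst-{inst_id}")
        if not rules or not any(r.endswith(f"-j {FALLBACK_CHAIN}") for r in rules):
            bad.append(inst_id)
    return bad

def live_check(running_ids):
    """Same check against the host's real firewall (needs root and iptables)."""
    out = subprocess.run(["iptables", "-S"], check=True,
                         capture_output=True, text=True).stdout
    return unprotected_instances(out, running_ids)

if __name__ == "__main__":
    print(unprotected_instances(SAMPLE_IPTABLES_S, [7, 12, 15]))  # [12, 15]
```

Feed `live_check` the db ids of domains libvirt reports as running on the host; any id it returns is an instance that is up without its security group rules.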