[Openstack-security] [Bug 1316822] Re: soft reboot of instance does not ensure iptables rules are present
Jeremy Stanley
fungi at yuggoth.org
Sat Jul 26 00:28:24 UTC 2014
I think the counterargument is that you shouldn't be able to "reboot" an
instance which is in a down state, and safety checks were added in
Icehouse to prevent exactly that. The issue arises if you're running
Havana or earlier and don't realize you shouldn't reboot a down
instance, in which case it gets brought up with no filtering (because
reboot assumes it was already running and doesn't reapply them). So
essentially if you do something you're not supposed to do, you can leave
instances vulnerable--this requires a mistake on the part of an
inexperienced operator, or a fairly significant amount of social
engineering on the part of an attacker to convince the operator to make
such an error, and has since been hardened in subsequent Nova releases
anyway.
https://bugs.launchpad.net/bugs/1316822
Title:
soft reboot of instance does not ensure iptables rules are present
Status in OpenStack Compute (Nova):
New
Status in OpenStack Security Notes:
In Progress
Bug description:
The iptables rules needed to implement instance security group rules
get inserted by the "_create_domain_and_network" function in
nova/virt/libvirt/driver.py
This function is called by the following functions: _hard_reboot,
resume and spawn (also in a couple of migration related functions).
Doing "nova reboot <instance_id>" only does a soft reboot
(_soft_reboot) and assumes that the rules are already present and
therefore does not check or try to add them.
If the instance is stopped (nova stop <instance_id>) and nova-compute
is restarted (for example for a maintenance or problem), the iptables
rules are removed, as observed via output displayed in iptables -S.
If the instance is started via nova reboot <instance_id>, the rules are
NOT reapplied until a service nova-compute restart is issued. I have
reports that this may affect "nova start <instance_id>" as well.
Depending on whether the Cloud is public facing, this opens up a
potentially huge security vulnerability, as an instance can be powered
on without being protected by any security group rules (not even the
sg-fallback rule). This is unbeknownst to the instance owner or Cloud
operators unless they specifically monitor for this situation.
The code should not do a soft reboot/start; it should error out or fall
back to a resume (start) or hard reboot if it detects that the domain is
not running.
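The report notes that the gap is invisible unless operators specifically monitor for it. The script below is an added example written for this page; it is not code from the bug report, from Nova, or from the poster. It cross-checks `virsh list --all` against `iptables -S` on a compute node and flags running domains that have no per-instance security-group chain (or whose chain is never jumped to). It assumes Nova's default domain naming of `instance-%08x` of the integer instance id, and that the libvirt iptables firewall driver creates a chain named `nova-compute-inst-<id>` plus a shared `nova-compute-sg-fallback` chain; adjust the patterns if your deployment differs. The command output embedded in the script is constructed sample data, so it runs offline.

```python
"""Audit a nova-compute host for running libvirt domains that have no
per-instance security-group chain in iptables.

Assumptions (not taken from the bug report): domains are named with the
default instance_name_template 'instance-%08x' of the instance's integer
id, and the libvirt IptablesFirewallDriver creates 'nova-compute-inst-<id>'
per instance plus a shared 'nova-compute-sg-fallback' chain.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `virsh list --all` on a compute node.
VIRSH_LIST_ALL = """\
 Id    Name                           State
----------------------------------------------------
 3     instance-0000000a              running
 7     instance-0000000c              running
 -     instance-0000000d              shut off
"""

# Constructed sample of `iptables -S` after nova-compute was restarted while
# instance-0000000c (id 12) was stopped: its chain was never re-created,
# yet the domain is running again after a soft reboot.
IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-compute-FORWARD
-N nova-compute-INPUT
-N nova-compute-inst-10
-N nova-compute-local
-N nova-compute-sg-fallback
-A FORWARD -j nova-compute-FORWARD
-A nova-compute-FORWARD -j nova-compute-local
-A nova-compute-local -d 10.0.0.5/32 -j nova-compute-inst-10
-A nova-compute-inst-10 -m state --state INVALID -j DROP
-A nova-compute-inst-10 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-10 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-10 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
"""

# One virsh row: "<id or -> <domain name> <state>"; the domain name carries
# the instance id as 8 hex digits.
DOMAIN_RE = re.compile(r"^\s*\S+\s+(instance-([0-9a-f]{8}))\s+(.+?)\s*$")
# Chain definitions and the jumps from the per-host dispatch chain.
CHAIN_RE = re.compile(r"^-N (nova-compute-inst-(\d+))$")
JUMP_RE = re.compile(r"^-A nova-compute-local .*-j (nova-compute-inst-\d+)$")


def parse_virsh(text: str) -> Dict[str, int]:
    """Map each *running* domain name to its Nova instance id (hex -> int)."""
    running: Dict[str, int] = {}
    for line in text.splitlines():
        m = DOMAIN_RE.match(line)
        if m and m.group(3) == "running":
            running[m.group(1)] = int(m.group(2), 16)
    return running


def parse_iptables(text: str) -> Tuple[Set[str], Set[str], bool]:
    """Return (defined inst chains, inst chains jumped to, fallback present)."""
    defined: Set[str] = set()
    referenced: Set[str] = set()
    has_fallback = False
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            defined.add(m.group(1))
        m = JUMP_RE.match(line)
        if m:
            referenced.add(m.group(1))
        if line == "-N nova-compute-sg-fallback":
            has_fallback = True
    return defined, referenced, has_fallback


def unprotected_domains(virsh_text: str, iptables_text: str) -> List[str]:
    """Running domains whose per-instance chain is missing or never used.

    A chain that exists but is not jumped to from nova-compute-local filters
    nothing, so both conditions count as findings. A missing sg-fallback
    chain is reported separately because it affects every instance.
    """
    running = parse_virsh(virsh_text)
    defined, referenced, has_fallback = parse_iptables(iptables_text)
    findings: List[str] = []
    for name, inst_id in sorted(running.items()):
        chain = f"nova-compute-inst-{inst_id}"
        if chain not in defined or chain not in referenced:
            findings.append(name)
    if not has_fallback:
        findings.append("sg-fallback chain missing (all instances affected)")
    return findings


if __name__ == "__main__":
    # With the sample data this reports instance-0000000c (id 12), which is
    # running but has no nova-compute-inst-12 chain.
    for finding in unprotected_domains(VIRSH_LIST_ALL, IPTABLES_S):
        print("UNPROTECTED:", finding)
```

On a real host replace the two constants with the output of `virsh list --all` and `iptables -S` (both need root), and run it from cron or a monitoring agent; any finding is an instance that came up without its security-group filtering and should be hard-rebooted or have nova-compute restarted so the rules are reapplied.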