[Yahoo-eng-team] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node

2015-01-27 Thread Sean Dague
Agreed by core team that this is mostly a deployment topology issue, and
nova-network was never designed to address it. Will not fix it.

** Changed in: nova
Milestone: kilo-2 => None

** Changed in: nova
   Status: In Progress => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1316271

Title:
  Network Security: VM hosts can SSH to compute node

Status in OpenStack Compute (Nova):
  Won't Fix
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Hi guys,

  We're still using nova-network and we'll be using it for a while
  and we noticed that the VM guests can contact the compute nodes on all
  ports ... The one we're the most preoccupied with is SSH.   We've
  written the following patch in order to isolate the VM guests from the
  VM hosts.

  --- linux_net.py.orig   2014-05-05 17:25:10.171746968 +
  +++ linux_net.py2014-05-05 18:42:54.569209220 +
  @@ -805,6 +805,24 @@

  
   @utils.synchronized('lock_gateway', external=True)
  +def isolate_compute_from_guest(network_ref):
  +if not network_ref:
  +return
  +
  +iptables_manager.ipv4['filter'].add_rule('INPUT',
  + '-p tcp -d %s --dport 8775 '
  + '-j ACCEPT' % 
network_ref['dhcp_server'])
  +iptables_manager.ipv4['filter'].add_rule('FORWARD',
  + '-p tcp -d %s --dport 8775 '
  + '-j ACCEPT' % 
network_ref['dhcp_server'])
  +iptables_manager.ipv4['filter'].add_rule('INPUT',
  + '-d %s '
  + '-j DROP' % 
network_ref['dhcp_server'])
  +iptables_manager.ipv4['filter'].add_rule('FORWARD',
  + '-d %s '
  + '-j DROP' % 
network_ref['dhcp_server'])
  +iptables_manager.apply()
  +
   def initialize_gateway_device(dev, network_ref):
   if not network_ref:
   return
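Review bot: the catch-all `-d <dhcp_server> -j DROP` rules added by isolate_compute_from_guest() carry no `-i` interface match, so they apply to every packet addressed to the gateway IP regardless of where it enters the host (loopback and the management interface included), not only to traffic arriving from the guest bridge; both call sites have `dev` in scope, so pass it in and add `-i %s` to the ACCEPT and DROP rules to keep the isolation on the guest-facing side. Only TCP 8775 (metadata) is explicitly excepted; DHCP (67/udp) and DNS (53) on the same address depend on the ACCEPT rules `_add_dnsmasq_accept_rules()` has already appended, so the function is only correct when it runs after that call, which deserves a comment. Note also that the rules are IPv4-only (`iptables_manager.ipv4`) and match just the dhcp_server address; any other address the compute node exposes on a guest-reachable network is not covered, which is the deployment-topology point Sean Dague's reply makes.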
  @@ -1046,6 +1064,7 @@
   try:
   _execute('kill', '-HUP', pid, run_as_root=True)
   _add_dnsmasq_accept_rules(dev)
  +isolate_compute_from_guest(network_ref)
   return
   except Exception as exc:  # pylint: disable=W0703
   LOG.error(_('Hupping dnsmasq threw %s'), exc)
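Review bot: the new isolate_compute_from_guest(network_ref) call sits inside the `try` around the HUP, so if add_rule() or apply() raises, the failure is logged as "Hupping dnsmasq threw" and control falls through to the restart path, which (per the next hunk) calls the same function again; placing the call once after the try/except, covering both paths, avoids the misleading log line and the double invocation. It is also worth confirming that re-adding identical rules on every HUP does not accumulate duplicates in the chain if the table does not de-duplicate them.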
  @@ -1098,6 +1117,7 @@

   _add_dnsmasq_accept_rules(dev)

  +isolate_compute_from_guest(network_ref)

   @utils.synchronized('radvd_start')
   def update_ra(context, dev, network_ref):
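Review bot: `dev` is in scope at this call site but is not passed to isolate_compute_from_guest(network_ref), which is why the rules cannot be tied to the guest bridge; consider isolate_compute_from_guest(dev, network_ref). The ordering requirement (this call must follow `_add_dnsmasq_accept_rules(dev)` so the DHCP/DNS ACCEPTs precede the DROP) is implicit here; a one-line comment stating it would keep a later reordering from silently cutting guests off from DHCP.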

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
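As an added example (not from the bug report, from nova, or from the OSSN), the audit below checks the INPUT-chain rule list that the quoted patch produces: it models rules as the plain iptables argument strings nova's IptablesManager emits, assumes the shape of `_add_dnsmasq_accept_rules()` (constructed here), and reports which guest-facing services the catch-all DROP would cut off and whether that DROP is scoped to an interface.

```python
# Added example, not code from the bug report or from nova. Rules are the
# argument strings IptablesManager emits, walked in chain order.
import re

# Services a guest must still reach on the gateway address: metadata,
# DHCP and DNS (the dnsmasq ports). Constructed list for this audit.
REQUIRED = {("tcp", 8775), ("udp", 67), ("tcp", 53), ("udp", 53)}


def _match(spec, flag):
    """Return the argument following an iptables flag, or None."""
    m = re.search(r"(?:^|\s)%s (\S+)" % re.escape(flag), spec)
    return m.group(1) if m else None


def patch_rules(gateway):
    """INPUT-chain rules the patch's isolate_compute_from_guest() adds."""
    return ["-p tcp -d %s --dport 8775 -j ACCEPT" % gateway,
            "-d %s -j DROP" % gateway]


def dnsmasq_rules(dev):
    """Modelled on nova's _add_dnsmasq_accept_rules (assumed shape)."""
    return ["-i %s -p %s --dport %d -j ACCEPT" % (dev, proto, port)
            for port in (67, 53) for proto in ("udp", "tcp")]


def audit(rules, gateway):
    """Walk an INPUT chain in order; return (dropped_services, findings)."""
    accepted, findings = set(), []
    for spec in rules:
        target = _match(spec, "-j")
        dst = _match(spec, "-d")
        proto = _match(spec, "-p")
        port = _match(spec, "--dport")
        if target == "ACCEPT" and dst in (None, gateway) and port:
            accepted.add((proto, int(port)))
        elif target == "DROP" and dst == gateway and not port:
            # First catch-all DROP for the gateway: nothing after it matters.
            if _match(spec, "-i") is None:
                findings.append("DROP for %s has no -i match: applies to "
                                "lo and the management NIC too" % gateway)
            dropped = REQUIRED - accepted
            for p_proto, p_port in sorted(dropped):
                findings.append("%s/%d would be dropped" % (p_proto, p_port))
            return dropped, findings
    return set(), findings
```

With the patch's call order (dnsmasq ACCEPTs first) only the unscoped DROP is reported; calling isolate_compute_from_guest() before `_add_dnsmasq_accept_rules()` additionally shows DHCP and DNS being dropped.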


[Yahoo-eng-team] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node

2014-06-09 Thread Thierry Carrez
** Also affects: ossn
   Importance: Undecided
   Status: New

** Changed in: ossa
   Status: Incomplete => Won't Fix

** Information type changed from Public Security to Public

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  New



[Yahoo-eng-team] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node

2014-07-01 Thread Robert Clark
OSSN Published, congratulations Stan!
https://wiki.openstack.org/wiki/OSSN/OSSN-0018

** Changed in: ossn
   Status: In Progress => Fix Released

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released



[Yahoo-eng-team] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node

2014-05-06 Thread Thierry Carrez
** Also affects: ossa
   Importance: Undecided
   Status: New

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  New
