Nova networking IPtables rules not reinstated with soft reboot
Change-Id: Ib6158b24fbb4b1bbff328df664091f51a8013b95 Closes-Bug: 1316822
This commit is contained in:
Doug Chivers
parent
abb944a64d
commit
39c8043bdf
60
notes/OSSN-0022
Normal file
60
notes/OSSN-0022
Normal file
@ -0,0 +1,60 @@
|
||||
Nova Networking does not enforce security group rules following a soft
|
||||
reboot of an instance
|
||||
---
|
||||
|
||||
### Summary ###
|
||||
In deployments using Nova Networking, security group rules associated
|
||||
with an instance may not be enforced after a soft reboot. Nova is
|
||||
designed to apply the configured security group rules to an instance
|
||||
when certain operations are performed, such as a normal boot operation.
|
||||
If an operation has been performed that results in the clearing of
|
||||
security group rules, such as restarting the nova compute service, then
|
||||
performing a soft reboot of that instance will cause it to be
|
||||
started without security group rules being applied.
|
||||
|
||||
Deployments using Neutron are not impacted.
|
||||
|
||||
### Affected Services / Software ###
|
||||
Nova, Havana, Grizzly
|
||||
|
||||
### Discussion ###
|
||||
In Nova deployments using Nova Networking, security groups are
|
||||
implemented using iptables, which is used to configure and control
|
||||
network traffic into Nova instances. When an instance is first booted
|
||||
using the normal boot method (nova boot <instance_id>), the security
|
||||
group rules are applied to that instance.
|
||||
|
||||
When an instance is rebooted using the soft reboot method (nova reboot
|
||||
<instance_id>), the security group rules are not reapplied since they
|
||||
should have been already applied when the instance was initially
|
||||
booted. If the security group rules have not been applied following an
|
||||
event that resulted in their clearing, such as restarting the compute
|
||||
service, the instance will be brought up without security group
|
||||
enforcement. This situation is most likely to arise in cases where the
|
||||
Nova compute service has been terminated or restarted, which removes
|
||||
all iptables rules. If a stopped instance is then started by using a
|
||||
soft reboot, it will not have any security group rules applied. A hard
|
||||
reboot (nova reboot --hard <instance_id>) reapplies the security group
|
||||
rules, so it is not susceptible to this issue.
|
||||
|
||||
Depending on the deployment architecture, this could breach security
|
||||
assumptions and leave an instance vulnerable to network based attacks.
|
||||
|
||||
This issue only affects the Havana and Grizzly releases. The Icehouse
|
||||
release does not allow a stopped instance to be started using a soft
|
||||
reboot, therefore this issue does not affect the Icehouse release.
|
||||
|
||||
### Recommended Actions ###
|
||||
Do not to use the soft reboot method to start instances from the
|
||||
stopped state. If instances are in the stopped state, boot using "nova
|
||||
boot <instance_id>" or reboot using "nova reboot --hard <instance_id>"
|
||||
to force the security group rules to be applied.
|
||||
|
||||
### Contacts / References ###
|
||||
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0022
|
||||
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1316822
|
||||
OpenStack Security ML : openstack-security@lists.openstack.org
|
||||
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
||||
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user