From 39c8043bdfbcf428810284cd3c37f948d613e62e Mon Sep 17 00:00:00 2001 From: Doug Chivers Date: Mon, 21 Jul 2014 12:43:01 +0100 Subject: [PATCH] Nova networking IPtables rules not reinstated with soft reboot Change-Id: Ib6158b24fbb4b1bbff328df664091f51a8013b95 Closes-Bug: 1316822 --- notes/OSSN-0022 | 60 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 notes/OSSN-0022 diff --git a/notes/OSSN-0022 b/notes/OSSN-0022 new file mode 100644 index 0000000..c654f7a --- /dev/null +++ b/notes/OSSN-0022 @@ -0,0 +1,60 @@ +Nova Networking does not enforce security group rules following a soft +reboot of an instance +--- + +### Summary ### +In deployments using Nova Networking, security group rules associated +with an instance may not be enforced after a soft reboot. Nova is +designed to apply the configured security group rules to an instance +when certain operations are performed, such as a normal boot operation. +If an operation has been performed that results in the clearing of +security group rules, such as restarting the nova compute service, then +performing a soft reboot of that instance will cause it to be +started without security group rules being applied. + +Deployments using Neutron are not impacted. + +### Affected Services / Software ### +Nova, Havana, Grizzly + +### Discussion ### +In Nova deployments using Nova Networking, security groups are +implemented using iptables, which is used to configure and control +network traffic into Nova instances. When an instance is first booted +using the normal boot method (nova boot ), the security +group rules are applied to that instance. + +When an instance is rebooted using the soft reboot method (nova reboot +), the security group rules are not reapplied since they +should have been already applied when the instance was initially +booted. If the security group rules have not been applied following an +event that resulted in their clearing, such as restarting the compute +service, the instance will be brought up without security group +enforcement. This situation is most likely to arise in cases where the +Nova compute service has been terminated or restarted, which removes +all iptables rules. If a stopped instance is then started by using a +soft reboot, it will not have any security group rules applied. A hard +reboot (nova reboot --hard ) reapplies the security group +rules, so it is not susceptible to this issue. + +Depending on the deployment architecture, this could breach security +assumptions and leave an instance vulnerable to network based attacks. + +This issue only affects the Havana and Grizzly releases. The Icehouse +release does not allow a stopped instance to be started using a soft +reboot, therefore this issue does not affect the Icehouse release. + +### Recommended Actions ### +Do not to use the soft reboot method to start instances from the +stopped state. If instances are in the stopped state, boot using "nova +boot " or reboot using "nova reboot --hard " +to force the security group rules to be applied. + +### Contacts / References ### +This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0022 +Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1316822 +OpenStack Security ML : openstack-security@lists.openstack.org +OpenStack Security Group : https://launchpad.net/~openstack-ossg + + +