Nova networking IPtables rules not reinstated with soft reboot
Change-Id: Ib6158b24fbb4b1bbff328df664091f51a8013b95 Closes-Bug: 1316822
This commit is contained in:
Doug Chivers
parent
abb944a64d
commit
39c8043bdf
|
|
@ -0,0 +1,60 @@
|
||||||
|
Nova Networking does not enforce security group rules following a soft
|
||||||
|
reboot of an instance
|
||||||
|
---
|
||||||
|
|
||||||
|
### Summary ###
|
||||||
|
In deployments using Nova Networking, security group rules associated
|
||||||
|
with an instance may not be enforced after a soft reboot. Nova is
|
||||||
|
designed to apply the configured security group rules to an instance
|
||||||
|
when certain operations are performed, such as a normal boot operation.
|
||||||
|
If an operation has been performed that results in the clearing of
|
||||||
|
security group rules, such as restarting the nova compute service, then
|
||||||
|
performing a soft reboot of that instance will cause it to be
|
||||||
|
started without security group rules being applied.
|
||||||
|
|
||||||
|
Deployments using Neutron are not impacted.
|
||||||
|
|
||||||
|
### Affected Services / Software ###
|
||||||
|
Nova, Havana, Grizzly
|
||||||
|
|
||||||
|
### Discussion ###
|
||||||
|
In Nova deployments using Nova Networking, security groups are
|
||||||
|
implemented using iptables, which is used to configure and control
|
||||||
|
network traffic into Nova instances. When an instance is first booted
|
||||||
|
using the normal boot method (nova boot <instance_id>), the security
|
||||||
|
group rules are applied to that instance.
|
||||||
|
|
||||||
|
When an instance is rebooted using the soft reboot method (nova reboot
|
||||||
|
<instance_id>), the security group rules are not reapplied since they
|
||||||
|
should have been already applied when the instance was initially
|
||||||
|
booted. If the security group rules have not been applied following an
|
||||||
|
event that resulted in their clearing, such as restarting the compute
|
||||||
|
service, the instance will be brought up without security group
|
||||||
|
enforcement. This situation is most likely to arise in cases where the
|
||||||
|
Nova compute service has been terminated or restarted, which removes
|
||||||
|
all iptables rules. If a stopped instance is then started by using a
|
||||||
|
soft reboot, it will not have any security group rules applied. A hard
|
||||||
|
reboot (nova reboot --hard <instance_id>) reapplies the security group
|
||||||
|
rules, so it is not susceptible to this issue.
|
||||||
|
|
||||||
|
Depending on the deployment architecture, this could breach security
|
||||||
|
assumptions and leave an instance vulnerable to network based attacks.
|
||||||
|
|
||||||
|
This issue only affects the Havana and Grizzly releases. The Icehouse
|
||||||
|
release does not allow a stopped instance to be started using a soft
|
||||||
|
reboot, therefore this issue does not affect the Icehouse release.
|
||||||
|
|
||||||
|
### Recommended Actions ###
|
||||||
|
Do not to use the soft reboot method to start instances from the
|
||||||
|
stopped state. If instances are in the stopped state, boot using "nova
|
||||||
|
boot <instance_id>" or reboot using "nova reboot --hard <instance_id>"
|
||||||
|
to force the security group rules to be applied.
|
||||||
|
|
||||||
|
### Contacts / References ###
|
||||||
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0022
|
||||||
|
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1316822
|
||||||
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
||||||
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Loading…
Reference in New Issue