openstack/nova
Code Issues Proposed changes
a2984b647a
nova/doc/source/admin/security.rst
Kashyap Chamarthy f394703f7e Document mitigation for Intel MDS security flaws 
In May 2019, four new microprocessor security flaws, known as "MDS"
(Microarchitectural Data Sampling) have been discovered.  These flaws
affect unpatched Nova Compute nodes and instances running on Intel
x86_64 CPUs.  The said security flaws are also referred to as "RIDL"
(Rogue In-Flight Data Load) and "Fallout".

Refer to the following pages for further details:

 - https://access.redhat.com/security/vulnerabilities/mds
 - https://mdsattacks.com/
 - https://zombieloadattack.com/

            * * *

If we're adding the guide for "MDS" flaws, then it begs the
question: "What about mitigation guides for previous vulnerabilities?"

Two points:

(a) Write the mitigation document for rest of the previous
    vulnerabilities too, for completeness' sake. (In April 2018 I wrote
    this doc[1] for Meltdown — polish it and submit it. Parts of that
    document's content is already incorporated into the help text for
    the config attribute `cpu_model_extra_flags`.)

(b) For now, we can live with the cliché, "something is better than
    nothing"; we'll add the other docs "when we get to it".  Meanwhile,
    operators get mitigation details from various other places —
    processor vendors, Linux distributions, etc.

[1] https://kashyapc.fedorapeople.org/Reducing-OpenStack-Guest-Perf-Impact-from-Meltdown.txt

Change-Id: I1bb472c3438cc9a91945999d2350b2c59fa6a1f3
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
2019-06-05 15:55:24 +00:00

1.8 KiB
Raw Blame History

Security hardening

OpenStack Compute can be integrated with various third-party technologies to increase security. For more information, see the OpenStack Security Guide.

Encrypt Compute metadata traffic

Enabling SSL encryption

OpenStack supports encrypting Compute metadata traffic with HTTPS. Enable SSL encryption in the metadata_agent.ini file.

  1. Enable the HTTPS protocol.

    nova_metadata_protocol = https

  2. Determine whether insecure SSL connections are accepted for Compute metadata server requests. The default value is False.

    nova_metadata_insecure = False

  3. Specify the path to the client certificate.

    nova_client_cert = PATH_TO_CERT

  4. Specify the path to the private key.

    nova_client_priv_key = PATH_TO_KEY

Securing live migration streams with QEMU-native TLS

It is strongly recommended to secure all the different live migration streams of a nova instance—i.e. guest RAM, device state, and disks (via NBD) when using non-shared storage. For further details on how to set this up, refer to the secure-live-migration-with-qemu-native-tls document.

Mitigation for MDS (Microarchitectural Data Sampling) security flaws

It is strongly recommended to patch all compute nodes and nova instances against the processor-related security flaws, such as MDS (and other previous vulnerabilities). For details on applying mitigation for the MDS flaws, refer to the mitigation-for-Intel-MDS-security-flaws document.