openstack/nova
Code Issues Proposed changes
Files
f394703f7e1e0d2df3af197ff39be04c8f51a562
nova/doc/source/admin/index.rst
Kashyap Chamarthy f394703f7e Document mitigation for Intel MDS security flaws 
In May 2019, four new microprocessor security flaws, known as "MDS"
(Microarchitectural Data Sampling) have been discovered.  These flaws
affect unpatched Nova Compute nodes and instances running on Intel
x86_64 CPUs.  The said security flaws are also referred to as "RIDL"
(Rogue In-Flight Data Load) and "Fallout".

Refer to the following pages for further details:

 - https://access.redhat.com/security/vulnerabilities/mds
 - https://mdsattacks.com/
 - https://zombieloadattack.com/

            * * *

If we're adding the guide for "MDS" flaws, then it begs the
question: "What about mitigation guides for previous vulnerabilities?"

Two points:

(a) Write the mitigation document for rest of the previous
    vulnerabilities too, for completeness' sake. (In April 2018 I wrote
    this doc[1] for Meltdown — polish it and submit it. Parts of that
    document's content is already incorporated into the help text for
    the config attribute `cpu_model_extra_flags`.)

(b) For now, we can live with the cliché, "something is better than
    nothing"; we'll add the other docs "when we get to it".  Meanwhile,
    operators get mitigation details from various other places —
    processor vendors, Linux distributions, etc.

[1] https://kashyapc.fedorapeople.org/Reducing-OpenStack-Guest-Perf-Impact-from-Meltdown.txt

Change-Id: I1bb472c3438cc9a91945999d2350b2c59fa6a1f3
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
2019-06-05 15:55:24 +00:00

1.5 KiB
Raw Blame History

Compute

The OpenStack Compute service allows you to control an Infrastructure-as-a-Service (IaaS) cloud computing platform. It gives you control over instances and networks, and allows you to manage access to the cloud through users and projects.

Compute does not include virtualization software. Instead, it defines drivers that interact with underlying virtualization mechanisms that run on your host operating system, and exposes functionality over a web-based API.

admin-password-injection.rst adv-config.rst arch.rst availability-zones.rst cells.rst configuration/index.rst configuring-migrations.rst cpu-topologies.rst default-ports.rst evacuate.rst flavors.rst huge-pages.rst live-migration-usage.rst manage-logs.rst manage-the-cloud.rst manage-users.rst manage-volumes.rst migration.rst migrate-instance-with-snapshot.rst networking-nova.rst networking.rst node-down.rst pci-passthrough.rst quotas2.rst quotas.rst remote-console-access.rst root-wrap-reference.rst security-groups.rst security.rst service-groups.rst services.rst ssh-configuration.rst support-compute.rst system-admin.rst secure-live-migration-with-qemu-native-tls.rst mitigation-for-Intel-MDS-security-flaws.rst