openstack/security-doc
Code Issues Proposed changes
Files
f7df1f4041041cea06afd0cf811ccee6cc29b76c
security-doc/security-notes/OSSN-0018
Nathan Kinder 67b5ec2943 Migrate OSSNs to the security-doc repo 
The OpenStack Security Notes are being migrated to the new
security-doc repository that we use for the security guide.  This
patch migrates over the existing content of the old OSSN repository
without any modification to content.

Change-Id: I348d0591fc71c1174368fad7ef761e489c88ab9c
2014-08-11 12:59:28 -07:00

64 lines
2.8 KiB
Plaintext
Raw Blame History

Nova Network configuration allows guest VMs to connect to host services
---
### Summary ###
When using Nova Network to manage networking for compute instances,
instances are able to reach network services running on the host
system. This may be a security issue for the operator.
### Affected Services / Software ###
Nova, Folsom, Grizzly, Havana, Icehouse
### Discussion ###
OpenStack deployments using Nova Network, rather than Neutron for
network configuration will cause the host running the instances to be
reachable on the virtual network. Specifically, booted instances can
check the address of their gateway and try to connect to it. Any host
service which listens on the interfaces created by OpenStack and does
not apply any additional filtering will receive such traffic.
This is a security issue for deployments where the OpenStack service
users are not trusted parties, or should not be allowed to access
underlying services of the host system.
Using a specific example of devstack in default configuration, the
instance spawned inside of it will see the following routing table:
$ ip r s
default via 172.16.1.1 dev eth0
172.16.1.0/24 dev eth0 src 172.16.1.2
The instance can then use the gateway's address (172.16.1.1) to connect
to the sshd service on the host system (if one is running and listening
on all interfaces). The host system will see the connection coming from
interface `br100`.
### Recommended Actions ###
Connections like this can be stopped at various levels (libvirt filters,
specific host's iptables entries, ebtables, network service
configuration). The recommended way to protect against the incoming
connections is to stop the critical services from binding to the
Nova-controlled interfaces.
Using the sshd service as an example, the default configuration on most
systems is to bind to all interfaces and all local addresses
("ListenAddress :22" in sshd_config). In order to configure it only on
a specific interface, use "ListenAddress a.b.c.d:22" where a.b.c.d is
the address assigned to the chosen interface. Similar settings can be
found for most other services.
The list of services listening on all interfaces can be obtained by
running command 'netstat -ltu', where the '*:port' in the "Local
Address" field means the service will likely accept connections from the
local Nova instances.
If filtering of the traffic is chosen instead, care must be taken to
allow traffic coming from the running instances to services controlled
by Nova - DHCP and DNS providers.
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0018
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1316271
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
View Git Blame Copy Permalink