From ea2b19038d4b19286ceb27598a1368044b7bca90 Mon Sep 17 00:00:00 2001
From: Javier Pena
Date: Thu, 11 May 2017 10:43:06 +0200
Subject: [PATCH] Improve security of the Nova migration
Several improvements have been made:
- SSH is now the default protocol for Nova migration.
- A specific user for migration is required, instead of nova
Change-Id: I21d131b7dab735ee9c5a033a3108490f5bdfb8cb
---
 docs/packstack.rst | 2 +-
 packstack/plugins/nova_300.py | 4 +-
 .../packstack/manifests/nova/compute.pp | 52 ++++++++++++++-----
 .../manifests/nova/compute/libvirt.pp | 5 +-
 ...gration-improvements-85b208c2b45a3fbe.yaml | 5 ++
 5 files changed, 49 insertions(+), 19 deletions(-)
 create mode 100644 releasenotes/notes/nova-migration-improvements-85b208c2b45a3fbe.yaml
diff --git a/docs/packstack.rst b/docs/packstack.rst
index 0acff915c..4a1a20b91 100755
--- a/docs/packstack.rst
+++ b/docs/packstack.rst
@@ -752,7 +752,7 @@ Nova Options
 Overcommitment ratio for virtual to physical RAM. Specify 1.0 to disable RAM overcommitment.
 **CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL**
- Protocol used for instance migration. Valid options are: tcp and ssh. Note that by default, the Compute user is created with the /sbin/nologin shell so that the SSH protocol will not work. To make the SSH protocol work, you must configure the Compute user on compute hosts manually. ['tcp', 'ssh']
+ Protocol used for instance migration. Valid options are: ssh and tcp. Note that the tcp protocol is not encrypted, so it is insecure. ['ssh', 'tcp']
 **CONFIG_NOVA_PCI_ALIAS**
 Enter the PCI passthrough array of hash in JSON style for controller eg.
diff --git a/packstack/plugins/nova_300.py b/packstack/plugins/nova_300.py
index 0977a14bf..06e9aadf5 100644
--- a/packstack/plugins/nova_300.py
+++ b/packstack/plugins/nova_300.py
@@ -134,7 +134,7 @@ def initConfig(controller):
 "migration"),
 "OPTION_LIST": ['tcp', 'ssh'],
 "VALIDATORS": [validators.validate_options],
- "DEFAULT_VALUE": 'tcp',
+ "DEFAULT_VALUE": 'ssh',
 "MASK_INPUT": False,
 "LOOSE_VALIDATION": True,
 "CONF_NAME": "CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL",
@@ -346,7 +346,7 @@ def create_compute_manifest(config, messages):
 key = "%s.%s" % (host_key_type, hostname)
 ssh_keys_details.setdefault(key, {})
 ssh_keys_details[key]['ensure'] = 'present'
- ssh_keys_details[key]['host_aliases'] = aliases + addrs
+ ssh_keys_details[key]['host_aliases'] = [hostname] + aliases + addrs
 ssh_keys_details[key]['key'] = host_key_data
 ssh_keys_details[key]['type'] = host_key_type
diff --git a/packstack/puppet/modules/packstack/manifests/nova/compute.pp b/packstack/puppet/modules/packstack/manifests/nova/compute.pp
index 50ac1fd8d..7cb8afc24 100644
--- a/packstack/puppet/modules/packstack/manifests/nova/compute.pp
+++ b/packstack/puppet/modules/packstack/manifests/nova/compute.pp
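Review bot: `"OPTION_LIST": ['tcp', 'ssh']` two lines above the changed default is left as-is, while the docs hunk in this same patch reorders the documented list to `['ssh', 'tcp']` and drops the nologin caveat; if that doc text mirrors this option's prompt (which sits above the hunk and is not in the diffstat), the prompt still carries the old caveat and the two now disagree. Consider `"OPTION_LIST": ['ssh', 'tcp'],` so any generated or copied help text matches the new default, and updating the prompt wording in the same change. The `initConfig` body continues outside the hunk.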
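Review bot: Prepending `hostname` to `host_aliases` only makes strict host-key checking work if the name nova puts into the migration URI is exactly one of `[hostname] + aliases + addrs`; with `no_verify` gone from libvirt.pp, a short hostname here versus an FQDN in the target's reported host (or the reverse) now aborts the migration with a host-key error instead of silently skipping verification. I cannot see how `hostname` and `aliases` are derived above the hunk, so it is worth confirming both forms are covered, and adding on the changed line `# known_hosts entry must match the name/address used in live_migration_uri now that host-key verification is enforced`. `create_compute_manifest` continues outside the hunk.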
@@ -10,20 +10,46 @@ class packstack::nova::compute ()
 # Install the private key to be used for live migration. This needs to be
 # configured into libvirt/live_migration_uri in nova.conf.
- file { '/etc/nova/ssh':
- ensure => directory,
- owner => root,
- group => root,
- mode => '0700',
- require => Package['nova-common'],
- }
+ $migrate_transport = hiera('CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL')
+ if $migrate_transport == 'ssh' {
+ ensure_packages(['openstack-nova-migration'], {'ensure' => 'present'})
- file { '/etc/nova/ssh/nova_migration_key':
- content => hiera('NOVA_MIGRATION_KEY_SECRET'),
- mode => '0600',
- owner => root,
- group => root,
- require => File['/etc/nova/ssh'],
+ file { '/etc/nova/migration/identity':
+ content => hiera('NOVA_MIGRATION_KEY_SECRET'),
+ mode => '0600',
+ owner => root,
+ group => root,
+ require => Package['openstack-nova-migration'],
+ }
+
+ $key_type = hiera('NOVA_MIGRATION_KEY_TYPE')
+ $key_content = hiera('NOVA_MIGRATION_KEY_PUBLIC')
+
+ file { '/etc/nova/migration/authorized_keys':
+ content => "${key_type} ${key_content}",
+ mode => '0640',
+ owner => root,
+ group => nova_migration,
+ require => Package['openstack-nova-migration'],
+ }
+
+ augeas{'Match block for user nova_migration':
+ context => '/files/etc/ssh/sshd_config',
+ changes => [
+ 'set Match[User nova_migration]/Condition/User nova_migration',
+ 'set Match[Condition/User = "nova_migration"]/Settings/AllowTcpForwarding no',
+ 'set Match[Condition/User = "nova_migration"]/Settings/AuthorizedKeysFile /etc/nova/migration/authorized_keys',
+ 'set Match[Condition/User = "nova_migration"]/Settings/ForceCommand /bin/nova-migration-wrapper',
+ 'set Match[Condition/User = "nova_migration"]/Settings/PasswordAuthentication no',
+ 'set Match[Condition/User = "nova_migration"]/Settings/X11Forwarding no',
+ ],
+ onlyif => 'match Match[Condition/User = "nova_migration"] size == 0',
+ notify => Service['sshd']
+ }
+
+ service {'sshd':
+ ensure => running,
+ }
 }
 nova_config{
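Review bot: The `onlyif => 'match Match[Condition/User = "nova_migration"] size == 0'` guard on the augeas resource applies the Match settings only when the block is absent, so if the block already exists from an earlier run, or an operator edits sshd_config and drops `ForceCommand` or flips `AllowTcpForwarding`, Puppet never restores them and the restricted-login guarantee is not enforced on re-runs; the `set` paths are idempotent on their own, so dropping the `onlyif` lets every run converge. While the block is being written, `AllowAgentForwarding no`, `PermitTunnel no` and `PermitTTY no` in the same `'set Match[Condition/User = "nova_migration"]/Settings/... no'` form would close what `ForceCommand` alone does not (agent and tunnel requests are still honoured by sshd). Separately, the removed `/etc/nova/ssh/nova_migration_key` and its directory get no `ensure => absent`, so on upgraded hosts the old private key stays on disk after nothing references it. The class continues outside the hunk.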
diff --git a/packstack/puppet/modules/packstack/manifests/nova/compute/libvirt.pp b/packstack/puppet/modules/packstack/manifests/nova/compute/libvirt.pp
index 86f5a9548..4e6f350de 100644
--- a/packstack/puppet/modules/packstack/manifests/nova/compute/libvirt.pp
+++ b/packstack/puppet/modules/packstack/manifests/nova/compute/libvirt.pp
@@ -30,8 +30,7 @@ class packstack::nova::compute::libvirt ()
 $migrate_transport = hiera('CONFIG_NOVA_COMPUTE_MIGRATE_PROTOCOL')
 if $migrate_transport == 'ssh' {
 $client_extraparams = {
- no_verify => 1,
- keyfile => '/etc/nova/ssh/nova_migration_key',
+ keyfile => '/etc/nova/migration/identity',
 }
 } else {
 $client_extraparams = {}
@@ -39,7 +38,7 @@ class packstack::nova::compute::libvirt ()
 class { '::nova::migration::libvirt':
 transport => $migrate_transport,
- client_user => 'nova',
+ client_user => 'nova_migration',
 client_extraparams => $client_extraparams,
 require => Class['::nova::compute::libvirt']
 }
diff --git a/releasenotes/notes/nova-migration-improvements-85b208c2b45a3fbe.yaml b/releasenotes/notes/nova-migration-improvements-85b208c2b45a3fbe.yaml
new file mode 100644
index 000000000..f3c034a22
--- /dev/null
+++ b/releasenotes/notes/nova-migration-improvements-85b208c2b45a3fbe.yaml
@@ -0,0 +1,5 @@
+---
+security:
+ - Improving security of the Nova migration configuration.
+ Now, ssh is the default option for Nova migration, and
+ a specific migration user is used.
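Review bot: With `no_verify => 1` gone, the remaining `keyfile => '/etc/nova/migration/identity'` line gives no hint that host-key checking is now fail-closed, and the ssh client here is presumably run by libvirtd (root), so it consults root's known_hosts and the system `/etc/ssh/ssh_known_hosts`, not anything under the nova user; the entries Packstack writes via its `sshkey` resources only satisfy this if they land in the system-wide file. A short comment above `keyfile` would save the next person a debugging session: `# no_verify was dropped deliberately: the peer host key is checked against root's / the system known_hosts (populated by Packstack's sshkey resources); a missing or mismatched entry aborts the migration instead of proceeding unverified`. The `if` branch is fully shown, but the enclosing class continues outside the hunk.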