yahoo-eng-team team mailing list archive
Message #16967
[Bug 1316822] Re: soft reboot of instance does not ensure iptables rules are present
After discussing with Andrew and Thierry, I'm convinced that the
potential behavior change introduced by a backport of that mitigating
commit, when weighed against the amount of social engineering needed to
exploit this in Havana, means this bug is probably better just
documented as a known behavior.
Removed the advisory task and tagged security in case the OSSG has any
interest in documenting this.
** Tags added: security
** Information type changed from Public Security to Public
** No longer affects: ossa
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1316822
Title:
soft reboot of instance does not ensure iptables rules are present
Status in OpenStack Compute (Nova):
New
Bug description:
The iptables rules needed to implement instance security group rules
get inserted by the "_create_domain_and_network" function in
nova/virt/libvirt/driver.py
This function is called by the following functions: _hard_reboot,
resume and spawn (also in a couple of migration related functions).
Doing "nova reboot <instance_id>" only does a soft reboot
(_soft_reboot) and assumes that the rules are already present and
therefore does not check or try to add them.
If the instance is stopped (nova stop <instance_id>) and nova-compute
is restarted (for example for a maintenance or problem), the iptables
rules are removed as observed via output displayed in iptables -S.
If the instance is started via nova reboot <instance_id> the rules are
NOT reapplied until a service nova-compute restart is issued. I have
reports that this may affect "nova start <instance_id>" as well.
Depending on whether the Cloud is public facing, this opens up a
potentially huge security vulnerability as an instance can be powered
on without being protected by any security group rules (not even the
sg-fallback rule). This is unbeknownst to the instance owner or Cloud
operators unless they specifically monitor for this situation.
The code should not do a soft reboot/start and should error out or fall
back to a resume (start) or hard reboot if it detects that the domain is
not running.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316822/+subscriptions
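The bug report notes that an instance can come up with no security-group chain and nobody notices "unless they specifically monitor for this situation". The following is an added example of such a monitor, written for this page; it is not Nova code and not part of the original bug or message. It parses `iptables -S` output and compares it against the list of running libvirt domains on the compute host. The naming conventions it relies on are assumptions about Nova's iptables firewall driver of that era (domain names of the form instance-%08x built from the hex of the database id, a per-instance filter chain nova-compute-inst-<id> reached by a jump from nova-compute-local, and a catch-all nova-compute-sg-fallback chain) and should be checked against the deployment before use. The sample iptables dump and domain list at the bottom are constructed so the script runs offline.

```python
"""Detect Nova instances running on a compute host without their
security-group iptables chain.  Added example, not Nova code.

Assumptions (chain/domain naming from Nova's iptables firewall driver of
the Havana era; verify against your deployment before relying on them):
  * libvirt domain names look like instance-%08x (hex of the DB id)
  * each instance gets a filter chain nova-compute-inst-<id>
  * that chain is reached via a -j from nova-compute-local
  * the catch-all chain is nova-compute-sg-fallback
"""
import re
import subprocess

CHAIN_PREFIX = "nova-compute-inst-"
LOCAL_CHAIN = "nova-compute-local"
FALLBACK_CHAIN = "nova-compute-sg-fallback"
DOMAIN_RE = re.compile(r"^instance-([0-9a-f]{8})$")


def parse_iptables_dump(text):
    """Parse `iptables -S` output into (chains, rules).

    chains: set of chain names (user chains from -N, built-ins from -P)
    rules:  list of (chain, argv) for every -A line, in order
    """
    chains, rules = set(), []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] in ("-N", "-P"):
            chains.add(parts[1])
        elif parts[0] == "-A":
            rules.append((parts[1], parts[2:]))
    return chains, rules


def jump_targets(rules, chain):
    """Set of chains that `chain` jumps to via -j."""
    targets = set()
    for c, argv in rules:
        if c == chain and "-j" in argv:
            targets.add(argv[argv.index("-j") + 1])
    return targets


def instance_id_from_domain(name):
    """instance-0000000a -> 10; None for names that are not Nova domains."""
    m = DOMAIN_RE.match(name)
    return int(m.group(1), 16) if m else None


def audit(iptables_text, domain_names):
    """Return {instance_id: problem} for running domains whose
    security-group chain is missing, unreachable or empty.  The key "*"
    reports a host-wide problem (missing fallback chain)."""
    chains, rules = parse_iptables_dump(iptables_text)
    reachable_from_local = jump_targets(rules, LOCAL_CHAIN)
    problems = {}
    if FALLBACK_CHAIN not in chains:
        problems["*"] = "fallback chain %s missing" % FALLBACK_CHAIN
    for name in domain_names:
        iid = instance_id_from_domain(name)
        if iid is None:
            continue  # not a Nova-managed domain
        chain = CHAIN_PREFIX + str(iid)
        if chain not in chains:
            problems[iid] = "chain %s not defined" % chain
        elif chain not in reachable_from_local:
            problems[iid] = "chain %s defined but never jumped to from %s" % (
                chain, LOCAL_CHAIN)
        elif not any(c == chain for c, _ in rules):
            problems[iid] = "chain %s is empty" % chain
    return problems


def running_domains():
    """Live collection on a compute node (needs virsh access; not used
    by the offline sample below)."""
    out = subprocess.check_output(["virsh", "list", "--name"]).decode()
    return [l.strip() for l in out.splitlines() if l.strip()]


# Constructed sample: instance 5 is wired correctly; instance 6 was
# soft-rebooted after a nova-compute restart and has no chain at all.
SAMPLE_IPTABLES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N nova-compute-FORWARD
-N nova-compute-local
-N nova-compute-sg-fallback
-N nova-compute-inst-5
-A FORWARD -j nova-compute-FORWARD
-A nova-compute-FORWARD -j nova-compute-local
-A nova-compute-local -d 10.0.0.5/32 -j nova-compute-inst-5
-A nova-compute-inst-5 -m state --state INVALID -j DROP
-A nova-compute-inst-5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A nova-compute-inst-5 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-5 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
"""
SAMPLE_DOMAINS = ["instance-00000005", "instance-00000006"]

if __name__ == "__main__":
    for iid, why in sorted(audit(SAMPLE_IPTABLES, SAMPLE_DOMAINS).items(),
                           key=str):
        print("UNPROTECTED %s: %s" % (iid, why))
```

On a real host, replace the constructed sample with `subprocess.check_output(["iptables", "-S"])` and `running_domains()`, and run it from cron or a monitoring agent; any non-empty result means a powered-on instance is not behind its security-group chain, which is exactly the state the bug describes after a soft reboot following a nova-compute restart.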