Nova networking IPtables rules not reinstated with soft reboot
Change-Id: Ib6158b24fbb4b1bbff328df664091f51a8013b95 Closes-Bug: 1316822
This commit is contained in:
Doug Chivers
Nathan Kinder
parent
abb944a64d
commit
98faa2717a
|
|
@ -0,0 +1,53 @@
|
|||
Nova Networking does not enforce security group rules following a soft
|
||||
reboot of an instance
|
||||
---
|
||||
|
||||
### Summary ###
|
||||
In deployments using Nova Networking, security group rules associated
|
||||
with an instance may not be enforced after a soft reboot. If the
|
||||
security group rules have not previously been applied to an instance,
|
||||
then performing a soft reboot of that instance will cause it to be
|
||||
started without security group rules being applied.
|
||||
|
||||
Deployments using Neutron are not impacted.
|
||||
|
||||
### Affected Services / Software ###
|
||||
Nova, Havana, Grizzly
|
||||
|
||||
### Discussion ###
|
||||
In Nova deployments using Nova Networking, security groups are
|
||||
implemented using iptables, which is used to configure and control
|
||||
network traffic into Nova instances. When an instance is first booted
|
||||
using the normal boot method (nova boot <instance_id>), the security
|
||||
group rules are applied to that instance.
|
||||
|
||||
When an instance is rebooted using the soft reboot method (nova reboot
|
||||
<instance_id>), the security group rules are not reapplied since they
|
||||
should have been already applied when the instance was initially booted.
|
||||
If the security group rules have not been previously applied, the
|
||||
instance will be brought up without security group enforcement. This
|
||||
situation is most likely to arise in cases where the Nova compute
|
||||
service has been terminated or restarted, which removes all iptables
|
||||
rules. If a stopped instance is then started by using a soft reboot, it
|
||||
will not have any security group rules applied. A hard reboot (nova
|
||||
reboot --hard <instance_id>) reapplies the security group rules, so it
|
||||
is not susceptible to this issue.
|
||||
|
||||
Depending on the deployment architecture, this could breach security
|
||||
assumptions and leave an instance vulnerable to network based attacks.
|
||||
|
||||
This issue only affects the Havana and Grizzly releases. The Icehouse
|
||||
release does not allow a stopped instance to be started using a soft
|
||||
reboot, therefore this issue does not affect the Icehouse release.
|
||||
|
||||
### Recommended Actions ###
|
||||
Do not to use the soft reboot method to start instances from the
|
||||
stopped state. If instances are in the stopped state, boot using "nova
|
||||
boot <instance_id>" or reboot using "nova reboot --hard <instance_id>"
|
||||
to force the security group rules to be applied.
|
||||
|
||||
### Contacts / References ###
|
||||
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0022
|
||||
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1316822
|
||||
OpenStack Security ML : openstack-security@lists.openstack.org
|
||||
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
||||
Loading…
Reference in New Issue