On Mon, Feb 20, 2017 at 08:08:00PM +0000, Jeremy Stanley wrote:
> On 2017-02-20 14:36:15 -0500 (-0500), Clint Byrum wrote:
> > What exactly is the security concern of the metadata service? Perhaps
> > those concerns can be addressed directly?
> [...]
>
> A few I'm aware of:
>
> 1. It's something that runs in the control plane but needs to be
> reachable from untrusted server instances (which may themselves even
> want to be on completely non-routed networks).

That is the key problem that virtio-vsock solves. By separating traffic
out from the network stack, there's no way for a guest to use vsock to
access anything except services on the local compute host listening on
vsock.

> 2. If you put a Web proxy between your server instances and the
> metadata service and also make it reachable without going through
> that proxy then instances may be able to spoof one another
> (OSSN-0074).

FYI, with virtio-vsock it is impossible for the guest to spoof the
sending address of another guest. So the process on the host can use the
socket peer address to reliably identify which guest it is communicating
with. With the IP based metadata service you need to set up firewall
rules on the host to drop traffic with spoofed source MAC/IP address.

> 3. Lots of things, for example facter, like to beat on it heavily
> which makes for a fun DDoS and so is a bit of a scaling challenge in
> large deployments.

FYI, with virtio-vsock, you would need to either run the metadata
service on every compute host, or have some kind of vhost<->tcp proxy on
every compute host that forwards requests to the real metadata service
off-host.

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

_______________________________________________
OpenStack-operators mailing list
OpenStack-operators@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
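The point made in the reply about the peer address being the trust anchor can be shown with a small host-side listener. The following is an added illustration, not code from the thread, from OpenStack or from libvirt: it is a minimal vsock "metadata" server on the compute host that identifies the calling guest solely from the context ID (CID) the kernel reports in `accept()`, rather than from anything the guest sends, and refuses the reserved CIDs. The port number, the CID-to-instance registry and the instance names are constructed for the example; the reserved CID values are the ones defined for AF_VSOCK on Linux. The request handling is kept separate from the socket loop so the identity logic can be exercised without a real vsock transport.

```python
import socket

# Reserved vsock context IDs as defined in the Linux AF_VSOCK API.
VMADDR_CID_HYPERVISOR = 0
VMADDR_CID_LOCAL = 1
VMADDR_CID_HOST = 2
RESERVED_CIDS = {VMADDR_CID_HYPERVISOR, VMADDR_CID_LOCAL, VMADDR_CID_HOST}

# Hypothetical vsock port for the metadata service (not an OpenStack value).
METADATA_PORT = 8775

# Constructed registry: the CID the compute host assigned to each guest,
# mapped to the instance it belongs to. A real service would fill this
# from the hypervisor's domain configuration.
GUEST_REGISTRY = {
    3: "instance-0001-constructed",
    4: "instance-0002-constructed",
}


def identify_guest(peer_addr, registry=GUEST_REGISTRY):
    """Map the (cid, port) tuple returned by accept() to an instance id.

    The CID is filled in by the host kernel from the transport, so a guest
    cannot forge another guest's CID; no anti-spoofing firewall rule is
    needed. Reserved and unregistered CIDs are refused.
    """
    cid, _port = peer_addr
    if cid in RESERVED_CIDS:
        raise PermissionError("refusing reserved CID %d" % cid)
    if cid not in registry:
        raise PermissionError("unknown CID %d" % cid)
    return registry[cid]


def handle_request(peer_addr, request_line, registry=GUEST_REGISTRY):
    """Answer one request. Identity comes only from the peer address;
    the request body is never consulted to decide who is asking."""
    try:
        instance = identify_guest(peer_addr, registry)
    except PermissionError as exc:
        return "403 %s\n" % exc
    parts = request_line.split()
    path = parts[1] if len(parts) > 1 else "/"
    if path == "/instance-id":
        return "200 %s\n" % instance
    return "404 not found\n"


def serve_forever(port=METADATA_PORT):
    """Host-side listener; requires Linux with AF_VSOCK support."""
    if not hasattr(socket, "AF_VSOCK"):
        raise RuntimeError("AF_VSOCK is not available on this platform")
    with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as srv:
        srv.bind((socket.VMADDR_CID_ANY, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()  # peer == (guest_cid, guest_port)
            with conn:
                request = conn.recv(1024).decode("ascii", "replace")
                conn.sendall(handle_request(peer, request).encode("ascii"))


if __name__ == "__main__":
    serve_forever()
```

Run on a compute host, the guest side would connect to the host CID on the same port; the server needs no knowledge of guest IP or MAC addresses, which is exactly the spoofing concern (OSSN-0074 in the quoted text) that the IP-based service has to handle with host firewall rules.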