[Yahoo-eng-team] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node

Tue, 06 May 2014 07:16:18 -0700 

** Also affects: ossa
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1316271

Title:
  Network Security: VM hosts can SSH to compute node

Status in OpenStack Compute (Nova):
  New
Status in OpenStack Security Advisories:
  New

Bug description:
  Hi guys,

      We're still using nova-network and we'll be using it for a while
  and we noticed that the VM guests can contact the compute nodes on all
  ports ... The one we're the most preoccupied with is SSH.   We've
  written the following patch in order to isolate the VM guests from the
  VM hosts.

  --- linux_net.py.orig   2014-05-05 17:25:10.171746968 +0000
  +++ linux_net.py        2014-05-05 18:42:54.569209220 +0000
  @@ -805,6 +805,24 @@

  
   @utils.synchronized('lock_gateway', external=True)
  +def isolate_compute_from_guest(network_ref):
  +    if not network_ref:
  +        return
  +
  +    iptables_manager.ipv4['filter'].add_rule('INPUT',
  +                                             '-p tcp -d %s --dport 8775 '
  +                                             '-j ACCEPT' % 
network_ref['dhcp_server'])
  +    iptables_manager.ipv4['filter'].add_rule('FORWARD',
  +                                             '-p tcp -d %s --dport 8775 '
  +                                             '-j ACCEPT' % 
network_ref['dhcp_server'])
  +    iptables_manager.ipv4['filter'].add_rule('INPUT',
  +                                             '-d %s '
  +                                             '-j DROP' % 
network_ref['dhcp_server'])
  +    iptables_manager.ipv4['filter'].add_rule('FORWARD',
  +                                             '-d %s '
  +                                             '-j DROP' % 
network_ref['dhcp_server'])
  +    iptables_manager.apply()
  +
   def initialize_gateway_device(dev, network_ref):
       if not network_ref:
           return
  @@ -1046,6 +1064,7 @@
               try:
                   _execute('kill', '-HUP', pid, run_as_root=True)
                   _add_dnsmasq_accept_rules(dev)
  +                isolate_compute_from_guest(network_ref)
                   return
               except Exception as exc:  # pylint: disable=W0703
                   LOG.error(_('Hupping dnsmasq threw %s'), exc)
  @@ -1098,6 +1117,7 @@

       _add_dnsmasq_accept_rules(dev)

  +    isolate_compute_from_guest(network_ref)

   @utils.synchronized('radvd_start')
   def update_ra(context, dev, network_ref):

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to