> From: Luke Hinds <lhinds at redhat.com>
> Date: 8 September 2016 12:38:43 GMT-5
> To: openstack at lists.openstack.org, openstack-dev at lists.openstack.org
> Subject: [Openstack] [OSSN-0069] Host machine exposed to tenant networks via IPv6
>
> Host machine exposed to tenant networks via IPv6
> [...]

thanks for forwarding this! This is relatively serious. Instances should NEVER be able to talk directly to their hypervisor host.

I've done a bit of research on our other OpenStack clusters - which now run OpenStack Liberty, but ran Kilo two weeks ago - and was able to reproduce the issue on older instances. We don't use Fuel to set up our system, but I would not be surprised if other FIWARE Lab nodes had the same issue. Note that you may be vulnerable even when you don't support IPv6 for customer instances.

Disabling IPv6 "by default" (as the "Recommended Actions", which I find quite unclear, seem to suggest) on all interfaces sounds very heavy-handed; in our case it would certainly be catastrophic if IPv6 were effectively deactivated on our infrastructure interfaces.

On Liberty (at least in our version from Ubuntu Cloud Archive), the problem is fixed for new instances. And any existing instance with the problem (where you can talk to the hypervisor from the instance) can be fixed by live-migrating it to a node running Liberty.

My favorite solution on Kilo is to install the backport of the fix (https://review.openstack.org/#/c/296659/) on our clusters. Then live-migrate every running instance once and be done with it.

(As an alternative to live-migrating all instances, it might be sufficient to run this one-liner on all compute nodes:

    for x in `grep -l 0 /proc/sys/net/ipv6/conf/{qbr,qvo,qvb,tap}*/disable_ipv6`; do d=`dirname $x`; b=`basename $d`; echo 1 | sudo tee $x >/dev/null && echo "Disabled IPv6 on $b"; done

You still need the patch, because otherwise the hole will come back for new (or migrated) instances.)
Unfortunately the code fix isn't in the Ubuntu Cloud Archive packages for Kilo yet. What kind of OpenStack packages do FIWARE Lab nodes generally use? Maybe we can help getting fixed packages released. Of course one can always decide that this is not worth the effort. But personally I consider *this* class of problem serious enough to warrant action - in particular when a practical fix is available. -- Simon.
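The one-liner above, generalised into a small audit-and-fix script as an added example (not code from the mail or from OpenStack): it reports instance-side interfaces (qbr/qvo/qvb/tap) on a compute node whose per-interface disable_ipv6 is still 0, disables IPv6 only on those, and leaves infrastructure interfaces untouched. The directory argument is an assumption so the check can be exercised against a constructed copy of the sysctl tree instead of the live /proc/sys/net/ipv6/conf.

```shell
#!/bin/sh
# Added example for the OSSN-0069 workaround, not part of the original mail.
# ROOT is the directory holding <iface>/disable_ipv6 files; on a real compute
# node it is /proc/sys/net/ipv6/conf and fix_exposed must run as root.

# Print the names of instance-side interfaces (qbr*, qvo*, qvb*, tap*) that
# still have IPv6 enabled, one per line. Infrastructure interfaces such as
# eth0 or br-ex are deliberately not matched, so they keep their IPv6 state.
list_exposed() {
    root=$1
    for f in "$root"/qbr* "$root"/qvo* "$root"/qvb* "$root"/tap*; do
        [ -f "$f/disable_ipv6" ] || continue    # glob matched nothing
        [ "$(cat "$f/disable_ipv6")" = "0" ] && basename "$f"
    done
    return 0
}

# Write 1 to disable_ipv6 for every exposed interface found by list_exposed
# and report each one. This only closes the hole for interfaces that exist
# now; the Nova/Neutron patch is still needed for new or migrated instances.
fix_exposed() {
    root=$1
    for i in $(list_exposed "$root"); do
        echo 1 > "$root/$i/disable_ipv6" && echo "Disabled IPv6 on $i"
    done
    return 0
}

# Constructed sample tree standing in for /proc/sys/net/ipv6/conf on one
# compute node: three exposed instance-side interfaces, one already fixed,
# and two infrastructure interfaces that must remain IPv6-enabled.
build_sample_tree() {
    d=$(mktemp -d)
    for i in qbr1 qvo1 qvb1 tap1 eth0 br-ex; do mkdir -p "$d/$i"; done
    echo 0 > "$d/qbr1/disable_ipv6"    # exposed
    echo 1 > "$d/qvo1/disable_ipv6"    # already disabled
    echo 0 > "$d/qvb1/disable_ipv6"    # exposed
    echo 0 > "$d/tap1/disable_ipv6"    # exposed
    echo 0 > "$d/eth0/disable_ipv6"    # infrastructure NIC, leave alone
    echo 0 > "$d/br-ex/disable_ipv6"   # infrastructure bridge, leave alone
    echo "$d"
}

# Live usage on a compute node (as root):
#   list_exposed /proc/sys/net/ipv6/conf    # audit only
#   fix_exposed  /proc/sys/net/ipv6/conf    # apply the workaround
```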