Nova Networking does not enforce security group rules following a soft
reboot of an instance
---

### Summary ###
In deployments using Nova Networking, security group rules associated
with an instance may not be enforced after a soft reboot. Nova is
designed to apply the configured security group rules to an instance
when certain operations are performed, such as a normal boot operation.
If an operation has been performed that results in the clearing of
security group rules, such as restarting the nova compute service, then
performing a soft reboot of that instance will cause it to be started
without security group rules being applied.

Deployments using Neutron are not impacted.

### Affected Services / Software ###
Nova, Havana, Grizzly

### Discussion ###
In Nova deployments using Nova Networking, security groups are
implemented using iptables, which is used to configure and control
network traffic into Nova instances. When an instance is first booted
using the normal boot method (nova boot <instance_id>), the security
group rules are applied to that instance.

When an instance is rebooted using the soft reboot method (nova reboot
<instance_id>), the security group rules are not reapplied since they
should have been already applied when the instance was initially
booted. If the security group rules have not been applied following an
event that resulted in their clearing, such as restarting the compute
service, the instance will be brought up without security group
enforcement. This situation is most likely to arise in cases where the
Nova compute service has been terminated or restarted, which removes
all iptables rules. If a stopped instance is then started by using a
soft reboot, it will not have any security group rules applied. A hard
reboot (nova reboot --hard <instance_id>) reapplies the security group
rules, so it is not susceptible to this issue.

Depending on the deployment architecture, this could breach security
assumptions and leave an instance vulnerable to network based attacks.

This issue only affects the Havana and Grizzly releases. The Icehouse
release does not allow a stopped instance to be started using a soft
reboot, therefore this issue does not affect the Icehouse release.

### Recommended Actions ###
Do not use the soft reboot method to start instances from the
stopped state. If instances are in the stopped state, boot using "nova
boot <instance_id>" or reboot using "nova reboot --hard <instance_id>"
to force the security group rules to be applied.
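Because the failure mode described above is silent (the instance comes up and runs, just without its iptables rules), an operator wants a way to confirm on each compute node that every active instance actually has a security group chain loaded, after a compute service restart and after any soft reboots. The following audit is an added example and is not part of this OSSN or of Nova itself. It parses captured "iptables-save" output and assumes that the Nova Networking firewall driver names each instance's filter-table chain "nova-compute-inst-<id>" (that naming is an assumption of the example, not something the note states). The sample iptables-save text is constructed: instance 5 has a populated chain, instance 7 has a chain declared with no rules, and instance 9 has no filter-table chain at all.

```python
"""Audit iptables-save output for instances lacking security group chains.

Added example, not code from OSSN-0022 or from Nova. Assumes the Nova
Networking firewall driver names each instance's chain
'nova-compute-inst-<id>' in the filter table (an assumption).
"""
import re
from typing import Dict, List

# Chain declaration line, e.g. ":nova-compute-inst-5 - [0:0]"
CHAIN_RE = re.compile(r"^:nova-compute-inst-(\S+) ")
# Rule line appended to an instance chain, e.g. "-A nova-compute-inst-5 ..."
RULE_RE = re.compile(r"^-A nova-compute-inst-(\S+) ")

# Constructed sample of "iptables-save" output on a compute node.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nova-compute-FORWARD - [0:0]
:nova-compute-inst-5 - [0:0]
:nova-compute-inst-7 - [0:0]
:nova-compute-sg-fallback - [0:0]
-A FORWARD -j nova-compute-FORWARD
-A nova-compute-inst-5 -m state --state INVALID -j DROP
-A nova-compute-inst-5 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A nova-compute-inst-5 -p tcp -m tcp --dport 22 -j ACCEPT
-A nova-compute-inst-5 -j nova-compute-sg-fallback
-A nova-compute-sg-fallback -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:nova-compute-inst-9 - [0:0]
COMMIT
"""


def parse_instance_chains(iptables_save: str) -> Dict[str, int]:
    """Map instance id -> number of rules in its filter-table chain.

    Only the *filter table counts; a chain that happens to exist in
    another table (the constructed nat entry for instance 9) is ignored,
    because security group filtering lives in the filter table.
    """
    chains: Dict[str, int] = {}
    in_filter = False
    for line in iptables_save.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
            continue
        if not in_filter:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chains.setdefault(m.group(1), 0)
            continue
        m = RULE_RE.match(line)
        if m:
            chains[m.group(1)] = chains.get(m.group(1), 0) + 1
    return chains


def audit(iptables_save: str, active_instances: List[str]) -> Dict[str, str]:
    """Classify each active instance as 'ok', 'empty' or 'missing'.

    'missing': no chain at all (the state the note describes after a
               compute service restart followed by a soft reboot).
    'empty':   chain declared but carrying no rules, so nothing is
               filtered either.
    'ok':      chain present with at least one rule.
    """
    chains = parse_instance_chains(iptables_save)
    result: Dict[str, str] = {}
    for inst in active_instances:
        if inst not in chains:
            result[inst] = "missing"
        elif chains[inst] == 0:
            result[inst] = "empty"
        else:
            result[inst] = "ok"
    return result


if __name__ == "__main__":
    # In production, feed the real output of "iptables-save" and the list of
    # active instance ids on this node (e.g. from the nova database or API).
    for inst, state in audit(SAMPLE_IPTABLES_SAVE, ["5", "7", "9"]).items():
        print(f"instance {inst}: {state}")
```

Any instance reported as "missing" or "empty" is a candidate for the hard reboot the note recommends, since that is the operation that reapplies the rules.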

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0022
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1316822
OpenStack Security ML : [email protected]
OpenStack Security Group : https://launchpad.net/~openstack-ossg