Fuel slaves sysctl.conf security hardening

Bug #1648792 reported by Adam Heczko
Affects             Status     Importance  Assigned to      Milestone
Mirantis OpenStack  Won't Fix  Medium      Fuel Sustaining
  10.0.x            Won't Fix  Medium      Fuel Sustaining
  8.0.x             Won't Fix  Medium      Unassigned
  9.x               Won't Fix  Medium      Unassigned

Bug Description

Detailed bug description:
Observe Linux network stack sysctl values of Fuel slave nodes.

Expected results:
generic-ip-source-routing-enabled
For Linux systems ensure the following sysctl values are set:
 * net.ipv4.conf.all.accept_source_route=0
 * net.ipv4.conf.all.forwarding=0
 * net.ipv6.conf.all.forwarding=0
 * net.ipv4.conf.all.mc_forwarding=0
 * net.ipv6.conf.all.mc_forwarding=0

sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv6.conf.all.forwarding=0
sysctl -w net.ipv4.conf.all.mc_forwarding=0
sysctl -w net.ipv6.conf.all.mc_forwarding=0

More Linux information can be found at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html

linux-icmp-redirect
Disable ICMP redirect support
Issue the following commands as root:
 sysctl -w net.ipv4.conf.all.accept_redirects=0
 sysctl -w net.ipv4.conf.default.accept_redirects=0
 sysctl -w net.ipv4.conf.all.secure_redirects=0
 sysctl -w net.ipv4.conf.default.secure_redirects=0
These settings can be added to /etc/sysctl.conf to make them permanent.

generic-tcp-timestamp
Disable TCP timestamp responses on Linux
Set the value of net.ipv4.tcp_timestamps to 0 by running the following command:
sysctl -w net.ipv4.tcp_timestamps=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
net.ipv4.tcp_timestamps=0

Vitaly Sedelnik (vsedelnik) wrote :

Won't Fix for 8.0 as MUs for 8.0 are postponed. Confirmed for 9.2 and 10.

Changed in mos:
status: New → Confirmed
assignee: nobody → MOS Linux (mos-linux)
Ivan Suzdal (isuzdal) wrote :

I'm afraid disabling forwarding could break connectivity between a lot of cluster components and VMs.

Changed in mos:
assignee: MOS Linux (mos-linux) → Fuel Library (Deprecated) (fuel-library)
Bogdan Dobrelya (bogdando) wrote :

The net.ipv4.conf.all.forwarding=0 should not be used with OpenStack, indeed. The rest of the changes should be tested. If everything works w/o regressions, let's accept them.

Changed in mos:
assignee: Fuel Library (Deprecated) (fuel-library) → Fuel Sustaining (fuel-sustaining-team)
status: Confirmed → Triaged
Maksim Malchuk (mmalchuk) wrote :

@Bogdan, net.ipv4.conf.all.forwarding shouldn't be 0 !!!
Because by default Fuel acts as a router before the networks are configured on slaves via bridges.
The default route is configured in the fuel-menu.
Disabling forwarding would break at least all deployments via VirtualBox scripts.

Dmitry Pyzhov (dpyzhov)
Changed in mos:
milestone: 9.2 → 9.3
Oleksiy Molchanov (omolchanov) wrote :

It looks like a feature and needs a lot of effort and test coverage to implement.

Also Fuel relies on part of the suggested parameters.

Closing as Won't fix.

Changed in mos:
status: Triaged → Won't Fix
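As an added example (not code from this bug report or from the Fuel project), the following POSIX shell script audits a "sysctl -a" style dump against the values requested in the description, while leaving the forwarding keys that the comments above say Fuel depends on as information-only. The sample dump is constructed, and the --live flag is this script's own convention.

```shell
#!/bin/sh
# Added example, not part of Fuel or of this bug report: audit a "sysctl -a"
# style dump against the hardening values requested in the description and
# print the sysctl.conf lines that would make the missing ones permanent.

# Keys the report asks to be 0 and that the thread raises no objection to.
HARDEN_KEYS="net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_redirects
net.ipv4.conf.default.accept_redirects
net.ipv4.conf.all.secure_redirects
net.ipv4.conf.default.secure_redirects
net.ipv4.tcp_timestamps"

# Forwarding keys: the comments say Fuel routes slave traffic through the
# master, so these are reported for information only and never changed.
FORWARD_KEYS="net.ipv4.conf.all.forwarding
net.ipv6.conf.all.forwarding
net.ipv4.conf.all.mc_forwarding
net.ipv6.conf.all.mc_forwarding"

# Constructed sample dump in "sysctl -a" format; net.ipv6.conf.all.mc_forwarding
# is deliberately absent to show how a missing key is reported.
SAMPLE_DUMP='net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0'

# sysctl_get DUMP KEY: print the value of KEY ("key = value" and "key=value"
# lines both accepted); prints nothing when the key is absent.
sysctl_get() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '%s\n' "$1" | sed -n "s/^${key_re}[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# audit_dump DUMP: print one line per key; the return value is the number of
# hardening keys that are not 0 (an absent key counts as a finding).
audit_dump() {
  findings=0
  for key in $HARDEN_KEYS; do
    val=$(sysctl_get "$1" "$key")
    if [ "$val" = "0" ]; then
      echo "OK       $key = 0"
    else
      echo "FINDING  $key = ${val:-<missing>} (want 0)"
      findings=$((findings + 1))
    fi
  done
  for key in $FORWARD_KEYS; do
    val=$(sysctl_get "$1" "$key")
    echo "INFO     $key = ${val:-<missing>} (left as-is; Fuel relies on forwarding)"
  done
  return "$findings"
}

# render_fix DUMP: print sysctl.conf lines for every hardening key that is
# not 0, ready to append to /etc/sysctl.conf; forwarding keys are excluded.
render_fix() {
  for key in $HARDEN_KEYS; do
    [ "$(sysctl_get "$1" "$key")" = "0" ] || echo "$key = 0"
  done
}

# Stand-alone run: audit the constructed dump, or the live kernel with --live
# (the flag is this script's own convention, not a Fuel or sysctl option).
if [ "${1:-}" = "--live" ]; then
  DUMP=$(sysctl -a 2>/dev/null)
else
  DUMP=$SAMPLE_DUMP
fi
audit_dump "$DUMP" || echo "$? value(s) differ; lines to add to /etc/sysctl.conf:"
render_fix "$DUMP"
```

Run without arguments it reports four findings on the constructed dump and prints the four "key = 0" lines to persist; with --live it reads the running kernel instead. Keeping the forwarding keys in a separate, report-only list is the point: the check still shows their state, but never suggests the change that the thread says breaks Fuel deployments.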
This report contains Public Security information