neutron metadata agent is always binding to 0.0.0.0
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
networking-ovn | Fix Released | Low | Daniel Alvarez |
neutron | Fix Released | Low | Bernard Cafarelli |
Bug Description
Dear Devs,
while using kolla-ansible (5.0.1) to deploy OpenStack Pike, I have spotted one potential security issue with the way the Neutron metadata agent is listening.
Potential, because it all depends whether users are adding anything sensitive to their meta-data / user-data.
ns-metadata-proxy always binds to 0.0.0.0 https:/
$ ip netns exec qdhcp-f2780ea0-
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 22103/haproxy
tcp 0 0 10.0.0.2:53 0.0.0.0:* LISTEN 22446/dnsmasq
tcp 0 0 169.254.169.254:53 0.0.0.0:* LISTEN 22446/dnsmasq
...
My OpenStack has a private subnet 10.0.0.0/24, where 10.0.0.1 is the gateway and 10.0.0.2-10.0.0.254 is the allocation pool.
$ ip netns exec qdhcp-f2780ea0-
2: ns-a1f7e93e-
link/ether fa:16:3e:07:8a:c8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.0.0.2/24 brd 10.0.0.255 scope global ns-a1f7e93e-53
inet 169.254.169.254/16 brd 169.254.255.255 scope global ns-a1f7e93e-53
I am running Docker containers (via Kubernetes) in OpenStack VMs.
What concerns me is that any container (with its namespaced container network) is able to access the Neutron metadata agent not only via http://
Pretty much any IP address available on the namespaced network interface will return Metadata if accessed via HTTP port 80.
I am using this iptables rule so that no Docker container is able to access the 169.254.169.254 as they do not need to access it:
iptables -I DOCKER-USER -d 169.254.169.254/32 -j DROP   # DOCKER-USER is the first subchain in the FORWARD chain; -j DROP target assumed, a rule without a target only counts matches
That works well for blocking random users accessing the 169.254.169.254.
(As a workaround) I am modifying the driver.py directly so that it will listen only over 169.254.169.254:
docker exec -u root -ti neutron_dhcp_agent bash -c "sed -i 's/bind 0.0.0.0/bind 169.254.169.254/' /usr/lib/
docker restart neutron_dhcp_agent
From your point of view, does it make sense to change the default bind 0.0.0.0 to bind 169.254.169.254 ?
In the meantime, I have prepared a little patch to neutron ns-metadata-proxy so that the listener binds to dhcp.METADATA_
I have also attached a preliminary patch to this issue, but haven't tested it yet.
Kind regards,
Andrey Arapov
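The report's evidence is the `netstat -tlnp` listing from inside the qdhcp namespace, where haproxy shows up on 0.0.0.0:80 while dnsmasq is pinned to specific addresses. The following is an added example (not code from the bug report, from Neutron or from kolla-ansible) that turns that manual inspection into a check: it parses netstat-style output and returns every TCP listener bound to a wildcard address, optionally annotated with the address the operator expected the service to use. The sample listing is constructed from the report's lines; the `expected` mapping and all function names are this example's own.

```python
"""Flag sockets in a network namespace that listen on every address.

Added example, not part of the bug report or of Neutron. Feed it the text of
`ip netns exec <qdhcp-ns> netstat -tlnp` and it returns the listeners bound to
a wildcard address (0.0.0.0 / :: / *), i.e. services reachable on every
interface and address in that namespace.
"""
import re
from typing import Dict, List, Optional

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample, modelled on the netstat output quoted in the bug report.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      22103/haproxy
tcp        0      0 10.0.0.2:53             0.0.0.0:*               LISTEN      22446/dnsmasq
tcp        0      0 169.254.169.254:53      0.0.0.0:*               LISTEN      22446/dnsmasq
"""

# proto recv-q send-q local foreign state pid/program  (TCP rows of `netstat -tlnp`)
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)$")


def split_addr_port(local: str):
    """netstat prints 'addr:port'; IPv6 addresses contain ':' so split on the last one."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def parse_listeners(netstat_output: str) -> List[Dict]:
    """Return one dict per listening TCP socket in the netstat text."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "LISTEN":
            continue  # header line, non-matching row, or a non-listening socket
        proto, local, _state, prog = m.groups()
        addr, port = split_addr_port(local)
        pid, _, name = prog.partition("/")
        listeners.append({"proto": proto, "addr": addr, "port": port,
                          "pid": pid, "program": name})
    return listeners


def wildcard_listeners(netstat_output: str,
                       expected: Optional[Dict[int, str]] = None) -> List[Dict]:
    """Listeners bound to a wildcard address.

    ``expected`` (hypothetical, this example's own) maps port -> the address the
    service should have bound to, so each finding can state the expected value.
    """
    expected = expected or {}
    findings = []
    for lst in parse_listeners(netstat_output):
        if lst["addr"] in WILDCARD_ADDRS:
            findings.append({**lst, "expected": expected.get(lst["port"], "a specific address")})
    return findings


if __name__ == "__main__":
    # For the metadata proxy the report's expectation is the link-local metadata address.
    for f in wildcard_listeners(SAMPLE_NETSTAT, {80: "169.254.169.254"}):
        print(f"{f['program']} (pid {f['pid']}) listens on {f['addr']}:{f['port']}; "
              f"expected {f['expected']}")
```

Run against the sample it reports only the haproxy metadata proxy, which is exactly the socket the report is about; dnsmasq passes because it is bound to concrete addresses. The same check can be run across every `qdhcp-*` namespace on a network node after an upgrade to confirm the bind change took effect.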
description: updated
Changed in neutron:
status: New → Confirmed
Changed in neutron:
importance: Undecided → Low
Changed in neutron:
assignee: Bernard Cafarelli (bcafarel) → Brian Haley (brian-haley)
Changed in neutron:
assignee: Brian Haley (brian-haley) → Bernard Cafarelli (bcafarel)
Changed in networking-ovn:
assignee: nobody → Daniel Alvarez (dalvarezs)
importance: Undecided → Low
Changed in networking-ovn:
status: New → In Progress