Insecure live migration with libvirt driver
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Compute (nova) |
Invalid
|
Low
|
Unassigned | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
OpenStack Security Notes |
Fix Released
|
Undecided
|
Nathan Kinder |
Bug Description
By default, libvirt on the receiving end of a live migration starts a qemu process listening on 0.0.0.0 waiting for a tcp connection from the sender. During block migration, qemu-nbd is started similarly. This is bad because compute nodes have interfaces on the guest network. As a result, guests can interfere with live migrations.
There is a flag during migration to remedy this called VIR_MIGRATE_
which tunnels traffic over the libvirt socket (which can be secured with TLS). This seems like a great option. Unfortunately it doesn't work with the new nbd-based block migration code, so there isn't a great option for securing the traffic.
Related to this, libvirt just added:
- Default migration bind()/listen() IP addr in /etc/libvirt/
- Pass in bind()/listen() IP address to migration APIs
So with libvirt >= 1.1.4, Nova will have the ability to control the
interface used
(Problem originally reported by Vish Ishaya)
description: | updated |
description: | updated |
Changed in ossa: | |
status: | Incomplete → Won't Fix |
Changed in ossn: | |
status: | In Progress → Fix Released |
information type: | Public Security → Public |
tags: | added: live-migrate |
tags: |
added: live-migration removed: live-migrate |
Changed in nova: | |
assignee: | nobody → lvmxh (shaohef) |
Changed in nova: | |
assignee: | lvmxh (shaohef) → nobody |
Even ignoring this live migration issue, guest VMs should never be allowed to access services on the host, except those explicitly intended for their usage - eg a DNS & DHCP service. So if Nova/Neutron have set up a guest on the same network as a host, they should also setup firewall rules to block access to *all* host ports, except for a whitelist of intended services.