Comment 13 for bug 1287194

Anne Gentle (annegentle) wrote : Re: [Bug 1287194] Re: Docs recommend insecure configuration option

+1 to this Robert, thanks.

On Thu, Mar 6, 2014 at 9:56 AM, Robert Clark <email address hidden> wrote:

> Can we get the OSSN published as soon as possible please?
>
> The anticipation with the security guide was that we'd inter-weave OSSNs
> throughout; we've done that in a few places but there are also
> significant gaps. I hope that we can look to include this as a standard
> part of the process as the new OSSN process rolls out in the future.
>
> https://bugs.launchpad.net/bugs/1287194
>
> Title:
> Docs recommend insecure configuration option
>
> Status in OpenStack Manuals:
> New
> Status in OpenStack Security Advisories:
> Won't Fix
> Status in OpenStack Security Notes:
> In Progress
>
> Bug description:
> From Daniel Berrange:
>
> ---------
> I just came across the following docs for configuring migration with
> nova+libvirt+kvm
>
>
> http://docs.openstack.org/trunk/config-reference/content//section_configuring-compute-migrations.html
>
> http://docs.openstack.org/grizzly/openstack-compute/admin/content//configuring-migrations.html
>
> At point 7 the docs say
>
> 7. Update the libvirt configurations. Modify the
> /etc/libvirt/libvirtd.conf file:
>
> before : #listen_tls = 0
> after : listen_tls = 0
> before : #listen_tcp = 1
> after : listen_tcp = 1
> add: auth_tcp = "none"
>
> Modify the /etc/init/libvirt-bin.conf file:
>
> before : exec /usr/sbin/libvirtd -d
> after : exec /usr/sbin/libvirtd -d -l
>
> What this does is tell the libvirt daemon to listen for client TCP
> connections
> on all network interfaces, and accept any clients performing absolutely
> zero authentication.
>
> Sure this works for migration, but it also allows anyone on the network
> to be able to completely own all your compute hosts, by invoking whatever
> libvirt API calls they like.
>
> This is equivalent to telling someone to configure SSH to allow root
> logins with no passwords or keys at all. Actually it is worse because
> as well as killing authentication, it kills any encryption too.
>
> Libvirt has a choice of 4 secure options for remote access over TCP
>
> - SSH tunnel to libvirtd's UNIX socket
> - libvirtd TCP socket, with GSSAPI/Kerberos for auth+data encryption
> - libvirtd TCP socket, with TLS for encryption and x509 client
> certs for authentication
> - libvirtd TCP socket, with TLS for encryption and Kerberos for
> authentication
>
> documenting any of these setups would be better than what's there
> now, which needs to be removed asap.
>
> I don't know whether these docs are the current supported / preferred
> docs for this - they're just what I found via Google. If we have other
> docs covering migration setup, they should be checked too.
> ----------------
>
>
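An added example, not part of the bug report or of any OpenStack or libvirt code: a small audit that flags the libvirtd.conf combination quoted in the report. The function names and both sample configs are constructed for illustration; the defaults table assumes libvirtd's stock values (listen_tls = 1, listen_tcp = 0, auth_tcp = "sasl"), and the check assumes the init-script setup from the quoted docs, where listeners open only when libvirtd runs with -l.

```python
import re

# Assumed libvirtd defaults; a commented-out line leaves the default in force.
DEFAULTS = {"listen_tls": "1", "listen_tcp": "0", "auth_tcp": "sasl"}

# Constructed sample: the settings from step 7 of the quoted docs.
DOCS_STEP7 = '''
listen_tls = 0
listen_tcp = 1
auth_tcp = "none"
'''

# Constructed sample: plain TCP left off, TLS listener on.
TLS_ONLY = '''
listen_tls = 1
#listen_tcp = 1
'''

LINE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def parse(text):
    """Return effective settings: defaults overridden by uncommented lines."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # commented out, so the default still applies
        m = LINE.match(raw)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def audit(text, listen_flag):
    """listen_flag is True when libvirtd is started with -l (--listen)."""
    conf, findings = parse(text), []
    if not listen_flag:
        return findings  # assumption: no network listeners without -l
    if conf["listen_tcp"] == "1":
        findings.append("listen_tcp = 1: plain TCP listener is enabled")
        if conf["auth_tcp"] == "none":
            findings.append('auth_tcp = "none": clients are not authenticated')
        if conf["listen_tls"] == "0":
            findings.append("listen_tls = 0: no TLS listener is offered")
    return findings

if __name__ == "__main__":
    for name, sample in (("docs step 7", DOCS_STEP7), ("TLS only", TLS_ONLY)):
        print(name, audit(sample, listen_flag=True))
```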