
VM is left unprotected when there is an error in the Security Group rules #6759

Closed
3 tasks
OpenNebulaSupport opened this issue Oct 22, 2024 · 2 comments

Comments

@OpenNebulaSupport
Collaborator

Description
The network Security Groups (SG) are composed of rules that play the role of a firewall for the VM guest; they are mapped to iptables and ipset rules on the hosts. When an operator defines an SG rule incompatible with iptables, the VNN_MAD deletes all the iptables chains for the given VM NIC and logs an error that is visible as a notification for the given VM. Simultaneously, the VM is left running vulnerable without any form of firewall protection, and an inexperienced operator might not pay enough attention. It is even possible to edit the SG rules and then not look at the VM's tab in Sunstone to notice the raised errors...

To Reproduce

  • instantiate a VM with a SG
  • edit the SG and create a broken definition; the simplest is to define a multiport rule with a starting port bigger than the ending port, like:
      RULE=[
        PROTOCOL="TCP",
        RANGE="443:80",
        RULE_TYPE="inbound" ]
  • When the SG is applied, all the VMs with the given SG will have an error and the vnn_mad driver will leave them running without protection...

Expected behavior
Any solution that does not leave the VM open and vulnerable to the internet in case of a buggy SG rule is better than the current behavior. The simplest I can think of is: when an SG is defined and an error occurs, append a DROP-all rule to the iptables chain. It is better to have the VM blocked and needing further attention to fix it than to leave it open to be hacked.

Details

  • Affected Component: [oned]
  • Hypervisor: [KVM]
  • Version: [6.8, 6.10]

Progress Status

  • Code committed
  • Testing - QA
  • Documentation (Release notes - resolved issues, compatibility, known issues)
atodorov-storpool added a commit to atodorov-storpool/one that referenced this issue Oct 22, 2024
instead of resetting the rules.
OpenNebula will raise and log the rule error for further investigation, but the VM will not be left unprotected.
@tinova tinova added this to the Release 6.10.1 milestone Oct 22, 2024
@tinova tinova linked a pull request Oct 22, 2024 that will close this issue
3 tasks
@rsmontero
Member

See comments here: #6760 (comment)

atodorov-storpool added a commit to atodorov-storpool/one that referenced this issue Nov 26, 2024
try SG on all NICs before raising an error
@rsmontero
Member

Updating the issue here:

  • After a discussion in the PR, the patch is not accepted as it does not solve the issue and leaves the hypervisor in an inconsistent state.
  • The root of this issue is that rules are not completely validated

Actions

The "bug" is actually in SecurityGroup::is_valid(). This needs to be extended: when the first port in a range is greater than the last, the range needs to be properly sorted.
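The validation gap described in this thread, as an added example that is not OpenNebula's code: a stand-alone C++ check for the SG RANGE attribute that rejects a reversed range such as "443:80" (the case iptables cannot accept, which today causes the driver to drop the VM's chains), plus the normalisation the last comment suggests, which sorts the two ends so the rule reaches iptables in the form it expects. The function names `validateRange`, `normalizeRange` and `parsePort` are assumptions of this example, not the names in SecurityGroup::is_valid().

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>
#include <utility>

// Added example, not OpenNebula code. Validates a Security Group RANGE value
// of the form "A:B" or a single port "A". Ports must be 1..65535 and, for a
// range, the first port may not be greater than the last.
struct PortRange {
    int low;
    int high;
};

// Parse one decimal port; false on empty, non-digit or out-of-range input.
static bool parsePort(const std::string& s, int& port) {
    if (s.empty() || s.size() > 5) return false;
    for (char c : s) {
        if (!std::isdigit(static_cast<unsigned char>(c))) return false;
    }
    long v = std::strtol(s.c_str(), nullptr, 10);
    if (v < 1 || v > 65535) return false;
    port = static_cast<int>(v);
    return true;
}

// Strict validation: a reversed range ("443:80") is an error that should be
// reported when the SG is edited, instead of being handed to iptables.
bool validateRange(const std::string& range, PortRange& out, std::string& error) {
    size_t colon = range.find(':');
    if (colon == std::string::npos) {
        int p = 0;
        if (!parsePort(range, p)) {
            error = "invalid port '" + range + "'";
            return false;
        }
        out = {p, p};
        return true;
    }
    if (range.find(':', colon + 1) != std::string::npos) {
        error = "range '" + range + "' has more than one ':'";
        return false;
    }
    int lo = 0, hi = 0;
    if (!parsePort(range.substr(0, colon), lo) || !parsePort(range.substr(colon + 1), hi)) {
        error = "range '" + range + "' contains an invalid port";
        return false;
    }
    if (lo > hi) {
        error = "range '" + range + "' has first port greater than last";
        return false;
    }
    out = {lo, hi};
    return true;
}

// Alternative from the thread: sort the ends so "443:80" becomes "80:443".
// Returns the canonical "low:high" (or the single port), or "" if the value
// cannot be parsed at all.
std::string normalizeRange(const std::string& range) {
    size_t colon = range.find(':');
    if (colon == std::string::npos) {
        int p = 0;
        return parsePort(range, p) ? std::to_string(p) : std::string();
    }
    if (range.find(':', colon + 1) != std::string::npos) return std::string();
    int lo = 0, hi = 0;
    if (!parsePort(range.substr(0, colon), lo) || !parsePort(range.substr(colon + 1), hi)) {
        return std::string();
    }
    if (lo > hi) std::swap(lo, hi);
    return std::to_string(lo) + ":" + std::to_string(hi);
}

int main() {
    // Constructed sample values, including the reversed range from the issue.
    const char* samples[] = {"443:80", "80:443", "22", "0:10", "1:70000", "80:443:8080"};
    for (const char* s : samples) {
        PortRange r{};
        std::string err;
        bool ok = validateRange(s, r, err);
        std::cout << s << " -> " << (ok ? "valid" : "invalid: " + err)
                  << " (normalised: '" << normalizeRange(s) << "')\n";
    }
    return 0;
}
```

Whichever of the two behaviours is chosen, the decision happens at SG definition time, so a malformed rule is refused (or corrected) before any host driver has touched the VM's iptables chains.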
