openstack/nova
Code Issues Proposed changes
nova/doc/source/admin/security.rst
Kashyap Chamarthy f394703f7e Document mitigation for Intel MDS security flaws 
In May 2019, four new microprocessor security flaws, known as "MDS"
(Microarchitectural Data Sampling) have been discovered.  These flaws
affect unpatched Nova Compute nodes and instances running on Intel
x86_64 CPUs.  The said security flaws are also referred to as "RIDL"
(Rogue In-Flight Data Load) and "Fallout".

Refer to the following pages for further details:

 - https://access.redhat.com/security/vulnerabilities/mds
 - https://mdsattacks.com/
 - https://zombieloadattack.com/

            * * *

If we're adding the guide for "MDS" flaws, then it begs the
question: "What about mitigation guides for previous vulnerabilities?"

Two points:

(a) Write the mitigation document for rest of the previous
    vulnerabilities too, for completeness' sake. (In April 2018 I wrote
    this doc[1] for Meltdown — polish it and submit it. Parts of that
    document's content is already incorporated into the help text for
    the config attribute `cpu_model_extra_flags`.)

(b) For now, we can live with the cliché, "something is better than
    nothing"; we'll add the other docs "when we get to it".  Meanwhile,
    operators get mitigation details from various other places —
    processor vendors, Linux distributions, etc.

[1] https://kashyapc.fedorapeople.org/Reducing-OpenStack-Guest-Perf-Impact-from-Meltdown.txt

Change-Id: I1bb472c3438cc9a91945999d2350b2c59fa6a1f3
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
2019-06-05 15:55:24 +00:00

61 lines
1.8 KiB
ReStructuredText
Raw Blame History

==================
Security hardening
==================
OpenStack Compute can be integrated with various third-party technologies to
increase security. For more information, see the `OpenStack Security Guide
<https://docs.openstack.org/security-guide/>`_.
Encrypt Compute metadata traffic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**Enabling SSL encryption**
OpenStack supports encrypting Compute metadata traffic with HTTPS. Enable SSL
encryption in the ``metadata_agent.ini`` file.
#. Enable the HTTPS protocol.
.. code-block:: ini
nova_metadata_protocol = https
#. Determine whether insecure SSL connections are accepted for Compute metadata
server requests. The default value is ``False``.
.. code-block:: ini
nova_metadata_insecure = False
#. Specify the path to the client certificate.
.. code-block:: ini
nova_client_cert = PATH_TO_CERT
#. Specify the path to the private key.
.. code-block:: ini
nova_client_priv_key = PATH_TO_KEY
Securing live migration streams with QEMU-native TLS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is strongly recommended to secure all the different live migration
streams of a nova instance—i.e. guest RAM, device state, and disks (via
NBD) when using non-shared storage. For further details on how to set
this up, refer to the
:doc:`secure-live-migration-with-qemu-native-tls` document.
Mitigation for MDS (Microarchitectural Data Sampling) security flaws
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
It is strongly recommended to patch all compute nodes and nova instances
against the processor-related security flaws, such as MDS (and other
previous vulnerabilities). For details on applying mitigation for the
MDS flaws, refer to the :doc:`mitigation-for-Intel-MDS-security-flaws`
document.
View Git Blame Copy Permalink