Make libvirt safe again
At the moment libvirt is not authenticated and listens for all
incoming connections on its port.
The current patch proposes:
1. Use unix socket to connect to libvirt from nova compute
so it won't be affected by
2. protect libvirt port with firewall.
so we will drop all connections to libvirt port from anywhere.
Live migrations seems not be affected because at the current
configuration it seems libvirt uses another randomly-chosen port.
Rel-Prod: 15651
Change-Id: I1dcca1ad34029b5c158c4013036f33827255235b
diff --git a/nova/compute/cluster.yml b/nova/compute/cluster.yml
index 5d0e6a1..e8b29cc 100644
--- a/nova/compute/cluster.yml
+++ b/nova/compute/cluster.yml
@@ -1,5 +1,6 @@
classes:
- service.nova.compute.kvm
+- service.iptables.server
parameters:
_param:
nova_vncproxy_url: https://${_param:cluster_public_host}:6080
@@ -94,3 +95,15 @@
public_key: ${_param:nova_compute_ssh_public}
private_key: ${_param:nova_compute_ssh_private}
my_ip: ${_param:single_address}
+ libvirt:
+ uri: qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
+ iptables:
+ service:
+ enabled: true
+ chain:
+ INPUT:
+ rules:
+ # deny any connections to libvirt port
+ - destination_port: 16509
+ protocol: tcp
+ jump: DROP
\ No newline at end of file
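Review bot: The DROP rule on `destination_port: 16509` closes only libvirtd's plain TCP listener; if the TLS listener is also enabled (port 16514 by default) it stays reachable, and whether the rule is hit at all depends on where the iptables formula places it in INPUT relative to any earlier broad ACCEPT — the identical rule in nova/compute/single.yml has the same gaps. The root cause named in the commit message is an unauthenticated listener, so disabling the TCP listener or requiring authentication in the libvirtd configuration is the fix that does not depend on chain order, with the firewall rule kept as defence in depth. Dropping 16509 also seems likely to break the live-migration control connection unless the deployment already sets nova's `live_migration_uri` to an ssh transport, because nova's default for kvm connects to the peer host over `qemu+tcp://%s/system` on this port; the randomly chosen port mentioned in the description is the qemu data stream, not the libvirtd connection. I would replace the comment with `# drop the unauthenticated libvirtd TCP listener (16509); TLS listener (16514) and live_migration_uri need separate review` so the residual exposure is recorded next to the rule.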
diff --git a/nova/compute/single.yml b/nova/compute/single.yml
index b915145..d5126df 100644
--- a/nova/compute/single.yml
+++ b/nova/compute/single.yml
@@ -2,6 +2,7 @@
- nova
classes:
- service.nova.compute.kvm
+- service.iptables.server
parameters:
_param:
nova_vncproxy_url: https://${_param:cluster_public_host}:6080
@@ -90,3 +91,15 @@
public_key: ${_param:nova_compute_ssh_public}
private_key: ${_param:nova_compute_ssh_private}
my_ip: ${_param:single_address}
+ libvirt:
+ uri: qemu+unix:///system?socket=/var/run/libvirt/libvirt-sock
+ iptables:
+ service:
+ enabled: true
+ chain:
+ INPUT:
+ rules:
+ # deny any connections to libvirt port
+ - destination_port: 16509
+ protocol: tcp
+ jump: DROP
\ No newline at end of file