
Mailing List Archive: OpenStack: Dev

question about security



william.herry.china at gmail

May 31, 2012, 7:35 PM

question about security

We use FlatDHCP network mode; everything works fine, instances get a 10.0.0.x IP
and 10.0.0.1 as the gateway.
Our problem is that services (most of the time on the compute node) have little
restriction from instances,
so an instance can see a lot of open ports on the services. I am wondering whether
this is a security problem.

Restricting services on the compute node so they do not listen on the 10.0.0.x IP
is the way I can think of to solve this; are there any other ways?

Thanks

--



William Herry
====================
WilliamHerryChina [at] Gmail


vishvananda at gmail

Jun 1, 2012, 12:39 AM

Re: question about security

Generally I handle this by using a different eth device (or VLAN) for the instance network. Then you make sure that no services on the compute node are listening on 0.0.0.0.

If you have only one interface for example, you can run three vlans across it

eth0:10 -> public network <public ip address> for routing and floating ips and such. Nothing should listen here
eth0:11 -> management network <192.168.0.0/24 range> Rabbit and mysql run on this network. All services (ssh, etc.) run here
eth0:12 -> vm network <10.0.0.0/8 range> for vms. Nothing should listen here (except dnsmasq obviously)

Vish

On May 31, 2012, at 7:35 PM, William Herry wrote:

> We use FlatDHCP network mode, all thing work fine, instance has 10.0.0.x ip and 10.0.0.1 as gateway
> Our problem is that service(most time compute node) has little restrict from instance,
> which instance can see a lot opened port on service, I am thinking if this is a security problem
>
> restrict service on compute node not listen on 10.0.0.x ip is the way I can thing to solve this, any other ways?
>
> Thanks
>
> --
>
>
>
> William Herry
> ====================
> WilliamHerryChina [at] Gmail
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack [at] lists
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
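The layout Vish describes reduces to a checkable rule on each compute node: a service may bind a management-network address, but nothing may bind 0.0.0.0 / :: (which exposes it on the VM and public VLANs as well), and nothing but dnsmasq may bind an address on the VM network. The script below is an added example, not code from the thread or from OpenStack, that audits `ss -lntup` output against that rule. The three CIDRs, the allowed-process set and the sample `ss` output are constructed for the example; the VM and management ranges follow the reply above, and the public range is a placeholder.

```python
import ipaddress
import re
from collections import namedtuple

# Network roles as laid out in the reply above. The public range is an assumption
# (documentation prefix); the other two follow the reply.
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")   # eth0:10: routing/floating IPs, nothing listens
MGMT_NET = ipaddress.ip_network("192.168.0.0/24")     # eth0:11: rabbit, mysql, ssh belong here
VM_NET = ipaddress.ip_network("10.0.0.0/8")           # eth0:12: instances; only dnsmasq may listen

# Processes permitted to bind the VM network (dnsmasq must answer DHCP/DNS there).
VM_NET_ALLOWED = {"dnsmasq"}

WILDCARDS = {"0.0.0.0", "::", "*"}
PROC_RE = re.compile(r'\(\("([^"]+)"')   # process name inside users:(("name",pid=..,fd=..))

Listener = namedtuple("Listener", "proto addr port proc")
Finding = namedtuple("Finding", "proc addr port reason")

# Constructed sample of `ss -lntup` output from a compute node (not real captured data).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      10.0.0.1:67         0.0.0.0:*         users:(("dnsmasq",pid=1201,fd=4))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    192.168.0.5:3306    0.0.0.0:*         users:(("mysqld",pid=1500,fd=10))
tcp   LISTEN 0      128    *:5672              *:*               users:(("beam.smp",pid=1600,fd=17))
tcp   LISTEN 0      128    10.0.0.1:16509      0.0.0.0:*         users:(("libvirtd",pid=1800,fd=12))
tcp   LISTEN 0      128    192.168.0.5:5900    0.0.0.0:*         users:(("qemu-kvm",pid=2000,fd=20))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""


def parse_ss(text):
    """Turn `ss -lntup` lines into Listener tuples; header and unrelated rows are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, port = fields[4].rsplit(":", 1)      # "[::]:22" -> "[::]", "22"
        addr = addr.strip("[]")
        m = PROC_RE.search(line)
        listeners.append(Listener(fields[0], addr, int(port), m.group(1) if m else "?"))
    return listeners


def audit_listeners(text, public=PUBLIC_NET, mgmt=MGMT_NET, vm=VM_NET, vm_allowed=VM_NET_ALLOWED):
    """Return one Finding per socket that violates the segmentation rule."""
    findings = []
    for l in parse_ss(text):
        if l.addr in WILDCARDS:
            findings.append(Finding(l.proc, l.addr, l.port,
                                    "binds all interfaces, so it is reachable from instances"))
            continue
        ip = ipaddress.ip_address(l.addr)
        if ip.is_loopback:
            continue                                   # localhost-only is fine
        if ip in vm:
            if l.proc not in vm_allowed:
                findings.append(Finding(l.proc, l.addr, l.port, "bound on the VM network"))
        elif ip in public:
            findings.append(Finding(l.proc, l.addr, l.port, "bound on the public network"))
        elif ip not in mgmt:
            findings.append(Finding(l.proc, l.addr, l.port, "bound outside the management network"))
    return findings


if __name__ == "__main__":
    # On a real node: ss -lntup | python audit.py, reading sys.stdin instead of SAMPLE_SS
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f.proc:10} {f.addr}:{f.port:<6} {f.reason}")
```

On the sample, sshd (0.0.0.0 and ::), RabbitMQ's beam.smp (*:5672) and libvirtd on 10.0.0.1 are reported; mysqld and the VNC console on 192.168.0.5 and dnsmasq on 10.0.0.1 are not. Each hit is fixed by pinning the daemon's bind address to the management IP: `ListenAddress` in sshd_config, `bind-address` in my.cnf, `RABBITMQ_NODE_IP_ADDRESS` in rabbitmq-env.conf. Bind addresses are one layer only; an iptables INPUT policy on the VM-network interface that drops everything except DHCP/DNS to dnsmasq catches the daemon someone later installs with the default 0.0.0.0.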


william.herry.china at gmail

Jun 1, 2012, 12:58 AM

Re: question about security

I have multiple interfaces and my network is similar to what you describe,

so I just need to make sure all the other services are not listening on 0.0.0.0.

Thank you Vish

William



--



William Herry
====================
WilliamHerryChina [at] Gmail
