Hardening access to metadata in OpenStack instances

To: debian-cloud@lists.debian.org
Subject: Hardening access to metadata in OpenStack instances
From: Thomas Goirand <zigo@debian.org>
Date: Tue, 2 Sep 2025 09:36:15 +0200
Message-id: <[🔎] efa406f8-8191-4aa8-8825-963708e5d6f7@debian.org>

Hi,

Under "normal" circumstances, anyone has access to a VM's metadata. It'dbe nice to restrict access to it for only the VM (ie: do not acceptforwarding) and only from root. This could be done this way:


iptables -A FORWARD -d 169.254.169.254/32 \
	-j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -d 169.254.169.254/32 \
	-m owner ! --uid-owner 0 -j REJECT \
	--reject-with icmp-port-unreachable

Would the team agree to add this by default?

Also, we need to check if only root has access to the config drive.

Your thoughts?

Cheers,

Thomas Goirand (zigo)

Reply to:

Follow-Ups:
- Re: Hardening access to metadata in OpenStack instances
  - From: Bastian Blank <waldi@debian.org>
- Re: Hardening access to metadata in OpenStack instances
  - From: kuLa <debian@kulisz.net>

Next by Date: Re: Hardening access to metadata in OpenStack instances
Next by thread: Re: Hardening access to metadata in OpenStack instances
Index(es):
- Date
- Thread