Re: Hardening access to metadata in OpenStack instances
Hi
On Tue, Sep 02, 2025 at 09:36:15AM +0200, Thomas Goirand wrote:
> Under "normal" circumstances, anyone has access to a VM's metadata. It'd be
> nice to restrict access to it for only the VM (ie: do not accept forwarding)
> and only from root. This could be done this way:
Why is this a problem? What information does the metadata service
provide?
> iptables -A FORWARD -d 169.254.169.254/32 \
> -j REJECT --reject-with icmp-port-unreachable
> iptables -A OUTPUT -d 169.254.169.254/32 \
> -m owner ! --uid-owner 0 -j REJECT \
> --reject-with icmp-port-unreachable
>
> Would the team agree to add this by default?
How would that integrate with user config? The packet filter is a
global resource. Also how do you intend to handle the incompatibility
between nft and iptables?
> Your thoughts?
Don't provide network services that you don't want someone to use.
Bastian
--
Virtue is a relative term.
-- Spock, "Friday's Child", stardate 3499.1
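For the nft side of Bastian's question, here is an nftables rendering of the quoted iptables rules, added as an illustration (it is not code from Thomas or Bastian). It keeps the two rules in a dedicated table so loading or flushing it does not touch rulesets the user already has; the table and chain names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: nftables equivalent of the quoted
# iptables FORWARD/OUTPUT rules. Table name "metadata_guard" is an assumption.
set -e

METADATA_IP="169.254.169.254"

# Emit the ruleset. A dedicated table means "flush table" only clears these
# two chains; other tables hooked on forward/output keep working alongside it.
metadata_ruleset() {
    cat <<EOF
table inet metadata_guard
flush table inet metadata_guard
table inet metadata_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Do not route other hosts' traffic to the metadata address.
        ip daddr ${METADATA_IP} reject with icmp type port-unreachable
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # Locally generated traffic: only uid 0 may reach the metadata address
        # (meta skuid is the nft counterpart of iptables' -m owner --uid-owner).
        ip daddr ${METADATA_IP} meta skuid != 0 reject with icmp type port-unreachable
    }
}
EOF
}

# Load the ruleset via "nft -f -" (reads from stdin); requires root and nft.
apply_metadata_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; ruleset not applied" >&2
        return 1
    fi
    metadata_ruleset | nft -f -
}

# Sanity check used before applying: does the generated text contain a rule?
ruleset_has_rule() {
    metadata_ruleset | grep -q -- "$1"
}
```

This is a guest-side control: root inside the instance can remove it, so it narrows who talks to the metadata address but does not reduce what the service itself exposes.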