
On Tue, 1 Oct 2013, Sven Kieske wrote:
We read about some "vdsm bootstrap script" (e.g. BZ 893680), may this be related?
SvenKieske appeared in the OFTC IRC channel #ovirt with this issue, and we discussed it some more:

11:41 < SvenKieske> meaning you can't ping compute nodes, this is in the default install
11:41 < orc_orc> SvenKieske: * nod * that effect would occur with the physdev rule, I think
11:41 < SvenKieske> and I think this default iptables rule is just plain useless :)
11:42 < SvenKieske> and prevents proper network debugging, as we are having some issues with network related to newest ovirt nodes
11:42 < orc_orc> SvenKieske: assumedly you are following a guide. can you point out that URL and the step at which the problem is first noticed

and he pointed to the wiki outline at: http://www.ovirt.org/Quick_Start_Guide#Install_oVirt_Node

11:43 < orc_orc> but from a policy POV, it may make sense that a node is not reachable until it has had time to become hardened

.. and I also pointed out an example of an ICMP fragmentation attack and its remediation in the Red Hat bugzilla
I don't see why you shouldn't be able to ping the hypervisor in the management LAN? This is useful for monitoring and network debugging.
ICMP is no danger at all.
and in IRC he there stated:

11:45 < SvenKieske> I'm not sure you can harden this node any further, as it resides on a read only file system, beside that, I can not think of any attack vector via icmp on the compute node
11:46 < orc_orc> SvenKieske: there are some ICMP attacks, particularly on ipv6 stacks, which can cause machines to fall over and die
11:46 < orc_orc> I reported one a while back
11:47 < orc_orc> the packet reassembly code had an unsuspected re-construction method with a problem in it

and at that point he concluded that perhaps the ICMP block limitation had policy reasons behind it:

11:49 < SvenKieske> Well then that's fine with me, but maybe the node devs should more focus on reliable network configuration and then harden it for security and not the other way around, it was just a small nuisance, if network setup in 3.3 would work ootb I'd maybe never noticed ping doesn't work ootb

to which I can only respond:

11:49 < orc_orc> SvenKieske: sounds like you are saying that you need to file an RFE as to debugging tools extensions or amend the setup documentation

I had a private inquiry about KVM hardening and so had been looking at the physdev iptables rules recently, and had an incident just last weekend on a VM for which I am responsible:

11:50 < orc_orc> SvenKieske: I had a person at my office just today, who was the victim of a TOR attack on a VM
11:50 < orc_orc> so VM's _do_ get scanned for and attacked

... in part we mitigated the attack via a temporary iptables rule on the KVM based hypervisor ... and he closed that he may file something tomorrow.

11:50 < SvenKieske> yeah, might be the way to go, but my workday is over now, so maybe tomorrow :)
11:50 < orc_orc> SvenKieske * nod * don't forget ;)
11:51 < SvenKieske> I'm all in for more computer security :)
11:51 < SvenKieske> see you!
11:51 * orc_orc waves

I've been working through the setup documentation as well since the 3.3 update, and have a list of questions as to the wiki materials, as of course bit rot happens in wikis (heck, in _any_ documentation) as new releases are issued

-- Russ herrold
Kind regards
Sven Kieske

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
-- 
-- end ==================================
.-- -... ---.. ... -.- -.--
Copyright (C) 2013 R P Herrold
herrold@owlriver.com
My words are not deathless prose, but they are mine.