Bug 1683145

Summary: [RHOSP13] Need hardening recommendation to remove file-system modules and path MTU discovery
Product: Red Hat OpenStack
Reporter: Pradipta Kumar Sahoo <psahoo>
Component: openstack-tripleo
Assignee: Harry Rybacki <hrybacki>
Status: CLOSED EOL
QA Contact: Nobody <nobody>
Severity: high
Priority: high
Version: 13.0 (Queens)
CC: alee, anharris, cyril, dmendiza, fpantano, gfidente, ggrasza, hrybacki, johfulto, jslagle, mburns, pgrist, skaplons, slinaber, yrabl
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: ---
Flags: hrybacki: needinfo? (alee)
Hardware: x86_64
OS: All
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-07-11 20:20:14 UTC
Type: Bug
Regression: ---

Description Pradipta Kumar Sahoo 2019-02-26 10:34:48 UTC
Description of problem:

We need an official recommendation to enable the hardening below in the OpenStack environment, since we did not find any recommendation for it in our official guide.

https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/security_and_hardening_guide/



Hardening Details:
1. Wish to disable "path MTU discovery", since it could be used by a malicious attacker to receive a reply from the server despite the firewall configuration by forcefully sending a large packet. The customer's suspicion is that, since some interfaces have a 9000-byte MTU, this discovery mechanism might be used if the MTU in some part of the path is in fact lower.

      - name: Disable PMTUD on sysctl.conf
        sysctl:
          name: net.ipv4.ip_no_pmtu_disc
          value: 1    # 1 disables path MTU discovery; the original value of 0 leaves it enabled
          state: present
          reload: yes

2. Regarding the filesystems, the customer has already disabled freevxfs, jffs2, hfs and hfsplus, since none of them will ever be used on the OSP infra. But they have doubts about the UDF filesystem, which is used in ISO files, and suspect QEMU does some conversion that needs the module loaded. Please confirm whether it is safe to remove all these filesystem modules from overcloud nodes.
# "modprobe -r" only unloads a module from the running kernel; it does not stop it
# from being loaded again later.
modprobe -r cramfs
modprobe -r freevxfs
modprobe -r jffs2
modprobe -r hfs
modprobe -r hfsplus
modprobe -r udf    # kernel module names are lowercase; "modprobe -r UDF" fails with "Module UDF not found"


Version-Release number of selected component (if applicable):
Red Hat OpenStack 13 Director
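
The two hardening steps above in persistent form, plus an audit of a node against them, as an added shell example that is not part of this bug report or of any Red Hat guide. The module deny list, the /bin/true install stubs and the sample lsmod output are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report): persistent forms of the two hardening
# steps plus an audit that checks a host against them. The module list and the
# lsmod sample below are constructed for the demonstration.

FS_MODULES="cramfs freevxfs jffs2 hfs hfsplus udf"   # kernel names are lowercase

# modprobe.d fragment: "install <mod> /bin/true" stops the module from being
# loaded at all, including auto-load on mount, which "modprobe -r" cannot do.
fs_modprobe_conf() {
    for m in $FS_MODULES; do
        printf 'install %s /bin/true\n' "$m"
    done
}

# sysctl.d fragment: 1 disables path MTU discovery; 0 (as in the report's task) keeps it on.
pmtud_sysctl_conf() {
    printf 'net.ipv4.ip_no_pmtu_disc = 1\n'
}

# Audit: read lsmod output on stdin, print every deny-listed module that is
# loaded, and return 1 if any was found (the "Module" header line never matches).
audit_fs_modules() {
    found=0
    while read -r name _rest; do
        for m in $FS_MODULES; do
            [ "$name" = "$m" ] && { echo "loaded: $name"; found=1; }
        done
    done
    return $found
}

# Audit: takes the live value of net.ipv4.ip_no_pmtu_disc, returns 0 only if PMTUD is off.
audit_pmtud() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# Constructed lsmod output showing two deny-listed modules still loaded.
SAMPLE_LSMOD='Module                  Size  Used by
udf                    94208  0
crc_itu_t              16384  1 udf
ext4                  724992  1
hfsplus               110592  0'

# Usage: on a real overcloud node, pipe "lsmod" in place of the sample.
printf '%s\n' "$SAMPLE_LSMOD" | audit_fs_modules || echo "deny-listed filesystem modules still loaded"
audit_pmtud "$(cat /proc/sys/net/ipv4/ip_no_pmtu_disc 2>/dev/null || echo 0)" || echo "PMTUD still enabled"
```

Write the two fragments to /etc/modprobe.d/ and /etc/sysctl.d/ (then reboot or unload, and `sysctl --system`) so the setting survives a reboot, and rerun the audit afterwards.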

Comment 13 Cyril Roelandt 2019-03-28 20:37:41 UTC
I feel like UDF should not be needed for Glance/Ceph, but I'm putting a needinfo on Yogev, who knows Ceph better than I do.

Comment 23 Lon Hohberger 2023-07-11 20:20:14 UTC
OSP 13 was retired on June 27, 2023. If this was to be targeted for a different release, please reopen and retarget.