Commit Graph

5 Commits

Author SHA1 Message Date
Kashyap Chamarthy f394703f7e Document mitigation for Intel MDS security flaws
In May 2019, four new microprocessor security flaws, known as "MDS"
(Microarchitectural Data Sampling), were discovered.  These flaws
affect unpatched Nova Compute nodes and instances running on Intel
x86_64 CPUs.  The said security flaws are also referred to as "RIDL"
(Rogue In-Flight Data Load) and "Fallout".

Refer to the following pages for further details:

 - https://access.redhat.com/security/vulnerabilities/mds
 - https://mdsattacks.com/
 - https://zombieloadattack.com/

            * * *

If we're adding the guide for "MDS" flaws, then it begs the
question: "What about mitigation guides for previous vulnerabilities?"

Two points:

(a) Write the mitigation document for the rest of the previous
    vulnerabilities too, for completeness' sake. (In April 2018 I wrote
    this doc[1] for Meltdown — polish it and submit it. Parts of that
    document's content are already incorporated into the help text for
    the config attribute `cpu_model_extra_flags`.)

(b) For now, we can live with the cliché, "something is better than
    nothing"; we'll add the other docs "when we get to it".  Meanwhile,
    operators get mitigation details from various other places —
    processor vendors, Linux distributions, etc.

[1] https://kashyapc.fedorapeople.org/Reducing-OpenStack-Guest-Perf-Impact-from-Meltdown.txt

Change-Id: I1bb472c3438cc9a91945999d2350b2c59fa6a1f3
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
2019-06-05 15:55:24 +00:00
Kashyap Chamarthy 6a61b68c31 docs: Update references to "QEMU-native TLS" document
Link to the "Secure live migration with QEMU-native TLS" document from
other relevant guides, and small blurbs of text where appropriate.

Blueprint: support-qemu-native-tls-for-live-migration

Change-Id: I9c6676897d27254e2e16bf7e36a74bf9f3da3832
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
2019-01-22 11:09:09 +01:00
zhangyangyang aecc165a58 Remove deprecated TrustedFilter
The TrustedFilter and the related trusted_computing config options
were deprecated in Pike:

  If6e53feeb97e6050c1eb7962110ed89504c952fc

Co-Authored-By: Matt Riedemann <mriedem.os@gmail.com>

Change-Id: I0a7ab3a4fb2cfad567a8644bed4de574393ee11a
2017-11-28 14:54:31 -05:00
Matt Riedemann 7055b5305c Note TrustedFilter deprecation in docs
Change 82f16b88f3 deprecated
the TrustedFilter for removal in Queens, but there is an
entire document about using it which doesn't mention this,
so it's noted here.

Change-Id: I4f772a50cfdbc1f50759c67b234e5c7e29e81100
2017-10-05 18:47:40 -04:00
chenxing 575b529118 doc: Import administration guide
Import all docs from openstack-manuals.

Part of bp: doc-migration

Change-Id: I28bb8ce1f4a8653f176a554d2e95b4423c437972
Co-Authored-By: Stephen Finucane <sfinucan@redhat.com>
2017-08-04 07:00:45 -04:00