Issue :
Network provisioning with PXE boot could be a production vulnerability. An (internal) attacker could introduce a second DHCP server
and a destructive image on the network, causing all or part of the servers to reboot, thus partially destroying an information system.
Expectations :
So, to reduce this risk, the aim would be to execute a POST script after any action requiring a PXE boot, which could turn off the network port, change its VLAN ID and/or disable PXE boot on the managed server, and a PRE script that would reapply the configuration/conditions needed to enable PXE boot. Both scripts must of course be written and implemented by MaaS administrators (end users).
As the maas user is already a BMC administrator, the id and password of this account could be supplied as a parameter (or environment variable) to these scripts, to take advantage of the existing secret storage security.
Also, the inventory of the managed server has to be accessible/provided to the scripts so they can manage network devices using the discovered parameters (device/port).
Last point : the two scripts have to be executed on the rackd component to be able to reach the BMC network interface.
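As an added illustration for this request (not MaaS code, and the hook interface it assumes does not exist yet), here is what the PRE/POST script could look like on the rack controller: it assumes MaaS would export BMC_HOST and BMC_USER to the script and the BMC password in IPMI_PASSWORD, and it uses ipmitool to switch the node's persistent boot device between PXE and local disk. The switch-side actions (port shutdown, VLAN change) are left out because they depend on the switch vendor.

```shell
#!/bin/sh
# Hypothetical MaaS PRE/POST PXE hook (example only, not MaaS code).
# Assumed contract: MaaS runs this on rackd with BMC_HOST and BMC_USER in
# the environment and the BMC password in IPMI_PASSWORD, which ipmitool's
# -E option reads so the secret never shows up on the command line / in ps.
# Usage: pxe_hook.sh pre|post
set -eu

IPMITOOL="${IPMITOOL:-ipmitool}"   # overridable so the logic can be checked offline

# Map the hook phase to the boot device the BMC should be told to use:
#   pre  -> pxe  (re-enable network boot just before commissioning/deploying)
#   post -> disk (pin the node to its local disk once PXE is no longer needed,
#                 so a rogue DHCP/PXE server on the segment cannot reimage it)
bootdev_for_phase() {
    case "$1" in
        pre)  echo "pxe" ;;
        post) echo "disk" ;;
        *)    echo "unknown phase: $1" >&2; return 1 ;;
    esac
}

# Set the boot device persistently via IPMI over LAN.
set_bootdev() {
    host="$1"; user="$2"; dev="$3"
    "$IPMITOOL" -I lanplus -H "$host" -U "$user" -E \
        chassis bootdev "$dev" options=persistent
}

# Read back the boot flags (boot parameter 5) so the change can be verified and logged.
current_bootdev() {
    "$IPMITOOL" -I lanplus -H "$1" -U "$2" -E chassis bootparam get 5
}

main() {
    phase="$1"
    dev="$(bootdev_for_phase "$phase")"
    : "${BMC_HOST:?BMC_HOST must be set}" "${BMC_USER:?BMC_USER must be set}"
    : "${IPMI_PASSWORD:?IPMI_PASSWORD must be set}"
    set_bootdev "$BMC_HOST" "$BMC_USER" "$dev"
    logger -t pxe-hook "phase=$phase host=$BMC_HOST bootdev=$dev"
    current_bootdev "$BMC_HOST" "$BMC_USER"
}

# Only act when a phase argument is supplied, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```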
This was discussed with Aymen FRIKHA from CANONICAL aymen.frikha@canonical.com