Use of ufw circumvents standard juju firewall control mechanism
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Charm Helpers | Fix Released | High | Felipe Reyes | |
memcached (Juju Charms Collection) | Fix Released | High | Felipe Reyes | |
Bug Description
The memcached charm implements its own firewall outside of the standard juju expose mechanism. It offers no controls over which protocols, ports, or hosts are allowed, or even whether or not the firewall should be enabled at all.
This means that subordinate charms such as nrpe-external-
If there are security concerns regarding memcached's exposure on the local segment which warrant additional firewalling, the charm's firewall should limit access to memcached only, and should not make assumptions about other services on the unit.
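One way to scope a host firewall to memcached alone, as the description above asks, shown as an added example that is not code from the charm or from charm-helpers. The function only builds `ufw` command lines and runs nothing; the name `memcached_ufw_plan`, the sample peer addresses and the choice to keep the default incoming policy at allow are assumptions.

```python
import ipaddress

MEMCACHED_PORT = 11211  # memcached's default port


def memcached_ufw_plan(peers, port=MEMCACHED_PORT, protos=("tcp", "udp")):
    """Return ufw argument lists that restrict only the memcached port.

    peers: iterable of IP addresses or CIDR networks allowed to connect.
    Nothing is executed; the caller decides whether to run the commands.
    """
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range: %r" % (port,))
    for proto in protos:
        if proto not in ("tcp", "udp"):
            raise ValueError("unsupported protocol: %r" % (proto,))

    # Normalise and de-duplicate sources; ip_network() rejects hostnames,
    # option-like strings and anything else that is not an address.
    sources = []
    for peer in peers:
        net = ipaddress.ip_network(str(peer).strip(), strict=False)
        src = str(net.network_address) if net.num_addresses == 1 else str(net)
        if src not in sources:
            sources.append(src)

    # Leave every other service on the unit alone: the default stays "allow"
    # and only the memcached port gets explicit rules (assumed design).
    plan = [["ufw", "default", "allow", "incoming"]]
    for proto in protos:
        # ufw evaluates rules in order, so the allows precede the deny.
        for src in sources:
            plan.append(["ufw", "allow", "proto", proto, "from", src,
                         "to", "any", "port", str(port)])
        plan.append(["ufw", "deny", "proto", proto, "from", "any",
                     "to", "any", "port", str(port)])
    return plan


if __name__ == "__main__":
    # Constructed sample peers, not taken from the bug report.
    for cmd in memcached_ufw_plan(["10.0.3.12", "10.0.3.0/28", "10.0.3.12"]):
        print(" ".join(cmd))
```

Because the plan never sets a default-deny policy, ports used by subordinate charms on the same unit stay governed by the usual juju expose mechanism.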
Related branches
- Adam Israel (community): Approve
- Review Queue (community): Needs Fixing (automated testing)
- charmers: Pending requested
- Diff: 33 lines (+13/-0), 2 files modified
  - README.md (+10/-0)
  - hooks/memcached_hooks.py (+3/-0)
- Jorge Niedbalski (community): Approve
- Diff: 189 lines (+118/-3), 2 files modified
  - charmhelpers/contrib/network/ufw.py (+46/-3)
  - tests/contrib/network/test_ufw.py (+72/-0)
- Jorge Niedbalski (community): Approve
- Diff: 1409 lines (+670/-113), 18 files modified
  - Makefile (+1/-1)
  - hooks/charmhelpers/contrib/hahelpers/cluster.py (+52/-4)
  - hooks/charmhelpers/contrib/network/ip.py (+84/-1)
  - hooks/charmhelpers/contrib/network/ufw.py (+46/-3)
  - hooks/charmhelpers/core/fstab.py (+2/-2)
  - hooks/charmhelpers/core/hookenv.py (+272/-39)
  - hooks/charmhelpers/core/host.py (+30/-8)
  - hooks/charmhelpers/core/services/base.py (+43/-19)
  - hooks/charmhelpers/core/services/helpers.py (+14/-6)
  - hooks/charmhelpers/core/strutils.py (+42/-0)
  - hooks/charmhelpers/core/unitdata.py (+1/-1)
  - hooks/charmhelpers/fetch/__init__.py (+21/-13)
  - hooks/charmhelpers/fetch/giturl.py (+7/-5)
  - hooks/memcached_hooks.py (+19/-0)
  - hooks/memcached_utils.py (+6/-2)
  - tests/10_deploy_test.py (+1/-1)
  - tests/20_deploy_replication_test.py (+1/-1)
  - unit_tests/test_memcached_hooks.py (+28/-7)
tags: added: canonical-bootstack
Changed in memcached (Juju Charms Collection):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Felipe Reyes (freyes)
Changed in charm-helpers:
importance: Undecided → High
assignee: nobody → Felipe Reyes (freyes)
status: New → Fix Released
Changed in memcached (Juju Charms Collection):
status: In Progress → Fix Released