Restrict Apache2 port 8888 proxy to listen only on Admin (PXE) network

Bug #1523418 reported by Adam Heczko
Affects: Fuel for OpenStack
Status: Fix Released
Importance: Low
Assigned to: Maksim Malchuk

Bug Description

Observed on MOS:
  release: "8.0"
  openstack_version: "2015.1.0-8.0"
  api: "1.0"
  build_number: "242"
  build_id: "242"

Problem description:
Controller nodes run Apache2 with the proxy module enabled.
The purpose of this proxy is to allow performing OSTF tests initiated from the Fuel node.
Currently this proxy listens on all IP addresses:
<VirtualHost *:8888>
  ServerName apache_api_proxy

Solution proposal:
Restrict Apache proxy to listen only on admin/pxe network
<VirtualHost [ADMIN_IP_ADDRESS]:8888>

Tags: area-library
Changed in fuel:
importance: Undecided → Low
assignee: nobody → Fuel Library Team (fuel-library)
milestone: none → 8.0
description: updated
Changed in fuel:
assignee: Fuel Library Team (fuel-library) → Maksim Malchuk (mmalchuk)
status: New → In Progress
Dmitry Pyzhov (dpyzhov)
tags: added: area-library
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/255538

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/255538
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=c37048484366b7f276b385556029d855fa6866b5
Submitter: Jenkins
Branch: master

commit c37048484366b7f276b385556029d855fa6866b5
Author: Maksim Malchuk <email address hidden>
Date: Tue Dec 8 11:15:17 2015 +0300

    IP-based Apache VirtualHosts configuration

    This commit configures IP-based virtual hosts for all services managed by
    Apache. These services (Horizon, Keystone, RADOS Gateway and API Proxy)
    now can be restricted to serve only on specified IP addresses/ports.

    This commit also fixes a security issue by restricting the API Proxy
    served on port 8888 to listen only on the Admin (PXE) network, because it
    is used only for performing OSTF tests, initiated from the Fuel node.

    Change-Id: I1a3af4b5a3160a6904514da60f44c1b96dc54d57
    Closes-Bug: #1523418

Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/256425
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=777a8b3f6238b8080196aa4f5f6d7b011800ccc3
Submitter: Jenkins
Branch: master

commit 777a8b3f6238b8080196aa4f5f6d7b011800ccc3
Author: Maksim Malchuk <email address hidden>
Date: Fri Dec 11 17:10:42 2015 +0300

    Globals cleanup for IP-based Apache VirtualHosts configuration

    This commit removes unused keystone_api_address from globals.

    Change-Id: If065e81c91d5d8a665070540c54ca6f795d862a6
    Related-bug: #1523418

Dmitry Tyzhnenko (dtyzhnenko) wrote :

root@node-1:~# grep \<VirtualHost /etc/apache2/sites-enabled/25-apache_api_proxy.conf
<VirtualHost 10.109.0.4:8888>

Verified on 8.0-521

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "8.0"
  api: "1.0"
  build_number: "521"
  build_id: "521"

Changed in fuel:
status: Fix Committed → Fix Released
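
The grep in the verification comment above checks only the `<VirtualHost>` line. In Apache httpd the `Listen` directive decides which address the socket is bound to, while the `<VirtualHost>` address only selects which virtual host answers, so a fuller check reads both. The following is an added example, not code from fuel-library or from this bug report; the sample configs, the `Listen` lines in them and the `audit` helper are constructed for illustration.

```python
import re

# Constructed sample configs, not copied from a real node. 10.109.0.4 is the
# admin-network address from the verification comment; the Listen lines are assumed.
BEFORE = """\
Listen 8888
<VirtualHost *:8888>
  ServerName apache_api_proxy
</VirtualHost>
"""
AFTER = """\
Listen 10.109.0.4:8888
<VirtualHost 10.109.0.4:8888>
  ServerName apache_api_proxy
</VirtualHost>
"""
# VirtualHost narrowed, but the socket is still bound on every interface.
VHOST_ONLY = AFTER.replace("Listen 10.109.0.4:8888", "Listen 8888")

WILDCARDS = {"*", "_default_", "0.0.0.0", "[::]"}
DIRECTIVE = re.compile(r"^\s*(?:(Listen)\s+(\S+)|<(VirtualHost)\s+([^>]+)>)", re.I)

def split_addr(spec):
    """Split 'addr:port', '[v6]:port', bare 'port' or bare 'addr' into (addr, port)."""
    addr, sep, port = spec.rpartition(":")
    if not sep or spec.endswith("]"):      # no port part, or a bare [v6] address
        return ("*", spec) if spec.isdigit() else (spec, "*")
    return addr, port

def audit(conf, port, allowed):
    """Return (line, directive, spec) for each Listen/VirtualHost entry that
    covers `port` on a wildcard or on an address outside `allowed`."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind = m.group(1) or m.group(3)
        # Listen takes one address (group 2); VirtualHost may list several.
        for spec in (m.group(2) or m.group(4)).split():
            addr, p = split_addr(spec)
            if p not in (port, "*"):
                continue
            if addr in WILDCARDS or addr not in allowed:
                findings.append((lineno, kind, spec))
    return findings
```

On a node, pass `audit` the combined text of the files Apache actually includes and compare the result with `ss -ltn` output for the same port.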
This report contains Public Security information  
Everyone can see this security related information.