kolla

keepalived run without authentication

Bug #1551314 reported by Jeffrey Zhang on 2016-02-29

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	kolla	Fix Released	Medium	Jeffrey Zhang	kolla mitaka-3 "mitaka-3"

Bug Description

The keepalived conf file is like below. No authentication. The potential issue is that anyone can easily create a same keepalived service and take over the VIP. then all the OpenStack will request to the imitative server.

vrrp_script check_alive {
    script "/check_alive.sh"
    interval 2
    fall 2
    rise 10
}

vrrp_instance kolla_internal_vip {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 1
    advert_int 1
    virtual_ipaddress {
        10.2.0.254
    }
    track_script {
        check_alive
    }
}

Revision history for this message

Steven Dake (sdake) wrote on 2016-03-01:

Jeffrey,

Just to be clear, you would have to run a second copy of keepalived to create another VIP. So the authentication just prevents multiple keepaliveds from trouncing each other on a network? If that is the case, this is no a security problem as there is no attack vector that doesn't already involve root on one of the deployed targets or in the secured private management network.

Revision history for this message

Jeffrey Zhang (jeffrey4l) wrote on 2016-03-01:

yea, that's the case.

But I do not think the private management network is secured and trusted. If it is, why we need mariadb password? why we need ssl every thing? we can make our service open( without any password) on the management network(it will simplify the OPS's work).

Revision history for this message

Sam Yaple (s8m) wrote on 2016-03-01:

Jeffrey it absolutely is secure and trusted. Memcache is a nova requirement. We run it. It provides no auth. With access to the private network I could own an openstack cloud in a single one-liner.

Jeffrey Zhang (jeffrey4l) on 2016-03-02

information type:

Private → Public

Steven Dake (sdake) on 2016-03-03

Changed in kolla:
status:	New → Triaged
importance:	Undecided → Medium
assignee:	nobody → Jeffrey Zhang (jeffrey4l)
milestone:	none → mitaka-3

OpenStack Infra (hudson-openstack) on 2016-03-04

Changed in kolla:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-04: Fix merged to kolla (master)

Reviewed: https://review.openstack.org/277085
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=e6b230d78436dfb7b38b1c30c4a9325909ae1d20
Submitter: Jenkins
Branch: master

commit e6b230d78436dfb7b38b1c30c4a9325909ae1d20
Author: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Date: Sat Feb 6 22:18:01 2016 +0800

Add authentication for keepalived

TrivialFix

Closes-Bug: #1551314
Change-Id: Id85859500aec283703b6b6714abf213a42286182

Changed in kolla:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.