mariadb and rabbitdb on the undercloud have the ports accessible from everywhere

Bug #1617537 reported by Michele Baldessari
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Michele Baldessari

Bug Description

In Liberty and Mitaka the network ports of mariadb and rabbit were not accessible on the ctlplane (and any other networks). With the firewall migration to puppet they became exposed. Since we currently do not set a password for the root sql user on the undercloud, this would be a security regression.

Changed in tripleo:
assignee: nobody → Michele Baldessari (michele)
status: New → In Progress
Revision history for this message
Michele Baldessari (michele) wrote:
Steven Hardy (shardy)
Changed in tripleo:
milestone: none → newton-rc1
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote: Fix merged to instack-undercloud (master)

Reviewed: https://review.openstack.org/352484
Committed: https://git.openstack.org/cgit/openstack/instack-undercloud/commit/?id=ab178005ebbb5c5d29bfd37821ba83fc225a7dcc
Submitter: Jenkins
Branch: master

commit ab178005ebbb5c5d29bfd37821ba83fc225a7dcc
Author: Michele Baldessari <email address hidden>
Date: Mon Aug 8 17:33:09 2016 +0200

    galera and rabbit do not need to be accessible over the network

    Both rabbitmq and galera do not need to be accessible from any network
    except from the undercloud. By dropping the corresponding firewall rules
    we make sure that only the undercloud can access these services.
    All openstack services use the 192.0.2.X ip address and not
    localhost. This all keeps on working because we have the following
    netfilter rule:
     1563 93780 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* 002 accept all to lo interface */ state NEW

    The network stack is smart enough to realize that these are all local
    packets. A cleaner approach might be to actually make sure
    that rabbitmq and galera only listen to localhost and configure all
    the openstack services to talk to localhost.

    Note that in liberty and mitaka we did not let galera be reachable from
    the network, so this is a newton regression likely caused by the move
    to puppet managing the firewall.

    Future work should make rabbit and galera listen to localhost by
    default as they do not need to be exposed to the network at all.

    Closes-Bug: 1617537
    Change-Id: Iba66c0f5127ed3d394f9482b5843ddaf80538a76

Changed in tripleo:
status: In Progress → Fix Released
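As an added example (not code from the bug report or from the instack-undercloud change), the Python check below parses `iptables -S INPUT` output and flags ACCEPT rules that reach the galera and rabbitmq ports from anything other than the loopback interface, which is the condition the fix above removes. The rule text and the port list are constructed assumptions, not copied from an undercloud.

```python
import re

# Assumed service ports: 3306 mysql, 4567 galera replication, 5672 amqp,
# 25672 rabbitmq clustering, 4369 epmd. Adjust for the deployment under review.
DB_MQ_PORTS = {3306, 4567, 5672, 25672, 4369}

# Constructed sample in `iptables -S INPUT` format, modelled on the
# "002 accept all to lo interface" rule quoted in the commit message.
BEFORE_FIX = """\
-P INPUT ACCEPT
-A INPUT -i lo -m comment --comment "002 accept all to lo interface" -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 3306,4567 -m comment --comment "101 mysql" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5672 -m comment --comment "109 rabbitmq" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh" -m state --state NEW -j ACCEPT
-A INPUT -j DROP
"""

# The same ruleset with the two service rules dropped, as the fix does.
AFTER_FIX = "\n".join(l for l in BEFORE_FIX.splitlines()
                      if "mysql" not in l and "rabbitmq" not in l) + "\n"


def _dports(rule):
    """Collect destination ports from --dport N or --dports A,B,C."""
    ports = set()
    for m in re.finditer(r"--dports? ([\d,]+)", rule):
        ports.update(int(p) for p in m.group(1).split(","))
    return ports


def _loopback_only(rule):
    """True if the rule is restricted to the lo interface or a 127/8 source."""
    tokens = rule.split()
    if "-i" in tokens:
        i = tokens.index("-i")
        if tokens[i + 1] == "lo" and (i == 0 or tokens[i - 1] != "!"):
            return True
    src = re.search(r"(?<!! )-s (\S+)", rule)
    return bool(src and src.group(1).startswith("127."))


def exposed_rules(iptables_s_output):
    """Return INPUT ACCEPT rules that open a DB/MQ port to non-loopback traffic."""
    findings = []
    for line in iptables_s_output.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if _dports(line) & DB_MQ_PORTS and not _loopback_only(line):
            findings.append(line)
    return findings
```

Run it against the live output of `iptables -S INPUT` on the undercloud; an empty result means neither galera nor rabbitmq is accepted from the ctlplane or any other network.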