controller iptables rules open ports on all IPs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Expired | Undecided | Unassigned | 
Bug Description
All of the iptables rules on the controller open the given ports on all src/dst IPs and interfaces. Ideally the rules would limit connections to the appropriate subnet.
For example:

```
[root@overcloud
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6379,26379 /* 108 redis */ state NEW
```
Nothing is listening on 0.0.0.0 in this case: Redis binds to the node IP and haproxy binds to the VIP on the provisioning network, so the rule is far broader than the services it fronts:

```
[root@overcloud
tcp 0 0 192.0.2.17:6379 0.0.0.0:* LISTEN 36168/redis-server
tcp 0 0 192.0.2.15:6379 0.0.0.0:* LISTEN 27149/haproxy
```
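The check and the tightened rule a practitioner would want here, as an added example that is not part of the bug report or of TripleO's own firewall code: the first function scans `iptables -S`-style output for port-opening ACCEPT rules that carry neither a source (`-s`) nor an input-interface (`-i`) match, which is exactly the shape of the redis rule quoted above; the second prints the same rule restricted to a subnet and interface. The sample rule set is constructed, and the provisioning subnet (192.0.2.0/24, inferred from the addresses above) and the interface name (eth1) are assumptions; on a real controller the rules are generated by Puppet, so the lasting fix belongs in the generated firewall configuration rather than in a hand-edited chain.

```shell
#!/bin/sh
# Constructed sample in `iptables -S INPUT` format (not captured from the bug report).
# The "108 redis" rule mirrors the shape of the rule quoted in the report; the
# "104 mysql" rule shows what a source-restricted rule looks like for contrast.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 6379,26379 -m comment --comment "108 redis" -m state --state NEW -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m multiport --dports 3306 -m comment --comment "104 mysql" -m state --state NEW -j ACCEPT'

# Print every port-opening ACCEPT rule (one that matches on --dport/--dports)
# that has neither a -s source match nor an -i interface match, i.e. rules that
# accept connections from any address on any interface.
#   $1: rule text in `iptables -S` format
find_unrestricted_accepts() {
    printf '%s\n' "$1" | grep -- '-j ACCEPT' | grep -- '--dport' | grep -v -e ' -s ' -e ' -i '
}

# Print the tightened replacement for such a rule: same ports and comment, but
# limited to one source subnet and one input interface.
#   $1: source subnet   $2: input interface   $3: port list   $4: rule comment
restricted_rule() {
    printf 'iptables -A INPUT -i %s -s %s -p tcp -m multiport --dports %s -m comment --comment "%s" -m state --state NEW -j ACCEPT\n' \
        "$2" "$1" "$3" "$4"
}

# On a live host the audit would read the real chain instead of the sample:
#   find_unrestricted_accepts "$(iptables -S INPUT)"
find_unrestricted_accepts "$SAMPLE_RULES"
# Assumed provisioning subnet and interface name; adjust to the deployment.
restricted_rule 192.0.2.0/24 eth1 6379,26379 "108 redis"
```

The audit deliberately ignores the loopback and conntrack rules (they open no port by themselves) and only reports rules that would otherwise be found by the `0.0.0.0/0 0.0.0.0/0` columns in `iptables -L -n` output.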
Changed in tripleo:
- assignee: nobody → Emilien Macchi (emilienm)
- milestone: none → ocata-3
- status: New → Triaged
- importance: Undecided → Medium

Changed in tripleo:
- milestone: ocata-3 → pike-1

Changed in tripleo:
- milestone: pike-1 → pike-2

Changed in tripleo:
- milestone: pike-2 → pike-3

Changed in tripleo:
- milestone: pike-3 → pike-rc1

Changed in tripleo:
- milestone: pike-rc1 → queens-1

Changed in tripleo:
- milestone: queens-1 → queens-2

Changed in tripleo:
- milestone: queens-2 → queens-3

Changed in tripleo:
- milestone: queens-3 → queens-rc1
- description: updated

Changed in tripleo:
- milestone: queens-rc1 → rocky-1

Changed in tripleo:
- milestone: rocky-1 → rocky-2

Changed in tripleo:
- milestone: rocky-2 → rocky-3

Changed in tripleo:
- milestone: rocky-3 → rocky-rc1

Changed in tripleo:
- milestone: rocky-rc1 → stein-1

Changed in tripleo:
- milestone: stein-1 → stein-2
There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.