tripleo

controller iptables rules open ports on all IPs

Bug #1645893 reported by Oliver Walsh on 2016-11-29

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Expired	Undecided	Unassigned	tripleo stein-2

Bug Description

All of the iptables rules on the controller open the given ports on all src/dst IPs and interfaces. Ideally the rules would limit connections to the appropriate subnet.

For example:
[root@overcloud-controller-0 heat-admin]# iptables -L -n | grep 0.0.0.0 | grep redis
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6379,26379 /* 108 redis */ state NEW

There is nobody listening in this case. Redis binds to the node IP & haproxy binds to the VIP on the provisioning network:

[root@overcloud-controller-0 heat-admin]# netstat -nltp | grep 6379
tcp 0 0 192.0.2.17:6379 0.0.0.0:* LISTEN 36168/redis-server
tcp 0 0 192.0.2.15:6379 0.0.0.0:* LISTEN 27149/haproxy

See original description

Oliver Walsh (owalsh) on 2016-11-29

Changed in tripleo:
assignee:	nobody → Emilien Macchi (emilienm)
milestone:	none → ocata-3
status:	New → Triaged
importance:	Undecided → Medium

Emilien Macchi (emilienm) on 2017-01-17

Changed in tripleo:
milestone:	ocata-3 → pike-1

Emilien Macchi (emilienm) on 2017-04-11

Changed in tripleo:
milestone:	pike-1 → pike-2

Emilien Macchi (emilienm) on 2017-06-08

Changed in tripleo:
milestone:	pike-2 → pike-3

Revision history for this message

Emilien Macchi (emilienm) wrote on 2017-07-05:

There are no currently open reviews on this bug, changing the status back to the previous state and unassigning. If there are active reviews related to this bug, please include links in comments.

Changed in tripleo:
assignee:	Emilien Macchi (emilienm) → nobody

Emilien Macchi (emilienm) on 2017-07-30

Changed in tripleo:
milestone:	pike-3 → pike-rc1

Emilien Macchi (emilienm) on 2017-07-31

Changed in tripleo:
milestone:	pike-rc1 → queens-1

Alex Schultz (alex-schultz) on 2017-10-04

Changed in tripleo:
milestone:	queens-1 → queens-2

Alex Schultz (alex-schultz) on 2017-11-02

Changed in tripleo:
milestone:	queens-2 → queens-3

Emilien Macchi (emilienm) on 2018-01-26

Changed in tripleo:
milestone:	queens-3 → queens-rc1

Oliver Walsh (owalsh) on 2018-01-26

description:

updated

Alex Schultz (alex-schultz) on 2018-02-20

Changed in tripleo:
milestone:	queens-rc1 → rocky-1

Alex Schultz (alex-schultz) on 2018-04-20

Changed in tripleo:
milestone:	rocky-1 → rocky-2

Emilien Macchi (emilienm) on 2018-06-05

Changed in tripleo:
milestone:	rocky-2 → rocky-3

Emilien Macchi (emilienm) on 2018-07-26

Changed in tripleo:
milestone:	rocky-3 → rocky-rc1

Emilien Macchi (emilienm) on 2018-07-26

Changed in tripleo:
milestone:	rocky-rc1 → stein-1

Juan Antonio Osorio Robles (juan-osorio-robles) on 2018-10-30

Changed in tripleo:
milestone:	stein-1 → stein-2

Revision history for this message

Emilien Macchi (emilienm) wrote on 2018-12-29: Cleanup EOL bug report

This is an automated cleanup. This bug report has been closed because it
is older than 18 months and there is no open code change to fix this.
After this time it is unlikely that the circumstances which lead to
the observed issue can be reproduced.

If you can reproduce the bug, please:
* reopen the bug report (set to status "New")
* AND add the detailed steps to reproduce the issue (if applicable)
* AND leave a comment "CONFIRMED FOR: <RELEASE_NAME>"
Only still supported release names are valid (FUTURE, PIKE, QUEENS, ROCKY, STEIN).
Valid example: CONFIRMED FOR: FUTURE

Changed in tripleo:
importance:	Medium → Undecided
status:	Triaged → Expired

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.