swift charm sets up unrestricted read/write access to swift storage via rsync
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
swift-proxy (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley | 16.01
swift-storage (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley | 16.01
Bug Description
Swift relies on rsync for replication; unfortunately the charm sets up
rsync on each storage node with unrestricted read/write access to the
swift data for anyone who can see port 873.
Worse, even if you have a dedicated/locked down storage network,
there's no support in the charm for configuring rsync to listen
on/only accept connections from that network for the swift modules.
At an absolute minimum, the swift-storage charm needs to support
limiting rsync connections to swift modules by IP address.
Building on that, it would also be very useful if the charm could use
its knowledge of the other swift nodes to lock down rsync to just other
swift nodes. This would help people who (perhaps not of their own
volition) are running in a 'single flat network'.
And (if upstream supports this) it would be even better if the swift
modules in rsync could be protected by a password.
(Obviously that's still less than ideal as rsync + passwords isn't
awesome unless you trust your network, but I think fixing that is
probably out of scope of the charm and more of a swift upstream bug.)
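The two controls the report asks for map onto standard rsyncd.conf directives: `hosts allow`/`hosts deny` to restrict a module by client address, `address` to bind the daemon to the storage network only, and `auth users` plus `secrets file` to require a password. The following Python is an added example, not code from the swift-storage charm or its template; it parses an rsyncd.conf, flags modules that are reachable by any client, and renders a restricted set of module stanzas. The sample configuration, the module names and the `render_hardened` helper are constructed for this illustration.

```python
"""Audit and harden rsyncd.conf module stanzas for Swift storage nodes.

Added example, not the swift-storage charm's own code.  The sample
configuration is constructed to resemble an unrestricted setup and is
not the charm's real template.
"""
import re
from typing import Dict, List

# Constructed sample: every module is readable and writable by any client
# that can reach tcp/873, which is the situation the bug describes.
WEAK_CONF = """\
uid = swift
gid = swift
log file = /var/log/rsyncd.log
pid file = /var/run/rsyncd.pid

[account]
max connections = 2
path = /srv/node/
read only = false
lock file = /var/lock/account.lock

[container]
max connections = 2
path = /srv/node/
read only = false
lock file = /var/lock/container.lock

[object]
max connections = 2
path = /srv/node/
read only = false
lock file = /var/lock/object.lock
"""

Section = Dict[str, str]


def parse_rsyncd_conf(text: str) -> Dict[str, Section]:
    """Parse rsyncd.conf into {section: {key: value}}; globals live under ''."""
    sections: Dict[str, Section] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _effective(conf: Dict[str, Section], module: str, key: str, default: str) -> str:
    # rsyncd uses the module's value first, then the global default.
    return conf[module].get(key, conf[""].get(key, default)).strip()


def audit_modules(conf: Dict[str, Section]) -> List[str]:
    """Return one finding per module for each missing access control."""
    findings: List[str] = []
    for name in conf:
        if name == "":
            continue
        allow = _effective(conf, name, "hosts allow", "")
        auth = _effective(conf, name, "auth users", "")
        writable = _effective(conf, name, "read only", "true").lower() in ("false", "no", "0")
        if not allow or allow == "*":
            findings.append(f"[{name}]: no 'hosts allow' restriction"
                            + (" (module is writable)" if writable else ""))
        if not auth:
            findings.append(f"[{name}]: no 'auth users', anonymous access permitted")
    return findings


def render_hardened(peers: List[str], address: str = "", secrets_file: str = "",
                    modules=("account", "container", "object")) -> str:
    """Render global defaults plus module stanzas restricted to known peers.

    `peers` is the list of other swift storage node addresses; `address`
    optionally binds the daemon to the storage-network interface; a
    non-empty `secrets_file` additionally requires the 'swift' rsync user
    to authenticate.  All three are assumptions of this example.
    """
    lines: List[str] = []
    if address:
        lines.append(f"address = {address}")
    lines.append("hosts allow = " + " ".join(peers))
    lines.append("hosts deny = *")
    if secrets_file:
        lines.append("auth users = swift")
        lines.append(f"secrets file = {secrets_file}")
    for mod in modules:
        lines += ["", f"[{mod}]", "max connections = 2", "path = /srv/node/",
                  "read only = false", f"lock file = /var/lock/{mod}.lock"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit_modules(parse_rsyncd_conf(WEAK_CONF)):
        print(finding)
    print(render_hardened(["10.20.0.11", "10.20.0.12"], address="10.20.0.10",
                          secrets_file="/etc/rsyncd.secrets"))
```

The secrets file named by `secrets file` must be readable only by the daemon's user (rsyncd refuses it otherwise while `strict modes` is on), and the example keeps the reporter's caveat in mind: `hosts allow` is only as trustworthy as the network the addresses come from, so the `address` binding and a dedicated storage network remain the stronger control.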
Related branches
- swift-storage branch: Liam Young (community): Approve; James Page: Approve
  Diff: 82 lines (+28/-6), 3 files modified: hooks/swift_storage_hooks.py (+3/-0), lib/swift_storage_context.py (+16/-5), templates/050-swift-storage.conf (+9/-1)
- swift-proxy branch: Liam Young (community): Approve; James Page: Needs Resubmitting
  Diff: 142 lines (+81/-12), 2 files modified: hooks/swift_hooks.py (+50/-11), unit_tests/test_swift_hooks.py (+31/-1)
Changed in swift-storage (Juju Charms Collection): status: New → Triaged; importance: Undecided → High
Changed in swift-storage (Juju Charms Collection): milestone: none → 15.04; tags: added: openstack
Changed in swift-storage (Juju Charms Collection): assignee: nobody → Edward Hope-Morley (hopem); status: Triaged → In Progress; tags: added: cts
Changed in swift-storage (Juju Charms Collection): milestone: 15.04 → 15.07
Changed in swift-storage (Juju Charms Collection): milestone: 15.07 → 15.10
Changed in swift-storage (Juju Charms Collection): milestone: 15.10 → 16.01
Changed in swift-proxy (Juju Charms Collection): status: New → In Progress; importance: Undecided → High; assignee: nobody → Edward Hope-Morley (hopem); milestone: none → 16.01; tags: added: sts, removed: cts
Changed in swift-proxy (Juju Charms Collection): status: In Progress → Fix Committed
Changed in swift-storage (Juju Charms Collection): status: In Progress → Fix Committed
Changed in swift-storage (Juju Charms Collection): status: Fix Committed → Fix Released
Changed in swift-proxy (Juju Charms Collection): status: Fix Committed → Fix Released
Please note if iptables is used net.nf_conntrack_max must be updated from its default of 65k.
/etc/sysctl.d/50-max-conntrack.conf: net.nf_conntrack_max = 2097152