Secure NTP and DNS

Bug #1466090 reported by Oleksiy Molchanov
Affects | Status | Importance | Assigned to | Milestone
Fuel for OpenStack | Fix Released | High | Alex Schultz |
6.1.x | Fix Committed | High | Alexey Stupnikov |
7.0.x | Fix Released | High | Alex Schultz |

Bug Description

Disable external access to NTP and DNS ports in vrouter.

Expected result:

NTP should listen for IPv4 only
DNS should listen for IPv4 only and on vrouter-management port

Actual result:

NTP listens on IPv4 and IPv6
DNS listens on all interfaces

How to reproduce:
ip netns exec vrouter netstat -natlup | grep -E '53|123'

Should be merged with https://bugs.launchpad.net/fuel/+bug/1481627
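
An added example, not part of the original report or of fuel-library: the expected result above written as a check over `netstat -natlup` output, matching the port field exactly instead of grepping for the substrings 53 and 123. The management address 192.0.2.10 and the sample lines are constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Reads `netstat -natlup` output on stdin and prints one line per listener
# that breaks the policy from the bug description:
#   NTP (123): IPv4 only
#   DNS (53):  IPv4 only, and only on the vrouter management address ($1)
audit_listeners() {
    awk -v mgmt="$1" '
    $1 ~ /^(tcp|udp)6?$/ {
        # TCP: keep listeners only. UDP rows have no state unless connected.
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        if ($1 ~ /^udp/ && $6 == "ESTABLISHED") next
        # Local address is field 4; the port is whatever follows the last ":".
        n = split($4, parts, ":")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        # Exact port match: 5353 or a PID containing "53" is not picked up.
        if (port != "53" && port != "123") next
        svc = (port == "53") ? "DNS" : "NTP"
        if ($1 ~ /6$/)
            printf "%s %s %s: listens on IPv6\n", svc, $1, $4
        else if (port == "53" && addr != mgmt)
            printf "%s %s %s: not bound to management address\n", svc, $1, $4
    }'
}

# Constructed sample mixing compliant and non-compliant listeners.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 192.0.2.10:53     0.0.0.0:*         LISTEN   2101/dnsmasq
tcp        0      0 0.0.0.0:53        0.0.0.0:*         LISTEN   2101/dnsmasq
tcp6       0      0 :::53             :::*              LISTEN   2101/dnsmasq
tcp        0      0 192.0.2.10:5353   0.0.0.0:*         LISTEN   5312/other
udp        0      0 0.0.0.0:123       0.0.0.0:*                  2240/ntpd
udp6       0      0 :::123            :::*                       2240/ntpd
EOF
}

# Live use (management address is an assumption to fill in):
#   ip netns exec vrouter netstat -natlup | audit_listeners 192.0.2.10
sample_netstat | audit_listeners 192.0.2.10
```

An empty result means every DNS and NTP listener in the namespace matches the expected state.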

Changed in fuel:
milestone: none → 6.1-updates
Changed in fuel:
status: Confirmed → In Progress
Bogdan Dobrelya (bogdando) wrote :
Oleksiy Molchanov (omolchanov) wrote :
Changed in fuel:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/6.1)

Fix proposed to branch: stable/6.1
Review: https://review.openstack.org/193009

Bogdan Dobrelya (bogdando) wrote :

The fix was reverted, and there is a revert of revert on review. Hence, it is not Fix committed for the 7.0

Bogdan Dobrelya (bogdando) wrote :

The revert was done for the scope of the 6.1, so the new patch is still on review https://review.openstack.org/#/c/193009/
and the 6.1 milestone is "In progress" also, not Fix committed

Bogdan Dobrelya (bogdando) wrote :

Passing to the MOS sustaining team as a new bug to be considered

OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-library (stable/6.1)

Change abandoned by Sergii Golovatiuk (<email address hidden>) on branch: stable/6.1
Review: https://review.openstack.org/193009

Vitaly Sedelnik (vsedelnik) wrote :

The description is not complete and now it looks like a feature request, not a bug. Please add more detail - which MOS version the issue was discovered in, what is the expected and actual behavior.

Oleksiy Molchanov (omolchanov) wrote :

@Dima, please comment

Changed in fuel:
status: Confirmed → In Progress
Changed in fuel:
assignee: Dmitry Ilyin (idv1985) → Alex Schultz (alex-schultz)
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/197629
Committed: https://git.openstack.org/cgit/stackforge/fuel-library/commit/?id=7ae589baeee7877c5dd597e106c2673dd65b2530
Submitter: Jenkins
Branch: master

commit 7ae589baeee7877c5dd597e106c2673dd65b2530
Author: Dmitry Ilyin <email address hidden>
Date: Thu Jul 2 14:54:19 2015 +0300

    Make ntpd listen all interfaces

    * Remove ntpd listen restrictions
    * Remove client run on controllers
    * Add ubuntu service overrides for ntp
    * ntp server should use only ipv4
    * update dnsmasq to only listen on management vrouter vip

    TestImpact
    Change-Id: Ic78394fddaafa82e085c55a1a0fdd3c46d4f0089
    Closes-Bug: 1466090
    Closes-Bug: 1470569

description: updated
tags: added: on-verification
Oleksiy Molchanov (omolchanov) wrote :

Verified

VERSION:
  feature_groups:
    - mirantis
  production: "docker"
  release: "7.0"
  openstack_version: "2015.1.0-7.0"
  api: "1.0"
  build_number: "284"
  build_id: "284"
  nailgun_sha: "5c33995a2e6d9b1b8cdddfa2630689da5084506f"
  python-fuelclient_sha: "1ce8ecd8beb640f2f62f73435f4e18d1469979ac"
  fuel-agent_sha: "082a47bf014002e515001be05f99040437281a2d"
  fuel-nailgun-agent_sha: "d7027952870a35db8dc52f185bb1158cdd3d1ebd"
  astute_sha: "8283dc2932c24caab852ae9de15f94605cc350c6"
  fuel-library_sha: "f81fdabe6c05be7a3d11d88a7c3a8f3931921c73"
  fuel-ostf_sha: "1f08e6e71021179b9881a824d9c999957fcc7045"
  fuelmain_sha: "9ab01caf960013dc882825dc9b0e11ccf0b81cb0"

tags: removed: on-verification
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-library (stable/6.1)

Fix proposed to branch: stable/6.1
Review: https://review.openstack.org/310409

OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-library (stable/6.1)

Reviewed: https://review.openstack.org/310409
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=bd3345ae33f37136bd50b00931d7308d43520f97
Submitter: Jenkins
Branch: stable/6.1

commit bd3345ae33f37136bd50b00931d7308d43520f97
Author: Dmitry Ilyin <email address hidden>
Date: Thu Jul 2 14:54:19 2015 +0300

    Make ntpd listen all interfaces

    * Remove ntpd listen restrictions
    * Remove client run on controllers
    * Add ubuntu service overrides for ntp
    * ntp server should use only ipv4
    * update dnsmasq to only listen on management vrouter vip

    TestImpact
    Change-Id: Ic78394fddaafa82e085c55a1a0fdd3c46d4f0089
    Closes-Bug: 1466090
    Closes-Bug: 1470569
