keepalived runs without authentication

Bug #1551314 reported by Jeffrey Zhang on 2016-02-29
Affects: kolla
Status: Fix Released
Importance: Medium
Assigned to: Jeffrey Zhang
Milestone: mitaka-3

Bug Description

The keepalived conf file is like below. No authentication. The potential issue is that anyone can easily create the same keepalived service and take over the VIP; then all of OpenStack will send its requests to the imitating server.

vrrp_script check_alive {
    script "/check_alive.sh"
    interval 2
    fall 2
    rise 10
}

vrrp_instance kolla_internal_vip {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 1
    advert_int 1
    virtual_ipaddress {
        10.2.0.254
    }
    track_script {
        check_alive
    }
}
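
The check below is an added example written for this page; it is not kolla's code and not part of the bug report. It parses keepalived's brace-delimited config, reports every vrrp_instance that has no authentication block (the condition described above), and adds the caveats a practitioner wants once the block is there. WEAK_CONF is the instance from the report; HARDENED_CONF is a constructed sample of the same instance with an authentication block added, and its auth_pass value is a placeholder, not anything the kolla fix uses.

```python
"""Audit keepalived.conf for unauthenticated VRRP instances.

Added example for this page, not kolla's code. WEAK_CONF is the bug's
instance; HARDENED_CONF is a constructed sample with a placeholder password.
"""
import re
from typing import Dict, List, Tuple

WEAK_CONF = """\
vrrp_instance kolla_internal_vip {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 1
    advert_int 1
    virtual_ipaddress {
        10.2.0.254
    }
}
"""

HARDENED_CONF = """\
vrrp_instance kolla_internal_vip {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 1
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass Zq7pL2wX
    }
    virtual_ipaddress {
        10.2.0.254
    }
}
"""

Node = Tuple[str, object]  # ("keyword", "value") or ("block name", [children])


def parse_keepalived(text: str) -> List[Node]:
    """Parse keepalived's brace syntax: 'name {' opens a block, '}' closes it,
    any other line is 'keyword value'; '#' and '!' start comments."""
    root: List[Node] = []
    stack: List[List[Node]] = [root]
    for raw in text.splitlines():
        line = re.split(r"[#!]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child: List[Node] = []
            stack[-1].append((line[:-1].strip(), child))
            stack.append(child)
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1].append((key, value.strip()))
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def audit_vrrp_auth(text: str) -> Dict[str, List[str]]:
    """Map each vrrp_instance name to findings. ERROR: any host that can send
    VRRP on the segment can claim the VIP. NOTE: caveat of the chosen auth."""
    report: Dict[str, List[str]] = {}
    for key, body in parse_keepalived(text):
        if not key.startswith("vrrp_instance ") or not isinstance(body, list):
            continue
        name = key.split(None, 1)[1]
        settings = dict(body)
        findings: List[str] = []
        if settings.get("version") == "3":
            findings.append("ERROR: VRRPv3 carries no authentication field")
        auth = settings.get("authentication")
        if not isinstance(auth, list):
            findings.append("ERROR: no authentication block; a rogue keepalived "
                            "with the same virtual_router_id can take the VIP")
        else:
            auth_settings = dict(auth)
            auth_type = auth_settings.get("auth_type")
            auth_pass = auth_settings.get("auth_pass", "")
            if auth_type not in ("PASS", "AH"):
                findings.append(f"ERROR: auth_type must be PASS or AH, got {auth_type!r}")
            if not auth_pass:
                findings.append("ERROR: auth_pass is empty")
            elif len(auth_pass) > 8:
                findings.append("NOTE: auth_pass truncated, keepalived uses only 8 chars")
            if auth_type == "PASS":
                findings.append("NOTE: PASS sends the password in clear text in every "
                                "advertisement; it stops accidents, not a sniffer")
        report[name] = findings
    return report


def unauthenticated_instances(text: str) -> List[str]:
    """Names of vrrp_instance blocks that have at least one ERROR finding."""
    return [name for name, findings in audit_vrrp_auth(text).items()
            if any(f.startswith("ERROR") for f in findings)]
```

Running unauthenticated_instances(WEAK_CONF) returns ["kolla_internal_vip"]; the hardened sample returns no instance, only the NOTE about PASS. The NOTE matters for reading the thread that follows: a VRRP PASS secret travels in clear text inside every advertisement and keepalived keeps only its first eight characters, so the authentication block keeps a second, misconfigured keepalived from trampling the VIP but does not keep out someone who can already sniff the segment. AH (auth_type AH) avoids the clear-text password, and VRRPv3 instances have no authentication at all, which is why the checker treats version 3 as an error.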

Steven Dake (sdake) wrote :

Jeffrey,

Just to be clear, you would have to run a second copy of keepalived to create another VIP. So the authentication just prevents multiple keepaliveds from trouncing each other on a network? If that is the case, this is not a security problem, as there is no attack vector that doesn't already involve root on one of the deployed targets or in the secured private management network.

Jeffrey Zhang (jeffrey4l) wrote :

yea, that's the case.

But I do not think the private management network is secured and trusted. If it is, why do we need a mariadb password? Why do we need SSL for everything? We can make our services open (without any password) on the management network (it will simplify the ops' work).

Sam Yaple (s8m) wrote :

Jeffrey, it absolutely is secure and trusted. Memcache is a nova requirement. We run it. It provides no auth. With access to the private network I could own an OpenStack cloud in a single one-liner.

information type: Private → Public
Steven Dake (sdake) on 2016-03-03
Changed in kolla:
status: New → Triaged
importance: Undecided → Medium
assignee: nobody → Jeffrey Zhang (jeffrey4l)
milestone: none → mitaka-3
Changed in kolla:
status: Triaged → In Progress

Reviewed: https://review.openstack.org/277085
Committed: https://git.openstack.org/cgit/openstack/kolla/commit/?id=e6b230d78436dfb7b38b1c30c4a9325909ae1d20
Submitter: Jenkins
Branch: master

commit e6b230d78436dfb7b38b1c30c4a9325909ae1d20
Author: Jeffrey Zhang <jeffrey.zhang@99cloud.net>
Date: Sat Feb 6 22:18:01 2016 +0800

    Add authentication for keepalived

    TrivialFix

    Closes-Bug: #1551314
    Change-Id: Id85859500aec283703b6b6714abf213a42286182

Changed in kolla:
status: In Progress → Fix Released