Bug 1124850
| Summary: | RHEL OSP installer iptables should be updated and DHCP should be opened | |||
|---|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Ofer Blaut <oblaut> | |
| Component: | rhel-osp-installer | Assignee: | Mike Burns <mburns> | |
| Status: | CLOSED ERRATA | QA Contact: | Omri Hochman <ohochman> | |
| Severity: | high | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | Foreman (RHEL 6) | CC: | acathrow, hbrock, mburns, mhulan, morazi, oblaut, rhos-maint, sasha, sclewis, yeylon | |
| Target Milestone: | ga | |||
| Target Release: | Installer | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | rhel-osp-installer-0.1.8-1.el6ost | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1127724 (view as bug list) | Environment: | ||
| Last Closed: | 2014-08-21 18:07:05 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
|
Description
Ofer Blaut
2014-07-30 13:03:26 UTC
(In reply to Ofer Blaut from comment #0) > Description of problem: > > when installing RHEL-OSP-Installer with iptables > > port 80/443 should be opened only from management interface > All other ports (DHCP/TFTP/DNS .... ) should be opened only on provision > interface > > Current status - ports are opened on all interfaces > > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 443 /* 443 accept - apache */ > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 53 /* 53 accept - dns tcp */ > ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 53 /* 53 accept - dns udp */ > ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 69 /* 69 accept - tftp */ > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 80 /* 80 accept - apache */ > ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports > 8140 /* 8140 accept - puppetmaster */ > > > Version-Release number of selected component (if applicable): > > > How reproducible: > > > Steps to Reproduce: > 1.check iptables on rhel-osp-installer host > 2.port 80/443 must be opened on management interface only > 3.port 8140/53/69 > 4.DHCP port must be opened as well (67/68) port 8443 should be opened as well for * Foreman Proxy is running at https://puma33.scl.lab.tlv.redhat.com:8443 " > > Actual results: > > > Expected results: > > > Additional info: workaround iptables -A INPUT -p udp --dport 67 -j ACCEPT iptables -A INPUT -p tcp --dport 8443 -j ACCEPT iptables-save > /etc/sysconfig/iptables To be honest, I'm not sure there should be any ports blocked on the management network -- it's just going to cause problems with NFS, NTP, etc. etc. Obviously yes you want them closed on the external network... port 8443 should not be opened. it's only used internally for the proxy. connections are only from localhost. Patch for port 67 https://github.com/theforeman/foreman-installer-staypuft/pull/57 (In reply to Ofer Blaut from comment #0) > Description of problem: > > Steps to Reproduce: > 1.check iptables on rhel-osp-installer host > 2.port 80/443 must be opened on management interface only I do not agree with this specific point. 80/443 should be opened on all interfaces. The user will likely want to access the Foreman web interface from either the pxe network (and in fact has to, since Puppet on the managed network will need access) but will likely also want to access the provisioning server from outside of that network. So this point is not valid. Verified: FailedQA rhel-osp-installer-0.1.6-5.el6ost.noarch No need to open port 68. Need to add IPTABLES_MODULES="nf_conntrack_netbios_ns ip_conntrack_tftp" to /etc/sysconfig/iptables-config. Allowed port 68 in https://github.com/theforeman/foreman-installer-staypuft/pull/66 and created a clone bug to allow modules, which is not that straightforward. Verified: rhel-osp-installer-0.1.9-1.el6ost.noarch Taking in mind the comments, verifying this bug, as the following rules are added: ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 22 /* 22 accept - ssh */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 443 /* 443 accept - apache */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 53 /* 53 accept - dns tcp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 53 /* 53 accept - dns udp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 67 /* 67 accept - dhcp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 68 /* 68 accept - bootp */ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 69 /* 69 accept - tftp */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 80 /* 80 accept - apache */ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport ports 8140 /* 8140 accept - puppetmaster */ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED For comment #8: https://bugzilla.redhat.com/show_bug.cgi?id=1127724 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1090.html |