Bug 1252081

Summary: Secure redis installation for overcloud
Product: Red Hat OpenStack
Reporter: Giulio Fidente <gfidente>
Component: openstack-tripleo-heat-templates
Assignee: Giulio Fidente <gfidente>
Status: CLOSED ERRATA
QA Contact: Marius Cornea <mcornea>
Severity: unspecified
Docs Contact:
Priority: urgent
Version: 8.0 (Liberty)
CC: emacchi, hbrock, jslagle, mburns, rhel-osp-director-maint, sclewis, security-response-team, yeylon, yprokule
Target Milestone: ga
Keywords: Triaged, ZStream
Target Release: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-0.8.12-1.el7ost python-tripleoclient-0.3.1-1.el7ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1251105
Clones: 1252083 (view as bug list)
Environment:
Last Closed: 2016-04-15 14:29:14 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1251484
Bug Blocks:

Description Giulio Fidente 2015-08-10 16:38:03 UTC
Description of problem:
Redis instances running at the overcloud can be accessed by anyone who knows their IPs, and access to the DBs is not restricted.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-46.el7ost.noarch

Comment 5 Hugh Brock 2016-02-03 17:03:24 UTC
Synced with gfidente on this. This is going to require a nasty t-h-t hack to fix but we do need to fix it for OSP 8.

Comment 10 Marius Cornea 2016-04-10 10:21:50 UTC
listen redis
  bind fd00:fd00:fd00:2000::11:6379 transparent
  balance first
  option tcp-check
  tcp-check send AUTH\ Jkcn9RNpHcVhqYpFzeHfGdTkX\r\n
  tcp-check send PING\r\n
  tcp-check expect string +PONG
  tcp-check send info\ replication\r\n
  tcp-check expect string role:master
  tcp-check send QUIT\r\n
  tcp-check expect string +OK
  server overcloud-controller-0 fd00:fd00:fd00:2000::14:6379 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 fd00:fd00:fd00:2000::12:6379 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 fd00:fd00:fd00:2000::13:6379 check fall 5 inter 2000 rise 2

[root@overcloud-controller-0 ~]# nc fd00:fd00:fd00:2000::11 6379
AUTH Jkcn9RNpHcVhqYpFzeHfGdTkX
+OK
info replication
$358
# Replication
role:master
connected_slaves:2
slave0:ip=fd00:fd00:fd00:2000::14,port=6379,state=online,offset=22189129,lag=1
slave1:ip=fd00:fd00:fd00:2000::11,port=6379,state=online,offset=22189226,lag=1
master_repl_offset:22189711
repl_backlog_active:1
repl_backlog_size:1048576
repl_backlog_first_byte_offset:21141136
repl_backlog_histlen:1048576

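A small check for the condition this bug describes, added here as an example; it is not code from the bug, from the errata, or from tripleo-heat-templates. It speaks the same inline Redis protocol the haproxy tcp-check in comment 10 uses, confirms that a command sent before AUTH is refused with -NOAUTH (on an unpatched overcloud PING would simply answer +PONG), then authenticates and reads the role field from INFO replication, as the haproxy check does. The in-process fake Redis server, its ephemeral port and the master role are constructed for the demo; the password constant is the test-environment value from the haproxy snippet above and is assumed only so the demo matches it.

```python
import socket
import threading

# Constructed stand-in for an overcloud Redis node. It implements just enough of
# the inline protocol (AUTH, PING, INFO replication, QUIT) to exercise the check
# below. REQUIREPASS is the test value from comment 10; ROLE is assumed.
REQUIREPASS = "Jkcn9RNpHcVhqYpFzeHfGdTkX"
ROLE = "master"


def _fake_redis(srv: socket.socket) -> None:
    """Serve connections one at a time, refusing everything until AUTH succeeds."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:  # listening socket closed by the caller: stop serving
            return
        with conn, conn.makefile("rb") as rd:
            authed = False
            for raw in rd:  # one inline command per line, as haproxy sends them
                parts = raw.rstrip(b"\r\n").decode().split(" ", 1)
                cmd = parts[0].upper()
                arg = parts[1] if len(parts) > 1 else ""
                if cmd == "AUTH":
                    authed = arg == REQUIREPASS
                    reply = b"+OK\r\n" if authed else b"-ERR invalid password\r\n"
                elif cmd == "QUIT":  # Redis allows QUIT without authentication
                    conn.sendall(b"+OK\r\n")
                    break
                elif not authed:  # the behaviour the fix introduces: requirepass
                    reply = b"-NOAUTH Authentication required.\r\n"
                elif cmd == "PING":
                    reply = b"+PONG\r\n"
                elif cmd == "INFO":
                    body = f"# Replication\r\nrole:{ROLE}\r\n".encode()
                    reply = b"$%d\r\n%s\r\n" % (len(body), body)
                else:
                    reply = b"-ERR unknown command\r\n"
                conn.sendall(reply)


def _read_reply(rd) -> str:
    """Decode one RESP reply: +simple, -error or $bulk (all this check needs)."""
    line = rd.readline().rstrip(b"\r\n")
    if line[:1] in (b"+", b"-"):
        return line.decode()
    if line[:1] == b"$":
        n = int(line[1:])
        if n < 0:  # null bulk string
            return ""
        return rd.read(n + 2)[:n].decode()  # payload plus trailing CRLF
    raise ValueError(f"unexpected reply: {line!r}")


def _ask(sock: socket.socket, rd, command: str) -> str:
    sock.sendall(command.encode() + b"\r\n")
    return _read_reply(rd)


def check_redis(host: str, port: int, password: str) -> dict:
    """Audit one node: is unauthenticated access refused, and does the
    authenticated probe see the role the haproxy tcp-check expects?"""
    result = {"unauth_rejected": False, "auth_ok": False, "role": None}
    with socket.create_connection((host, port), timeout=5) as sock, \
            sock.makefile("rb") as rd:
        # The bug itself: a command before AUTH must fail, not return +PONG.
        result["unauth_rejected"] = _ask(sock, rd, "PING").startswith("-NOAUTH")
        result["auth_ok"] = _ask(sock, rd, f"AUTH {password}") == "+OK"
        if result["auth_ok"] and _ask(sock, rd, "PING") == "+PONG":
            for field in _ask(sock, rd, "INFO replication").split("\r\n"):
                if field.startswith("role:"):
                    result["role"] = field[len("role:"):]
        _ask(sock, rd, "QUIT")
    return result


def start_fake_redis() -> tuple:
    """Start the constructed test server on an ephemeral loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_fake_redis, args=(srv,), daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_redis()
    print(check_redis("127.0.0.1", port, REQUIREPASS))
    print(check_redis("127.0.0.1", port, "wrong-password"))
    srv.close()
```

Run it against each controller's own address as well as the VIP the haproxy listen block fronts: the bug is about direct access to the nodes, and the haproxy health check only tells you the VIP path works. Note also that the haproxy tcp-check carries the AUTH password in clear text in haproxy.cfg, so that file needs the same access restrictions as the requirepass line in redis.conf.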
Comment 12 errata-xmlrpc 2016-04-15 14:29:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0637.html