Bug 1371715

Summary: Make undercloud tftp server listen only on ctlplane IP
Product: Red Hat OpenStack
Reporter: August Simonelli <asimonel>
Component: puppet-ironic
Assignee: Derek Higgins <derekh>
Status: CLOSED ERRATA
QA Contact: Alexander Chuzhoy <sasha>
Severity: low
Priority: medium
Docs Contact:
Version: 8.0 (Liberty)
CC: athomas, augol, bfournie, dbecker, derekh, dsneddon, dtantsur, gmollett, jcoufal, jjoyce, jschluet, mburns, mcornea, mlammon, morazi, racedoro, rhel-osp-director-maint, rhos-maint, sasha, slinaber, sputhenp, srevivo, tvignaud
Target Milestone: beta
Keywords: Security, Triaged
Target Release: 13.0 (Queens)
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: openstack-tripleo-heat-templates-8.0.0-0.20180227121938.e0f59ee.el7ost, openstack-tripleo-common-8.4.1-0.20180224032817.d51ed49.el7ost, instack-undercloud-8.2.1-0.20180228034814.945b1d0.el7ost, puppet-ironic-12.3.1-0.20180221115553.12ab03d.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-27 13:26:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1473267

Description August Simonelli 2016-08-30 22:25:17 UTC
Description of problem:
The undercloud installs a tftp server for dnsmasq. It is bound to the ctlplane IP:

udp        0      0 127.0.0.1:69            0.0.0.0:*                           11638/dnsmasq
udp        0      0 172.31.19.1:69          0.0.0.0:*                           11638/dnsmasq
udp6       0      0 ::1:69                  :::*                                11638/dnsmasq
udp6       0      0 fe80::5054:ff:fede:c:69 :::*                                11638/dnsmasq

But to do this it installs the tftp rpm (tftp-server-5.2-12.el7.x86_64), which drops a default tftp server config in /etc/xinetd/ that binds to all IPs.

iptables is given this rule:

-A INPUT -p udp -m udp --dport 69 -j ACCEPT

which allows access to that default, generic tftp server. This can create a security risk.

Version-Release number of selected component (if applicable):
tftp-server-5.2-12.el7.x86_64
python-tripleoclient-0.3.4-4.el7ost.noarch

How reproducible:
Install the undercloud as per normal and the tftp server will be running under xinetd.

Steps to Reproduce:
1. Install undercloud
2. Check /etc/sysconfig/iptables
3. Check /etc/xinetd/tftp

Actual results:
Two tftp servers listening; one on all interfaces:

[stack@lxvcw1di201 ~]$ sudo netstat -anp | grep \:69
udp        0      0 0.0.0.0:69              0.0.0.0:*                           29584/xinetd
udp        0      0 127.0.0.1:69            0.0.0.0:*                           1611/dnsmasq
udp        0      0 172.31.19.1:69          0.0.0.0:*                           1611/dnsmasq
udp6       0      0 :::69                   :::*                                1/systemd
udp6       0      0 ::1:69                  :::*                                1611/dnsmasq
udp6       0      0 fe80::5054:ff:fe56:2:69 :::*                                1611/dnsmasq

Expected results:
Only one tftp server listening on a locked down interface:

[root@lxvcw1di202 ~]# netstat -anp | grep \:69
udp        0      0 127.0.0.1:69            0.0.0.0:*                           11638/dnsmasq
udp        0      0 172.31.19.1:69          0.0.0.0:*                           11638/dnsmasq
udp6       0      0 ::1:69                  :::*                                11638/dnsmasq
udp6       0      0 fe80::5054:ff:fede:c:69 :::*                                11638/dnsmasq

Additional info:
Can the iptables rule be amended to be:

-A INPUT -s ctlplane_subnet -p udp -m udp --dport 69 -j ACCEPT

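Added example (not part of the bug report or of any TripleO, instack-undercloud or puppet-ironic code): the check the reporter did by hand, scripted as a POSIX sh function that reads `netstat -anp` lines and flags any UDP/69 socket bound to a wildcard address (0.0.0.0 or ::). The sample lines are the ones quoted in this report's "Actual results" and in the later verification comment; the subnet passed to the rule helper is whatever the caller's ctlplane CIDR is (the value used in the usage note is an assumed example).

```shell
#!/bin/sh
# Added example: detect TFTP sockets bound to a wildcard address, which is the
# condition this bug reports. Not taken from any TripleO package.

# Lines as shown in the report's "Actual results" (PIDs as reported there).
BROKEN_SAMPLE='udp        0      0 0.0.0.0:69              0.0.0.0:*                           29584/xinetd
udp        0      0 127.0.0.1:69            0.0.0.0:*                           1611/dnsmasq
udp        0      0 172.31.19.1:69          0.0.0.0:*                           1611/dnsmasq
udp6       0      0 :::69                   :::*                                1/systemd
udp6       0      0 ::1:69                  :::*                                1611/dnsmasq'

# The single line shown in the verification comment on this bug.
FIXED_SAMPLE='udp        0      0 192.168.24.1:69         0.0.0.0:*                           11843/xinetd'

# Read `netstat -anp` lines on stdin and print "address process" for each UDP
# socket on port 69 whose local address is a wildcard (0.0.0.0 or ::).
# Field 4 is Local Address; the last field is PID/Program name.
wildcard_tftp_listeners() {
    awk '$1 ~ /^udp/ && $4 ~ /:69$/ {
        addr = $4
        sub(/:69$/, "", addr)
        if (addr == "0.0.0.0" || addr == "::") print addr, $NF
    }'
}

# Count wildcard-bound TFTP listeners in the netstat text passed as $1.
count_wildcard_tftp() {
    printf '%s\n' "$1" | wildcard_tftp_listeners | awk 'END { print NR }'
}

# Exit status 0 only when every TFTP socket is bound to a specific address.
check_tftp_bind() {
    [ "$(count_wildcard_tftp "$1")" -eq 0 ]
}

# The narrowed rule suggested under "Additional info", with the ctlplane
# subnet (CIDR) supplied by the caller.
tftp_accept_rule() {
    printf -- '-A INPUT -s %s -p udp -m udp --dport 69 -j ACCEPT\n' "$1"
}

# Stand-alone run over both samples. On a live undercloud, feed the output of
#   sudo netstat -anp | grep ':69'
# to wildcard_tftp_listeners instead of the embedded text.
for name in BROKEN_SAMPLE FIXED_SAMPLE; do
    eval "text=\$$name"
    if check_tftp_bind "$text"; then
        echo "$name: ok, no wildcard TFTP listener"
    else
        echo "$name: wildcard TFTP listener(s) found:"
        printf '%s\n' "$text" | wildcard_tftp_listeners | sed 's/^/  /'
    fi
done
```

Run as-is it reports the xinetd and systemd wildcard sockets for the first sample and a clean result for the second. `tftp_accept_rule 192.168.24.0/24` (an assumed subnet) prints the source-restricted ACCEPT rule from the report, which is only a stop-gap: the fix that shipped binds the service to the ctlplane address instead, so the socket is not reachable from other interfaces at all.
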
Comment 3 Dmitry Tantsur 2016-10-14 16:43:03 UTC
Good news: starting with OSP10 we only have one TFTP server! However, it still listens on 0.0.0.0:69. We can try fixing it for OSP10, but it may be delayed to Ocata.

Comment 4 Dmitry Tantsur 2016-10-14 16:49:54 UTC
Thinking more about that, we need to fix it in a fashion which won't break overcloud Ironic. Due to this complexity, I'd prefer we target it to OSP 11. Then, depending on what the resulting fix looks like, we can consider backporting the fix.

Comment 7 Bob Fournier 2018-02-01 00:10:31 UTC
Derek - it looks like both patches have merged so moving this to POST.

Comment 8 Jon Schlueter 2018-02-21 14:18:15 UTC
Is the component for this correct? I see 2 patches, one for THT and one for tripleo-common, but nothing for puppet-ironic. Or are we missing an additional patch for puppet-ironic for this fix?

Comment 9 Derek Higgins 2018-02-22 15:42:55 UTC
There were 4 patches in total. I'm adding a reference now to the other two (puppet-ironic and instack-undercloud).

Comment 13 Alexander Chuzhoy 2018-05-07 15:59:17 UTC
Verified:

Environment:
openstack-tripleo-heat-templates-8.0.2-11.el7ost.noarch
puppet-ironic-12.4.0-0.20180329034302.8285d85.el7ost.noarch
openstack-tripleo-common-containers-8.6.1-6.el7ost.noarch
instack-undercloud-8.4.1-4.el7ost.noarch
openstack-tripleo-common-8.6.1-6.el7ost.noarch


(undercloud) [stack@undercloud-0 ~]$ sudo netstat -anp | grep \:69
udp        0      0 192.168.24.1:69         0.0.0.0:*                           11843/xinetd

Comment 15 errata-xmlrpc 2018-06-27 13:26:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086