Bug 1553274

Summary: Restrict memcached on overcloud nodes to listen to tcp only
Product: Red Hat OpenStack
Reporter: Cody Swanson <cswanson>
Component: openstack-tripleo-heat-templates
Assignee: Emilien Macchi <emacchi>
Status: CLOSED DUPLICATE
QA Contact: Gurenko Alex <agurenko>
Severity: low
Docs Contact:
Priority: medium
Version: 10.0 (Newton)
CC: aschultz, mburns, rhel-osp-director-maint
Target Milestone: ---
Keywords: Triaged, ZStream
Target Release: ---
Hardware: All
OS: All
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-19 20:15:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Cody Swanson 2018-03-08 15:41:12 UTC
Description of problem: 

The overcloud memcached listens on both tcp and udp, but the services that use memcached only seem to use tcp. We should restrict memcached to listen on tcp only to reduce attack surface and increase product security.

Version-Release number of selected component (if applicable):

memcached-1.4.33-3.el7ost.x86_64

How reproducible:

Deploy the overcloud using director; memcached listens on tcp and udp by default.

Steps to Reproduce:

1. Deploy overcloud.

Actual results: 

memcached listens on tcp and udp while services only seem to communicate with it using tcp.

Expected results: 

memcached listens on tcp only.

Additional info: 

I've tested this in my lab and I did not notice any problems with restricting it. I monitored my running overcloud nodes for traffic on udp port 11211 and noticed none over a few hours.

[root@controller-0 ~]# cat /etc/sysconfig/memcached 
PORT="11211"
USER="memcached"
MAXCONN="8192"
CACHESIZE="15087"
OPTIONS="-l 172.17.1.19 -U 0 -t 4 >> /var/log/memcached.log 2>&1"
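The posted config already carries the mitigation: memcached's -U flag sets the UDP port, and -U 0 turns the UDP listener off entirely, which is what leaves only tcp/11211 bound. The script below is an added example, not part of the bug report or of tripleo-heat-templates. It parses a sysconfig-style memcached file, reports whether the UDP listener is disabled, and emits the hardened OPTIONS line when it is not. The config text it operates on is constructed here to mirror the one in the report, with -U 0 removed to represent the default deployment; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): audit and harden the UDP
# listener setting in /etc/sysconfig/memcached. memcached's "-U <port>"
# selects the UDP port; "-U 0" disables UDP, leaving only the TCP listener.

# Constructed sample: the default overcloud config, UDP still enabled
# (no "-U 0" in OPTIONS). Mirrors the file posted in the report.
WEAK_CONFIG='PORT="11211"
USER="memcached"
MAXCONN="8192"
CACHESIZE="15087"
OPTIONS="-l 172.17.1.19 -t 4 >> /var/log/memcached.log 2>&1"'

# options_of CONFIG_TEXT: print the value inside the OPTIONS="..." line.
options_of() {
  printf '%s\n' "$1" | sed -n 's/^OPTIONS="\(.*\)"$/\1/p'
}

# udp_disabled CONFIG_TEXT: exit 0 only if OPTIONS carries "-U 0"
# as its own token (so "-U 0" matches but "-U 11211" does not).
udp_disabled() {
  options_of "$1" | grep -Eq -- '(^| )-U[ ]+0( |$)'
}

# harden CONFIG_TEXT: print the config with "-U 0" prepended to OPTIONS
# when it is missing; a config that already has it is printed unchanged,
# so the function is safe to run repeatedly.
harden() {
  if udp_disabled "$1"; then
    printf '%s\n' "$1"
  else
    printf '%s\n' "$1" | sed 's/^OPTIONS="/OPTIONS="-U 0 /'
  fi
}

# udp_listener_check: on a live node, list UDP sockets bound to 11211
# (needs iproute2's ss). Empty output after a memcached restart confirms
# the UDP listener is gone; run it alongside the file-level check above.
udp_listener_check() {
  ss -lnu 'sport = :11211'
}

# Demonstration on the constructed sample: prints the hardened file.
harden "$WEAK_CONFIG"
```

Apply the hardened OPTIONS line on a node, restart memcached, and confirm with the socket check that tcp/11211 is still bound and udp/11211 is not; the reporter's traffic observation above is the other half of the evidence, since a silent UDP port is only safe to close once nothing depends on it.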

Comment 1 Alex Schultz 2018-03-19 20:15:55 UTC
This is getting resolved as part of the CVE-2018-1000115 mitigation.

*** This bug has been marked as a duplicate of bug 1551182 ***