Bug 1594333

Summary: [Deployment] Karaf shell should only be exposed to internal API network
Product: Red Hat OpenStack
Reporter: Daniel Farrell <dfarrell>
Component: puppet-opendaylight
Assignee: Tim Rozet <trozet>
Status: CLOSED ERRATA
QA Contact: Tomas Jamrisko <tjamrisk>
Severity: high
Docs Contact:
Priority: high
Version: 13.0 (Queens)
CC: aadam, dcain, jjoyce, jschluet, lmarsh, mburns, mkolesni, nyechiel, slinaber, tjamrisk, trozet, tvignaud
Target Milestone: z1
Keywords: Security, Triaged, ZStream
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Whiteboard: Deployment
Fixed In Version: puppet-opendaylight-8.1.2-2.38977efgit.el7ost
Doc Type: Bug Fix
Doc Text:
Previously, the Karaf shell (the management shell for OpenDaylight) was not bound to a specific IP on port 8101, causing the Karaf shell to listen on the public-facing, external network. This created a security vulnerability, because the external network could be used to access OpenDaylight on the port. This update binds the Karaf shell to the internal API network IP during deployment, which makes the Karaf shell only accessible on the private internal API network.
Story Points: ---
Clone Of:
Environment: N/A
Last Closed: 2018-07-19 14:27:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Daniel Farrell 2018-06-22 16:14:37 UTC
The OpenDaylight Karaf shell should only be accessible from the admin network (TODO: is that the right network name?). It's currently listening on all IPs, which is insecure.


[heat-admin@controller-0 ~]$ sudo netstat -tulpn | grep 8101
tcp 0 0 0.0.0.0:8101 0.0.0.0:* LISTEN 36976/java 
[heat-admin@controller-0 ~]$ sudo netstat -tulpn | grep 8081
tcp 0 0 192.168.24.11:8081 0.0.0.0:* LISTEN 67377/haproxy 
tcp 0 0 172.17.1.13:8081 0.0.0.0:* LISTEN 67377/haproxy 
tcp 0 0 172.17.1.17:8081 0.0.0.0:* LISTEN 36976/java
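The listing above is the kind of evidence a deployment check can parse automatically. The following is an added example, not code from the bug report or from puppet-opendaylight: it reads `netstat -tulpn` output, picks out every listener on the Karaf port, and flags a wildcard bind (0.0.0.0 or ::) or any address outside the internal API network. The internal API CIDR (172.17.1.0/24) and the sample lines are assumptions modelled on the output quoted above, not values from a real controller.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of `sudo netstat -tulpn` output, modelled on the listing
# in the bug description. The 8101 line shows the pre-fix wildcard bind.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:8101 0.0.0.0:* LISTEN 36976/java
tcp 0 0 192.168.24.11:8081 0.0.0.0:* LISTEN 67377/haproxy
tcp 0 0 172.17.1.13:8081 0.0.0.0:* LISTEN 67377/haproxy
tcp 0 0 172.17.1.17:8081 0.0.0.0:* LISTEN 36976/java
"""

# Assumed internal API network; take the real CIDR from the deployment's network config.
INTERNAL_API_NET = ipaddress.ip_network("172.17.1.0/24")
KARAF_SSH_PORT = 8101


def parse_listeners(netstat_output: str) -> List[Dict]:
    """Return one record per LISTEN line of `netstat -tulpn` (UDP lines have no state and are skipped)."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "LISTEN":
            continue
        # Local address is "ip:port"; rpartition keeps IPv6 forms such as ":::8101" intact.
        ip_str, _, port = fields[3].rpartition(":")
        listeners.append({"proto": fields[0], "ip": ip_str, "port": int(port), "program": fields[6]})
    return listeners


def check_binding(netstat_output: str, port: int, allowed_net) -> List[str]:
    """Return one finding per listener on `port` not confined to allowed_net.

    A wildcard bind (0.0.0.0 or ::) is always a finding, since it exposes the port
    on every network the host is attached to, including the external one.
    """
    findings = []
    for entry in parse_listeners(netstat_output):
        if entry["port"] != port:
            continue
        addr = ipaddress.ip_address(entry["ip"])
        if addr.is_unspecified:
            findings.append(f"{entry['program']} binds {entry['ip']}:{port} on all interfaces")
        elif addr not in allowed_net:
            findings.append(f"{entry['program']} binds {entry['ip']}:{port} outside {allowed_net}")
    return findings


if __name__ == "__main__":
    for finding in check_binding(SAMPLE_NETSTAT, KARAF_SSH_PORT, INTERNAL_API_NET):
        print("FINDING:", finding)
```

Run the check only against port 8101: port 8081 is fronted by haproxy on other networks by design, so applying the same rule there produces expected, not actionable, findings.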

Comment 15 errata-xmlrpc 2018-07-19 14:27:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2214

Comment 16 Tim Rozet 2018-07-24 14:53:53 UTC
I just realized that although this fix improves the security, it was not that big of a security hole because the port was blocked by default in iptables:
https://github.com/openstack/tripleo-heat-templates/blob/master/puppet/services/opendaylight-api.yaml#L110