Bug 1124850 - RHEL OSP installer iptables should be updated and DHCP should be opened
Summary: RHEL OSP installer iptables should be updated and DHCP should be opened
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: rhel-osp-installer
Version: Foreman (RHEL 6)
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ga
: Installer
Assignee: Mike Burns
QA Contact: Omri Hochman
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-30 13:03 UTC by Ofer Blaut
Modified: 2016-04-27 02:25 UTC (History)
10 users (show)

Fixed In Version: rhel-osp-installer-0.1.8-1.el6ost
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1127724 (view as bug list)
Environment:
Last Closed: 2014-08-21 18:07:05 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1090 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory 2014-08-22 15:28:08 UTC

Description Ofer Blaut 2014-07-30 13:03:26 UTC
Description of problem:

when installing RHEL-OSP-Installer with iptables

port 80/443 should be opened only from management interface 
All other ports (DHCP/TFTP/DNS .... ) should be opened only on provision  interface 

Current status - ports are opened on all interfaces 

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 443 /* 443 accept - apache */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 53 /* 53 accept - dns tcp */ 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 53 /* 53 accept - dns udp */ 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 69 /* 69 accept - tftp */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 80 /* 80 accept - apache */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 8140 /* 8140 accept - puppetmaster */ 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.check iptables on rhel-osp-installer host
2.port 80/443 must be opened on management interface only  
3.port 8140/53/69
4.DHCP port must be opened as well (67/68)

Actual results:


Expected results:


Additional info:

Comment 2 Ofer Blaut 2014-07-30 13:39:09 UTC
(In reply to Ofer Blaut from comment #0)
> Description of problem:
> 
> when installing RHEL-OSP-Installer with iptables
> 
> port 80/443 should be opened only from management interface 
> All other ports (DHCP/TFTP/DNS .... ) should be opened only on provision 
> interface 
> 
> Current status - ports are opened on all interfaces 
> 
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports
> 443 /* 443 accept - apache */ 
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports
> 53 /* 53 accept - dns tcp */ 
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport ports
> 53 /* 53 accept - dns udp */ 
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport ports
> 69 /* 69 accept - tftp */ 
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports
> 80 /* 80 accept - apache */ 
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports
> 8140 /* 8140 accept - puppetmaster */ 
> 
> 
> Version-Release number of selected component (if applicable):
> 
> 
> How reproducible:
> 
> 
> Steps to Reproduce:
> 1.check iptables on rhel-osp-installer host
> 2.port 80/443 must be opened on management interface only  
> 3.port 8140/53/69
> 4.DHCP port must be opened as well (67/68)

port 8443 should be opened as well for  * Foreman Proxy is running at https://puma33.scl.lab.tlv.redhat.com:8443 "

> 
> Actual results:
> 
> 
> Expected results:
> 
> 
> Additional info:

Comment 3 Ofer Blaut 2014-07-30 13:58:01 UTC
workaround 

iptables -A INPUT -p udp --dport 67 -j ACCEPT
iptables -A INPUT -p tcp  --dport 8443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

Comment 4 Hugh Brock 2014-07-30 14:10:15 UTC
To be honest, I'm not sure there should be any ports blocked on the management network -- it's just going to cause problems with NFS, NTP, etc. etc. Obviously yes you want them closed on the external network...

Comment 5 Mike Burns 2014-07-30 14:40:12 UTC
port 8443 should not be opened.  it's only used internally for the proxy.  connections are only from localhost.

Patch for port 67

https://github.com/theforeman/foreman-installer-staypuft/pull/57

Comment 7 Perry Myers 2014-08-01 20:57:58 UTC
(In reply to Ofer Blaut from comment #0)
> Description of problem:
> 
> Steps to Reproduce:
> 1.check iptables on rhel-osp-installer host
> 2.port 80/443 must be opened on management interface only  

I do not agree with this specific point.  80/443 should be opened on all interfaces.  The user will likely want to access the Foreman web interface from either the pxe network (and in fact has to, since Puppet on the managed network will need access) but will likely also want to access the provisioning server from outside of that network.  So this point is not valid.

Comment 8 Alexander Chuzhoy 2014-08-01 21:12:47 UTC
Verified: FailedQA   rhel-osp-installer-0.1.6-5.el6ost.noarch

No need to open port 68.

Need to add IPTABLES_MODULES="nf_conntrack_netbios_ns ip_conntrack_tftp" to /etc/sysconfig/iptables-config.

Comment 11 Marek Hulan 2014-08-07 13:13:30 UTC
Allowed port 68 in https://github.com/theforeman/foreman-installer-staypuft/pull/66 and created a clone bug to allow modules, which is not that straightforward.

Comment 13 Alexander Chuzhoy 2014-08-13 15:35:49 UTC
Verified: rhel-osp-installer-0.1.9-1.el6ost.noarch


Taking in mind the comments, verifying this bug, as the following rules are added:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 22 /* 22 accept - ssh */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 443 /* 443 accept - apache */ 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 53 /* 53 accept - dns tcp */  
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 53 /* 53 accept - dns udp */  
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 67 /* 67 accept - dhcp */     
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 68 /* 68 accept - bootp */    
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 69 /* 69 accept - tftp */     
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 80 /* 80 accept - apache */   
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           multiport ports 8140 /* 8140 accept - puppetmaster */ 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED   

For comment #8: https://bugzilla.redhat.com/show_bug.cgi?id=1127724

Comment 14 errata-xmlrpc 2014-08-21 18:07:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1090.html


Note You need to log in before you can comment on or make changes to this bug.