Bug 1182330 - [RFE] Disable services that listen on all available network interfaces (0.0.0.0) if not needed
Summary: [RFE] Disable services that listen on all available network interfaces (0.0.0...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.4.0
Hardware: Unspecified
OS: Unspecified
high
low
Target Milestone: GA
: 5.4.0
Assignee: Joe Rafaniello
QA Contact: Milan Falešník
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-01-14 21:05 UTC by Jared Deubel
Modified: 2019-07-11 08:32 UTC (History)

Fixed In Version: 5.4.0.0.11
Doc Type: Enhancement
Doc Text:
This version of the CloudForms Management Engine appliance reconfigures all services that do not need to listen to all available network interfaces (0.0.0.0), to accept incoming connections on the loop back interface (127.0.0.1) only.
Clone Of:
Environment:
Last Closed: 2015-06-16 12:47:41 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1100 0 normal SHIPPED_LIVE CFME 5.4.0 bug fixes, and enhancement update 2015-06-16 16:28:42 UTC

Comment 5 Joe Rafaniello 2015-02-23 17:47:53 UTC
Added upstream pull request to make ui/webservice workers (ports 3000+/4000+) not listen on 0.0.0.0 and instead only loopback. https://github.com/ManageIQ/manageiq/pull/1832

Comment 6 CFME Bot 2015-02-23 18:35:57 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/f315d4dc411d501d200d2fe5c7be7ee284873e1c

commit f315d4dc411d501d200d2fe5c7be7ee284873e1c
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Mon Feb 23 12:30:46 2015 -0500
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Mon Feb 23 12:42:10 2015 -0500

    Bind to loopback address in production mode.
    
    The appliances are already blocking ports 3000+, 4000+ as only local apache
    workers communicate with the Rails "thin" server on those ports.
    
    Let's not bind to 0.0.0.0 in production since we can't access them anyway.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1182330

 vmdb/app/models/mixins/web_server_worker_mixin.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 7 CFME Bot 2015-02-23 18:36:01 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/c1aec8d111dbd3205dc0fea402e7965d83127493

commit c1aec8d111dbd3205dc0fea402e7965d83127493
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Mon Feb 23 12:31:08 2015 -0500
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Mon Feb 23 12:42:16 2015 -0500

    Use Rails.env only.  It must be known here or things will blow up.
    
    Commit 051c582d9 changed from using the old RAILS_ENV environment variable
    to the new Rails.env.
    
    -      :environment => (RAILS_ENV || "development").dup,
    +      :environment => (Rails.env || "development").to_s.dup,
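Review bot: the `|| "development"` fallback on the `+` line can never fire, because `Rails.env` itself already defaults to "development" when neither RAILS_ENV nor RACK_ENV is set, so the expression is dead code; more importantly, any silent default here would let an appliance with a missing environment run with the non-production binding behaviour (the earlier commit only binds to loopback in production mode), so dropping the fallback and letting a missing environment fail loudly, as this commit does, is the safer choice.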
    
    This defaulting of development shouldn't be needed anymore as we're using
    Rails.root in this same method.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1182330

 vmdb/app/models/mixins/web_server_worker_mixin.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 8 Joe Rafaniello 2015-02-23 18:53:07 UTC
Add upstream pull request to change memcached to also only listen on localhost/127.0.0.1, not 0.0.0.0: https://github.com/ManageIQ/manageiq/pull/1834

Comment 9 CFME Bot 2015-02-24 17:15:59 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/3dc1f408330995647f20f409787321fffe1c1d18

commit 3dc1f408330995647f20f409787321fffe1c1d18
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Mon Feb 23 13:08:39 2015 -0500
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Mon Feb 23 13:33:25 2015 -0500

    Make memcached listen on loopback address, not all addresses.
    
    In other words, listen on 127.0.0.1, not 0.0.0.0.
    
    We don't actually share memcached between appliances so our default iptables
    blocks incoming requests on port 11211 already so let's only listen on the
    loopback address used by the UI/Web Service workers.
    
    Note, since existing appliance configurations contain memcache_server_opts in
    the session section, users will have to update their current configuration if they
    want to limit memcached to 127.0.0.1.
    
    In other words, change the configuration in the user interface as below:
    
    Configure, Configuration, Select the correct server, Advanced tab.
    
    From:
    ```
    session:
      interval: 60
      memcache_server: 127.0.0.1:11211
      memcache_server_opts:
    ```
    
    To:
    ```
    session:
      interval: 60
      memcache_server: 127.0.0.1:11211
      memcache_server_opts: "-l 127.0.0.1"
    ```
    https://bugzilla.redhat.com/show_bug.cgi?id=1182330

 vmdb/config/vmdb.tmpl.yml | 2 +-
 vmdb/lib/miq_memcached.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comment 10 Joe Rafaniello 2015-02-24 21:02:28 UTC
Added upstream PR to migrate memcache_server_opts from "" to "-l 127.0.0.1" so we bind to 127.0.0.1 (not 0.0.0.0) unless the user configured their own memcache_server_opts settings.

https://github.com/ManageIQ/manageiq/pull/1865

Comment 11 Joe Rafaniello 2015-02-24 21:05:03 UTC
Added upstream PR to default to 127.0.0.1 for all environments, including development, and properly set the UI/WS worker uri fields: https://github.com/ManageIQ/manageiq/pull/1853

Comment 12 CFME Bot 2015-02-25 17:25:55 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/e146f01fa9f1c69777482a3a3271c2115570166a

commit e146f01fa9f1c69777482a3a3271c2115570166a
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Mon Feb 23 22:03:10 2015 -0500
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Mon Feb 23 22:41:55 2015 -0500

    Apparently, developers don't need thin to bind to 0.0.0.0
    
    Bind on localhost.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1182330

 vmdb/app/models/mixins/web_server_worker_mixin.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 13 CFME Bot 2015-02-25 17:25:59 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/189a73b2d8da88fe6a2d30198ade60ed287ff77e

commit 189a73b2d8da88fe6a2d30198ade60ed287ff77e
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Mon Feb 23 22:32:58 2015 -0500
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Mon Feb 23 22:42:03 2015 -0500

    Make 127.0.0.1 a constant with a getter method.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1182330

 vmdb/app/models/mixins/web_server_worker_mixin.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comment 14 CFME Bot 2015-02-25 17:26:02 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/01cb19a7f2d4f97ee2a275798692f9d517913d64

commit 01cb19a7f2d4f97ee2a275798692f9d517913d64
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Mon Feb 23 22:34:24 2015 -0500
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Tue Feb 24 16:59:40 2015 -0500

    Build the UI/WS worker uri using binding_address.
    
    If this value ever is an IPv6 address, build the URI using URI#hostname.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1182330

 vmdb/app/models/mixins/web_server_worker_mixin.rb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
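The commit above builds the worker URI from `binding_address` and notes that an IPv6 literal must be bracketed and read back with `URI#hostname`. The following Ruby is an added illustration of that idea, not code from the ManageIQ repository: the module name `LoopbackWorkerUri` and its methods are assumptions, and it also adds a defender-side check that a worker URI points at a loopback address.

```ruby
require "uri"
require "ipaddr"

# Hypothetical stand-in for the worker URI logic described in the commit above.
# The real WebServerWorkerMixin is not reproduced here; all names are assumptions.
module LoopbackWorkerUri
  # The constant the commit introduced: workers bind here instead of 0.0.0.0.
  BINDING_ADDRESS = "127.0.0.1".freeze

  def self.binding_address
    BINDING_ADDRESS
  end

  # Wrap IPv6 literals in brackets; IPv4 literals and hostnames pass through.
  def self.host_literal(address)
    IPAddr.new(address).ipv6? ? "[#{address}]" : address
  rescue ArgumentError
    address # not an IP literal, so treat it as a hostname
  end

  # Build the URI a UI/WS worker advertises, e.g. "http://127.0.0.1:3000".
  def self.worker_uri(port, address = binding_address)
    "http://#{host_literal(address)}:#{port}"
  end

  # URI#hostname (unlike URI#host) strips the brackets from an IPv6 literal,
  # which is why the commit message recommends it for the round trip.
  def self.host_from_uri(uri_string)
    URI.parse(uri_string).hostname
  end

  # Defender-side check: does this worker URI point at a loopback address?
  def self.bound_to_loopback?(uri_string)
    ip = IPAddr.new(host_from_uri(uri_string))
    IPAddr.new("127.0.0.0/8").include?(ip) || ip == IPAddr.new("::1")
  rescue ArgumentError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  [3000, 4000].each { |port| puts LoopbackWorkerUri.worker_uri(port) }
  puts LoopbackWorkerUri.worker_uri(3000, "::1")
end
```

The check at the end is the one a verifier would run over the stored worker URIs after the upgrade: a URI whose hostname resolves to anything outside 127.0.0.0/8 or ::1 means the worker is still reachable beyond the appliance.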

Comment 15 CFME Bot 2015-02-25 17:41:28 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/3b60ed3b749b3eb90d47025328b1bca412769c91

commit 3b60ed3b749b3eb90d47025328b1bca412769c91
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Tue Feb 24 15:49:31 2015 -0500
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Tue Feb 24 15:49:31 2015 -0500

    Migrate empty memcache_server_opts to bind on localhost by default.
    
    Instead of having memcached bind on 0.0.0.0, we want 127.0.0.1 by default.
    If a user configured their own options, it is left intact.
    Followup to #1834
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1182330

 ...ack_to_memcache_server_opts_in_configuration.rb | 27 ++++++++++++
 ...o_memcache_server_opts_in_configuration_spec.rb | 51 ++++++++++++++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 vmdb/db/migrate/20150224164512_add_loopback_to_memcache_server_opts_in_configuration.rb
 create mode 100644 vmdb/spec/migrations/20150224164512_add_loopback_to_memcache_server_opts_in_configuration_spec.rb
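Comments 9, 10 and 15 describe the same change from three angles: memcached should bind with `-l 127.0.0.1`, an empty `memcache_server_opts` is migrated to that value, and a value the user configured themselves is left intact. The Ruby below is an added example of that migration logic and is not the project's own migration: it operates on a plain Hash shaped like the `session` section shown in comment 9 rather than on the real Configuration model, the module and method names are assumptions, and the YAML sample is constructed from the "From:" block above. It also adds a check that parses memcached's `-l` flags, which the thread does not show.

```ruby
require "yaml"

# Hypothetical stand-in for the migration described in the commits above.
# It works on a plain Hash shaped like the vmdb.yml "session" section
# rather than on the real Configuration model; names are assumptions.
module MemcacheOptsMigration
  LOOPBACK_OPTS = "-l 127.0.0.1".freeze

  # Constructed sample matching the "From:" block in comment 9: the key is
  # present but empty, which YAML loads as nil.
  BEFORE_YAML = <<~YAML
    session:
      interval: 60
      memcache_server: 127.0.0.1:11211
      memcache_server_opts:
  YAML

  # Forward migration: fill an empty memcache_server_opts with the loopback
  # bind flag; anything the user set themselves is left intact.
  def self.up(config)
    session = config.fetch("session", {})
    return config unless session["memcache_server_opts"].to_s.strip.empty?
    config.merge("session" => session.merge("memcache_server_opts" => LOOPBACK_OPTS))
  end

  # Reverse migration: only undo the exact value the forward migration wrote.
  def self.down(config)
    session = config.fetch("session", {})
    return config unless session["memcache_server_opts"] == LOOPBACK_OPTS
    config.merge("session" => session.merge("memcache_server_opts" => ""))
  end

  # Extract the addresses memcached would bind to from its "-l" flags
  # (both "-l 127.0.0.1" and "-l127.0.0.1" forms); an empty list means the
  # daemon falls back to listening on all interfaces.
  def self.listen_addresses(opts)
    tokens = opts.to_s.split
    addresses = []
    tokens.each_with_index do |tok, i|
      if tok == "-l"
        addresses << tokens[i + 1] if tokens[i + 1]
      elsif tok.start_with?("-l")
        addresses << tok[2..-1]
      end
    end
    addresses
  end

  # Defender-side check a verifier can run over the stored configuration.
  def self.loopback_only?(opts)
    addrs = listen_addresses(opts)
    !addrs.empty? && addrs.all? { |a| a == "127.0.0.1" || a == "::1" }
  end
end

if __FILE__ == $PROGRAM_NAME
  migrated = MemcacheOptsMigration.up(YAML.safe_load(MemcacheOptsMigration::BEFORE_YAML))
  puts migrated.to_yaml
end
```

The `down` step deliberately reverts only the exact string the migration wrote, so a user value that happens to be set later is never clobbered by a rollback; `loopback_only?` returns false for an empty option string because that is precisely the case where memcached binds to 0.0.0.0.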

Comment 17 CFME Bot 2015-02-26 17:05:55 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/1e6e7c98e9353d58453137706e463b7582bac8cf

commit 1e6e7c98e9353d58453137706e463b7582bac8cf
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Thu Feb 26 11:50:04 2015 -0500
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Thu Feb 26 12:01:44 2015 -0500

    Thin server should bind on 0.0.0.0 in dev mode.
    
    Followup to #1853
    
    We should be able to make rails development environments easier to setup
    while also making production abide by the STIG requirement:
    "The web server must be configured to listen on a specific IP address and port"
    
    http://www.stigviewer.com/stig/apache_server_2.2unix/2014-04-03/finding/V-26326
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1182330
    
    [skip ci]

 vmdb/app/models/mixins/web_server_worker_mixin.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 20 Pete Savage 2015-04-15 17:41:41 UTC
Verified that 3000, 4000 are bound to localhost; noticed rpcbind is running on 0.0.0.0:111. Known?

Comment 21 Joe Rafaniello 2015-04-27 13:57:15 UTC
Sorry Pete,

Yes, I only changed the behavior of our services: memcached (11211), the ui workers (3000, 3001, etc.) and the web service workers (4000, 4001, etc.).  The other services listening on 0.0.0.0 will have to be evaluated on a case by case basis since they're system services that have unknown effects on CFME if we try to change them.

Comment 22 Pete Savage 2015-04-28 10:19:10 UTC
Sorry Joe,

So in the context of the bug, how should we proceed? The initial request seemed like it wanted all services disabled that listen on 0.0.0.0; we should probably, somewhere (docs?), list the services which _are_ allowed to listen on 0.0.0.0?

Comment 23 Joe Rafaniello 2015-05-11 15:12:25 UTC
Hi Pete,

Sorry for the delay.  The request was to disable the services that don't need to listen on 0.0.0.0.  Without specifics on which services are questionable, I disabled our services that I knew could be disabled on 0.0.0.0 without breaking other features of the product.  

I would prefer we link to RHEL documentation regarding the default system services that are running on a box as 1) they will change with each new version of RHEL and 2) RHEL documentation will better describe these services.

Thoughts?

Comment 24 Milan Falešník 2015-05-19 09:21:03 UTC
Verified in 5.4.0.1:

# lsof -i -P -n | grep -E ":[34]00[0-9]+|:11211"
memcached  2244 memcached   26u  IPv4  16832      0t0  TCP 127.0.0.1:11211 (LISTEN)
memcached  2244 memcached   27u  IPv4  16835      0t0  UDP 127.0.0.1:11211 
memcached  2244 memcached   28u  IPv4  17759      0t0  TCP 127.0.0.1:11211->127.0.0.1:39403 (ESTABLISHED)
memcached  2244 memcached   29u  IPv4 618559      0t0  TCP 127.0.0.1:11211->127.0.0.1:54952 (ESTABLISHED)
ruby       2315      root   24u  IPv4  17369      0t0  TCP 127.0.0.1:3000 (LISTEN)
ruby       2315      root   27u  IPv4  17758      0t0  TCP 127.0.0.1:39403->127.0.0.1:11211 (ESTABLISHED)
ruby       2332      root   24u  IPv4  17372      0t0  TCP 127.0.0.1:4000 (LISTEN)
ruby       2332      root   26u  IPv4 618558      0t0  TCP 127.0.0.1:54952->127.0.0.1:11211 (ESTABLISHED)
httpd      6204    apache   17u  IPv4 847717      0t0  TCP 127.0.0.1:34609->127.0.0.1:3000 (CLOSE_WAIT)
httpd      6205    apache   17u  IPv4 847720      0t0  TCP 127.0.0.1:34610->127.0.0.1:3000 (CLOSE_WAIT)
httpd      6206    apache   17u  IPv4 847714      0t0  TCP 127.0.0.1:34608->127.0.0.1:3000 (CLOSE_WAIT)
httpd      6207    apache   17u  IPv4 847701      0t0  TCP 127.0.0.1:34607->127.0.0.1:3000 (CLOSE_WAIT)
httpd      6208    apache   17u  IPv4 847739      0t0  TCP 127.0.0.1:34612->127.0.0.1:3000 (CLOSE_WAIT)
httpd      6209    apache   17u  IPv4 832482      0t0  TCP 127.0.0.1:33891->127.0.0.1:3000 (CLOSE_WAIT)
httpd      6210    apache   17u  IPv4 847721      0t0  TCP 127.0.0.1:34611->127.0.0.1:3000 (CLOSE_WAIT)
httpd      6211    apache   17u  IPv4 830173      0t0  TCP 127.0.0.1:33756->127.0.0.1:3000 (CLOSE_WAIT)
httpd     10641    apache   17u  IPv4 830477      0t0  TCP 127.0.0.1:33778->127.0.0.1:3000 (CLOSE_WAIT)
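The verification above reads `lsof -i -P -n` output by eye, and comment 20 shows why that is fragile: a listener outside the grep pattern (rpcbind on port 111) only turned up by chance. The Ruby below is an added example, not part of the bug report, that parses that output format and reports every LISTEN socket not bound to loopback, minus ports an operator has explicitly accepted. The sample lines are constructed to resemble the output in this comment and are not that output; the module name `ListenAudit` is an assumption.

```ruby
require "ipaddr"

# Added example, not part of the bug report: audit `lsof -i -P -n` output for
# listeners that are not bound to loopback. The sample below is constructed to
# resemble the verification output in comment 24; it is not that output.
module ListenAudit
  SAMPLE = <<~LSOF
    memcached  2244 memcached   26u  IPv4  16832      0t0  TCP 127.0.0.1:11211 (LISTEN)
    memcached  2244 memcached   27u  IPv4  16835      0t0  UDP 127.0.0.1:11211
    ruby       2315      root   24u  IPv4  17369      0t0  TCP 127.0.0.1:3000 (LISTEN)
    ruby       2332      root   24u  IPv4  17372      0t0  TCP 127.0.0.1:4000 (LISTEN)
    ruby       2332      root   26u  IPv4 618558      0t0  TCP 127.0.0.1:54952->127.0.0.1:11211 (ESTABLISHED)
    rpcbind    1234       rpc    6u  IPv4  12345      0t0  TCP *:111 (LISTEN)
    sshd       1100      root    3u  IPv4  11000      0t0  TCP *:22 (LISTEN)
    httpd      6200    apache    4u  IPv6  20000      0t0  TCP *:443 (LISTEN)
  LSOF

  # lsof -n prints the wildcard bind as "*"; netstat shows it as 0.0.0.0 or ::.
  WILDCARDS = ["*", "0.0.0.0", "::"].freeze

  Listener = Struct.new(:command, :pid, :proto, :address, :port)

  # Keep only sockets in LISTEN state and split "addr:port" on the last colon
  # so that bracketed IPv6 literals such as "[::1]:3000" parse correctly.
  def self.parse_listeners(text)
    text.each_line.map do |line|
      fields = line.split
      next unless fields.last == "(LISTEN)"
      address, _sep, port = fields[-2].rpartition(":")
      Listener.new(fields[0], fields[1].to_i, fields[7], address.delete("[]"), port.to_i)
    end.compact
  end

  # True only for 127.0.0.0/8 and ::1; wildcards and hostnames are never loopback.
  def self.loopback?(address)
    return false if WILDCARDS.include?(address)
    ip = IPAddr.new(address)
    IPAddr.new("127.0.0.0/8").include?(ip) || ip == IPAddr.new("::1")
  rescue ArgumentError
    false
  end

  # Listeners reachable from other hosts, minus ports the operator has
  # explicitly accepted (comment 23 leaves system services to a case-by-case call).
  def self.exposed(text, allowed_ports = [])
    parse_listeners(text).reject { |l| loopback?(l.address) || allowed_ports.include?(l.port) }
  end
end

if __FILE__ == $PROGRAM_NAME
  ListenAudit.exposed(ListenAudit::SAMPLE, [22, 443]).each do |l|
    puts "#{l.command} (pid #{l.pid}) listens on #{l.address}:#{l.port}/#{l.proto}"
  end
end
```

Run against live output with `lsof -i -P -n | ruby listen_audit.rb` style piping (reading `$stdin.read` instead of `SAMPLE`), the allow-list becomes the place where the "services which are allowed to listen on 0.0.0.0" that comment 22 asks about is recorded, so a new wildcard listener shows up as a finding rather than being missed by a port-specific grep.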

Comment 26 errata-xmlrpc 2015-06-16 12:47:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1100.html

