Description of problem:
Redis instances running on the overcloud can be accessed by anyone who knows their IPs, and access to dbs is not restricted.

Version-Release number of selected component (if applicable):
openstack-tripleo-heat-templates-0.8.6-46.el7ost.noarch
Synced with gfidente on this. This is going to require a nasty t-h-t hack to fix but we do need to fix it for OSP 8.
listen redis
  bind fd00:fd00:fd00:2000::11:6379 transparent
  balance first
  option tcp-check
  tcp-check send AUTH\ Jkcn9RNpHcVhqYpFzeHfGdTkX\r\n
  tcp-check send PING\r\n
  tcp-check expect string +PONG
  tcp-check send info\ replication\r\n
  tcp-check expect string role:master
  tcp-check send QUIT\r\n
  tcp-check expect string +OK
  server overcloud-controller-0 fd00:fd00:fd00:2000::14:6379 check fall 5 inter 2000 rise 2
  server overcloud-controller-1 fd00:fd00:fd00:2000::12:6379 check fall 5 inter 2000 rise 2
  server overcloud-controller-2 fd00:fd00:fd00:2000::13:6379 check fall 5 inter 2000 rise 2

[root@overcloud-controller-0 ~]# nc fd00:fd00:fd00:2000::11 6379
AUTH Jkcn9RNpHcVhqYpFzeHfGdTkX
+OK
info replication
$358
# Replication
role:master
connected_slaves:2
slave0:ip=fd00:fd00:fd00:2000::14,port=6379,state=online,offset=22189129,lag=1
slave1:ip=fd00:fd00:fd00:2000::11,port=6379,state=online,offset=22189226,lag=1
master_repl_offset:22189711
repl_backlog_active:1
repl_backlog_size:1048576
repl_backlog_first_byte_offset:21141136
repl_backlog_histlen:1048576
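
A check for the condition this bug describes, as an added example that is not part of the original report or of tripleo-heat-templates: it sends PING without AUTH and reports whether the instance answered anyway. The function names are hypothetical; the error prefixes are the replies Redis gives to a command sent before AUTH when requirepass is set.

```python
import socket

# Replies to a command sent before AUTH when requirepass is set:
# "-NOAUTH Authentication required." (Redis 2.8 and later) or
# "-ERR operation not permitted" (older releases).
AUTH_REQUIRED_PREFIXES = (b"-NOAUTH", b"-ERR operation not permitted")


def classify_reply(reply: bytes) -> str:
    """Map the first reply line to 'open', 'auth-required' or 'unknown'."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "open"            # command ran without credentials
    if line.startswith(AUTH_REQUIRED_PREFIXES):
        return "auth-required"   # requirepass is enforced
    return "unknown"             # empty reply, not Redis, or another error


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Send an unauthenticated PING and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"PING\r\n")
            data = b""
            # Read until the first CRLF; cap the read so a noisy peer cannot stall us.
            while b"\r\n" not in data and len(data) < 512:
                chunk = s.recv(512)
                if not chunk:
                    break
                data += chunk
    except OSError:              # refused, timed out, no route
        return "unreachable"
    return classify_reply(data)


def audit(endpoints):
    """Return the (host, port) pairs that answered PING without AUTH."""
    return [(h, p) for h, p in endpoints if probe(h, p) == "open"]


if __name__ == "__main__":
    # Addresses taken from the HAProxy configuration quoted above (VIP plus
    # the three controllers); replace with the deployment's own.
    targets = [("fd00:fd00:fd00:2000::11", 6379), ("fd00:fd00:fd00:2000::14", 6379),
               ("fd00:fd00:fd00:2000::12", 6379), ("fd00:fd00:fd00:2000::13", 6379)]
    for host, port in targets:
        print(f"[{host}]:{port} -> {probe(host, port)}")
```
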
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0637.html