Bug 1371715 - Make undercloud tftp server listen only on ctlplane IP
Summary: Make undercloud tftp server listen only on ctlplane IP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-ironic
Version: 8.0 (Liberty)
Hardware: x86_64
OS: Linux
medium
low
Target Milestone: beta
Target Release: 13.0 (Queens)
Assignee: Derek Higgins
QA Contact: Alexander Chuzhoy
URL:
Whiteboard:
Depends On:
Blocks: 1473267
Reported: 2016-08-30 22:25 UTC by August Simonelli
Modified: 2019-12-16 06:34 UTC

Fixed In Version: openstack-tripleo-heat-templates-8.0.0-0.20180227121938.e0f59ee.el7ost openstack-tripleo-common-8.4.1-0.20180224032817.d51ed49.el7ost instack-undercloud-8.2.1-0.20180228034814.945b1d0.el7ost puppet-ironic-12.3.1-0.20180221115553.12ab03d.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-27 13:26:39 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
OpenStack gerrit 528250 None master: MERGED puppet-ironic: Add an option to specify the tftp bind host IP (Iea204fe993ecc9e3a273491c083e06a78ee0e19d) 2018-02-28 13:19:19 UTC
OpenStack gerrit 528252 None master: MERGED instack-undercloud: Set tftp to only listen to the provisioning network (I3a40732b2c61a4d8cb4d1f9e0f8023347870a51d) 2018-02-28 13:19:13 UTC
OpenStack gerrit 529023 None master: MERGED tripleo-heat-templates: Set tftp to only listen to the provisioning network (Ib51fe69b32533f5d8814cc0529cd79cf93fbac63) 2018-02-28 13:19:06 UTC
OpenStack gerrit 530979 None master: MERGED tripleo-common: Read the tftp IP to test from the command line (I2246861291c1af3c60c6443e45c156c21094fa81) 2018-02-28 13:19:00 UTC
Red Hat Product Errata RHEA-2018:2086 None None None 2018-06-27 13:28:35 UTC

Description August Simonelli 2016-08-30 22:25:17 UTC
Description of problem:
The undercloud installs a tftp server for dnsmasq. It is bound to the ctlplane IP:

udp        0      0 127.0.0.1:69            0.0.0.0:*                           11638/dnsmasq
udp        0      0 172.31.19.1:69          0.0.0.0:*                           11638/dnsmasq
udp6       0      0 ::1:69                  :::*                                11638/dnsmasq
udp6       0      0 fe80::5054:ff:fede:c:69 :::*                                11638/dnsmasq

But to do this it installs the tftp rpm (tftp-server-5.2-12.el7.x86_64), which drops a default tftp server config in /etc/xinetd/ that binds to all IPs.

iptables is given this rule:

-A INPUT -p udp -m udp --dport 69 -j ACCEPT

which allows access to that default, generic tftp server. This can create a security risk.

Version-Release number of selected component (if applicable):
tftp-server-5.2-12.el7.x86_64
python-tripleoclient-0.3.4-4.el7ost.noarch

How reproducible:
Install the undercloud as per normal and the tftp server will be running under xinetd.

Steps to Reproduce:
1. Install undercloud
2. Check /etc/sysconfig/iptables
3. Check /etc/xinetd/tftp

Actual results:
Two tftp servers listening; one on all interfaces:

[stack@lxvcw1di201 ~]$ sudo netstat -anp | grep \:69
udp        0      0 0.0.0.0:69              0.0.0.0:*                           29584/xinetd
udp        0      0 127.0.0.1:69            0.0.0.0:*                           1611/dnsmasq
udp        0      0 172.31.19.1:69          0.0.0.0:*                           1611/dnsmasq
udp6       0      0 :::69                   :::*                                1/systemd
udp6       0      0 ::1:69                  :::*                                1611/dnsmasq
udp6       0      0 fe80::5054:ff:fe56:2:69 :::*                                1611/dnsmasq

Expected results:
Only one tftp server listening on a locked down interface:
[root@lxvcw1di202 ~]# netstat -anp | grep \:69
udp        0      0 127.0.0.1:69            0.0.0.0:*                           11638/dnsmasq
udp        0      0 172.31.19.1:69          0.0.0.0:*                           11638/dnsmasq
udp6       0      0 ::1:69                  :::*                                11638/dnsmasq
udp6       0      0 fe80::5054:ff:fede:c:69 :::*                                11638/dnsmasq

Additional info:
Can the iptables rule be amended to be:

-A INPUT -s ctlplane_subnet -p udp -m udp --dport 69 -j ACCEPT
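A check for the condition described above, added here as an example and not part of this bug's patches or of any TripleO tool: it reads `netstat -anp` output on stdin, takes the expected ctlplane IP as its argument (an assumption; adjust to your undercloud), and reports any UDP port-69 socket bound to a wildcard or non-provisioning address, which is exactly the xinetd/systemd listener this report complains about.

```shell
#!/bin/sh
# Example audit helper (not from the bug's patches). Usage:
#   sudo netstat -anp | tftp_bind_violations 192.168.24.1
# Prints each offending "local address  pid/program" pair and
# returns 1 if any UDP port-69 socket is bound to 0.0.0.0 or ::,
# or to an address other than the ctlplane IP, loopback or
# IPv6 link-local (the addresses seen in the expected results).
tftp_bind_violations() {
    expected="$1"
    awk -v ok="$expected" '
        $1 ~ /^udp6?$/ && $4 ~ /:69$/ {
            addr = $4
            sub(/:69$/, "", addr)
            wildcard = (addr == "0.0.0.0" || addr == "::")
            allowed  = (addr == ok || addr == "127.0.0.1" || addr == "::1" || addr ~ /^fe80:/)
            if (wildcard || !allowed) { print $4, $NF; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample in the shape of the "Actual results" above, for a
# stand-alone run; on a real undercloud pipe netstat output in instead.
SAMPLE='udp        0      0 0.0.0.0:69              0.0.0.0:*                           29584/xinetd
udp        0      0 172.31.19.1:69          0.0.0.0:*                           1611/dnsmasq
udp6       0      0 :::69                   :::*                                1/systemd'

if printf '%s\n' "$SAMPLE" | tftp_bind_violations 172.31.19.1; then
    echo "tftp is bound only to expected addresses"
else
    echo "tftp is bound to unexpected addresses (listed above)"
fi
```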

Comment 3 Dmitry Tantsur 2016-10-14 16:43:03 UTC
Good news: starting with OSP10 we only have one TFTP server! However, it still listens on 0.0.0.0:69. We can try fixing it for OSP10, but it may be delayed to Ocata.

Comment 4 Dmitry Tantsur 2016-10-14 16:49:54 UTC
Thinking more about that, we need to fix it in a fashion which won't break overcloud Ironic. Due to this complexity, I'd prefer we target it to OSP 11. Then, depending on what the resulting fix looks like, we can consider backporting the fix.

Comment 7 Bob Fournier 2018-02-01 00:10:31 UTC
Derek - it looks like both patches have merged so moving this to POST.

Comment 8 Jon Schlueter 2018-02-21 14:18:15 UTC
Is the component for this correct? I see 2 patches, one for THT and one for tripleo-common, but nothing for puppet-ironic. Or are we missing an additional patch for puppet-ironic for this fix?

Comment 9 Derek Higgins 2018-02-22 15:42:55 UTC
There were 4 patches in total; I'm adding a reference now to the other two (puppet-ironic and instack-undercloud).

Comment 13 Alexander Chuzhoy 2018-05-07 15:59:17 UTC
Verified:

Environment:
openstack-tripleo-heat-templates-8.0.2-11.el7ost.noarch
puppet-ironic-12.4.0-0.20180329034302.8285d85.el7ost.noarch
openstack-tripleo-common-containers-8.6.1-6.el7ost.noarch
instack-undercloud-8.4.1-4.el7ost.noarch
openstack-tripleo-common-8.6.1-6.el7ost.noarch


(undercloud) [stack@undercloud-0 ~]$ sudo netstat -anp | grep \:69
udp        0      0 192.168.24.1:69         0.0.0.0:*                           11843/xinetd

Comment 15 errata-xmlrpc 2018-06-27 13:26:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086
