Description of problem:
The undercloud installs a tftp server for dnsmasq. It is bound to the ctlplane ip:

udp 0 0 127.0.0.1:69 0.0.0.0:* 11638/dnsmasq
udp 0 0 172.31.19.1:69 0.0.0.0:* 11638/dnsmasq
udp6 0 0 ::1:69 :::* 11638/dnsmasq
udp6 0 0 fe80::5054:ff:fede:c:69 :::* 11638/dnsmasq

But to do this it installs the tftp rpm (tftp-server-5.2-12.el7.x86_64) which drops a default tftp server config in /etc/xinetd/ that binds to all IPs. iptables is given this rule:

-A INPUT -p udp -m udp --dport 69 -j ACCEPT

which allows access to that default, generic tftp server. This can create a security risk.

Version-Release number of selected component (if applicable):
tftp-server-5.2-12.el7.x86_64
python-tripleoclient-0.3.4-4.el7ost.noarch

How reproducible:
Install the undercloud as per normal and the tftp server will be running under xinetd.

Steps to Reproduce:
1. Install undercloud
2. Check /etc/sysconfig/iptables
3. Check /etc/xinetd/tftp

Actual results:
Two tftp servers listening; one on all interfaces:

[stack@lxvcw1di201 ~]$ sudo netstat -anp | grep \:69
udp 0 0 0.0.0.0:69 0.0.0.0:* 29584/xinetd
udp 0 0 127.0.0.1:69 0.0.0.0:* 1611/dnsmasq
udp 0 0 172.31.19.1:69 0.0.0.0:* 1611/dnsmasq
udp6 0 0 :::69 :::* 1/systemd
udp6 0 0 ::1:69 :::* 1611/dnsmasq
udp6 0 0 fe80::5054:ff:fe56:2:69 :::* 1611/dnsmasq

Expected results:
Only one tftp server listening on a locked down interface:

[root@lxvcw1di202 ~]# netstat -anp | grep \:69
udp 0 0 127.0.0.1:69 0.0.0.0:* 11638/dnsmasq
udp 0 0 172.31.19.1:69 0.0.0.0:* 11638/dnsmasq
udp6 0 0 ::1:69 :::* 11638/dnsmasq
udp6 0 0 fe80::5054:ff:fede:c:69 :::* 11638/dnsmasq

Additional info:
Can the iptables rule be amended to be:

-A INPUT -s ctlplane_subnet -p udp -m udp --dport 69 -j ACCEPT
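The check behind this report, as an added example that is not part of the bug thread or of any TripleO component: a small POSIX shell audit that reads netstat -anp output, flags every UDP/69 socket bound to a wildcard address (0.0.0.0 or ::), and prints the subnet-restricted iptables rule the reporter asks for. The netstat sample is constructed to mirror the "Actual results" above, and the ctlplane subnet 172.31.19.0/24 is an assumed value derived from the ctlplane ip shown in the report; substitute your own.

```shell
#!/bin/sh
# Added example (not from the bug report): audit tftp listeners for wildcard
# binds and emit an iptables rule limited to the ctlplane subnet.

# Constructed sample of "netstat -anp" output, modelled on the report's
# "Actual results" (two tftp servers, one of them on all interfaces).
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:69              0.0.0.0:*                           29584/xinetd
udp        0      0 127.0.0.1:69            0.0.0.0:*                           1611/dnsmasq
udp        0      0 172.31.19.1:69          0.0.0.0:*                           1611/dnsmasq
udp6       0      0 :::69                   :::*                                1/systemd
udp6       0      0 ::1:69                  :::*                                1611/dnsmasq
udp6       0      0 fe80::5054:ff:fe56:2:69 :::*                                1611/dnsmasq'

# Read netstat -anp output on stdin and print the PID/program of every
# UDP socket on port 69 whose local address is a wildcard (0.0.0.0 or ::).
# Field 4 is "Local Address"; the last field is "PID/Program name".
wildcard_tftp_listeners() {
    awk '$1 ~ /^udp/ && $4 ~ /:69$/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) { print $NF }'
}

# Succeed (exit 0) when the given netstat text has no wildcard tftp listener,
# fail (exit 1) otherwise, so it can gate a post-install check.
check_tftp_binding() {
    [ -z "$(printf '%s\n' "$1" | wildcard_tftp_listeners)" ]
}

# Build the restricted rule proposed in the report's "Additional info":
# only the ctlplane subnet may reach UDP/69. The subnet is caller-supplied.
tftp_iptables_rule() {
    printf -- '-A INPUT -s %s -p udp -m udp --dport 69 -j ACCEPT\n' "$1"
}

# Usage: show the offending listeners in the sample, then the rule to apply.
# On a real undercloud: sudo netstat -anp | wildcard_tftp_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_tftp_listeners
tftp_iptables_rule 172.31.19.0/24
```

The audit deliberately keys on the bind address rather than the process name, so it still catches the post-fix state mentioned later in the thread (a single xinetd listener) if that listener ever regresses to 0.0.0.0:69.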
Good news: starting with OSP10 we only have one TFTP server! However, it still listens on 0.0.0.0:69. We can try fixing it for OSP10, but it may be delayed to Ocata.
Thinking more about that, we need to fix it in a fashion which won't break overcloud Ironic. Due to this complexity, I'd prefer we target it to OSP 11. Then, depending on what the resulting fix looks like, we can consider backporting the fix.
Derek - it looks like both patches have merged so moving this to POST.
Is the component for this correct? I see 2 patches, one for THT and one for tripleo-common, but nothing for puppet-ironic. Or are we missing an additional patch for puppet-ironic for this fix?
There were 4 patches in total, I'm adding a reference now to the other two (puppet-ironic and instack-undercloud)
Verified:

Environment:
openstack-tripleo-heat-templates-8.0.2-11.el7ost.noarch
puppet-ironic-12.4.0-0.20180329034302.8285d85.el7ost.noarch
openstack-tripleo-common-containers-8.6.1-6.el7ost.noarch
instack-undercloud-8.4.1-4.el7ost.noarch
openstack-tripleo-common-8.6.1-6.el7ost.noarch

(undercloud) [stack@undercloud-0 ~]$ sudo netstat -anp | grep \:69
udp 0 0 192.168.24.1:69 0.0.0.0:* 11843/xinetd
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:2086