Description of problem:
The overcloud memcached listens on both TCP and UDP, but the services that use memcached only seem to use TCP. We should restrict memcached to listen on TCP only to reduce attack surface and increase product security.

Version-Release number of selected component (if applicable):
memcached-1.4.33-3.el7ost.x86_64

How reproducible:
Deploy overcloud using director; memcached listens on TCP and UDP by default.

Steps to Reproduce:
1. Deploy overcloud.

Actual results:
memcached listens on TCP and UDP while services only seem to communicate with it using TCP.

Expected results:
memcached listens on TCP only.

Additional info:
I've tested this in my lab and I did not notice any problems with restricting it. I monitored my running overcloud nodes for traffic on UDP port 11211 and noticed none over a few hours.

[root@controller-0 ~]# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="8192"
CACHESIZE="15087"
OPTIONS="-l 172.17.1.19 -U 0 -t 4 >> /var/log/memcached.log 2>&1"
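The hardened configuration above relies on the "-U 0" argument in OPTIONS, which tells memcached not to open a UDP listener at all. The following audit function is an added example written for this report, not something from the bug or from the memcached/director projects: it reads a sysconfig-style file, extracts the OPTIONS line, and reports whether UDP is disabled. The sample configuration files it builds under a temporary directory are constructed for the demonstration; on a real node you would point it at /etc/sysconfig/memcached.

```shell
#!/bin/sh
# Added example (not part of the bug report): audit a memcached sysconfig file
# for the "-U 0" option that disables the UDP listener.

# Print "udp-disabled" or "udp-enabled" for the given sysconfig file.
memcached_udp_state() {
    file="$1"
    # Extract only the value of OPTIONS=... ; the file is never sourced, so a
    # malicious or malformed sysconfig cannot execute anything here.
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$file")
    # Find the last "-U <port>" argument (memcached honours the last one given).
    udp_port=$(printf '%s\n' "$opts" | grep -oE -- '-U ?[0-9]+' | tail -n1 | sed 's/-U *//')
    if [ -z "$udp_port" ]; then
        # memcached 1.4.x opens UDP on the TCP port when -U is not specified.
        echo "udp-enabled"
    elif [ "$udp_port" = "0" ]; then
        echo "udp-disabled"
    else
        echo "udp-enabled"
    fi
}

# Demonstration with two constructed sample files (not real node configs).
demo_memcached_udp_audit() {
    tmp=$(mktemp -d)
    printf 'PORT="11211"\nUSER="memcached"\nOPTIONS="-l 172.17.1.19 -t 4"\n' > "$tmp/weak"
    printf 'PORT="11211"\nUSER="memcached"\nOPTIONS="-l 172.17.1.19 -U 0 -t 4 >> /var/log/memcached.log 2>&1"\n' > "$tmp/hardened"
    echo "weak:     $(memcached_udp_state "$tmp/weak")"
    echo "hardened: $(memcached_udp_state "$tmp/hardened")"
    rm -rf "$tmp"
}

# Uncomment to run the demonstration directly:
# demo_memcached_udp_audit
```

The static check only tells you what the config file asks for; to confirm the running daemon matches it, compare against the live socket table on the node, for example with `ss -lun` and looking for port 11211. A listener present there while the file says "-U 0" means the service has not been restarted since the change.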
This is getting resolved as part of the CVE-2018-1000115 mitigation. *** This bug has been marked as a duplicate of bug 1551182 ***