
[OSH][Infra] Open UDP port 111 on test nodes


Clark,

This was originally meant to be a short-term band-aid when we first
implemented the gates; I'll look into the ports we actually require open
and make adjustments as necessary. Once I've been able to improve things
from our end, we can report back and see if we can get these into the
zuul-job standard library.

Cheers,

Pete


On Tue, 17 Dec 2019 at 16:38, Clark Boylan <cboylan at sapwetik.org> wrote:

> Hello,
>
> One of our contributing test node clouds has discovered that occasionally
> one of our test nodes will have udp port 111 open. The concern with this is
> that the RPC portmap service can be used in reflection DDoS attacks. Upon
> further investigation we've discovered that this seems to happen in OSH
> jobs (like openstack-helm-multinode-temp-ubuntu) [0] that run OSH's
> setup-firewall role [1].
>
> These jobs do indeed disable the host firewall which would leave any
> running port mapper service exposed.
>
> It looks like these jobs run with multiple nodes in their nodeset, but do
> not use the multinode base job. I point this out because the multinode base
> job aims to set up networking and firewalls such that the nodes can talk
> freely among themselves while still blocking out the outside world. If we
> need to enable network communication between hosts in these jobs this seems
> like a good place to start.
>
> That said there is a good chance that kubernetes may need additional open
> traffic. Additionally, I expect those specifics depend on the CNI plugin
> that has been chosen?
>
> From an infrastructure perspective we'd like to be good stewards of the
> resources donated to us and in this case that means preventing unwanted
> network traffic. We are more than happy to help set up more appropriate
> firewall rules if we can get details on what is needed. I expect the Zuul
> project is also interested and we can bake some of these common network
> needs for kubernetes into Zuul's zuul-job standard library.
>
> Can the OSH project work with us to fix this problem? Perhaps other
> kubernetes users/devs/operators can chime in on how they have reconciled
> host firewalls with kubernetes network needs? Any help that can be provided
> here would be much appreciated.
>
> [0]
> http://zuul.opendev.org/t/openstack/build/6fc5285fdb76484b894f0d288facdbb2/console#2/1/6/primary
> [1]
> https://opendev.org/openstack/openstack-helm-infra/src/branch/master/roles/setup-firewall/tasks/main.yaml
>
> Thank you,
> Clark
>
>
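As an added illustration of the firewall shape Clark describes above (peers talk freely among themselves, the outside world is blocked, so a running rpcbind on 111/udp is not reachable) and of how to audit a node for exposed UDP listeners, here is a small shell script. It is not code from openstack-helm-infra's setup-firewall role or from the zuul-jobs multinode role; the ruleset is this editor's own, the peer addresses are placeholders, and the `ss -lun` output it parses is a constructed sample.

```shell
#!/bin/sh
# Added example (not from OSH or zuul-jobs): build a peer-only host firewall
# in iptables-restore format and audit listening UDP sockets for services
# exposed on a wildcard address, such as rpcbind on 111/udp.
set -eu

# gen_rules PEER_IP...: print a filter-table ruleset that accepts everything
# from the listed peer nodes, keeps SSH reachable for the job executor, and
# drops all other inbound traffic. With the DROP policy 111/udp is already
# unreachable from outside; the explicit LOG/DROP pair makes attempts visible.
# Apply on a node with:  gen_rules 10.0.0.2 10.0.0.3 | iptables-restore
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT'
    for peer in "$@"; do
        printf '%s\n' "-A INPUT -s $peer -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -p udp --dport 111 -j LOG --log-prefix "portmap-drop: "'
    printf '%s\n' '-A INPUT -p udp --dport 111 -j DROP'
    printf '%s\n' 'COMMIT'
}

# exposed_udp: read "ss -lun" style output on stdin and print, once each, the
# UDP ports bound to a wildcard address (0.0.0.0, [::] or *). Those are the
# listeners a host firewall must cover; loopback-only sockets are skipped.
exposed_udp() {
    awk 'NR > 1 && $1 == "UNCONN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") print port
    }' | sort -un
}

# Constructed sample of "ss -lun" output for a node where rpcbind is running:
# portmapper on 111/udp for IPv4 and IPv6, chrony bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      0.0.0.0:111       0.0.0.0:*
UNCONN 0      0      127.0.0.1:323     0.0.0.0:*
UNCONN 0      0      [::]:111          [::]:*
UNCONN 0      0      [::1]:323         [::]:*'

# portmap_exposed: succeed (exit 0) when 111/udp is bound to a wildcard
# address in the sample. On a real node pipe "ss -lun" in instead of SAMPLE_SS.
portmap_exposed() {
    printf '%s\n' "$SAMPLE_SS" | exposed_udp | grep -qx 111
}

# Stand-alone run: show the ruleset for two placeholder peers, then the audit.
gen_rules 10.0.0.2 10.0.0.3
if portmap_exposed; then
    echo "111/udp listens on a wildcard address; firewall must block it"
fi
```

The audit side is the check a cloud operator would run on a suspect node: anything `exposed_udp` reports that is not covered by a peer or service rule is what the outside world sees once the host firewall is switched off, which is exactly the situation the setup-firewall role creates.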