default config results in arbitrary forwarding being allowed

Bug #1931615 reported by Radosław Piliszek
This bug affects 1 person
Affects        Status         Importance  Assigned to  Milestone
kolla-ansible  Fix Released   High        Unassigned
Wallaby        Fix Committed  High        Unassigned
Xena           Fix Released   High        Unassigned

Bug Description

Since Wallaby, Kolla Ansible defaults docker config to not manage iptables. However, it does not disable its ip_forward control, which makes docker turn the host into an any-any forwarder.
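
A configuration check for the condition described in the report, as an added example (not kolla-ansible's code): it parses Docker's daemon.json and flags `iptables` disabled while `ip-forward` keeps its default of true. The sample configs are constructed, and `audit_daemon_json` and its messages are hypothetical names.

```python
import json
import os

# Docker daemon defaults when a key is absent from daemon.json.
DOCKER_DEFAULTS = {"iptables": True, "ip-forward": True}

# Constructed sample configs (not copied from any deployment).
UNSAFE = '{"iptables": false}'
FIXED = '{"iptables": false, "ip-forward": false}'


def effective(cfg, key):
    """Effective value of a daemon.json boolean, applying Docker's default."""
    value = cfg.get(key, DOCKER_DEFAULTS[key])
    if not isinstance(value, bool):
        raise ValueError(f"{key!r} must be a JSON boolean, got {value!r}")
    return value


def audit_daemon_json(text, host_ip_forward=None):
    """Return findings for daemon.json text.

    host_ip_forward is the content of /proc/sys/net/ipv4/ip_forward
    if it is known, else None (config-only audit).
    """
    cfg = json.loads(text) if text.strip() else {}
    findings = []
    iptables = effective(cfg, "iptables")
    ip_forward = effective(cfg, "ip-forward")
    if not iptables and ip_forward:
        findings.append("iptables is disabled but ip-forward is still enabled: "
                        "dockerd enables forwarding and adds no filter rules")
    # "ip-forward": false only stops dockerd from enabling the sysctl;
    # a value of 1 set earlier or by another service stays in place.
    if not iptables and not ip_forward and (host_ip_forward or "").strip() == "1":
        findings.append("net.ipv4.ip_forward is 1 on the host: confirm the "
                        "FORWARD chain is filtered by a firewall you manage")
    return findings


if __name__ == "__main__":
    path = "/etc/docker/daemon.json"  # Docker's default config location
    sysctl = "/proc/sys/net/ipv4/ip_forward"
    text = open(path).read() if os.path.exists(path) else UNSAFE
    state = open(sysctl).read() if os.path.exists(sysctl) else None
    for finding in audit_daemon_json(text, state) or ["no findings"]:
        print(finding)
```

Hosts that route tenant traffic may need forwarding on; the second finding is a prompt to verify filtering, not a defect by itself.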

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/795852
Committed: https://opendev.org/openstack/kolla-ansible/commit/0fa4ee56eb86eb7d4b4e3bb9d9c9993f6906c1bd
Submitter: "Zuul (22348)"
Branch: master

commit 0fa4ee56eb86eb7d4b4e3bb9d9c9993f6906c1bd
Author: Radosław Piliszek <email address hidden>
Date: Thu Jun 10 17:26:38 2021 +0000

    Disable docker's ip-forward when iptables disabled

    With the new default since Wallaby, starting Docker makes it
    enable forwarding and not filter it at all.
    This may pose a security risk and should be mitigated.

    Closes-Bug: #1931615
    Change-Id: I5129136c066489fdfaa4d93741c22e5010b7e89d

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/796223

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/796406

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/796223
Committed: https://opendev.org/openstack/kolla-ansible/commit/eb4815345a1af33372da52f39c5cf6696b2f903f
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit eb4815345a1af33372da52f39c5cf6696b2f903f
Author: Radosław Piliszek <email address hidden>
Date: Thu Jun 10 17:26:38 2021 +0000

    Disable docker's ip-forward when iptables disabled

    With the new default since Wallaby, starting Docker makes it
    enable forwarding and not filter it at all.
    This may pose a security risk and should be mitigated.

    Closes-Bug: #1931615
    Change-Id: I5129136c066489fdfaa4d93741c22e5010b7e89d
    (cherry picked from commit 0fa4ee56eb86eb7d4b4e3bb9d9c9993f6906c1bd)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/796406
Committed: https://opendev.org/openstack/kolla-ansible/commit/3f9662278cdf3a15e3f5c2ef07587c8f00217a8b
Submitter: "Zuul (22348)"
Branch: master

commit 3f9662278cdf3a15e3f5c2ef07587c8f00217a8b
Author: Mark Goddard <email address hidden>
Date: Tue Jun 15 09:49:38 2021 +0100

    Reno follow up for docker_disable_ip_forward

    Follow up to I5129136c066489fdfaa4d93741c22e5010b7e89d, adding upgrade
    notes.

    Related-Bug: #1931615
    Change-Id: I2f88b8fc2c6924de9f6bc1840b183ee024c5c1e9

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla-ansible (stable/wallaby)

Related fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/796440

OpenStack Infra (hudson-openstack) wrote : Related fix merged to kolla-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/796440
Committed: https://opendev.org/openstack/kolla-ansible/commit/e3f43eee51ee9acf83f74bd563139b1479597a6f
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit e3f43eee51ee9acf83f74bd563139b1479597a6f
Author: Mark Goddard <email address hidden>
Date: Tue Jun 15 09:49:38 2021 +0100

    Reno follow up for docker_disable_ip_forward

    Follow up to I5129136c066489fdfaa4d93741c22e5010b7e89d, adding upgrade
    notes.

    Related-Bug: #1931615
    Change-Id: I2f88b8fc2c6924de9f6bc1840b183ee024c5c1e9
    (cherry picked from commit 3f9662278cdf3a15e3f5c2ef07587c8f00217a8b)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 12.0.0.0rc2

This issue was fixed in the openstack/kolla-ansible 12.0.0.0rc2 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/799240

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla-ansible (stable/victoria)

Related fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/799241

OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla-ansible (stable/victoria)

Change abandoned by "Mark Goddard <email address hidden>" on branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/799241
Reason: Actually, we're not changing the default, so no upgrade note required.

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/799240
Committed: https://opendev.org/openstack/kolla-ansible/commit/5c70c920c0ad6ad38d98c04c6a12a8a212ad1cc4
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 5c70c920c0ad6ad38d98c04c6a12a8a212ad1cc4
Author: Radosław Piliszek <email address hidden>
Date: Thu Jun 10 17:26:38 2021 +0000

    Disable docker's ip-forward when iptables disabled

    With the new default since Wallaby, starting Docker makes it
    enable forwarding and not filter it at all.
    This may pose a security risk and should be mitigated.

    Closes-Bug: #1931615
    Change-Id: I5129136c066489fdfaa4d93741c22e5010b7e89d
    (cherry picked from commit 0fa4ee56eb86eb7d4b4e3bb9d9c9993f6906c1bd)

tags: added: in-stable-victoria
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/801719

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/801720

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/801720
Committed: https://opendev.org/openstack/kolla-ansible/commit/f725a500a11ee04144042676f393aec62bfed1c0
Submitter: "Zuul (22348)"
Branch: stable/train

commit f725a500a11ee04144042676f393aec62bfed1c0
Author: Radosław Piliszek <email address hidden>
Date: Thu Jun 10 17:26:38 2021 +0000

    Disable docker's ip-forward when iptables disabled

    With the new default since Wallaby, starting Docker makes it
    enable forwarding and not filter it at all.
    This may pose a security risk and should be mitigated.

    Closes-Bug: #1931615
    Change-Id: I5129136c066489fdfaa4d93741c22e5010b7e89d
    (cherry picked from commit 0fa4ee56eb86eb7d4b4e3bb9d9c9993f6906c1bd)

tags: added: in-stable-train
tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/801719
Committed: https://opendev.org/openstack/kolla-ansible/commit/0055332bdee758f70a0cfb6f1d2759baa762d167
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 0055332bdee758f70a0cfb6f1d2759baa762d167
Author: Radosław Piliszek <email address hidden>
Date: Thu Jun 10 17:26:38 2021 +0000

    Disable docker's ip-forward when iptables disabled

    With the new default since Wallaby, starting Docker makes it
    enable forwarding and not filter it at all.
    This may pose a security risk and should be mitigated.

    Closes-Bug: #1931615
    Change-Id: I5129136c066489fdfaa4d93741c22e5010b7e89d
    (cherry picked from commit 0fa4ee56eb86eb7d4b4e3bb9d9c9993f6906c1bd)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 11.1.0

This issue was fixed in the openstack/kolla-ansible 11.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 10.3.0

This issue was fixed in the openstack/kolla-ansible 10.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 13.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 13.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible train-eol

This issue was fixed in the openstack/kolla-ansible train-eol release.
