Comment 6 for bug 1188067

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-image-elements (master)

Reviewed: https://review.openstack.org/139865
Committed: https://git.openstack.org/cgit/openstack/tripleo-image-elements/commit/?id=b77ec5cb5b3ed400b44302bdbd76e2275d819da3
Submitter: Jenkins
Branch: master

commit b77ec5cb5b3ed400b44302bdbd76e2275d819da3
Author: James Polley <email address hidden>
Date: Sun Dec 7 17:29:54 2014 +0100

    System dnsmasq daemon should only listen on lo

    Neutron runs dnsmasq. That's all nice and good.

    But just having dnsmasq installed means that the system runs a different
    dnsmasq, which by default listens (and responds) on all interfaces.

    For machines that are accessible on the public internet, this means they
    can be used in dns-amplification DOS attacks. This tends to make
    security and network people sad.

    This patch drops some config for the system dnsmasq which tells it to
    only listen on 127.0.0.1.

    If the deployer needs dnsmasq listening on other interfaces, another
    file dropped in /etc/dnsmasq.d can be used to specify additional
    interfaces or IP addresses.

    Change-Id: I6b390e168c2f972b0beab52815922bb6b2ccf786
    Partial-bug: 1188067
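
One way to check the outcome the commit message describes: an added example (not code from the merged patch or the project) that reads dnsmasq config fragments and reports anything that makes the system daemon answer beyond loopback. The file names, sample contents, and the `audit` helper are assumptions made for illustration; `listen-address` and `interface` are dnsmasq's own option names.

```python
import ipaddress

LOOPBACK_IFACES = {"lo"}  # assumption: Linux loopback interface name

def parse_fragment(text):
    """Yield (option, value) pairs from one dnsmasq config fragment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        for item in value.split(","):         # split comma lists defensively
            if item.strip():
                yield key.strip(), item.strip()

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                          # unparseable: treat as exposed

def audit(fragments):
    """fragments: {filename: text}. Returns findings; [] means loopback only."""
    findings, restricted = [], False
    for name, text in sorted(fragments.items()):
        for key, value in parse_fragment(text):
            if key == "listen-address":
                restricted = True
                if not _is_loopback(value):
                    findings.append(f"{name}: listen-address={value}")
            elif key == "interface":
                restricted = True
                if value not in LOOPBACK_IFACES:
                    findings.append(f"{name}: interface={value}")
    if not restricted:
        findings.append("no interface/listen-address set: answers on all interfaces")
    return findings

# Constructed sample fragments, not the contents of the merged patch.
DEFAULT_ONLY = {"dnsmasq.conf": "# stock config, nothing set\ncache-size=150\n"}
LOOPBACK_ONLY = {"dnsmasq.conf": "cache-size=150\n",
                 "dnsmasq.d/lo-only.conf": "listen-address=127.0.0.1\n"}
DEPLOYER_ADDS = dict(LOOPBACK_ONLY, **{
    "dnsmasq.d/extra.conf": "listen-address=192.0.2.10  # public\ninterface=eth1\n"})

if __name__ == "__main__":
    for label, frags in [("default", DEFAULT_ONLY), ("loopback", LOOPBACK_ONLY),
                         ("deployer", DEPLOYER_ADDS)]:
        print(label, audit(frags) or "loopback only")
```

The third sample models the case in the last paragraph of the commit message, where a deployer drops an extra file into /etc/dnsmasq.d; the audit flags each added address or interface so the exposure is a recorded decision.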