From f5dd178fc534c4585fa7168ca0649c684ff869b4 Mon Sep 17 00:00:00 2001
From: Jeffrey Zhang
Date: Wed, 19 Jul 2017 10:52:41 +0800
Subject: [PATCH] Disable trace for all containers running httpd

Trace method is enabled in default for httpd. There is security risk with trace enabled. So disable it in default. more info please check[0].

[0] https://security.stackexchange.com/a/7711

Change-Id: I4496a6d058d88e1abfb210085f189e7a610e0362
Closes-Bug: #1705160
---
 ansible/roles/aodh/templates/wsgi-aodh.conf.j2 | 2 ++
 ansible/roles/cinder/templates/cinder-wsgi.conf.j2 | 2 ++
 ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2 | 2 ++
 ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 | 2 ++
 ansible/roles/horizon/templates/horizon.conf.j2 | 2 ++
 ansible/roles/keystone/templates/wsgi-keystone.conf.j2 | 2 ++
 ansible/roles/nova/templates/placement-api-wsgi.conf.j2 | 2 ++
 ansible/roles/panko/templates/wsgi-panko.conf.j2 | 2 ++
 ansible/roles/zun/templates/wsgi-zun.conf.j2 | 2 ++
 9 files changed, 18 insertions(+)

diff --git a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2 b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
index 8a28104009..95fe8462b0 100644
--- a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
+++ b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ aodh_api_port }}
+TraceEnable off
+
 ## Vhost docroot
diff --git a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
index 0b6b3e1e14..23327fce57 100644
--- a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
+++ b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
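Review bot: `TraceEnable off` is added bare in the aodh hunk and in the same position in the eight other templates (cinder, freezer, gnocchi, horizon, keystone, placement, panko, zun), so someone editing any one file later has no hint why the line is there. A one-line comment above it would carry the reason, for example `# Disable HTTP TRACE so request headers (auth tokens, cookies) are not echoed back - bug #1705160`. The directive sits at server-config scope ahead of what looks like the vhost block, so it should be inherited unless a vhost sets its own `TraceEnable`; the vhost lines are not visible in these hunks, so that is worth confirming per template. Nothing in the patch checks the rendered result, and a deploy-time check that a TRACE request to each listener is answered with 405 would also catch any httpd template this list of nine leaves out.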
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ cinder_api_port }}
+TraceEnable off
+
 WSGIDaemonProcess cinder-api processes={{ openstack_service_workers }} threads=1 user=cinder group=cinder display-name=%{GROUP} python-path={{ python_path }}
 WSGIProcessGroup cinder-api
diff --git a/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2 b/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
index cfcf37c3c9..dd76ae7c5d 100644
--- a/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
+++ b/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
@@ -2,6 +2,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ freezer_api_port }}
+TraceEnable off
+
 WSGIDaemonProcess freezer-api processes={{ openstack_service_workers }} threads=1 user=freezer display-name=%{GROUP}
 WSGIProcessGroup freezer-api
diff --git a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
index 3ba0c2ddfd..e66df6910c 100644
--- a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
+++ b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
@@ -2,6 +2,8 @@
 {% set wsgi_path = '/usr/bin' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
 Listen {{ api_interface_address }}:{{ gnocchi_api_port }}
+TraceEnable off
+
 ErrorLog "/var/log/kolla/gnocchi/gnocchi-api-error.log"
diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
index 7d352060ee..83d1c6164a 100644
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/share/openstack-dashboard' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ horizon_port }}
+TraceEnable off
+
 LogLevel warn
 ErrorLog /var/log/kolla/horizon/horizon.log
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index a3f98173ab..83b297a6ad 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -3,6 +3,8 @@
 Listen {{ api_interface_address }}:{{ keystone_public_port }}
 Listen {{ api_interface_address }}:{{ keystone_admin_port }}
+TraceEnable off
+
 WSGIDaemonProcess keystone-public processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=%{GROUP} python-path={{ python_path }}
 WSGIProcessGroup keystone-public
diff --git a/ansible/roles/nova/templates/placement-api-wsgi.conf.j2 b/ansible/roles/nova/templates/placement-api-wsgi.conf.j2
index 0eadd2d1fb..8659842cb5 100644
--- a/ansible/roles/nova/templates/placement-api-wsgi.conf.j2
+++ b/ansible/roles/nova/templates/placement-api-wsgi.conf.j2
@@ -3,6 +3,8 @@
 {% set wsgi_directory = '/usr/bin' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
 Listen {{ api_interface_address }}:{{ placement_api_port }}
+TraceEnable off
+
 WSGIDaemonProcess placement-api processes={{ openstack_service_workers }} threads=1 user=nova group=nova display-name=%{GROUP} python-path={{ python_path }}
 WSGIProcessGroup placement-api
diff --git a/ansible/roles/panko/templates/wsgi-panko.conf.j2 b/ansible/roles/panko/templates/wsgi-panko.conf.j2
index bac3beabc5..a0fff61b2c 100644
--- a/ansible/roles/panko/templates/wsgi-panko.conf.j2
+++ b/ansible/roles/panko/templates/wsgi-panko.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ panko_api_port }}
+TraceEnable off
+
 ErrorLog "/var/log/kolla/panko/panko-api-error.log"
diff --git a/ansible/roles/zun/templates/wsgi-zun.conf.j2 b/ansible/roles/zun/templates/wsgi-zun.conf.j2
index e484ea7306..1c40715292 100644
--- a/ansible/roles/zun/templates/wsgi-zun.conf.j2
+++ b/ansible/roles/zun/templates/wsgi-zun.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ zun_api_port }}
+TraceEnable off
+
 ## Vhost docroot