Make SSH bind to management net only
Our present amphora image create scripts set up the ssh daemon on the amphora to bind to the wildcard interface (which is the default). However, this causes problems for anyone who tries to set up a listener on TCP port 22, since haproxy will not be able to bind to the same IP. This patch introduces a dhclient post-bind script to the amphora image to gracefully rebind the SSH-daemon to only the load balancer management net IP when it comes up on the network, solving the above use case. This patch has the secondary benefit of making the amphora's SSH daemon only respond to requests on the management network, which incrementally increases the security of the amphora.

Change-Id: Iab93cec1f4dc4a2e37ad3cb8a92c132383dcda6a
Closes-Bug: #1551505
parent: 5c8ebf0784
commit: 81c73bd1b5
@ -329,6 +329,7 @@ fi
# Add the Octavia keepalived, Amphora Agent and Pyroute elements
# Add the Octavia keepalived, Amphora Agent and Pyroute elements
if [ "$AMP_BASEOS" = "ubuntu" ]; then
if [ "$AMP_BASEOS" = "ubuntu" ]; then
AMP_element_sequence="$AMP_element_sequence rebind-sshd"
AMP_element_sequence="$AMP_element_sequence no-resolvconf"
AMP_element_sequence="$AMP_element_sequence no-resolvconf"
AMP_element_sequence="$AMP_element_sequence amphora-agent-ubuntu"
AMP_element_sequence="$AMP_element_sequence amphora-agent-ubuntu"
AMP_element_sequence="$AMP_element_sequence pyroute2"
AMP_element_sequence="$AMP_element_sequence pyroute2"
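Review bot: the rebind-sshd element is appended only inside the `if [ "$AMP_BASEOS" = "ubuntu" ]` branch, so amphorae built from any other base OS keep sshd on the wildcard address and still collide with a TCP/22 listener. Either add the element to the other base-OS branches (the hook it installs relies on Debian/Ubuntu specifics, `/etc/dhcp/dhclient-enter-hooks.d` and `service ssh`, so a portable variant would need adjusting) or state the ubuntu-only scope in the element README.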
8
elements/rebind-sshd/README.rst
Normal file
@ -0,0 +1,8 @@
This element adds a post-BOUND script to the dhclient configuration to rebind
the ssh daemon to listen only on the management network interface. The reason
for doing this is that some use cases require load balancing services on TCP
port 22 to work, and if SSH binds to the wildcard address on port 22, then
haproxy can't.
This also has the secondary benefit of making the amphora slightly more secure
as its SSH daemon will only respond to requests on the management network.
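Review bot: the README should document the preconditions the hook depends on. It only rewrites the stock commented `#ListenAddress 0.0.0.0` line in /etc/ssh/sshd_config, so an image whose sshd_config was already customized is silently left on the wildcard address, and the element is currently wired in for the ubuntu base OS only. "post-BOUND script" is also misleading given the script is installed under dhclient-enter-hooks.d; name the hook directory and the dhclient reason it keys on so operators know exactly when it fires. Stylistically, element READMEs are RST and normally open with a title line naming the element (`rebind-sshd` with an `===========` underline).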
11
elements/rebind-sshd/finalise.d/98-rebind-sshd-after-dhcp
Executable file
@ -0,0 +1,11 @@
#!/bin/bash
echo '#!/bin/sh
if [ "$reason" = "BOUND" ]; then
if `grep -q "#ListenAddress 0.0.0.0" /etc/ssh/sshd_config`; then
/bin/sed -i "s/^#ListenAddress 0.0.0.0.*$/ListenAddress $new_ip_address/g" /etc/ssh/sshd_config
if `/bin/ps -ef|/bin/grep -v grep|/bin/grep -q sshd`; then
/usr/sbin/service ssh restart
fi
fi
fi' > /etc/dhcp/dhclient-enter-hooks.d/rebind-sshd
chmod +x /etc/dhcp/dhclient-enter-hooks.d/rebind-sshd
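Review bot: two logic concerns with the generated hook. First, it is written to /etc/dhcp/dhclient-enter-hooks.d, and dhclient-script runs enter hooks before it applies the lease, so on BOUND the `/usr/sbin/service ssh restart` can run before $new_ip_address is configured on the interface and sshd may fail to bind to the not-yet-present address; /etc/dhcp/dhclient-exit-hooks.d runs after the address is up and is the right place for a "post-BOUND" action. Second, the sed only matches the commented `#ListenAddress 0.0.0.0` line, so the rewrite is one-shot: once it has been replaced, a later lease carrying a different management IP leaves sshd listening on the stale address and the control plane loses access to the amphora; matching `^#\?ListenAddress` and comparing against the current value would keep it in sync. Minor: wrapping the grep and the `ps -ef | grep -v grep | grep -q sshd` pipeline in backticks inside `if` only works through the exit status of an empty command substitution; write `if grep -q ...; then` and `if pgrep -x sshd >/dev/null; then` instead. The hook also covers IPv4 only, since $new_ip_address is the v4 lease variable.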