From f959acfa5cde66838f8e3d90e275c2bbcd0bb3bf Mon Sep 17 00:00:00 2001
From: Jean-Philippe Evrard <jean-philippe@evrard.me>
Date: Wed, 29 Nov 2017 12:07:00 +0000
Subject: [PATCH] Harden the xinetd security

In galera_server role we allow anyone to know galera state, from
any network by default. We change this behavior here, to allow
only the nodes from galera_all and haproxy_all to query the
galera state.

Change-Id: Ieb3a8315a7599f850ba922da4c782230bd850125
---
 group_vars/galera_all.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/group_vars/galera_all.yml b/group_vars/galera_all.yml
index bcb0959478..8da15e85b6 100644
--- a/group_vars/galera_all.yml
+++ b/group_vars/galera_all.yml
@@ -27,6 +27,11 @@ galera_container_bind_mounts:
 # See https://bugs.launchpad.net/openstack-ansible/+bug/1697531 for details.
 galera_disable_privatedevices: "{{ ((properties.is_metal | default(false)) | bool) | ternary('false', 'true') }}"
 
+# By default galera_monitoring xinetd app is open to 0.0.0.0/0
+# This makes sure the monitoring is only restricted to the necessary nodes:
+# the load balancers, and the galera nodes.
+galera_monitoring_allowed_source: "{% for node in galera_cluster_members + groups['haproxy_all'] %}{{ node }} {% endfor %}"
+
 # Galera sessions are long lived, so if we do endpoint maintenance we will
 # force kill the sessions to force a failover to the active endpoint.
 haproxy_shutdown_sessions: yes