From f959acfa5cde66838f8e3d90e275c2bbcd0bb3bf Mon Sep 17 00:00:00 2001
From: Jean-Philippe Evrard
Date: Wed, 29 Nov 2017 12:07:00 +0000
Subject: [PATCH] Harden the xinetd security

In galera_server role we allow anyone to know galera state, from any network by default. We change this behavior here, to allow only the nodes from galera_all and haproxy_all to query the galera state.

Change-Id: Ieb3a8315a7599f850ba922da4c782230bd850125
---
 group_vars/galera_all.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/group_vars/galera_all.yml b/group_vars/galera_all.yml
index bcb0959478..8da15e85b6 100644
--- a/group_vars/galera_all.yml
+++ b/group_vars/galera_all.yml
@@ -27,6 +27,11 @@ galera_container_bind_mounts:
 # See https://bugs.launchpad.net/openstack-ansible/+bug/1697531 for details.
 galera_disable_privatedevices: "{{ ((properties.is_metal | default(false)) | bool) | ternary('false', 'true') }}"
 
+# By default galera_monitoring xinetd app is open to 0.0.0.0/0
+# This makes sure the monitoring is only restricted to the necessary nodes:
+# the load balancers, and the galera nodes.
+galera_monitoring_allowed_source: "{% for node in galera_cluster_members + groups['haproxy_all'] %}{{ node }} {% endfor %}"
+
 # Galera sessions are long lived, so if we do endpoint maintenance we will
 # force kill the sessions to force a failover to the active endpoint.
 haproxy_shutdown_sessions: yes
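Review bot: The new `galera_monitoring_allowed_source` renders inventory hostnames (`{{ node }}`), but an xinetd `only_from` entry written as a hostname is matched by reverse-resolving the connecting client's address, so unless every galera and haproxy container address reverse-resolves (via DNS or /etc/hosts) to exactly that inventory name on the galera hosts, the ACL will reject the very load-balancer health checks this change intends to allow, which would presumably take the backends out of the pool rather than just tighten access. The hunk does not show the galera_server xinetd template, so I am inferring from the commit message that this value feeds `only_from`; if so, emitting each node's management address is the robust form, e.g. `galera_monitoring_allowed_source: "{% for node in galera_cluster_members + groups['haproxy_all'] %}{{ hostvars[node]['ansible_host'] }} {% endfor %}"` (or whichever address variable the inventory populates for containers). On the same line, `groups['haproxy_all']` raises an undefined-variable error on deployments without that group (external load balancer), so `groups['haproxy_all'] | default([])` keeps the variable renderable, and the loop leaves a trailing space after the last entry, which xinetd tolerates but is worth stripping with `{% if not loop.last %} {% endif %}`. The comment above the variable would also benefit from stating the contract, e.g. `# Rendered as a whitespace-separated xinetd only_from list; entries must be addresses or names that reverse-resolve on the galera hosts.`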