[Openstack-security] [Bug 1412393] [NEW] mariadb repo unnecessarily configured in all containers

Jesse Pretorius jesse.pretorius at gmail.com
Mon Jan 19 11:00:12 UTC 2015


Public bug reported:

The mariadb repo is unnecessarily configured on every host and in every
container. The repo should only be configured for containers and hosts that
require access to the database.

In order to provide a more secure-by-default installation, the /root/.my.cnf client configuration should only be placed where necessary - the utility container is likely to be the only location that requires it, as all DB access by services is done through explicit configuration with a restricted DB user.
Another set of containers it should perhaps be placed into would be the galera containers themselves.

** Affects: openstack-ansible
     Importance: Medium
         Status: New


** Tags: security

** Description changed:

  The mariadb repo is unnecessarily configured on every host and in every
  container. The repo should only configured for containers and hosts that
  require access to the database.
  
- In order to provide a more secure-by-default installation, the
- /root/.my.cnf client configuration should only placed where necessary -
- the utility container is likely to be the only location that requires it
- as all DB access by services are done through explicit configuration
- with a restricted DB user.
+ In order to provide a more secure-by-default installation, the /root/.my.cnf client configuration should only placed where necessary - the utility container is likely to be the only location that requires it as all DB access by services are done through explicit configuration with a restricted DB user.
+ Another set of containers it should perhaps be placed into would be the galera containers themselves.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1412393

Title:
  mariadb repo unnecessarily configured in all containers

Status in Ansible playbooks for deploying OpenStack:
  New
