[kuryr] Job running open resolver
Hi,

The openstack-infra team received a report from one of our infrastructure donors that a gate job run by Kuryr is running a DNS resolver open to the Internet. This is dangerous as, if discovered, it can be used as part of DNS reflection attacks. The community and our infrastructure donors share an interest in avoiding misuse of our resources.

Would you please look into whether this job is perhaps opening its iptables ports too liberally, and whether that can be avoided?

The job is kuryr-kubernetes-tempest-containerized-ovn, and the build which triggered the alerting system is this one:

https://zuul.opendev.org/t/openstack/build/166301f57b21402d8d8443bb1e17f970

Thanks,

Jim
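The report above asks whether the job opens its iptables ports "too liberally". One way to check that from a defender's side is to audit the host's INPUT chain for rules that accept DNS (tcp/udp port 53) from any source on any interface. The following shell script is an added example and is not part of this thread or of the Kuryr job; the two rule listings it works on are constructed to look like `iptables -S INPUT` output, and the network `10.0.0.0/8` and interface `br-int` used in the restricted rules are placeholders, not the job's real values.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find INPUT rules that
# accept DNS from anywhere. A resolver behind such a rule answers the whole
# Internet, which is what makes it usable as a reflection source.

# Constructed sample, modelled on `iptables -S INPUT` output. The two
# unrestricted port-53 rules are the "too liberal" case; the last two
# show the same service limited by source network or ingress interface.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br-int -p udp -m udp --dport 53 -j ACCEPT'

# Constructed "after" ruleset: DNS is only accepted from the placeholder
# internal network 10.0.0.0/8 (assumption, not the job's real network).
FIXED_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 53 -j ACCEPT'

# open_dns_rules RULES
# Prints every INPUT rule that ACCEPTs tcp/udp dport 53 with neither a
# source (-s) nor an ingress interface (-i) restriction.
# Exit status: 1 if at least one such rule exists, 0 otherwise.
open_dns_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ && /-j ACCEPT/ && /--dport 53 / {
            if ($0 !~ / -s / && $0 !~ / -i /) { print; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# count_open_dns_rules RULES
# Prints the number of offending rules; always exits 0 so it is safe
# to use inside command substitution under `set -e`.
count_open_dns_rules() {
    open_dns_rules "$1" | grep -c . || true
}

# Stand-alone run: report on the constructed "before" ruleset.
if open_dns_rules "$SAMPLE_RULES"; then
    echo "no unrestricted DNS accept rules found"
else
    echo "open resolver exposure: the rules above accept port 53 from anywhere"
fi
```

On a live host you would feed `iptables -S INPUT` (and, for IPv6, `ip6tables -S INPUT`) into `open_dns_rules` instead of the constructed string. The check is deliberately simple: it treats any `-s` or `-i` match as a restriction and does not evaluate the chain's policy or earlier DROP rules, so a hit is a prompt to read the chain, not a final verdict.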
Hi James,

Thank you for reporting it. We will take a look at it.

Best,
Maysa.

On Tue, Mar 3, 2020 at 5:11 PM James E. Blair <corvus@inaugust.com> wrote:

> Hi,
>
> The openstack-infra team received a report from one of our infrastructure donors that a gate job run by Kuryr is running a DNS resolver open to the Internet. This is dangerous as, if discovered, it can be used as part of DNS reflection attacks. The community and our infrastructure donors share an interest in avoiding misuse of our resources.
>
> Would you please look into whether this job is perhaps opening its iptables ports too liberally, and whether that can be avoided?
>
> The job is kuryr-kubernetes-tempest-containerized-ovn, and the build which triggered the alerting system is this one:
>
> https://zuul.opendev.org/t/openstack/build/166301f57b21402d8d8443bb1e17f970
>
> Thanks,
>
> Jim
On Tue, 2020-03-03 at 08:04 -0800, James E. Blair wrote:

> Hi,
>
> The openstack-infra team received a report from one of our infrastructure donors that a gate job run by Kuryr is running a DNS resolver open to the Internet. This is dangerous as, if discovered, it can be used as part of DNS reflection attacks. The community and our infrastructure donors share an interest in avoiding misuse of our resources.
>
> Would you please look into whether this job is perhaps opening its iptables ports too liberally, and whether that can be avoided?
>
> The job is kuryr-kubernetes-tempest-containerized-ovn, and the build which triggered the alerting system is this one:
>
> https://zuul.opendev.org/t/openstack/build/166301f57b21402d8d8443bb1e17f970
>
> Thanks,
>
> Jim

Hi,

The patch that disables the DNS is in review [1]. We'll come up with a way to run it locally; at the moment it should be safe for us to just disable it.

[1] https://review.opendev.org/#/c/711069/

Thanks,
Michał