[kuryr] Job running open resolver

Maysa De Macedo Souza mdemaced at redhat.com
Tue Mar 3 17:14:28 UTC 2020


Hi James,

Thank you for reporting it. We will take a look at it.

Best,
Maysa.

On Tue, Mar 3, 2020 at 5:11 PM James E. Blair <corvus at inaugust.com> wrote:

> Hi,
>
> The openstack-infra team received a report from one of our
> infrastructure donors that a gate job run by Kuryr is running a DNS
> resolver open to the Internet.  This is dangerous as, if discovered, it
> can be used as part of DNS reflection attacks.  The community and our
> infrastructure donors share an interest in avoiding misuse of our
> resources.
>
> Would you please look into whether this job is perhaps opening its
> iptables ports too liberally, and whether that can be avoided?
>
> The job is kuryr-kubernetes-tempest-containerized-ovn, and the build
> which triggered the alerting system is this one:
>
> https://zuul.opendev.org/t/openstack/build/166301f57b21402d8d8443bb1e17f970
>
> Thanks,
>
> Jim
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200303/ed0be2c0/attachment.html>


More information about the openstack-discuss mailing list