[kuryr] Job running open resolver

mdulko at redhat.com mdulko at redhat.com
Tue Mar 3 17:23:50 UTC 2020


On Tue, 2020-03-03 at 08:04 -0800, James E. Blair wrote:
> Hi,
> 
> The openstack-infra team received a report from one of our
> infrastructure donors that a gate job run by Kuryr is running a DNS
> resolver open to the Internet.  This is dangerous as, if discovered, it
> can be used as part of DNS reflection attacks.  The community and our
> infrastructure donors share an interest in avoiding misuse of our
> resources.
> 
> Would you please look into whether this job is perhaps opening its
> iptables ports too liberally, and whether that can be avoided?
> 
> The job is kuryr-kubernetes-tempest-containerized-ovn, and the build
> which triggered the alerting system is this one:
> 
> https://zuul.opendev.org/t/openstack/build/166301f57b21402d8d8443bb1e17f970

Hi,

The patch that disables the DNS is in review [1]. We'll come up with a
way to run it locally; at the moment it should be safe for us to just
disable it.

[1] https://review.opendev.org/#/c/711069/

Thanks,
Michał

> Thanks,
> 
> Jim
> 




