
Re: Port Binding



Thanks Brenton. I just implemented both of the iptables and SELinux scripts. I had an issue with the rules generated by the iptables script where the node's apache proxy was no longer able to communicate with the gears after I set up the rules. I solved it by adding a --uid-owner restriction to the output chain rule that jumps to the app table rules. Does that make sense?

The modified rule looks like

-A OUTPUT -d 127.0.0.0/8 -o lo -m owner --uid-owner 500-16000 -m state --state NEW -j rhc-app-table

instead of

-A OUTPUT -d 127.0.0.0/8 -o lo -m state --state NEW -j rhc-app-table

Is this the right thing to do here?

I can create a pull request if you'd like.

Thanks,
Aaron


On Wed, Sep 18, 2013 at 7:57 AM, Brenton Leanhardt <bleanhar redhat com> wrote:
+++ Aaron Knister [15/09/13 14:02 -0400]:

Hi Everyone,

I'm running an OpenShift Origin cluster and am trying to understand why within a gear there are seemingly no restrictions on the IPs/ports to which I can bind. I can even "steal" another gear's assigned IP/port and listen on them (assuming the other gear's processes happen to be shut down). I noticed that on the hosted OpenShift this is not the case. The bind system call fails when binding to anything other than the IPs/ports allocated to my gear. Any insight into the secret sauce Red Hat is using to do this?

Thanks!

-aaron

Hi Aaron,

It's always our intention to publish useful tools with the rest of the
source but it looks like we missed these.  While not integrated with
Origin yet by default, we went ahead and published what we use:

https://github.com/openshift/openshift-extras/tree/master/security

--Brenton


Sent from my iPad

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
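An added audit check for the OUTPUT rule discussed above (example code written for this page, not part of the thread or of openshift-extras): it parses iptables-save output and flags any OUTPUT rule that jumps to rhc-app-table without a `-m owner --uid-owner` match, since such a rule also diverts the node's own apache proxy into the per-gear table. The sample dump is constructed; the gear UID range 500-16000 is the one from the thread, and the apache UID of 48 is an assumption (the RHEL default).

```python
# Audit helper (constructed example): find OUTPUT rules that send traffic to
# rhc-app-table regardless of which uid opened the socket.
import shlex

# Constructed iptables-save excerpt: the first OUTPUT rule is the unrestricted
# form from the thread, the second is the --uid-owner variant that fixed it.
SAMPLE_RULES = """\
*filter
:OUTPUT ACCEPT [0:0]
:rhc-app-table - [0:0]
-A OUTPUT -d 127.0.0.0/8 -o lo -m state --state NEW -j rhc-app-table
-A OUTPUT -d 127.0.0.0/8 -o lo -m owner --uid-owner 500-16000 -m state --state NEW -j rhc-app-table
COMMIT
"""

def parse_rule(line):
    """Return (chain, tokens) for an '-A <chain> ...' line, else None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    return toks[1], toks[2:]

def uid_owner_range(tokens):
    """Return (lo, hi) from '--uid-owner N' or '--uid-owner N-M'; None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "--uid-owner":
            lo, _, hi = tokens[i + 1].partition("-")
            return int(lo), int(hi or lo)
    return None

def jump_target(tokens):
    """Return the chain or target named by '-j', or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-j":
            return tokens[i + 1]
    return None

def rule_applies_to_uid(line, uid):
    """True if the rule matches a NEW connection opened by a process running as `uid`."""
    parsed = parse_rule(line)
    if parsed is None:
        return False
    rng = uid_owner_range(parsed[1])
    return rng is None or rng[0] <= uid <= rng[1]  # no owner match: every uid matches

def find_unrestricted_jumps(text, chain="OUTPUT", target="rhc-app-table"):
    """Rules in `chain` that jump to `target` with no --uid-owner restriction at all."""
    hits = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[0] == chain and jump_target(parsed[1]) == target \
                and uid_owner_range(parsed[1]) is None:
            hits.append(line)
    return hits
```

Feed it `iptables-save` output from a node to list the jump rules that still apply to the apache uid; `rule_applies_to_uid(rule, 48)` answers that for a single rule.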

