Bug #853

If used with the proxy, the dhcpd server is open for connections from any server

Added by Marcello de Sousa about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assigned to: Ohad Levy
Category: DHCP
Target version: 0.2
Start: 04/18/2011
Due date:
% Done: 100%
Backlog: No
Difficulty:
Votes: 0

Description

When using:

omapi-port 7911;

the dhcpd API server will accept connections from any host. You might need to add something like this to provide basic security:

key omapi_key {
algorithm HMAC-MD5;
secret "XXXXXXXXX";
};
omapi-key omapi_key;

At first sight, it seems logical to me that Foreman's "subnet" settings should get an extra field "omapi_key".
If that field is not empty, "foreman-proxy/lib/proxy/dhcp/server/isc.rb" should issue an extra command ("OMSHELL key omapi_key XXXXXXXXX") when connecting to the dhcpd server.
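To make the exposure in the description checkable, here is an added example written for this page (not code from Foreman, the smart-proxy or ISC dhcpd) that audits a dhcpd.conf text: it flags an omapi-port with no omapi-key directive, an omapi-key that names a key the file never defines, and a placeholder secret such as the "XXXXXXXXX" above. The module name OmapiAudit, the finding texts and the three sample configurations are constructed for the example.

```ruby
# Added example (not Foreman's, the smart-proxy's or ISC's code): audit a
# dhcpd.conf text for an OMAPI listener that any host may talk to.
module OmapiAudit
  # `key NAME { ... }` definitions; the lookbehind keeps `omapi-key NAME;`
  # and names like `omapi_key` from being taken for a definition.
  KEY_DEF = /(?<![\w-])key\s+"?([\w.\-]+)"?\s*\{(.*?)\}/m

  # Drop `# ...` comments so a commented-out directive is not counted.
  def self.strip_comments(conf)
    conf.gsub(/#[^\n]*/, "")
  end

  # Return a list of findings (empty when the OMAPI setup looks sound).
  def self.audit(conf)
    text = strip_comments(conf)
    findings = []
    port = text[/(?<![\w-])omapi-port\s+(\d+)\s*;/, 1]
    return findings if port.nil?   # no omapi-port: dhcpd does not listen for OMAPI

    bound = text[/omapi-key\s+"?([\w.\-]+)"?\s*;/, 1]
    if bound.nil?
      findings << "omapi-port #{port} is set but no omapi-key is bound: " \
                  "any host that can reach the port can talk OMAPI"
      return findings
    end

    keys = text.scan(KEY_DEF).to_h   # key name -> body of the braces
    body = keys[bound]
    if body.nil?
      findings << "omapi-key #{bound} refers to a key that is not defined"
      return findings
    end

    secret = body[/secret\s+"([^"]*)"/, 1]
    if secret.nil? || secret.empty? || secret =~ /\AX+\z/i
      findings << "key #{bound} has a placeholder or empty secret"
    end
    findings
  end

  # Constructed samples: the exposed setup from the ticket, the suggested
  # fix with its placeholder secret, and the same with a real-looking secret.
  EXPOSED_CONF = "omapi-port 7911;\n"
  PLACEHOLDER_CONF = <<~CONF
    omapi-port 7911;
    key omapi_key {
      algorithm HMAC-MD5;
      secret "XXXXXXXXX";
    };
    omapi-key omapi_key;
  CONF
  HARDENED_CONF = PLACEHOLDER_CONF.sub('"XXXXXXXXX"', '"ZXhhbXBsZS1vbWFwaS1zZWNyZXQ="')
end

if __FILE__ == $0
  [OmapiAudit::EXPOSED_CONF, OmapiAudit::PLACEHOLDER_CONF, OmapiAudit::HARDENED_CONF].each do |conf|
    findings = OmapiAudit.audit(conf)
    puts(findings.empty? ? "ok" : findings.join("\n"))
  end
end
```

Feed it the real file with OmapiAudit.audit(File.read("/etc/dhcp/dhcpd.conf")); an empty result means an omapi-port is either absent or bound to a defined key with a non-placeholder secret. The check says nothing about who can reach the port, so it complements, rather than replaces, a firewall rule on TCP 7911.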


Related issues

related to Smart-Proxy - Bug #947: Foreman UI doesn't report omapi_key error properly (New, 05/26/2011)

Associated revisions

Revision bf8dfda678ec7e59053585c357a79df3b9d340cb
Added by Ohad Levy about 2 years ago

fixes #853 - If used with the proxy, the dhcpd server is open for connections from any server

History

Updated by Ohad Levy about 2 years ago

You are correct.

At the moment it's best to protect it via iptables, as it's not possible to define which interfaces to bind to (ideally lo).

I guess we should add both the secret key (as a configuration option on the proxy, similar to the DNS setup), and potentially allow using a remote ISC server as well.

Updated by Ohad Levy about 2 years ago

  • Status changed from New to Ready For Testing
  • % Done changed from 0 to 100

Updated by Marcello de Sousa about 2 years ago

I don't think this code is working 100%.
I've changed it to:

def omcmd cmd, msg=nil
  if cmd == "connect"
    @om = IO.popen("/bin/sh -c '/usr/bin/omshell 2>&1'", "r+")
    # send the OMAPI key before connecting, if one is configured
    if SETTINGS.dhcp_key_name and SETTINGS.dhcp_key_secret
      @om.puts "key #{SETTINGS.dhcp_key_name} \"#{SETTINGS.dhcp_key_secret}\""
    end
    @om.puts "server #{name}"
    @om.puts "connect"
    @om.puts "new host"
(...)

And a typo ("gsub" instead of "sub"):
logger.debug "omshell: executed - #{SETTINGS.dhcp_key_secret.nil? ? cmd : cmd.gsub(SETTINGS.dhcp_key_secret,"[filtered]")}" 

then it seems to work.

There's one problem: if the key is incorrect (I forced an incorrect key), Foreman's interface does not report the error. In the proxy.log (in debug mode) I can see the error:

(...)
E, [2011-05-03T17:51:57.835019 #10819] ERROR -- : Omshell failed:
> > > obj: <null>
, > obj: host
, > obj: host
, hardware-address = 00:0c:29:38:71:62
, > can't open object: connection reset by peer
, obj: host
, hardware-address = 00:0c:29:38:71:62
, > can't destroy object: not connected
, obj: host
, hardware-address = 00:0c:29:38:71:62
, >
E, [2011-05-03T17:51:57.835393 #10819] ERROR -- : Failed to remove DHCP reservation for  => 192.168.115.156 / 00:0c:29:38:71:62: No response from DHCP server
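The session handling described in the comment above, as an added example that is not the smart-proxy's omcmd or any other code from the project: it sends the key line before connect, redacts every occurrence of the secret from log lines with gsub, and treats omshell's "can't ... object" / "not connected" replies as a failed session instead of reporting success, which is the gap visible in the proxy.log excerpt. The module and method names, the FakeOmshell stand-in and the two transcripts (the first built from the error lines in the ticket) are constructed; a real process would be opened with IO.popen as in open_omshell, whose path is assumed.

```ruby
require 'logger'

# Added example (not the smart-proxy's omcmd): drive omshell with an OMAPI
# key, keep the secret out of the log, and report a failed session.
module OmapiSession
  SECRET = "s3cr3t-example"   # constructed; real secrets are the base64 value from dhcpd.conf

  # Replies that show the session is unusable, as in the ticket's proxy.log
  # (with a wrong key dhcpd resets the connection on the first object).
  FAILURE = /can't \w+ object:|not connected/

  # omshell commands for one session. The key line is emitted only when both
  # name and secret are configured, goes before `connect`, and its name must
  # match the `omapi-key` directive in dhcpd.conf.
  def self.script(server:, port: 7911, key_name: nil, key_secret: nil, commands: [])
    lines = ["server #{server}", "port #{port}"]
    lines << "key #{key_name} \"#{key_secret}\"" if key_name && key_secret
    lines << "connect"
    lines + commands
  end

  # Replace every occurrence of the secret (gsub, not sub, which would hide
  # only the first one) before a line is logged.
  def self.redact(text, secret)
    return text if secret.nil? || secret.empty?
    text.gsub(secret, "[filtered]")
  end

  # First transcript line that shows the session failed, or nil on success.
  def self.failure_in(transcript)
    transcript.each_line.map(&:strip).find { |line| line =~ FAILURE }
  end

  # Feed the script to an omshell-like IO (puts / close_write / read) and
  # return [ok, transcript]. Logged lines are redacted; a failure is logged
  # as an error and reported to the caller instead of being swallowed.
  def self.run(io, lines, secret: nil, logger: Logger.new($stderr))
    lines.each do |line|
      logger.debug("omshell: #{redact(line, secret)}")
      io.puts(line)
    end
    io.close_write
    transcript = io.read
    failure = failure_in(transcript)
    logger.error("Omshell failed: #{redact(failure, secret)}") if failure
    [failure.nil?, transcript]
  end

  # Real use: the omshell binary (path assumed) with stderr merged into stdout.
  def self.open_omshell(path = "/usr/bin/omshell")
    IO.popen([path], "r+", err: [:child, :out])
  end

  # Offline stand-in for the omshell process so the example runs anywhere.
  class FakeOmshell
    attr_reader :sent
    def initialize(transcript)
      @transcript = transcript
      @sent = []
    end
    def puts(line); @sent << line; end
    def close_write; end
    def read; @transcript; end
  end

  # Constructed transcripts; BAD_KEY mirrors the error lines in the ticket.
  BAD_KEY = <<~OUT
    > > > obj: <null>
    > obj: host
    hardware-address = 00:0c:29:38:71:62
    > can't open object: connection reset by peer
    obj: host
    hardware-address = 00:0c:29:38:71:62
    > can't destroy object: not connected
  OUT

  GOOD = <<~OUT
    > > > obj: <null>
    > obj: host
    hardware-address = 00:0c:29:38:71:62
    > obj: host
    hardware-address = 00:0c:29:38:71:62
    > obj: <null>
    >
  OUT

  # The reservation-removal sequence from the ticket, run against a transcript.
  def self.remove_host(transcript, mac: "00:0c:29:38:71:62")
    cmds = ["new host", "set hardware-address = #{mac}", "open", "remove"]
    lines = script(server: "127.0.0.1", key_name: "omapi_key", key_secret: SECRET, commands: cmds)
    ok, _transcript = run(FakeOmshell.new(transcript), lines, secret: SECRET, logger: Logger.new(nil))
    ok
  end
end

if __FILE__ == $0
  puts(OmapiSession.remove_host(OmapiSession::BAD_KEY) ? "removed" : "OMAPI session failed (check the key)")
end
```

The point of returning the failure to the caller is that the proxy can answer Foreman with an error rather than "No response from DHCP server" after the reservation was never touched; the redaction runs before anything is logged, so the secret never reaches proxy.log even in debug mode.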

Updated by Ohad Levy about 2 years ago

  • Status changed from Ready For Testing to Closed
  • Assigned to set to Ohad Levy

Marcello, I'm closing this ticket; if you want to follow up on the error, please create a new ticket.

It would be great if you could update the wiki with the new settings as well.
