Project

General

Profile

Actions

Bug #853

closed

If used with the proxy, the dhcpd server is open for connections from any server

Added by Marcello de Sousa over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
DHCP
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

When using :

omapi-port 7911;

The dhcpd api server will listen to any host. You might need to add something like this to provide basic security:

key omapi_key {
algorithm HMAC-MD5;
secret "XXXXXXXXX";
};
omapi-key omapi_key;

At first sight, it looks logic to me that the foreman's "subnet" settings should get an extra field "omapi_key".
If that field is not empty, "foreman-proxy/lib/proxy/dhcp/server/isc.rb" should issue an extra command ("OMSHELL key omapi_key XXXXXXXXX") when connecting to the dhcpd server.


Related issues 1 (1 open0 closed)

Related to Foreman - Bug #947: Foreman UI doesn't report omapi_key error properlyNewActions
Actions #1

Updated by Ohad Levy over 13 years ago

You are correct.

at the moment its best to protect it via iptables, as its not possible to define which interfaces to bind to (ideally lo).

I guess we should add both the secret key (as a configuration option on the proxy similar to dns setup), and potentially allow to use a remote isc server as well.

Actions #2

Updated by Ohad Levy over 13 years ago

  • Status changed from New to Ready For Testing
  • % Done changed from 0 to 100
Actions #3

Updated by Marcello de Sousa over 13 years ago

I don't think this code is working 100%.
I've changed it to:

def omcmd cmd, msg=nil
      if cmd == "connect" 
        @om = IO.popen("/bin/sh -c '/usr/bin/omshell 2>&1'", "r+")
         if SETTINGS.dhcp_key_name and SETTINGS.dhcp_key_secret
          @om.puts "key #{SETTINGS.dhcp_key_name} \"#{SETTINGS.dhcp_key_secret}\"" 
         end
        @om.puts "server #{name}" 
        @om.puts "connect" 
        @om.puts "new host" 
(...)

And a typo ("gsub" instead of "sub"):
logger.debug "omshell: executed - #{SETTINGS.dhcp_key_secret.nil? ? cmd : cmd.gsub(SETTINGS.dhcp_key_secret,"[filtered]")}" 

then it seems to work.

There's one problem, if the key is incorrect (I forced an incorrect key) Foreman's interface is not reporting the error. In the proxy.log (in debug mode) I can see the error:

(...)
E, [2011-05-03T17:51:57.835019 #10819] ERROR -- : Omshell failed:
> > > obj: <null>
, > obj: host
, > obj: host
, hardware-address = 00:0c:29:38:71:62
, > can't open object: connection reset by peer
, obj: host
, hardware-address = 00:0c:29:38:71:62
, > can't destroy object: not connected
, obj: host
, hardware-address = 00:0c:29:38:71:62
, >
E, [2011-05-03T17:51:57.835393 #10819] ERROR -- : Failed to remove DHCP reservation for  => 192.168.115.156 / 00:0c:29:38:71:62: No response from DHCP server

Actions #4

Updated by Ohad Levy over 13 years ago

  • Status changed from Ready For Testing to Closed
  • Assignee set to Ohad Levy

Marcello, I'm closing this ticket, if you want to follow up on the error, please create a new ticket.

it would be great if you could update the wiki with the new settings as well.

Actions

Also available in: Atom PDF