Task #1889

Portmap issues

Added by Alexander Werner over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Category: -
Target version: Team - Pool
% Done: 0%
Tags: Salt

Description

Our default setup creates and opens rpcbind.
This might be dangerous and used for DDoS attacks if open to the general public, but the service is needed for some parts of our infra.
The current solution of security.rpcbind doesn't seem to work as expected; it needs triaging and some work to fix it permanently.

History

#1 Updated by Christian Lohmaier over 1 year ago

Found the reason why rpcbind did reappear on vm172-vm172:

Disabling the service via Salt does indeed disable the systemd-based config, but Debian has an additional /etc/init/rpcbind-boot.conf (and /etc/init/rpcbind.conf); those nevertheless trigger starting of rpcbind when the machine is rebooted.

However, when disabling rpcbind on the host itself using sudo systemctl disable rpcbind, a file /etc/init/rpcbind.override with content "manual" is created.

So the solution for the Salt-based setup is to either find out why the override file is not triggered (probably it doesn't call systemctl but manually removes the service from the wants target), or just create that file using a file.managed.
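
A host check for the condition described in comment #1, added here as an example and not part of the ticket or the team's Salt code. It assumes, as the comment reports, that an /etc/init/rpcbind.override file containing "manual" is what keeps the job from starting at boot; the function names and the ROOT argument are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the upstart job files named in the ticket
# can still start rpcbind at boot. ROOT lets the check run against a
# mounted image or a test fixture instead of the live filesystem.

# job_state ROOT JOB -> prints one of: absent | manual | autostart
job_state() {
    root=$1
    job=$2
    conf="$root/etc/init/$job.conf"
    override="$root/etc/init/$job.override"
    if [ ! -f "$conf" ]; then
        echo absent
    elif [ -f "$override" ] &&
         grep -Eq '^[[:space:]]*manual[[:space:]]*$' "$override"; then
        echo manual
    else
        echo autostart
    fi
}

# audit_rpcbind ROOT -> status 0 if the rpcbind job is absent or manual,
# status 1 if the job file is present without a "manual" override.
audit_rpcbind() {
    root=${1:-/}
    state=$(job_state "$root" rpcbind)
    echo "rpcbind: $state"
    # rpcbind-boot.conf is reported for information only: the ticket names
    # only rpcbind.override as the file that systemctl disable creates.
    if [ -f "$root/etc/init/rpcbind-boot.conf" ]; then
        echo "rpcbind-boot: $(job_state "$root" rpcbind-boot)"
    fi
    [ "$state" != autostart ]
}

# Run the audit only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_rpcbind "$1"
fi
```

Run it as `sh check.sh /` on a host after the Salt state has been applied; a non-zero exit means rpcbind.conf is present without the override file.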

#2 Updated by Alexander Werner over 1 year ago

  • Status changed from New to Closed

Fixed in salt
