Hello all,

We have a security problem in Fuel 7.0. It's related to plugin development and allows code to be executed in the mcollective Docker container on the Fuel master node. Any Fuel plugin may contain a YAML file with deployment tasks (tasks.yaml, deployment_tasks.yaml, etc.), and there is an ability to run some code on a node with the role "master". It's also possible to connect to any target node via SSH without a password from within the container.

As I understood, it was made to simplify some deployment cases. I see some steps for resolving this situation:

1. The Fuel team should disallow execution of any puppet manifests or bash code on nodes with the master role.
2. Append to the Fuel documentation. Notify users about this security issue.

What do you think about it? What deployment cases that require execution of code on role "master" do you know?

--
Best regards,
Alexey
Deployment Engineer
Mirantis, Inc
Cell: +7 (968) 880 2288
Skype: shikelbober
Slack: aelagin
mailto:[email protected]
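
One way to implement the check proposed in step 1, as an added example that is not part of the original message or of Fuel's own code: a Python function that flags plugin tasks which would run shell or puppet code on role "master". The field names (`role`, `groups`, `type`, `parameters`, `cmd`, `puppet_manifest`) and the sample tasks are assumptions about how a parsed tasks.yaml or deployment_tasks.yaml is laid out.

```python
"""Flag Fuel plugin tasks that would execute code on the "master" role."""

# Task types that run code. Field names used below are assumed, not from the post.
EXEC_TYPES = {"shell", "puppet"}
MASTER = "master"


def _as_list(value):
    """Normalise a role/groups field that may be a string, a list or missing."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return list(value)


def find_master_tasks(tasks):
    """Return one finding per task that runs shell/puppet code on role "master"."""
    findings = []
    for index, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue
        targets = _as_list(task.get("role")) + _as_list(task.get("groups"))
        if MASTER not in targets or task.get("type") not in EXEC_TYPES:
            continue
        params = task.get("parameters") or {}
        findings.append({
            "index": index,
            "id": task.get("id"),
            "type": task["type"],
            "runs": params.get("cmd") or params.get("puppet_manifest"),
        })
    return findings


# Constructed sample, shaped like a task file after parsing (e.g. yaml.safe_load).
SAMPLE_TASKS = [
    {"role": ["controller"], "stage": "post_deployment", "type": "shell",
     "parameters": {"cmd": "./deploy.sh", "timeout": 60}},
    {"role": ["master"], "stage": "pre_deployment", "type": "shell",
     "parameters": {"cmd": "./prepare.sh", "timeout": 60}},
    {"id": "example-master-task", "role": "master", "type": "puppet",
     "parameters": {"puppet_manifest": "site.pp", "timeout": 120}},
    {"role": ["master"], "type": "reboot", "parameters": {"timeout": 300}},
]

if __name__ == "__main__":
    for finding in find_master_tasks(SAMPLE_TASKS):
        print(finding)
```

A plugin review or build step could refuse any plugin for which this function returns a non-empty list.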
