1、环境介绍
CentOS版本为7.8
# cat /etc/centos-release
CentOS Linux release 7.8.2003 (Core)
OpenStack 版本为Train
# rpm -qi openstack-nova-api
Name : openstack-nova-api
Epoch : 1
Version : 20.2.0
Release : 1.el7
Architecture: noarch
Install Date: Mon 08 Jun 2020 07:10:30 AM EDT
Group : Unspecified
Size : 5483
License : ASL 2.0
Signature : RSA/SHA1, Tue 28 Apr 2020 12:27:42 AM EDT, Key ID f9b9fee7764429e6
Source RPM : openstack-nova-20.2.0-1.el7.src.rpm
Build Date : Thu 23 Apr 2020 09:46:19 AM EDT
Build Host : c1bk.rdu2.centos.org
Relocations : (not relocatable)
Packager : CBS <cbs@centos.org>
Vendor : CentOS
URL : http://openstack.org/projects/compute/
Summary : OpenStack Nova API services
Description :
2、弱密码
2.1、memcache弱密码
memcached 本身没有认证机制(严格说是"无密码"而不是"弱密码")。默认监听 0.0.0.0:11211,且 TCP 与 UDP 同时开放,任何能访问该端口的主机都可以直接读写缓存内容(其中可能包含会话、令牌等敏感数据);UDP 11211 还经常被用作反射放大攻击的来源。
# netstat -npl |grep 11211
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 8825/memcached
udp 0 0 0.0.0.0:11211 0.0.0.0:* 8825/memcached
解决方法:修改配置,让 memcached 只监听 localhost。注意:只绑定 127.0.0.1 仅适用于所有 OpenStack 服务都在同一台机器上的 all-in-one 部署;多节点部署应绑定管理网地址,并用防火墙只放行各控制/计算节点。另外建议把 OPTIONS 中的 -U 11211 改为 -U 0 关闭 UDP 监听(OpenStack 各服务访问 memcached 通常只使用 TCP);下面的示例仍保留了 UDP,可按需一并关闭。
旧的配置值
# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="8192"
CACHESIZE="12873"
OPTIONS="-l 0.0.0.0 -U 11211 -t 40 >> /var/log/memcached.log 2>&1"
修改为
# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="8192"
CACHESIZE="12873"
OPTIONS="-l 127.0.0.1 -U 11211 -t 40 >> /var/log/memcached.log 2>&1"
重启 memcached 进程,并确认监听地址已经变化:
# systemctl restart memcached
# netstat -npl |grep 11211
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 8825/memcached
udp 0 0 127.0.0.1:11211 0.0.0.0:* 8825/memcached
使用 memcached 的应用需要同步适配:配置里不是 127.0.0.1 的 memcache_servers 要改为 127.0.0.1(多节点部署则改为上面选定的管理网地址)。注意下面 grep 结果中以 # 开头的行是被注释掉的默认值示例,并不代表实际生效的配置,需要逐个确认各服务真正使用的 memcache_servers 值。
# grep -r 11211 /etc
/etc/services:memcache 11211/tcp # Memory cache service
/etc/services:memcache 11211/udp # Memory cache service
/etc/sysconfig/memcached:PORT="11211"
/etc/sysconfig/memcached:OPTIONS="-l 127.0.0.1 -U 11211 -t 40 >> /var/log/memcached.log 2>&1"
/etc/nova/nova.conf:#memcache_servers=localhost:11211
/etc/keystone/keystone.conf:#memcache_servers = localhost:11211
/etc/glance/metadefs/software-databases.json: "default": 11211
/etc/neutron/metadata_agent.ini:#memcache_servers = localhost:11211
/etc/openstack-dashboard/local_settings:# 'LOCATION': '127.0.0.1:11211',
/etc/openstack-dashboard/local_settings: 'LOCATION': '127.0.0.1:11211',
/etc/swift/object-expirer.conf:memcache_servers = 127.0.0.1:11211
/etc/swift/proxy-server.conf:memcache_servers = 127.0.0.1:11211
/etc/magnum/magnum.conf:memcached_servers=127.0.0.1:11211
2.2、rsync弱密码
rsync daemon(873 端口)同样没有认证(问题是无密码暴露而非弱密码)。这里由 xinetd 托管并绑定到外部地址或 0.0.0.0,外部主机可以直接访问 /etc/rsyncd.conf 中定义的各个模块。
# netstat -npl |grep 873
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 10525/xinetd
修改配置。注意两点:(1) 该文件头部标明由 Puppet 维护("DO NOT EDIT"),手工改动会在下一次 Puppet 运行时被覆盖,应在部署工具的参数中修改 bind 地址;(2) Swift 的 account/container/object replicator 依赖 rsync 在存储节点之间同步数据,多节点部署不能绑定到 127.0.0.1,应绑定到复制网地址,并在 /etc/rsyncd.conf 中用 hosts allow 限制为存储节点。下面以单机部署为例:
# cat /etc/xinetd.d/rsync
# This file is being maintained by Puppet.
# DO NOT EDIT
service rsync
{
port = 873
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
group = root
groups = yes
server = /usr/bin/rsync
bind = 0.0.0.0
server_args = --daemon --config /etc/rsyncd.conf
instances = UNLIMITED
}
改为
# cat /etc/xinetd.d/rsync
# This file is being maintained by Puppet.
# DO NOT EDIT
service rsync
{
port = 873
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
group = root
groups = yes
server = /usr/bin/rsync
bind = 127.0.0.1
server_args = --daemon --config /etc/rsyncd.conf
instances = UNLIMITED
}
重启服务
# systemctl restart xinetd
# netstat -npl |grep 873
tcp 0 0 127.0.0.1:873 0.0.0.0:* LISTEN 10525/xinetd
2.3、虚拟机vnc无密码
目前的临时做法是修改 nova 代码,写死一个 VNC 密码。这是一个权宜之计,存在以下问题:所有虚机共用同一个密码,任何知道该密码的人都能连接任意租户的控制台;密码以明文写在每个计算节点的源码中,升级 openstack-nova rpm 时会被覆盖而悄然失效;VNC 经典认证(DES 挑战应答)一般只使用密码的前 8 个字符,"123ASD@456" 的后两位实际不参与认证。真正的暴露点是下面 xml 中的 listen='0.0.0.0':应把 nova.conf [vnc] 段的 server_listen 设为管理网地址,并用防火墙只放行 nova-novncproxy 所在节点;Train 还支持 [vnc] auth_schemes = vencrypt 配合 libvirt qemu.conf 的 vnc_tls / vnc_tls_x509_verify,在 novncproxy 与 QEMU 之间做 TLS 证书认证,这才是推荐的方案。
如果仍要使用写死密码的方式,在 format_dom 中增加这一行:
dev.set("passwd", "123ASD@456")
# vi /usr/lib/python2.7/site-packages/nova/virt/libvirt/config.py
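class LibvirtConfigGuestGraphics(LibvirtConfigGuestDevice):
    """Builder for the libvirt ``<graphics>`` device element.

    ``format_dom`` emits ``<graphics type=... autoport=... [keymap=...]
    [listen=...] [passwd=...]/>``.  The ``passwd`` attribute is the local
    hardening patch whose purpose is to make libvirt configure the guest's
    VNC server to require a password.

    Attributes set by ``__init__`` and read by ``format_dom``:
      type     -- graphics backend, defaults to "vnc".
      autoport -- let libvirt choose the port (True) or not (False).
      keymap   -- keyboard map name, emitted only when truthy.
      listen   -- listen address, emitted only when truthy.
      passwd   -- VNC password, emitted only when truthy; defaults to
                  ``DEFAULT_VNC_PASSWD``.
    """

    # NOTE(security): site-wide VNC password applied to every guest that
    # does not override ``self.passwd``.  A single shared secret in source
    # is a stop-gap: anyone who learns it can reach any tenant's console,
    # and an rpm upgrade of nova silently drops the patch.  Keeping it in
    # one named attribute at least lets the driver (or a site-local shim)
    # replace it with a per-instance value instead of editing format_dom.
    # VNC's classic DES challenge only uses the first 8 bytes of the
    # password, so characters beyond that add no strength.
    DEFAULT_VNC_PASSWD = "123ASD@456"

    def __init__(self, **kwargs):
        super(LibvirtConfigGuestGraphics, self).__init__(root_name="graphics",
                                                         **kwargs)
        self.type = "vnc"
        self.autoport = True
        self.keymap = None
        self.listen = None
        # Per-instance override point; None or "" suppresses the attribute.
        self.passwd = self.DEFAULT_VNC_PASSWD

    def format_dom(self):
        """Return the ``<graphics>`` element with the configured attributes."""
        dev = super(LibvirtConfigGuestGraphics, self).format_dom()
        dev.set("type", self.type)
        dev.set("autoport", "yes" if self.autoport else "no")
        if self.keymap:
            dev.set("keymap", self.keymap)
        if self.listen:
            dev.set("listen", self.listen)
        # Only emit passwd when one is configured, so that clearing
        # self.passwd yields an element without a passwd attribute rather
        # than a blank one.
        if self.passwd:
            dev.set("passwd", self.passwd)
        return dev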
重启服务
# systemctl restart openstack-nova-compute
部署好的虚机 xml(注意:密码以明文保存在 /etc/libvirt/qemu 下的域定义里,而且 listen 仍然是 0.0.0.0,密码只是在不限制来源地址的前提下多加了一道口令,并没有收窄暴露面):
# cat /etc/libvirt/qemu/instance-00000001.xml
<graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0' passwd='123ASD@456'>
<listen type='address' address='0.0.0.0'/>
</graphics>