From e6a51f563de943ed5033081b47279ff37d2a17d5c3402c0e4167f377f5d499cd Mon Sep 17 00:00:00 2001
From: Jordi Massaguer
Date: Thu, 6 Jun 2019 08:30:52 +0000
Subject: [PATCH] Accepting request 707856 from home:jsegitz:branches:devel:CaaSP:Head:ControllerNode
- Added README.security and wording in the configuration file to ensure users are aware that they need to configure etcd to require authentication
OBS-URL: https://build.opensuse.org/request/show/707856
OBS-URL: https://build.opensuse.org/package/show/devel:CaaSP:Head:ControllerNode/etcd?expand=0&rev=15
---
 README.security | 10 ++++++++++
 etcd.changes | 7 +++++++
 etcd.conf | 4 ++++
 etcd.spec | 4 +++-
 4 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 README.security
diff --git a/README.security b/README.security
new file mode 100644
index 0000000..bad04af
--- /dev/null
+++ b/README.security
@@ -0,0 +1,10 @@
+By default etcd doesn't require authentication. If you configure etcd to be reachable
+over the network, have untrustworthy local users on the system where etc runs or store
+date in etcd that needs to be kept confidential please make sure to enable authentication.
+
+You can do that by configuring the settings under [security] in /etc/sysconfig/etcd.
+For additional guidance please red
+https://coreos.com/etcd/docs/latest/v2/security.html
+and
+https://coreos.com/etcd/docs/latest/op-guide/authentication.html
+to ensure that you enforce proper access control
diff --git a/etcd.changes b/etcd.changes
index bcd75e1..e890953 100644
--- a/etcd.changes
+++ b/etcd.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Jun 5 13:08:46 UTC 2019 -
+
+- Added README.security and wording in the configuration file to
+ ensure users are aware that they need to configure etcd to require
+ authentication
+
 -------------------------------------------------------------------
 Wed Jan 30 11:58:15 UTC 2019 - Panagiotis Georgiadis pgeorgiadis@suse.com
diff --git a/etcd.conf b/etcd.conf
index 0391f6d..8804e5e 100644
--- a/etcd.conf
+++ b/etcd.conf
@@ -5,6 +5,10 @@ ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
 #ETCD_SNAPSHOT_COUNT="10000"
 #ETCD_HEARTBEAT_INTERVAL="100"
 #ETCD_ELECTION_TIMEOUT="1000"
+# Before changing this setting allowing etcd to be reachable over the network
+# or if you have untrustworthy local users on the system where etc runs please
+# make sure to enable authentication in the [security] section below. Please
+# also read README.security for this package
 #ETCD_LISTEN_PEER_URLS="http://localhost:2380"
 ETCD_LISTEN_CLIENT_URLS="http://localhost:2379"
 #ETCD_MAX_SNAPSHOTS="5"
diff --git a/etcd.spec b/etcd.spec
index a8862cb..1d5b3bb 100644
--- a/etcd.spec
+++ b/etcd.spec
@@ -33,6 +33,7 @@ Source1: %{name}.conf
 Source2: %{name}.service
 Source3: etcd_client_firewall
 Source4: etcd_server_firewall
+Source5: README.security
 BuildRequires: golang-packaging
 BuildRequires: shadow
 BuildRequires: systemd-rpm-macros
@@ -68,6 +69,7 @@ to explore an etcd cluster.
 %prep
 %setup -q
+cp %{SOURCE5} .
 %build
 %{goprep} github.com/coreos/etcd
@@ -111,7 +113,7 @@ getent passwd %{name} >/dev/null || %{_sbindir}/useradd -r -g %{name} -d %{_loca
 %files
 %defattr(-,root,root)
-%doc CONTRIBUTING.md README.md DCO NOTICE
+%doc CONTRIBUTING.md README.md DCO NOTICE README.security
 %license LICENSE
 %{_sbindir}/%{name}
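Review bot: In the etcd.conf hunk the new comment sends users to the [security] section, but both listen URLs directly below it keep the `http://` scheme and the comment never says the scheme has to change too. As far as I know etcd ignores the certificate and client-cert-auth settings for a listener whose URL is plain HTTP, so someone who fills in [security] and only swaps `localhost` for a routable address could still end up with an unauthenticated, unencrypted endpoint; I would add a line such as `# When you enable TLS / client cert auth, also change the URL scheme to https://`. The comment says "this setting" while it sits above the commented-out `ETCD_LISTEN_PEER_URLS`, yet the active `ETCD_LISTEN_CLIENT_URLS` is affected just as much, so "these listen URLs" would be clearer. "where etc runs" should read "where etcd runs"; README.security has the same slip plus "date" for "data" and "red" for "read". The [security] section itself lies outside the hunk, so what it offers by default should be confirmed against the full file.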