gnmi: restrict --noTLS mode to localhost binding #26893
Draft
xq9mend wants to merge 9 commits into sonic-net:master from
Conversation
When no certs are configured, telemetry falls back to --noTLS (cleartext gRPC). Add --bind_address 127.0.0.1 to the fallback so the cleartext endpoint is only reachable from localhost, not from the network. This is a security hardening change: remote clients without certs can no longer reach the cleartext gNMI endpoint over the network. Local tools and test utilities connecting via loopback are unaffected. Production deployments with certs use TLS and are unaffected. Requires sonic-gnmi change adding --bind_address flag support. Signed-off-by: xq9mend <xq9mend@users.noreply.github.com>
Collaborator
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Use rebased branch that applies only to the current submodule pointer, avoiding pulling in unrelated upstream commits. Signed-off-by: xq9mend <xq9mend@users.noreply.github.com>
Rebase fix/gnmi-notls-bind-localhost on latest upstream master to resolve merge conflicts before merging. Signed-off-by: xq9mend <xq9mend@users.noreply.github.com>
When no certs are configured, telemetry falls back to --noTLS (cleartext gRPC). This change adds --bind_address 127.0.0.1 to the fallback so the cleartext endpoint is only reachable from localhost, not from the network.

Changes:
- dockers/docker-sonic-gnmi/gnmi-native.sh: add --bind_address 127.0.0.1 to --noTLS fallback
- dockers/docker-sonic-telemetry/telemetry.sh: same
- src/sonic-gnmi: update submodule to include --bind_address flag support

Production deployments with certs use TLS and are unaffected. Local tools connecting via loopback are unaffected.
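A post-deployment check for the behaviour this PR describes, added here as an example that is not part of the PR or of sonic-gnmi: it reads an `ss -Hltn`-style listening-socket table and flags any listener on the gNMI port that is not bound to loopback, which is what the --noTLS fallback should now guarantee. The port 8080 and the socket lines are constructed sample values; on a switch you would pipe the real `ss -Hltn` output and the real port.

```shell
#!/bin/sh
# Added example (not from the PR or sonic-gnmi): verify that a cleartext
# (--noTLS) gNMI listener is bound to loopback only.
# Input: `ss -Hltn`-style lines on stdin: State Recv-Q Send-Q Local:Port Peer:Port
# Port 8080 is an assumed value; pass the port the telemetry container uses.

# check_gnmi_bind PORT -> exit 0 if every listener on PORT is loopback, 1 otherwise
check_gnmi_bind() {
  port="$1"
  status=0
  while read -r _state _recvq _sendq laddr _peer; do
    [ -n "$laddr" ] || continue
    addr="${laddr%:*}"      # strip ":port" (handles 0.0.0.0:8080, [::]:8080, *:8080)
    lport="${laddr##*:}"
    [ "$lport" = "$port" ] || continue
    case "$addr" in
      127.0.0.1|'[::1]')
        echo "OK:   $laddr is loopback-only" ;;
      *)
        echo "WARN: $laddr exposes the cleartext gNMI endpoint to the network"
        status=1 ;;
    esac
  done
  return "$status"
}

# Constructed sample socket tables: fallback without and with --bind_address 127.0.0.1.
BEFORE_FIX='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*'
AFTER_FIX='LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 [::1]:8080 [::]:*'

# Live use would be: ss -Hltn | check_gnmi_bind 8080
printf '%s\n' "$AFTER_FIX"  | check_gnmi_bind 8080
printf '%s\n' "$BEFORE_FIX" | check_gnmi_bind 8080 || echo "cleartext gNMI reachable from the network"
```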