Disable the Memcached listener on the UDP port

Starting with the Q4’18 MCP release, Memcached on the controller nodes listens on TCP only, which reduces the attack surface and improves the product security. The Memcached UDP port is disabled by default. This section explains how to disable the UDP listeners in existing OpenStack environments deployed on top of earlier MCP versions.

To disable the Memcached listener on the UDP port:

  1. Log in to the Salt Master node.

  2. Update your Reclass metadata model.

  3. Verify the memcached:server pillar:

    salt ctl01* pillar.get memcached:server
    

    After the Reclass metadata model update, the memcached:server:bind:proto pillar must be present, with proto:udp:enabled set to False for all Memcached server instances.

    Example of system response:

      ----------
      bind:
          ----------
          address:
              0.0.0.0
          port:
              11211
          proto:
              ----------
              tcp:
                  ----------
                  enabled:
                      True
              udp:
                  ----------
                  enabled:
                      False
          protocol:
              tcp
      enabled:
          True
      maxconn:
          8192
    
  4. Run the memcached.server state to apply the changes to all memcached instances:

    salt -C 'I@memcached:server' state.sls memcached.server
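After the state has run, the pillar value alone does not prove that the daemon stopped binding UDP; the socket table on each controller node does. The following script is an added example and not part of the MCP documentation or of the salt-formula-memcached project. It reads `ss -lnutp` style output (iproute2), reports any UDP socket still bound to the Memcached port from the pillar above (11211), and returns non-zero when one is found. The `ss` column layout and the sample socket lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the MCP docs): confirm that memcached has no UDP socket
# bound after `state.sls memcached.server` has been applied on a controller node.
# Assumes iproute2 `ss` is installed. The port matches the pillar shown above.

MEMCACHED_PORT=11211

# check_no_udp_listener: read `ss -lnutp` output on stdin.
# With both -t and -u given, ss prints a leading Netid column, so the local
# address:port is field 5. The port is the last colon-separated component,
# which also handles IPv6 forms such as [::]:11211.
# Returns 0 when no UDP socket is bound to MEMCACHED_PORT (desired state),
# 1 when such a socket is still present (the offending lines are printed).
check_no_udp_listener() {
    found=$(awk -v port="$MEMCACHED_PORT" '
        NR > 1 && $1 == "udp" {
            n = split($5, a, ":")
            if (a[n] == port) print
        }')
    if [ -n "$found" ]; then
        printf 'UDP listener still bound to port %s:\n%s\n' "$MEMCACHED_PORT" "$found"
        return 1
    fi
    return 0
}

# live_check: run against the real socket table of the node this runs on.
live_check() {
    ss -lnutp | check_no_udp_listener
}

# Constructed sample output, NOT captured from a real node: the "before" state,
# where memcached still holds a UDP socket next to its TCP listener.
SAMPLE_BEFORE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:11211      0.0.0.0:*         users:(("memcached",pid=1234,fd=27))
tcp   LISTEN 0      1024   0.0.0.0:11211      0.0.0.0:*         users:(("memcached",pid=1234,fd=26))'

# Constructed sample output for the "after" state: TCP only.
SAMPLE_AFTER='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      1024   0.0.0.0:11211      0.0.0.0:*         users:(("memcached",pid=1234,fd=26))
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=611,fd=12))'

# demo: exercise the check on both constructed samples; returns 0 when the
# "before" sample is flagged and the "after" sample passes.
demo() {
    if printf '%s\n' "$SAMPLE_BEFORE" | check_no_udp_listener >/dev/null; then
        echo "unexpected: UDP listener in the 'before' sample was not detected"
        return 1
    fi
    printf '%s\n' "$SAMPLE_AFTER" | check_no_udp_listener || return 1
    echo "check behaves as expected on the constructed samples"
    return 0
}
```

To run the same check across every Memcached node from the Salt Master, wrap it in `cmd.run`, for example `salt -C 'I@memcached:server' cmd.run "ss -lnutp | grep ':11211 '"`, and confirm that only `tcp` lines come back for each minion.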