Please note: MGM to require password-protected QuarkDB instances from next EOS release

Dear all,

The next EOS release will require that any QuarkDB instances it’s communicating with be password protected. The MGM will not start if the QuarkDB cluster it’s pointed to is not configured with a password.

Please check how to enable password authentication in QDB here. The EOS config will need changes too: the relevant options in the MGM configuration are mgmofs.qdbpassword_file and mgmofs.qdbpassword (mqofs.* and fstofs.* for MQ and FST, respectively).

The current documentation guides people towards an insecure deployment, and we apologize for the confusion – the eos-docs page will be updated shortly. Please feel free to post your questions on eos-community in the meantime.

This follows an incident where some malicious bot wiped out all contents of a QDB cluster that was accidentally left open to the internet – thankfully, this was just a test deployment. The bot apparently thought it was talking to official Redis, and (unsuccessfully) attempted an exploit to launch cryptominer malware, which involves running FLUSHALL as one of the steps.

Please secure your QuarkDB instances – don’t wait until the next releases. You can set up password authentication right now, and additionally firewall off the relevant ports to only allow connections from your trusted internal network.
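
One way to verify both recommendations above on your own instances, as an added example that is not part of the original announcement or of EOS/QuarkDB tooling: it sends an unauthenticated PING over the Redis protocol and reports whether the command ran. The host name, port 7777, and the expectation that a password-protected instance answers with a Redis-style `-NOAUTH` error are assumptions.

```python
import socket
import sys

# RESP encoding of PING, sent without any prior AUTH.
PING = b"*1\r\n$4\r\nPING\r\n"

def classify_reply(reply: bytes) -> str:
    """Classify the server's first reply to an unauthenticated PING."""
    line = reply.split(b"\r\n", 1)[0]
    if line.startswith(b"+PONG"):
        return "OPEN"            # command executed without credentials
    if line.startswith(b"-NOAUTH"):
        return "AUTH_REQUIRED"   # assumed Redis-style refusal
    if line.startswith(b"-"):
        return "REFUSED"         # another error; command still not executed
    return "UNKNOWN"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send PING, classify. Network failures count as UNREACHABLE."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(PING)
            return classify_reply(s.recv(4096))
    except OSError:              # refused, filtered, timed out, DNS failure
        return "UNREACHABLE"

def audit(endpoints, probe_fn=probe):
    """Return only the endpoints that answered without authentication."""
    results = {ep: probe_fn(*ep) for ep in endpoints}
    return [ep for ep, state in results.items() if state == "OPEN"]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python qdb_check.py qdb1.example.org 7777 (placeholder values)
        state = probe(sys.argv[1], int(sys.argv[2]))
        print(f"{sys.argv[1]}:{sys.argv[2]} -> {state}")
        sys.exit(1 if state == "OPEN" else 0)
    # No arguments: classify constructed sample replies, fully offline.
    for sample in (b"+PONG\r\n", b"-NOAUTH Authentication required.\r\n"):
        print(sample, "->", classify_reply(sample))
```

Run from inside the trusted network, a secured instance should report `AUTH_REQUIRED`; run from outside it, the firewall should make the same instance `UNREACHABLE`.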