Avoiding MPI All-Zero Listening
- The ports opened by the background mpirun and Ascend DMI processes started during MPI initialization are not authenticated, which may lead to attacks.
Workaround: After MPI is started, add firewall rules to prevent external networks from connecting to the listening ports of mpirun, orted (internal components of MPI), and Ascend DMI. After MPI finishes execution, clear the firewall rules.
- Adding firewall rules (the placeholders `RULE_NAME`, `NIC` and `PORT` stand for the rule/chain name, the NIC to be restricted and the port to be restricted; set them before running)

```shell
# Remove any leftover chain of the same name so the commands can be re-run safely
iptables -D INPUT -p tcp -j ${RULE_NAME}
iptables -F ${RULE_NAME}
iptables -X ${RULE_NAME}
# Create the chain, hook it into INPUT, and drop TCP traffic to the restricted port on the restricted NIC
iptables -t filter -N ${RULE_NAME}
iptables -I INPUT -p tcp -j ${RULE_NAME}
iptables -t filter -I ${RULE_NAME} -i ${NIC} -p tcp --dport ${PORT} -j DROP
```

- Clearing firewall rules

```shell
# Unhook, flush and delete the chain created above
iptables -D INPUT -p tcp -j ${RULE_NAME}
iptables -F ${RULE_NAME}
iptables -X ${RULE_NAME}
```
- With the default MPI configuration, MPI listens on the 0.0.0.0 address once the SuperPoD P2P bandwidth test starts.
Workaround: Locate the etc folder in the MPI configuration path and add the following configuration to the end of the openmpi-mca-params.conf file. This configuration specifies the NIC used for MPI communication. The NIC must be the same as the one in the firewall rule.

```
btl_tcp_if_include = lo
```
You are advised to use MPI only in containers and isolate it by network namespaces. This ensures that no all-zero listening exists on the host and other users of the host cannot connect to the unauthenticated OpenMPI ports.
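To verify that the workaround took effect, the following added example (not part of the original page) filters `ss -ltnp` output for MPI-related processes bound to the wildcard address. The sample `ss` output and the process-name pattern (`mpirun|orted|prterun`) are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Check for MPI processes listening on the all-zero (wildcard) address.
# Assumes the column layout of `ss -ltnp`: State Recv-Q Send-Q Local:Port Peer:Port Process

# find_wildcard_listeners: read `ss -ltnp` output on stdin and print
# "<process> <local address:port>" for every listening TCP socket bound to
# 0.0.0.0, * or [::] whose owning process name matches the pattern in $1.
find_wildcard_listeners() {
    pattern="${1:-mpirun|orted|prterun}"
    awk -v pat="$pattern" '
        NR == 1 { next }                       # skip the header line
        $4 ~ /^(0\.0\.0\.0|\*|\[::\]):[0-9]+$/ && $0 ~ ("\"(" pat ")\"") {
            proc = $0
            sub(/.*users:\(\("/, "", proc)     # keep text after users:(("
            sub(/".*/, "", proc)               # cut at the closing quote
            print proc, $4
        }'
}

# check_live_host: run the check against the real host; returns 1 if any
# matching wildcard listener exists, so it can gate a test run.
check_live_host() {
    found=$(ss -ltnp 2>/dev/null | find_wildcard_listeners "$@")
    if [ -n "$found" ]; then
        printf 'MPI wildcard listeners found:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample output (not captured from a real system) for a dry run.
SAMPLE_SS=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:41233       0.0.0.0:*         users:(("mpirun",pid=4242,fd=12))
LISTEN 0      128    127.0.0.1:41300     0.0.0.0:*         users:(("orted",pid=4250,fd=9))
LISTEN 0      128    [::]:41777          [::]:*            users:(("orted",pid=4251,fd=10))
EOF
)

# Dry run over the sample: the loopback-bound orted socket is not reported.
printf '%s\n' "$SAMPLE_SS" | find_wildcard_listeners
```

Run `check_live_host` on the host after applying the `btl_tcp_if_include` setting; a non-zero exit means an MPI process is still bound to the wildcard address.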