Bug 2187877

Summary: HAProxy stats page port 1993/tcp is not allowed
Product: Red Hat OpenStack
Reporter: yatanaka
Component: openstack-tripleo-heat-templates
Assignee: OSP Team <rhos-maint>
Status: MODIFIED
QA Contact: Joe H. Rahme <jhakimra>
Severity: medium
Priority: low
Version: 17.0 (Wallaby)
CC: lmiccini, mburns, rhos-maint, tkajinam
Target Milestone: z2
Keywords: Triaged
Target Release: 17.1
Hardware: x86_64
OS: Linux
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-17.1.20230813011053.2bcb0ca.el9osttrunk
Doc Type: No Doc Update
Type: Bug

Description yatanaka 2023-04-19 02:37:11 UTC
Description of problem:

In Controller nodes, HAProxy stats page listens on 1993/tcp port.

~~~
</var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg>
listen haproxy.stats
  bind 192.168.24.17:1993 transparent
  bind 192.168.24.22:1993 transparent
  mode http
  stats enable
  stats uri /
  stats auth admin:wwqZw1lHyD7Y7jL6xhBxNoK3g

[root@central-controller-1 ~]# netstat -aneopt|grep 1993
tcp        0      0 192.168.24.22:1993      0.0.0.0:*               LISTEN      0          59524      7320/haproxy         off (0.00/0/0)
tcp        0      0 192.168.24.17:1993      0.0.0.0:*               LISTEN      0          59523      7320/haproxy         off (0.00/0/0)
~~~

However, in RHOSP 17.0, this port is not allowed by default.

~~~
[root@central-controller-1 ~]# iptables -nvL |grep 1993
[root@central-controller-1 ~]# 

[stack@undercloud ~]$ curl 192.168.24.17:1993
curl: (28) Failed to connect to 192.168.24.17 port 1993: Connection timed out
~~~

RHOSP 16.2 or earlier allows port 1993, as shown below.

~~~
[root@overcloud-controller-1 ~]# cat /etc/rhosp-release 
Red Hat OpenStack Platform release 16.2.4 (Train)
[root@overcloud-controller-1 ~]# iptables -nvL |grep 1993
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1993 state NEW /* 107 haproxy stats ipv4 */
~~~

Version-Release number of selected component (if applicable):
RHOSP 17.0

How reproducible:
Deploy overcloud normally.

Actual results:
Port 1993 is not allowed.

Expected results:
Port 1993 is allowed.
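The mismatch the report describes (HAProxy bound on 1993/tcp, no firewall rule for it) is easy to check for in general: compare the node's listening TCP sockets against the ACCEPT rules in the INPUT chain. The script below is an added example, not part of the bug report or of tripleo-heat-templates. It reads files holding the output of `netstat -tln` and `iptables -S INPUT`; the sample contents are constructed to mirror the report, and the function names are hypothetical. It only looks at INPUT rules that match on `--dport`/`--dports`, and it ignores the chain policy and any source restrictions, so a port it reports is one with no port-specific ACCEPT rule at all.

```shell
#!/bin/sh
# Added example (not from the bug report): list listening TCP ports that no
# INPUT-chain ACCEPT rule covers. Inputs: a file with `netstat -tln` output
# and a file with `iptables -S INPUT` output. Function names are hypothetical.

# Listening TCP/TCP6 ports from netstat -tln lines, numerically sorted, unique.
listening_ports() {
  awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# TCP destination ports accepted by INPUT rules. Handles --dport N,
# --dports N,M lists and N:M ranges (ranges are expanded port by port).
accepted_ports() {
  awk '
    /^-A INPUT / && / -p tcp / && / -j ACCEPT$/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport" || $i == "--dports") {
          n = split($(i + 1), list, ",")
          for (k = 1; k <= n; k++) {
            if (split(list[k], r, ":") == 2) {
              for (p = r[1] + 0; p <= r[2] + 0; p++) print p
            } else {
              print list[k]
            }
          }
        }
      }
    }' | sort -un
}

# Print each listening port with no ACCEPT rule. $1 = netstat file, $2 = iptables file.
unfirewalled_ports() {
  lp=$(listening_ports < "$1")
  ap=$(accepted_ports < "$2")
  for port in $lp; do
    printf '%s\n' $ap | grep -qxF "$port" || printf '%s\n' "$port"
  done
}

# Constructed sample input (not real node output); temp files are removed on exit.
NETSTAT_SAMPLE=$(mktemp)
IPTABLES_SAMPLE=$(mktemp)
trap 'rm -f "$NETSTAT_SAMPLE" "$IPTABLES_SAMPLE"' EXIT
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.24.22:1993      0.0.0.0:*               LISTEN
tcp        0      0 192.168.24.17:1993      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.24.17:5000      0.0.0.0:*               LISTEN
tcp        0      0 192.168.24.17:8080      0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
cat > "$IPTABLES_SAMPLE" <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,13000 -m state --state NEW -m comment --comment "111 keystone" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000:8100 -m state --state NEW -m comment --comment "200 range rule" -j ACCEPT
-A INPUT -p udp -m udp --dport 1993 -j ACCEPT
-A INPUT -j DROP
EOF

# Usage: with the sample above this prints "1993" only; 22, 5000 and 8080
# are covered (8080 by the 8000:8100 range) and the udp rule does not count.
unfirewalled_ports "$NETSTAT_SAMPLE" "$IPTABLES_SAMPLE"
```

On a real node, run `netstat -tln > /tmp/listen.txt` and `iptables -S INPUT > /tmp/input.txt` and pass those two files to `unfirewalled_ports`. An empty result means every listening TCP port has a port-specific rule; a non-empty result is the situation in this report and is worth a second look, since HAProxy stats exposes backend state behind basic auth and the port should only be reachable where the deployment intends.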

Comment 1 yatanaka 2023-04-19 03:20:05 UTC
I've made a merge request below.

https://review.opendev.org/c/openstack/tripleo-heat-templates/+/880787

Comment 2 Luca Miccini 2023-04-20 10:27:02 UTC
Thanks for the report and for the patch.
Workaround: add a custom firewall rule using the documented steps: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.0/html-single/security_and_hardening_guide/index#proc_adding-services-to-the-overcloud-firewall_security-enhancements

Comment 5 Luca Miccini 2023-08-10 13:39:51 UTC
moved by mistake