Bug 789954

Summary: Qpid daemon needs access to port 5674
Product: Red Hat Satellite
Reporter: Martin Bacovsky <mbacovsk>
Component: SELinux
Assignee: Lukas Zapletal <lzap>
Status: CLOSED CURRENTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: urgent
Priority: unspecified
Version: 6.0.0
CC: cwelton, jlaska, mmccune
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-08-22 18:26:32 UTC
Bug Depends On: 790005
Bug Blocks: 761314, 798625

Description Martin Bacovsky 2012-02-13 10:59:32 UTC
Description of problem:
When I try to start Pulp's Qpid broker with allowed SSL connections it can't connect to the port. Default port for the QPIDD SSL communication is 5674.

As recommended by sealert

semanage port -a -t amqp_port_t -p tcp 5674

did the trick.

Version-Release number of selected component (if applicable):
katello-0.1.230

How reproducible:
Always

Steps to Reproduce:
# add qpid-broker private key file to the nss db
openssl rand -base64 24 > /etc/katello/pk12_password-file
openssl pkcs12 -in /etc/pki/tls/certs/qpid-broker.crt -inkey /etc/pki/tls/private/qpid-broker.key -export -out broker.pfx -password "file:/etc/katello/pk12_password-file"
pk12util -i broker.pfx -d /etc/pki/katello/nssdb/ -w /etc/katello/pk12_password-file -k /etc/katello/nss_db_password-file

# install the missing qpid ssl packages
yum install -y qpid-cpp-client-ssl qpid-cpp-server-store qpid-cpp-server-ssl

# fix the QPID configuration
cat >> /etc/qpidd.conf <<EOF
require-encryption=yes
ssl-require-client-authentication=yes
ssl-port=5674
ssl-cert-db=/etc/pki/katello/nssdb
ssl-cert-password-file=/etc/katello/nss_db_password-file
ssl-cert-name=broker
EOF

# Make sure /etc/pki/katello/nssdb and its content and /etc/katello/nss_db_password-file is readable by qpidd user otherwise qpidd won't start

# restart qpidd
service qpidd restart

lsof -i -P |grep qpidd

Actual results:
 qpidd     20522         qpidd   11u  IPv4 1606688      0t0  TCP *:5672 (LISTEN)

Additional info:
You can get the expected results by turning selinux permissive or running 
semanage port -a -t amqp_port_t -p tcp 5674

Expected results:
 qpidd     20522         qpidd   11u  IPv4 1606688      0t0  TCP *:5672 (LISTEN)
 qpidd     20522         qpidd   14u  IPv4 1606689      0t0  TCP *:5674 (LISTEN)

Comment 1 Lukas Zapletal 2012-02-13 14:12:13 UTC
Until the policy is delivered in Pulp, we will add semanage call into our installer.
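
Added example, not part of the original report and not the Katello installer's code: one way to make the semanage call mentioned in Comment 1 safe to re-run is to check `semanage port -l` for the label first. The helper names (port_has_type, ensure_port_label) and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the Katello installer's code): label the qpidd SSL port
# only when the label is missing, so the step can be re-run safely.

# port_has_type TYPE PROTO PORT  (hypothetical helper)
# Reads `semanage port -l` output on stdin. Succeeds if PORT is listed for
# TYPE/PROTO, either on its own or inside a range such as 5671-5672.
port_has_type() {
    awk -v t="$1" -v p="$2" -v n="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)               # entries are comma separated
                k = split(item, r, "-")
                lo = r[1] + 0
                hi = (k > 1) ? r[2] + 0 : lo
                if (n + 0 >= lo && n + 0 <= hi) found = 1
            }
        }
        END { exit !found }'
}

# ensure_port_label TYPE PROTO PORT  (hypothetical helper, needs root)
ensure_port_label() {
    if semanage port -l | port_has_type "$1" "$2" "$3"; then
        return 0                                  # nothing to change
    fi
    # -a fails when the port is already defined under another type;
    # -m relabels it in that case.
    semanage port -a -t "$1" -p "$2" "$3" 2>/dev/null ||
        semanage port -m -t "$1" -p "$2" "$3"
}

# Constructed sample of `semanage port -l` output, before the fix.
sample_listing() {
    cat <<'EOF'
SELinux Port Type              Proto    Port Number

amqp_port_t                    tcp      5671-5672
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
EOF
}

if sample_listing | port_has_type amqp_port_t tcp 5674; then
    echo "tcp/5674 is labelled amqp_port_t"
else
    echo "tcp/5674 is not amqp_port_t: qpidd cannot bind ssl-port=5674"
fi
# On the broker host: ensure_port_label amqp_port_t tcp 5674
```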

Comment 6 Lukas Zapletal 2012-02-24 15:16:09 UTC
No, it's not done yet, those are just links to the RHUI tree.

Comment 7 Lukas Zapletal 2012-02-27 12:30:58 UTC
This bug was solved and pushed. Was also fixing this issue.

https://bugzilla.redhat.com/show_bug.cgi?id=761314

Comment 8 Corey Welton 2012-03-12 19:53:14 UTC
QA Verified.


qpidd     1747         qpidd   10u  IPv4  13449      0t0  TCP *:5672 (LISTEN)
qpidd     1747         qpidd   13u  IPv4  13450      0t0  TCP *:5674 (LISTEN)
qpidd     1747         qpidd   15u  IPv4  13651      0t0  TCP deploy12.rdu.redhat.com:5674->deploy12.rdu.redhat.com:46447 (ESTABLISHED)

Comment 9 Corey Welton 2012-03-12 20:33:29 UTC
rather - 


[root@deploy12 ~]# lsof -i -P |grep qpidd
qpidd     7350         qpidd   10u  IPv4  35272      0t0  TCP *:5672 (LISTEN)
qpidd     7350         qpidd   13u  IPv4  35273      0t0  TCP *:5674 (LISTEN)