Bug 1130213 - exclude default port 35357 from the ephemeral port range
Summary: exclude default port 35357 from the ephemeral port range
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 5.0 (RHEL 7)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z1
Target Release: 5.0 (RHEL 7)
Assignee: Alan Pevec
QA Contact: Udi Kalifon
URL:
Whiteboard:
Depends On:
Blocks: 1128799 1139355
 
Reported: 2014-08-14 14:37 UTC by Thom Carlin
Modified: 2018-12-06 17:45 UTC (History)

Fixed In Version: openstack-keystone-2014.1.2.1-2.el7ost openstack-keystone-2014.1.2.1-3.el6ost
Doc Type: Bug Fix
Doc Text:
Identity Service listened on a port that is within the ephemeral port range. Other applications that use ephemeral ports could end up using this port before the Identity service was able to bind to it at start-up. As a result, the Identity service failed to start because its port was already in use by another application. With this update, the Identity service reserves its port using the sysctl.d interface. As a result, the Identity service's port is no longer used as an ephemeral port by other applications, allowing the Identity service to start properly without a port conflict.
Clone Of:
: 1139355 (view as bug list)
Environment:
Last Closed: 2014-09-30 17:51:43 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
spec patch (2.90 KB, patch)
2014-09-08 17:35 UTC, Alan Pevec


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1347 0 normal SHIPPED_LIVE openstack-keystone bug fix update 2014-09-30 21:49:42 UTC

Description Thom Carlin 2014-08-14 14:37:32 UTC
Description of problem:

Keystone dies 

Version-Release number of selected component (if applicable):

RHOS 5.0 on RHEL 7

How reproducible:

Sporadically

Steps to Reproduce:
1.
2.
3.

Actual results:

openstack_auth.backend Authorization Failed: Unable to establish connection to http://10.72.0.6:5000/v2.0/tokens
2014-08-11 14:34:01,997 29824 WARNING openstack_auth.forms Login failed for user "<snip>"
systemctl status openstack-keystone.service
openstack-keystone.service - OpenStack Identity Service (code-named Keystone)
   Loaded: loaded (/usr/lib/systemd/system/openstack-keystone.service; enabled)
   Active: failed (Result: start-limit) since Mon 2014-08-11 11:00:42 EDT; 1s ago
  Process: 7442 ExecStart=/usr/bin/keystone-all (code=exited, status=1/FAILURE)
 Main PID: 7442 (code=exited, status=1/FAILURE)

Aug 11 11:00:42 oscontrol1 systemd[1]: openstack-keystone.service: main process exited, code=exited, status=1/FAILURE
Aug 11 11:00:42 oscontrol1 systemd[1]: Failed to start OpenStack Identity Service (code-named Keystone).
Aug 11 11:00:42 oscontrol1 systemd[1]: Unit openstack-keystone.service entered failed state.
Aug 11 11:00:42 oscontrol1 systemd[1]: openstack-keystone.service holdoff time over, scheduling restart.
Aug 11 11:00:42 oscontrol1 systemd[1]: Stopping OpenStack Identity Service (code-named Keystone)...
Aug 11 11:00:42 oscontrol1 systemd[1]: Starting OpenStack Identity Service (code-named Keystone)...
Aug 11 11:00:42 oscontrol1 systemd[1]: openstack-keystone.service start request repeated too quickly, refusing to start.
Aug 11 11:00:42 oscontrol1 systemd[1]: Failed to start OpenStack Identity Service (code-named Keystone).
Aug 11 11:00:42 oscontrol1 systemd[1]: Unit openstack-keystone.service entered failed state."

Expected results:

Successful authentication, keystone starting up successfully.


Additional info:

It's a conflict between Neutron and Keystone

Please backport http://pkgs.fedoraproject.org/cgit/openstack-keystone.git/commit/?id=216d357efd425c90507bae0b304dc614f9886220

Comment 2 Alan Pevec 2014-09-08 17:35:33 UTC
Created attachment 935418 [details]
spec patch

Comment 4 Udi Kalifon 2014-09-11 06:50:48 UTC
This was added to /lib/sysctl.d/openstack-keystone.conf:

# By default, keystone starts a service on IANA-assigned port 35357
# http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
net.ipv4.ip_local_reserved_ports = 35357

Checked in openstack-keystone-2014.1.2.1-2.el7ost.noarch
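
A check for the condition this fix addresses, as an added example that is not part of the bug report or the package: it reports whether a fixed listener port sits inside the kernel's ephemeral range without being listed in net.ipv4.ip_local_reserved_ports. The function names and the sample range 32768-61000 are constructed for illustration; check_live reads the running kernel's values from /proc.

```shell
#!/bin/sh
# Added example (not from the bug report): is a fixed service port
# exposed to ephemeral allocation by other processes?

# in_reserved PORT LIST
# LIST uses the ip_local_reserved_ports syntax, e.g. "35357,40000-40010".
# Returns 0 if PORT is covered by LIST, 1 otherwise.
in_reserved() {
    for item in $(printf '%s' "$2" | tr ',' ' '); do
        case $item in
            *-*) lo=${item%-*}; hi=${item#*-} ;;   # range "lo-hi"
            *)   lo=$item; hi=$item ;;             # single port
        esac
        [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && return 0
    done
    return 1
}

# port_status PORT LOW HIGH RESERVED_LIST
# Prints: outside-range | reserved | exposed
port_status() {
    if [ "$1" -lt "$2" ] || [ "$1" -gt "$3" ]; then
        echo outside-range      # never handed out as an ephemeral port
    elif in_reserved "$1" "$4"; then
        echo reserved           # in range, but excluded by the sysctl
    else
        echo exposed            # another process may be given this port
    fi
}

# check_live PORT: same check against the running kernel (Linux only).
check_live() {
    read -r low high < /proc/sys/net/ipv4/ip_local_port_range
    reserved=$(cat /proc/sys/net/ipv4/ip_local_reserved_ports)
    port_status "$1" "$low" "$high" "$reserved"
}

# Constructed sample values: range 32768-61000, before and after the fix.
echo "35357 before fix: $(port_status 35357 32768 61000 '')"
echo "35357 after fix:  $(port_status 35357 32768 61000 '35357')"
echo "5000:             $(port_status 5000 32768 61000 '')"
```

On a host with the updated package installed, `check_live 35357` should print `reserved` once the sysctl.d file has been applied.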

Comment 7 errata-xmlrpc 2014-09-30 17:51:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1347.html

