
Bug 1743373

Summary: [RFE] Be able to limit which interfaces every pacemaker component listens to
Product: Red Hat Enterprise Linux 7
Reporter: Michele Baldessari <michele>
Component: pacemaker
Assignee: Ken Gaillot <kgaillot>
Status: CLOSED ERRATA
QA Contact: cluster-qe <cluster-qe>
Severity: medium
Priority: unspecified
Version: 7.7
CC: akaris, cfeist, cluster-maint, cswanson, ctowsley, phagara, pkomarov
Target Milestone: pre-dev-freeze
Keywords: FutureFeature
Target Release: 7.9
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pacemaker-1.1.22-1.el7
Doc Type: Enhancement
Doc Text:
Feature: Pacemaker now allows configuration of the address to which the Pacemaker Remote server binds, via the PCMK_remote_address option in /etc/sysconfig/pacemaker, and additionally now allows a file with environment variables to be passed to bundles, by mapping the file on the host into the container as /etc/pacemaker/pcmk-init.env. Reason: Some environments do not want Pacemaker Remote to bind to all addresses for security reasons. Result: Users may restrict Pacemaker Remote to listening on a single IP address.
Clones: 1743377 (view as bug list)
Last Closed: 2020-09-29 20:03:57 UTC
Type: Bug
Bug Depends On: 1743377
Bug Blocks: 1740626

Description Michele Baldessari 2019-08-19 18:32:55 UTC
Description of problem:
This is partially taken from https://bugzilla.redhat.com/show_bug.cgi?id=1727280#c8 and from https://bugzilla.redhat.com/show_bug.cgi?id=1740626 (OSP related BZs)

In short: we'd love to have a mechanism (option in /etc/sysconfig/pacemaker or else) that allows us to limit a bit on which interfaces/ip_addresses pacemaker listens on (mainly remote, but worth checking that other pcmk components, if there are any, follow the same option, except corosync of course)

For example today we see that pcmk-remote listens to all IPs:
[root@controller-1 pacemaker]# ss -tunlp |grep pacemaker
tcp    LISTEN     0      10       :::3122                 :::*                   users:(("pacemaker_remot",pid=992835,fd=8))
tcp    LISTEN     0      10       :::3123                 :::*                   users:(("pacemaker_remot",pid=992765,fd=8))
tcp    LISTEN     0      10       :::3124                 :::*                   users:(("pacemaker_remot",pid=992810,fd=8))

Comment 3 Ken Gaillot 2019-08-19 18:51:14 UTC
We'll primarily target RHEL 8 for this (via Bug 1743377). Once that's ready, we can see how feasible it would be to backport to RHEL 7 and whether it would be allowed at that stage of the life cycle.

Comment 4 Ken Gaillot 2019-09-26 15:46:49 UTC
Fixed in upstream 1.1 branch by commits 86079a2a and 9ae6903e

The ability is enabled via a new environment variable:

# If the Pacemaker Remote service is run on the local node, it will listen
# for connections on this address. The value may be a resolvable hostname or an
# IPv4 or IPv6 numeric address. When resolving names or using the default
# wildcard address (i.e. listen on all available addresses), IPv6 will be
# preferred if available. When listening on an IPv6 address, IPv4 clients will
# be supported (via IPv4-mapped IPv6 addresses).
# PCMK_remote_address="192.0.2.1"

The environment variable can be specified in /etc/sysconfig/pacemaker for cluster nodes and Pacemaker Remote nodes. For bundles, any sysconfig-like file on the host can be mapped into the container as /etc/pacemaker/pcmk-init.env (using pcs's existing storage-map option for bundles), and Pacemaker Remote inside the bundle will load the environment variables from it.

Comment 5 Andreas Karis 2019-10-07 13:38:04 UTC
*** Bug 1759079 has been marked as a duplicate of this bug. ***

Comment 6 Patrik Hagara 2020-02-21 17:46:05 UTC
qa_ack+, same repro steps as https://bugzilla.redhat.com/show_bug.cgi?id=1743377#c8

Comment 9 Patrik Hagara 2020-06-16 15:20:34 UTC
> [root@virt-164 ~]# rpm -q pacemaker pacemaker-remote
> pacemaker-1.1.23-1.el7.x86_64
> pacemaker-remote-1.1.23-1.el7.x86_64
> [root@virt-164 ~]# systemctl enable --now pacemaker_remote
> Created symlink from /etc/systemd/system/multi-user.target.wants/pacemaker_remote.service to /usr/lib/systemd/system/pacemaker_remote.service.
> [root@virt-164 ~]# ss -ltnp | grep pacemaker
> LISTEN     0      10        [::]:3121                  [::]:*                   users:(("pacemaker_remot",pid=30346,fd=8))

listening on all interfaces by default


now change the PCMK_remote_address variable to bind to specific IP:

> [root@virt-164 ~]# ip addr show dev eth0
<snip>
>     inet 10.37.167.35/22 brd 10.37.167.255 scope global noprefixroute dynamic eth0
<snip>
> [root@virt-164 ~]# grep PCMK_remote_address /etc/sysconfig/pacemaker 
> PCMK_remote_address="10.37.167.35"
> [root@virt-164 ~]# systemctl restart pacemaker_remote
> [root@virt-164 ~]# ss -ltnp | grep pacemaker
> LISTEN     0      10     10.37.167.35:3121                     *:*                   users:(("pacemaker_remot",pid=30290,fd=8))


stop and disable pacemaker_remote.service:

> [root@virt-164 ~]# systemctl disable --now pacemaker_remote


authorize to remote node IPv4 address from existing cluster:

> [root@virt-160 ~]# pcs cluster auth 10.37.167.35
> Username: hacluster
> Password: 
> 10.37.167.35: Authorized


add the remote node using the listen IP address:

> [root@virt-160 ~]# pcs cluster node add-remote 10.37.167.35 virt-164
> Sending remote node configuration files to '10.37.167.35'
> 10.37.167.35: successful distribution of the file 'pacemaker_remote authkey'
> Requesting start of service pacemaker_remote on '10.37.167.35'
> 10.37.167.35: successful run of 'pacemaker_remote enable'
> 10.37.167.35: successful run of 'pacemaker_remote start'


verify that the remote node joined the cluster:

> [root@virt-160 ~]# pcs status
> Cluster name: STSRHTS23819
> Stack: corosync
> Current DC: virt-163 (version 1.1.23-1.el7-9acf116022) - partition with quorum
> Last updated: Tue Jun 16 16:51:24 2020
> Last change: Tue Jun 16 16:51:19 2020 by root via cibadmin on virt-160
> 
> 4 nodes configured
> 5 resource instances configured
> 
> Online: [ virt-160 virt-162 virt-163 ]
> RemoteOnline: [ virt-164 ]
> 
> Full list of resources:
> 
>  fence-virt-160	(stonith:fence_xvm):	Started virt-162
>  fence-virt-162	(stonith:fence_xvm):	Started virt-163
>  fence-virt-163	(stonith:fence_xvm):	Started virt-163
>  fence-virt-164	(stonith:fence_xvm):	Started virt-160
>  virt-164	(ocf::pacemaker:remote):	Started virt-160
> 
> Daemon Status:
>   corosync: active/enabled
>   pacemaker: active/enabled
>   pcsd: active/enabled
(In reply to Ken Gaillot from comment #4)
> For bundles, any sysconfig-like
> file on the host can be mapped into the container as
> /etc/pacemaker/pcmk-init.env (using pcs's existing storage-map option for
> bundles), and Pacemaker Remote inside the bundle will load the environment
> variables from it.

@Pini: Could you please verify this also works for OpenStack (with bundles ^)? Should be similar to bz#1743377 from 8.2.0. Feel free to flip to verified afterwards.
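Added here as a defender's check, not part of the bug report or of Pacemaker itself: a small shell function that parses `ss -ltnp` / `ss -tunlp` output like the listings in the description and in this comment, and flags any pacemaker_remoted socket still bound to a wildcard address, i.e. a node where PCMK_remote_address has not taken effect. The sample `ss` lines are constructed from the ones on this page.

```shell
# Flag pacemaker_remoted sockets bound to a wildcard address. Reads ss output
# on stdin, prints one line per wildcard listener, and returns 0 when every
# pacemaker_remoted socket is pinned to a specific address, 1 otherwise.
pcmk_remote_wildcard_listeners() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *pacemaker_remot*) ;;   # only pacemaker_remoted sockets matter here
            *) continue ;;
        esac
        # "Local Address:Port" is the 3rd field after "LISTEN", whichever ss
        # column layout (with or without the leading Netid column) is in use
        addr=$(printf '%s\n' "$line" |
               awk '{ for (i = 1; i <= NF; i++)
                        if ($i == "LISTEN") { i += 3; print $i; exit } }')
        case "$addr" in
            ':::'*|'[::]:'*|'*:'*|'0.0.0.0:'*)
                printf 'wildcard listener: %s\n' "$addr"
                found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample output modeled on the listings in this bug report:
# before PCMK_remote_address is set (wildcard IPv6 bind, plus an unrelated
# sshd socket that must be ignored) ...
SS_BEFORE='tcp    LISTEN     0      10       :::3122                 :::*                   users:(("pacemaker_remot",pid=992835,fd=8))
tcp    LISTEN     0      10       0.0.0.0:22              0.0.0.0:*              users:(("sshd",pid=1,fd=3))'
# ... and after restarting pacemaker_remote with PCMK_remote_address="10.37.167.35"
SS_AFTER='LISTEN     0      10     10.37.167.35:3121                     *:*                   users:(("pacemaker_remot",pid=30290,fd=8))'

# On a live node:  ss -ltnp | pcmk_remote_wildcard_listeners || echo "not restricted"
```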

Comment 14 errata-xmlrpc 2020-09-29 20:03:57 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (pacemaker bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:3951