
Bug 1759079

Summary: pacemaker resource bundle in network mode host will listen on all IP addresses and cannot limit the listening socket to a specific IP/port address pair
Product: Red Hat Enterprise Linux 7
Reporter: Andreas Karis <akaris>
Component: pacemaker
Assignee: Ken Gaillot <kgaillot>
Status: CLOSED DUPLICATE
QA Contact: cluster-qe <cluster-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.7
CC: abeekhof, cluster-maint
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-10-07 13:38:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Andreas Karis 2019-10-07 11:33:24 UTC
Description of problem:
pacemaker resource bundle in network mode host will listen on all IP addresses and cannot limit the listening socket to a specific IP/port address pair

When using pacemaker remote bundles and configuring network=host, we can only specify the listening port of the container with: Network: control-port=<port>

However, this is insecure. We need to be able to specify one or more tuples, limiting the listening socket to specific IP addresses. Otherwise, we expose critical ports to the outside world. The below example is from a Red Hat OpenStack Platform 13 cluster.

Version-Release number of selected component (if applicable):
[root@controller-0 ~]# rpm -qa | grep pacemaker
pacemaker-remote-1.1.20-5.el7_7.1.x86_64
pacemaker-1.1.20-5.el7_7.1.x86_64
ansible-pacemaker-1.0.4-0.20180220234310.0e4d7c0.el7ost.noarch
pacemaker-libs-1.1.20-5.el7_7.1.x86_64
pacemaker-cluster-libs-1.1.20-5.el7_7.1.x86_64
pacemaker-cli-1.1.20-5.el7_7.1.x86_64
puppet-pacemaker-0.7.2-0.20180423212257.el7ost.noarch


Additional info:

pacemaker-remote bundle control-port:
https://clusterlabs.org/pacemaker/doc/en-US/Pacemaker/1.1/html/Pacemaker_Explained/_bundle_primitive.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/high_availability_add-on_reference/s1-containers-haar
~~~
control-port (default 3121)

If the bundle contains a Pacemaker resource, the cluster will use this integer TCP port for communication with Pacemaker Remote inside the container. Changing this is useful when the container is unable to listen on the default port, which could happen when the container uses the host’s network rather than ip-range-start (in which case replicas-per-host must be 1), or when the bundle may run on a Pacemaker Remote node that is already listening on the default port. Any PCMK_remote_port environment variable set on the host or in the container is ignored for bundle connections.

When a Pacemaker bundle configuration uses the control-port parameter, then if the bundle has its own IP address the port needs to be open on that IP address on and from all full cluster nodes running corosync. If, instead, the bundle has set the network="host" container parameter, the port needs to be open on each cluster node's IP address from all cluster nodes.
~~~

~~~
[root@controller-0 ~]# pcs resource show rabbitmq-bundle | grep host
  Docker: image=registry.access.redhat.com/rhosp13/openstack-rabbitmq:pcmklatest network=host options="--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS" replicas=3 run-command="/bin/bash /usr/local/bin/kolla_start"
   options=ro source-dir=/etc/hosts target-dir=/etc/hosts (rabbitmq-hosts)
   Meta Attrs: container-attribute-target=host notify=true
~~~

~~~
[root@controller-0 ~]# pcs resource show rabbitmq-bundle | grep control-port
  Network: control-port=3122
~~~

Looking at the container in particular:
~~~
[root@controller-0 ~]# docker inspect rabbitmq-bundle-docker-0 | grep 3122
                "PCMK_remote_port=3122",
[root@controller-0 ~]# docker inspect rabbitmq-bundle-docker-0 | grep network
[root@controller-0 ~]# docker inspect rabbitmq-bundle-docker-0 | grep network -i
            "NetworkMode": "host",
        "NetworkSettings": {
            "Networks": {
                    "NetworkID": "8aa1bd558e3dc822f1b00389dbce833f64723be2af39d195392684c7c84a5ea5",
~~~

~~~
()[root@controller-0 /]# ss -lntp | grep 3122
LISTEN     0      10        [::]:3122                  [::]:*                   users:(("pacemaker_remot",pid=14,fd=8))
()[root@controller-0 /]# ps aux | grep 14
root          14  0.1  0.0 100756  4736 ?        Ss   10:24   0:06 /usr/sbin/pacemaker_remoted
root        1028  0.0  0.0  11688  1444 ?        S    10:25   0:00 /bin/sh /usr/sbin/rabbitmq-server
rabbitmq    1497  0.0  0.0  11592   452 ?        Ss   10:25   0:00 inet_gethost 4
rabbitmq    1498  0.0  0.0  13716   696 ?        S    10:25   0:00 inet_gethost 4
root       84344  0.0  0.0   9092   664 ?        S+   11:22   0:00 grep --color=auto 14
~~~

The container uses full host networking:
~~~
()[root@controller-0 /]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:a9:6b:90 brd ff:ff:ff:ff:ff:ff
    inet 192.168.24.22/24 brd 192.168.24.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fea9:6b90/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:2c:b0:ad brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe2c:b0ad/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast master ovs-system state UP group default qlen 1000
    link/ether 52:54:00:7e:14:52 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe7e:1452/64 scope link 
       valid_lft forever preferred_lft forever
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master ovs-system state UP group default qlen 1000
    link/ether 52:54:00:75:16:a3 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe75:16a3/64 scope link 
       valid_lft forever preferred_lft forever
6: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether a6:67:68:26:c8:8b brd ff:ff:ff:ff:ff:ff
7: br-tenant: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 52:54:00:7e:14:52 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::5054:ff:fe7e:1452/64 scope link 
       valid_lft forever preferred_lft forever
8: br-external: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 4e:09:a1:d9:e7:43 brd ff:ff:ff:ff:ff:ff
    inet 172.16.0.104/24 brd 172.16.0.255 scope global br-external
       valid_lft forever preferred_lft forever
    inet6 fe80::4c09:a1ff:fed9:e743/64 scope link 
       valid_lft forever preferred_lft forever
9: vlan202: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 96:45:18:c8:49:13 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.18/24 brd 172.18.0.255 scope global vlan202
       valid_lft forever preferred_lft forever
    inet6 fe80::9445:18ff:fec8:4913/64 scope link 
       valid_lft forever preferred_lft forever
10: vlan201@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:2c:b0:ad brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.15/24 brd 172.17.0.255 scope global vlan201
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe2c:b0ad/64 scope link 
       valid_lft forever preferred_lft forever
11: vlan203@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:2c:b0:ad brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.27/24 brd 172.19.0.255 scope global vlan203
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe2c:b0ad/64 scope link 
       valid_lft forever preferred_lft forever
12: vlan204@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:2c:b0:ad brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.22/24 brd 172.20.0.255 scope global vlan204
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe2c:b0ad/64 scope link 
       valid_lft forever preferred_lft forever
13: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:e6:de:1a:86 brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.1/24 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:e6ff:fede:1a86/64 scope link 
       valid_lft forever preferred_lft forever
50: br-int: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether c6:bf:ee:5a:c2:4e brd ff:ff:ff:ff:ff:ff
51: br-tun: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether aa:28:10:8f:bb:48 brd ff:ff:ff:ff:ff:ff
52: vxlan_sys_4789: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
    link/ether 92:4f:f9:c2:61:7b brd ff:ff:ff:ff:ff:ff
    inet6 fe80::904f:f9ff:fec2:617b/64 scope link 
       valid_lft forever preferred_lft forever
~~~

The question is whether there is a way to tell pacemaker_remote to listen only on a specific IP:PORT tuple while the container is in NetworkMode: host.
~~~
[root@controller-0 ~]# pcs resource bundle update rabbitmq-bundle network control-port=3122
[root@controller-0 ~]# pcs resource bundle update rabbitmq-bundle network control-port=172.17.0.15:3122
Error: '172.17.0.15:3122' is not a valid control-port value, use a port number (1-65535)
[root@controller-0 ~]# 
~~~

This does not seem to be the case.
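Because pacemaker_remote inside a network=host bundle cannot be bound to one address, the control that is actually available is the host firewall. The script below is an added example, not part of this bug report or of the pacemaker project: it parses `ss -lntp` output to flag a control port bound to a wildcard address (the `[::]:3122` listener shown above), and prints iptables rules that accept that port only from the other cluster nodes' addresses and reject it from everywhere else. The sample ss lines and the peer addresses 172.17.0.14 and 172.17.0.16 are constructed for the example, and inserting into the INPUT chain is an assumption about the node's firewall layout.

```bash
#!/bin/bash
# Added example, not from the bug report or the pacemaker project.
# 1) wildcard_listeners: find LISTEN sockets on a port whose local address
#    is a wildcard (*, 0.0.0.0, [::]); pacemaker_remote in a network=host
#    bundle shows up this way.
# 2) control_port_rules: print iptables/ip6tables commands that accept the
#    port only from the listed cluster node addresses and reject the rest.

# Constructed sample in `ss -lntp` format (the first line mirrors the
# listener reported in this bug; the other two are made up for contrast).
SAMPLE_SS='LISTEN     0      10        [::]:3122                  [::]:*                   users:(("pacemaker_remot",pid=14,fd=8))
LISTEN     0      128    172.17.0.15:5672                  *:*                   users:(("beam.smp",pid=1600,fd=50))
LISTEN     0      128       0.0.0.0:22                     *:*                   users:(("sshd",pid=900,fd=3))'

# wildcard_listeners PORT [SS_OUTPUT]
# Prints "<process> <local address:port>" for each wildcard listener on PORT.
# Returns 0 if at least one was found, 1 otherwise. With no second argument
# it inspects the live host via `ss -lntp`.
wildcard_listeners() {
  local port ss_out
  port="$1"
  ss_out="${2:-$(ss -lntp)}"
  printf '%s\n' "$ss_out" | awk -v port="$port" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")          # local address is field 4
      p = parts[n]                       # port follows the last ":"
      addr = substr($4, 1, length($4) - length(p) - 1)
      if (p != port) next
      if (addr == "*" || addr == "0.0.0.0" || addr == "[::]" || addr == "::") {
        proc = $NF                       # users:(("name",pid=..,fd=..))
        sub(/^users:\(\("/, "", proc)
        sub(/".*$/, "", proc)
        print proc, $4
        found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# valid_ipv4 ADDR: four dotted decimal octets, each 0-255.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
    { exit 1 }'
}

# control_port_rules PORT NODE_IP...
# Every rule is inserted at the top of INPUT with -I: the REJECTs go in
# first, then each ACCEPT is inserted above them, so the final order is
# ACCEPT(peers) -> REJECT(port) -> pre-existing rules, whatever those are.
# A [::] socket also takes IPv4-mapped connections on a dual-stack host,
# so the IPv6 side of the port is rejected too (no IPv6 peers assumed).
control_port_rules() {
  local port ip
  port="$1"
  shift
  case "$port" in
    ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
  esac
  [ "$#" -gt 0 ] || { echo "no peer addresses given; refusing to lock out the cluster" >&2; return 2; }
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 2; }
  done
  printf 'iptables -I INPUT -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$port"
  printf 'ip6tables -I INPUT -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$port"
  for ip in "$@"; do
    printf 'iptables -I INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$ip" "$port"
  done
}

# Demo against the constructed sample; replace "$SAMPLE_SS" with
# "$(ss -lntp)" to check a real controller. Peer addresses are made up.
if hits=$(wildcard_listeners 3122 "$SAMPLE_SS"); then
  echo "wildcard listener(s) on 3122: $hits"
  control_port_rules 3122 172.17.0.14 172.17.0.16
fi
```

Per the documentation quoted above, with network="host" the control port has to be reachable on each cluster node's address from all cluster nodes, so every corosync node's address belongs in the peer list; the function refuses to emit rules with an empty list so that a typo cannot cut the whole cluster off from the bundle. This only narrows who can reach the socket; the bind itself stays on the wildcard address, which is what the report asks to change.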

Comment 2 Andreas Karis 2019-10-07 13:38:04 UTC

*** This bug has been marked as a duplicate of bug 1743373 ***