Bug 1784222 - pcsd is listening on all networks available including external networks
Summary: pcsd is listening on all networks available including external networks
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 16.0 (Train)
Hardware: x86_64
OS: Linux
urgent
urgent
Target Milestone: z1
: 16.0 (Train on RHEL 8.1)
Assignee: Michele Baldessari
QA Contact: pkomarov
URL:
Whiteboard:
: 1804721 1805604 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-17 01:09 UTC by Takashi Kajinami
Modified: 2023-03-24 16:29 UTC (History)
13 users (show)

Fixed In Version: puppet-tripleo-11.4.1-0.20200204230745.801f789.el8ost puppet-pacemaker-0.8.1-0.20200203145608.83d23b3.el8ost openstack-tripleo-heat-templates-11.3.2-0.20200204230640.7a0659c.el8ost
Doc Type: Enhancement
Doc Text:
With this update, the pcs service now restricts listening to the InternalApi network by default.
Clone Of:
Environment:
Last Closed: 2020-03-03 09:45:05 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1856626 0 None None None 2019-12-17 01:18:27 UTC
Launchpad 1861668 0 None None None 2020-02-03 13:57:20 UTC
Red Hat Issue Tracker OSP-3297 0 None None None 2022-03-25 01:34:03 UTC
Red Hat Product Errata RHBA-2020:0655 0 None None None 2020-03-03 09:45:47 UTC

Description Takashi Kajinami 2019-12-17 01:09:36 UTC 
Description of problem:

When we deploy overcloud by director, we see that pcsd is listening on all available networks,
which means that we can access to pcsd from external network connected to controller nodes.

~~~
[heat-admin@controller-0 ~]$ sudo ps aux | grep pcsd | grep -v grep
root      280462  0.0  0.1 986088 58020 ?        Ssl  Dec09   2:44 /usr/bin/ruby /usr/lib/pcsd/pcsd
[heat-admin@controller-0 ~]$ sudo netstat -anp | grep ruby
tcp        0      0 :::2224                 0.0.0.0:*               LISTEN      280462/ruby 
~~~

However, we expect that only operators can use pcsd to manage cluster services,
so it would be better to make pcsd listen on a specific internal network instead of all networks


How reproducible:
Always

Steps to Reproduce:
1. Deploy overcloud
2. See which networks pcsd listening on

Actual results:
pcsd is listening on all networks

Expected results:
pcsd is listening on a specific network


Additional info:
Comment 1 Luca Miccini 2019-12-18 09:32:49 UTC 
fixed by https://github.com/openstack/puppet-pacemaker/commit/6138c5b9f35b1bddc1ee17c08372b7bde85c264d
Comment 2 Luca Miccini 2019-12-18 10:32:29 UTC 
backpedaling as we need THT support for this to be on POST.
Comment 3 Takashi Kajinami 2019-12-20 13:55:30 UTC 
To fix the bug reported, we need the following 3 patches.
 https://review.opendev.org/#/q/topic:bug/1856626+(status:open+OR+status:merged)
I'll backport all of them to stable branches once all patches land in master.

 puppet-pacemaker      : https://review.opendev.org/#/c/697942/
 puppet-tripleo        : https://review.opendev.org/#/c/697943/
 tripleo-heat-templates: https://review.opendev.org/#/c/699318/
Comment 4 Matthias Runge 2020-01-22 10:01:06 UTC 
neither the change in puppet-pacemaker nor the tht change was backported.

the change in puppet-tripleo is included eg. in  puppet-tripleo-11.4.1-0.20200118215809.6f9bf6c.el8ost.noarch
Comment 13 Luca Miccini 2020-02-11 12:46:06 UTC 
switching version to 16.0, will clone for 13.0 eventually.
Comment 15 shreshtha joshi 2020-02-12 09:51:04 UTC 
Thanks Michele. I will add it the correct version of puppet-pacemaker in next compose.
Comment 17 Michele Baldessari 2020-02-15 14:56:29 UTC 
*** Bug 1803362 has been marked as a duplicate of this bug. ***
Comment 19 pkomarov 2020-02-18 12:31:30 UTC 
Verified , 


(overcloud) [stack@undercloud-0 ~]$ ./rpm_compare puppet-tripleo-11.4.1-0.20200204230745.801f789.el8ost puppet-pacemaker-0.8.1-0.20200203145608.83d23b3.el8ost openstack-tripleo-heat-templates-11.3.2-0.20200204230640.7a0659c.el8ost
package tested: puppet-tripleo-11.4.1-0.20200204230745.801f789.el8ost
package installed : puppet-tripleo-11.4.1-0.20200205150840.71ff36d.el8ost.noarch





[stack@undercloud-0 ~]$ ansible controller -b -mshell -a 'ss -atpln|grep pcsd'
[WARNING]: Found both group and host with same name: undercloud

controller-0 | CHANGED | rc=0 >>
LISTEN   0         128             172.17.1.94:2224             0.0.0.0:*        users:(("pcsd",pid=4206,fd=6))                                                 

controller-2 | CHANGED | rc=0 >>
LISTEN   0         128             172.17.1.44:2224             0.0.0.0:*        users:(("pcsd",pid=4181,fd=6))                                                 

controller-1 | CHANGED | rc=0 >>
LISTEN   0         128             172.17.1.59:2224             0.0.0.0:*        users:(("pcsd",pid=4173,fd=6))
Comment 20 Alex McLeod 2020-02-19 12:39:21 UTC 
If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field. The documentation team will review, edit, and approve the text.

If this bug does not require doc text, please set the 'requires_doc_text' flag to '-'.
Comment 21 Michele Baldessari 2020-02-19 15:12:35 UTC 
*** Bug 1804721 has been marked as a duplicate of this bug. ***
Comment 22 Michele Baldessari 2020-02-21 07:05:59 UTC 
*** Bug 1805604 has been marked as a duplicate of this bug. ***
Comment 24 errata-xmlrpc 2020-03-03 09:45:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0655
Note You need to log in before you can comment on or make changes to this bug.