2187877 – HAProxy stats page port 1993/tcp is not allowed

Bug 2187877 - HAProxy stats page port 1993/tcp is not allowed

Summary: HAProxy stats page port 1993/tcp is not allowed

Keywords:
Status:	MODIFIED
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-tripleo-heat-templates
Sub Component:
Version:	17.0 (Wallaby)
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	z2
Target Release:	17.1
Assignee:	OSP Team
QA Contact:	Joe H. Rahme
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-04-19 02:37 UTC by yatanaka
Modified:	2023-08-14 06:51 UTC (History)
CC List:	4 users (show)
Fixed In Version:	openstack-tripleo-heat-templates-14.3.1-17.1.20230813011053.2bcb0ca.el9osttrunk
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	880787	0	None	MERGED	Allow 1993 port for HAProxy stats page	2023-08-12 05:56:38 UTC
Red Hat Issue Tracker	OSP-24350	0	None	None	None	2023-04-19 02:37:36 UTC

Description yatanaka 2023-04-19 02:37:11 UTC

Description of problem:

In Controller nodes, HAProxy stats page listens on 1993/tcp port.

~~~
</var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg>
listen haproxy.stats
  bind 192.168.24.17:1993 transparent
  bind 192.168.24.22:1993 transparent
  mode http
  stats enable
  stats uri /
  stats auth admin:wwqZw1lHyD7Y7jL6xhBxNoK3g

[root@central-controller-1 ~]# netstat -aneopt|grep 1993
tcp        0      0 192.168.24.22:1993      0.0.0.0:*               LISTEN      0          59524      7320/haproxy         off (0.00/0/0)
tcp        0      0 192.168.24.17:1993      0.0.0.0:*               LISTEN      0          59523      7320/haproxy         off (0.00/0/0)
~~~

However, in RHOPS 17.0, this port is not allowed by default.

~~~
[root@central-controller-1 ~]# iptables -nvL |grep 1993
[root@central-controller-1 ~]# 

[stack@undercloud ~]$ curl 192.168.24.17:1993
curl: (28) Failed to connect to 192.168.24.17 port 1993: Connection timed out
~~~

RHOSP 16.2 or earlier allow 1993 port as below.

~~~
[root@overcloud-controller-1 ~]# cat /etc/rhosp-release 
Red Hat OpenStack Platform release 16.2.4 (Train)
[root@overcloud-controller-1 ~]# iptables -nvL |grep 1993
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1993 state NEW /* 107 haproxy stats ipv4 */
~~~


Version-Release number of selected component (if applicable):
RHOSP 17.0

How reproducible:
Deploy overcloud normally.

Actual results:
1993 port is not allowed

Expected results:
1993 port is allowed

Comment 1 yatanaka 2023-04-19 03:20:05 UTC

I've made a merge request below.

https://review.opendev.org/c/openstack/tripleo-heat-templates/+/880787

Comment 2 Luca Miccini 2023-04-20 10:27:02 UTC

thanks for the report and for the patch.
workaround: custom firewall rule using the documented steps: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.0/html-single/security_and_hardening_guide/index#proc_adding-services-to-the-overcloud-firewall_security-enhancements

Comment 5 Luca Miccini 2023-08-10 13:39:51 UTC

moved by mistake

Note You need to log in before you can comment on or make changes to this bug.