Bug 2187877 - HAProxy stats page port 1993/tcp is not allowed
Summary: HAProxy stats page port 1993/tcp is not allowed
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.0 (Wallaby)
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: z2
: 17.1
Assignee: OSP Team
QA Contact: Joe H. Rahme
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-04-19 02:37 UTC by yatanaka
Modified: 2023-08-14 06:51 UTC
4 users

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-17.1.20230813011053.2bcb0ca.el9osttrunk
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 880787 0 None MERGED Allow 1993 port for HAProxy stats page 2023-08-12 05:56:38 UTC
Red Hat Issue Tracker OSP-24350 0 None None None 2023-04-19 02:37:36 UTC

Description yatanaka 2023-04-19 02:37:11 UTC
Description of problem:

On Controller nodes, the HAProxy stats page listens on port 1993/tcp.

~~~
</var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg>
listen haproxy.stats
  bind 192.168.24.17:1993 transparent
  bind 192.168.24.22:1993 transparent
  mode http
  stats enable
  stats uri /
  stats auth admin:wwqZw1lHyD7Y7jL6xhBxNoK3g

[root@central-controller-1 ~]# netstat -aneopt|grep 1993
tcp        0      0 192.168.24.22:1993      0.0.0.0:*               LISTEN      0          59524      7320/haproxy         off (0.00/0/0)
tcp        0      0 192.168.24.17:1993      0.0.0.0:*               LISTEN      0          59523      7320/haproxy         off (0.00/0/0)
~~~

However, in RHOSP 17.0, this port is not allowed by default.

~~~
[root@central-controller-1 ~]# iptables -nvL |grep 1993
[root@central-controller-1 ~]# 

[stack@undercloud ~]$ curl 192.168.24.17:1993
curl: (28) Failed to connect to 192.168.24.17 port 1993: Connection timed out
~~~

RHOSP 16.2 and earlier allow port 1993, as shown below.

~~~
[root@overcloud-controller-1 ~]# cat /etc/rhosp-release 
Red Hat OpenStack Platform release 16.2.4 (Train)
[root@overcloud-controller-1 ~]# iptables -nvL |grep 1993
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1993 state NEW /* 107 haproxy stats ipv4 */
~~~


Version-Release number of selected component (if applicable):
RHOSP 17.0

How reproducible:
Deploy overcloud normally.

Actual results:
Port 1993 is not allowed.

Expected results:
Port 1993 is allowed.
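
The mismatch the report describes (a service listening on a port that no firewall rule opens) is easy to check mechanically. The script below is an added example, not part of the bug report or of tripleo-heat-templates: it parses the text output of `netstat -aneopt` (or `ss -lntp`) and `iptables -nvL` and returns the listening TCP ports that no ACCEPT rule covers. The sample outputs are constructed from the lines quoted in the report; the ssh and http rules in them are assumed for illustration.

```python
"""Cross-check listening TCP ports against iptables ACCEPT rules.

Added example (not the reporter's or the project's code). Feed it the
real output of `netstat -aneopt` and `iptables -nvL` from a controller
to find listeners that the host firewall silently blocks, which is the
symptom reported above for the HAProxy stats port 1993.
"""
import re
from typing import Set

# Constructed sample: the two 1993 listeners quoted in the report plus an
# assumed HAProxy listener on port 80, in `netstat -aneopt` format.
NETSTAT_OUTPUT = """\
tcp        0      0 192.168.24.22:1993      0.0.0.0:*               LISTEN      0          59524      7320/haproxy         off (0.00/0/0)
tcp        0      0 192.168.24.17:1993      0.0.0.0:*               LISTEN      0          59523      7320/haproxy         off (0.00/0/0)
tcp        0      0 192.168.24.17:80        0.0.0.0:*               LISTEN      0          59510      7320/haproxy         off (0.00/0/0)
"""

# Constructed sample: a 17.0-style ruleset with no rule for 1993.
# The ssh and haproxy rules are assumed, not taken from the report.
IPTABLES_17_OUTPUT = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22 state NEW /* 003 accept ssh from all ipv4 */
   12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443 state NEW /* 100 haproxy ipv4 */
"""

# Constructed sample: the same ruleset plus the 16.2 rule quoted in the report.
IPTABLES_162_OUTPUT = IPTABLES_17_OUTPUT + (
    "    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0"
    "            multiport dports 1993 state NEW /* 107 haproxy stats ipv4 */\n"
)

# Matches `dport 22`, `dports 1993` and `dports 80,443`; captures the port spec.
_PORT_SPEC = re.compile(r"\bdports?\s+(\S+)")


def listening_tcp_ports(netstat_text: str) -> Set[int]:
    """Return TCP ports in LISTEN state from netstat or ss style output.

    Both `netstat -aneopt` and `ss -lntp` put the local address in the
    fourth column. Loopback-only listeners are skipped because they never
    need an INPUT rule for remote access.
    """
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or "LISTEN" not in fields:
            continue
        local = fields[3]
        if local.startswith(("127.", "[::1]", "::1:")):
            continue
        addr, sep, port = local.rpartition(":")
        if sep and port.isdigit():
            ports.add(int(port))
    return ports


def accepted_tcp_ports(iptables_text: str) -> Set[int]:
    """Return destination ports opened by tcp ACCEPT rules in `iptables -nvL` output.

    Handles `dport N`, `multiport dports A,B` and port ranges `A:B`.
    """
    ports = set()
    for line in iptables_text.splitlines():
        fields = line.split()
        if "ACCEPT" not in fields or "tcp" not in fields:
            continue  # chain headers and non-tcp rules
        match = _PORT_SPEC.search(line)
        if not match:
            continue  # ACCEPT rule without a port match (e.g. by interface)
        for spec in match.group(1).split(","):
            low, _, high = spec.partition(":")
            high = high or low
            ports.update(range(int(low), int(high) + 1))
    return ports


def unreachable_listeners(netstat_text: str, iptables_text: str) -> Set[int]:
    """Listening TCP ports that no ACCEPT rule opens: the report's symptom."""
    return listening_tcp_ports(netstat_text) - accepted_tcp_ports(iptables_text)


if __name__ == "__main__":
    for label, rules in (("17.0", IPTABLES_17_OUTPUT), ("16.2", IPTABLES_162_OUTPUT)):
        missing = unreachable_listeners(NETSTAT_OUTPUT, rules)
        print(f"{label}: listening ports without ACCEPT rule: {sorted(missing) or 'none'}")
```

The check is deliberately conservative: it only knows about explicit port matches, so a chain whose policy is ACCEPT, or rules that accept by interface or source address, will show up as "missing" and need a manual look. On TripleO controllers the INPUT chain ends in a DROP rule, so a listener that is absent from this list is genuinely unreachable from other hosts, as the `curl` timeout in the report shows.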

Comment 1 yatanaka 2023-04-19 03:20:05 UTC
I've made a merge request below.

https://review.opendev.org/c/openstack/tripleo-heat-templates/+/880787

Comment 2 Luca Miccini 2023-04-20 10:27:02 UTC
Thanks for the report and for the patch.
Workaround: add a custom firewall rule using the documented steps: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.0/html-single/security_and_hardening_guide/index#proc_adding-services-to-the-overcloud-firewall_security-enhancements

Comment 5 Luca Miccini 2023-08-10 13:39:51 UTC
moved by mistake
