Bug 2187877
| Summary: | HAProxy stats page port 1993/tcp is not allowed | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | yatanaka |
| Component: | openstack-tripleo-heat-templates | Assignee: | OSP Team <rhos-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Joe H. Rahme <jhakimra> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | | |
| Version: | 17.0 (Wallaby) | CC: | lmiccini, mburns, rhos-maint |
| Target Milestone: | z2 | Keywords: | Triaged |
| Target Release: | 17.1 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Fixed In Version: | openstack-tripleo-heat-templates-14.3.1-17.1.20231103010821.e7c7ce3.el9ost | Doc Type: | No Doc Update |
| Last Closed: | 2024-01-16 14:32:11 UTC | Type: | Bug |

I've made a merge request below.
https://review.opendev.org/c/openstack/tripleo-heat-templates/+/880787

thanks for the report and for the patch.
workaround: custom firewall rule using the documented steps: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/17.0/html-single/security_and_hardening_guide/index#proc_adding-services-to-the-overcloud-firewall_security-enhancements

moved by mistake

~~~
[stack@undercloud-0 ~]$ cat core_puddle_version
RHOS-17.1-RHEL-9-20231110.n.1
[root@controller-0 ~]# iptables -nvL |grep 1993
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1993 ctstate NEW /* 107 haproxy stats ipv4 */
[root@controller-0 ~]# curl -k https://192.168.24.39:1993
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
~~~

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 17.1.2 bug fix and enhancement advisory), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:0209

Description of problem:

In Controller nodes, HAProxy stats page listens on 1993/tcp port.

~~~
</var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg>
listen haproxy.stats
  bind 192.168.24.17:1993 transparent
  bind 192.168.24.22:1993 transparent
  mode http
  stats enable
  stats uri /
  stats auth admin:wwqZw1lHyD7Y7jL6xhBxNoK3g

[root@central-controller-1 ~]# netstat -aneopt|grep 1993
tcp 0 0 192.168.24.22:1993 0.0.0.0:* LISTEN 0 59524 7320/haproxy off (0.00/0/0)
tcp 0 0 192.168.24.17:1993 0.0.0.0:* LISTEN 0 59523 7320/haproxy off (0.00/0/0)
~~~

However, in RHOSP 17.0, this port is not allowed by default.

~~~
[root@central-controller-1 ~]# iptables -nvL |grep 1993
[root@central-controller-1 ~]#

[stack@undercloud ~]$ curl 192.168.24.17:1993
curl: (28) Failed to connect to 192.168.24.17 port 1993: Connection timed out
~~~

RHOSP 16.2 or earlier allow 1993 port as below.

~~~
[root@overcloud-controller-1 ~]# cat /etc/rhosp-release
Red Hat OpenStack Platform release 16.2.4 (Train)
[root@overcloud-controller-1 ~]# iptables -nvL |grep 1993
1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 1993 state NEW /* 107 haproxy stats ipv4 */
~~~

Version-Release number of selected component (if applicable):
RHOSP 17.0

How reproducible:
Deploy overcloud normally.

Actual results:
1993 port is not allowed

Expected results:
1993 port is allowed
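
The mismatch reported above (HAProxy binds a port that no firewall rule accepts) can be checked mechanically after a deployment. The following is an added example, not code from this bug report or from tripleo-heat-templates: it compares `bind` ports in a haproxy.cfg with ACCEPT rules in `iptables -nvL` output, handling both the `dpt:` and `multiport dports` forms quoted in this report. The sample inputs are constructed, and the function names, the `keystone_public` section and port 5000 are hypothetical.

```python
import re

# Constructed samples modelled on the output quoted in this bug report; the
# keystone_public section and the port 5000 rule are hypothetical filler.
HAPROXY_CFG = """\
listen haproxy.stats
  bind 192.168.24.17:1993 transparent
  bind 192.168.24.22:1993 transparent
  mode http
  stats enable
listen keystone_public
  bind 192.168.24.17:5000 transparent
"""
RULE = "0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 "
FW_MISSING = RULE + "tcp dpt:5000 ctstate NEW\n"  # 17.0 behaviour: no 1993 rule
FW_DPT = FW_MISSING + RULE + "tcp dpt:1993 ctstate NEW /* 107 haproxy stats ipv4 */\n"
FW_MULTIPORT = FW_MISSING + RULE + "multiport dports 1993 state NEW /* 107 haproxy stats ipv4 */\n"

def haproxy_bind_ports(cfg):
    """Map each listen/frontend section to the set of TCP ports it binds."""
    ports, section = {}, None
    for line in cfg.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] in ("listen", "frontend"):
            section = words[1]
        elif len(words) >= 2 and words[0] == "bind" and section:
            for addr in words[1].split(","):
                port = addr.rpartition(":")[2]
                if port.isdigit():  # port ranges and unix sockets are skipped
                    ports.setdefault(section, set()).add(int(port))
    return ports

def accepted_tcp_ports(iptables_nvl):
    """Ports of ACCEPT/tcp rules in `iptables -nvL` text (source/dest limits ignored)."""
    accepted = set()
    for line in iptables_nvl.splitlines():
        f = line.split()
        m = re.search(r"\bdpts?:(\S+)|\bdports (\S+)", line)
        if len(f) > 3 and f[2] == "ACCEPT" and f[3] == "tcp" and m:
            for item in (m.group(1) or m.group(2)).split(","):
                lo, _, hi = item.partition(":")  # "8000:8010" is a port range
                accepted.update(range(int(lo), int(hi or lo) + 1))
    return accepted

def unreachable_listeners(cfg, iptables_nvl):
    """Sections whose bound ports have no matching ACCEPT rule."""
    accepted = accepted_tcp_ports(iptables_nvl)
    return {s: sorted(p - accepted) for s, p in haproxy_bind_ports(cfg).items() if p - accepted}
```

An empty result only means a rule for each port exists; it does not show the rule is scoped to the intended source network.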