Bug 2417683 - [cephadm] cephadm doesn't open default HTTPS port (443) when mgmt-gateway is deployed using defaults and firewalld is active
Keywords:
Status: NEW
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat Storage
Component: Cephadm
Version: 9.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 9.1
Assignee: Redouane Kachach Elhichou
QA Contact: Vinayak Papnoi
Docs Contact: Rivka Pollack
URL:
Whiteboard:
Depends On:
Blocks: 2388233
Reported: 2025-11-28 09:26 UTC by Redouane Kachach Elhichou
Modified: 2025-11-30 12:53 UTC

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.Management gateway does not open HTTPS port during deployment
When the management gateway (`mgmt-gateway`) is deployed with default settings and `firewalld` is active, the default HTTPS port (443) is not opened in `firewalld`. The gateway listens on port 443 and is reachable locally, but remote access to the dashboard fails until the firewall is manually adjusted.

As a workaround, use one of the following options:

* Explicitly configure a port for `mgmt-gateway` by using the `--port` option or setting `spec.port`. This ensures that cephadm opens the correct port in `firewalld`.
* Manually open HTTPS (443) in `firewalld`. For example,

----
firewall-cmd --add-service=https
firewall-cmd --add-port=443/tcp
----
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Redouane Kachach Elhichou 2025-11-28 09:26:30 UTC
Description of problem:

When deploying the mgmt-gateway service with cephadm and not specifying a port explicitly (neither via --port nor via the service spec), the gateway listens on the default HTTPS port (443) as expected, but cephadm does not open this port in firewalld. As a result, the dashboard is only accessible locally on the gateway node while firewalld is running. Remote access works only if firewalld is stopped or manually configured (e.g. firewall-cmd --add-service=https).


Version-Release number of selected component (if applicable):
All releases are affected

How reproducible:
Always, when mgmt-gateway is deployed without an explicit port and firewalld is active and not pre-configured for HTTPS.

Steps to Reproduce:
1. Deploy a cephadm-managed cluster and enable firewalld on the host where mgmt-gateway will run (no https service / port 443 opened yet).
2. Deploy the mgmt-gateway service without specifying a port: no --port argument and no port field in the MgmtGatewaySpec.
3. From the gateway node, run curl -k https://<mgmt-gateway-ip> (this request must succeed).
4. From a different node or a remote machine, run the same curl -k https://<mgmt-gateway-ip> and observe that this request fails while firewalld is running.
5. Stop firewalld or manually run firewall-cmd --add-service=https and retry from the remote host (the request now succeeds).

Actual results:
1. mgmt-gateway listens on HTTPS and is reachable locally on the gateway node.
2. Port 443 is not open in the firewalld service.


Expected results:
cephadm must open HTTPS port 443 when mgmt-gateway is deployed using defaults (without an explicit port) on a node where the firewalld service is active.

Additional info:


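The following check is an added example, not part of the bug report or of cephadm: it decides whether firewalld already permits the port mgmt-gateway listens on, which is the condition that separates the working local request from the failing remote one in the reproduction steps. The function names `port_allowed` and `check_host` are hypothetical, and the check assumes the predefined `https` service maps to 443/tcp and reads only the default zone's runtime ports and services.

```shell
#!/bin/sh
# Added example. Inputs to port_allowed are the text printed by
# `firewall-cmd --list-ports` and `firewall-cmd --list-services`,
# so the decision logic can be exercised without a live firewalld.

# port_allowed PORT PORTS_OUTPUT SERVICES_OUTPUT
# Returns 0 if PORT/tcp is covered by an open port, an open port range,
# or (for 443 only) the predefined "https" service; 1 otherwise.
port_allowed() {
    want=$1; ports=$2; services=$3
    if [ "$want" = 443 ]; then
        for svc in $services; do
            if [ "$svc" = https ]; then return 0; fi
        done
    fi
    for entry in $ports; do
        case $entry in
            */tcp) range=${entry%/tcp} ;;   # ignore udp/sctp/dccp entries
            *) continue ;;
        esac
        lo=${range%-*}; hi=${range#*-}      # "443" gives lo=hi=443
        if [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# check_host [PORT]: apply the check to the live firewalld on this host.
# Assumption: only the default zone's runtime ports and services are read;
# rich rules and other zones are not considered.
check_host() {
    port=${1:-443}
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found"; return 2; }
    [ "$(firewall-cmd --state 2>/dev/null)" = running ] || { echo "firewalld is not running"; return 2; }
    if port_allowed "$port" "$(firewall-cmd --list-ports)" "$(firewall-cmd --list-services)"; then
        echo "OK: $port/tcp is open in firewalld"
    else
        echo "BLOCKED: $port/tcp is not open; remote access to mgmt-gateway will fail"
        return 1
    fi
}

# Run against the host only when asked, e.g.: sh check.sh --check 443
if [ "${1:-}" = "--check" ]; then
    check_host "${2:-443}"
fi
```

The `firewall-cmd --add-service` and `--add-port` commands in the workaround change only the runtime configuration unless `--permanent` is also used, so repeat the check after a firewalld reload or a reboot.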