Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
This project is now read‑only. Starting Monday, February 2, please use https://ibm-ceph.atlassian.net/ for all bug tracking management.

Bug 2417683

Summary: [cephadm] cephadm doesn't open default HTTPS port (443) when mgmt-gateway is deployed using defaults and firewalld is active
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Redouane Kachach Elhichou <rkachach>
Component: Cephadm Assignee: Redouane Kachach Elhichou <rkachach>
Status: CLOSED UPSTREAM QA Contact: Vinayak Papnoi <vpapnoi>
Severity: medium Docs Contact: Rivka Pollack <rpollack>
Priority: unspecified    
Version: 9.1 CC: cephqe-warriors, rpollack
Target Milestone: ---   
Target Release: 9.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
.Management gateway does not open HTTPS port during deployment

When the management gateway (`mgmt-gateway`) is deployed with default settings and `firewalld` is active, the default HTTPS port (443) is not opened in `firewalld`. The gateway listens on port 443 and is reachable locally, but remote access to the dashboard fails until the firewall is manually adjusted.

As a workaround, use one of the following options:

* Explicitly configure a port for `mgmt-gateway` by using the `--port` option or setting `spec.port`. This ensures that cephadm opens the correct port in `firewalld`.
* Manually open HTTPS (443) in `firewalld`. For example,

----
firewall-cmd --add-service=https
firewall-cmd --add-port=443/tcp
----
Story Points: ---
Clone Of: Environment:
Last Closed: 2026-03-04 09:57:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2388233    

Description Redouane Kachach Elhichou 2025-11-28 09:26:30 UTC
Description of problem:

When deploying the mgmt-gateway service with cephadm and not specifying a port explicitly (neither via --port nor via the service spec), the gateway listens on the default HTTPS port (443) as expected, but cephadm does not open this port in firewalld. As a result, the dashboard is only accessible locally on the gateway node while firewalld is running. Remote access works only if firewalld is stopped or manually configured (e.g. firewall-cmd --add-service=https).


Version-Release number of selected component (if applicable):
All releases are affected

How reproducible:
Always, when mgmt-gateway is deployed without an explicit port and firewalld is active and not pre-configured for HTTPS.

Steps to Reproduce:
1. Deploy a cephadm-managed cluster and enable firewalld on the host where mgmt-gateway will run (no https service / port 443 opened yet).
2. Deploy the mgmt-gateway service without specifying a port: no --port argument and no port field in the MgmtGatewaySpec.
3. From the gateway node, run curl -k https://<mgmt-gateway-ip> (this request must succeed)
4. From a different node or a remote machine, run the same curl -k https://<mgmt-gateway-ip> and observe that this request fails while firewalld is running.
5. Stop firewalld or manually run firewall-cmd --add-service=https and retry from the remote host (request now succeeds).

Actual results:
1. mgmt-gateway listens on HTTPS and is reachable locally on the gateway node.
2. Port 443 is not open in the firewalld service.


Expected results:
cephadm must open HTTPS port 443 when mgmt-gateway is deployed using defaults (without an explicit port) on a node where the firewalld service is active.

Additional info:

Comment 1 Red Hat Bugzilla 2026-03-04 09:57:43 UTC
This product has been discontinued or is no longer tracked in Red Hat Bugzilla.
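
The firewalld check behind the reproduction steps and workaround in the description above, as an added example that is not part of the bug report or of cephadm's code: a shell function that decides from `firewall-cmd --list-services` and `firewall-cmd --list-ports` output whether a TCP port is open. The helper names and the sample output are constructed for illustration; rich rules and custom service definitions are not inspected.

```bash
#!/usr/bin/env bash
# Added example (not cephadm code). port_allowed and report are hypothetical helpers.
# Limitation: rich rules and custom service definitions are not inspected.

# port_allowed PORT "SERVICES" "PORTS" -> returns 0 if PORT/tcp is permitted.
# SERVICES / PORTS are the text printed by `firewall-cmd --list-services`
# and `firewall-cmd --list-ports` for the zone being checked.
port_allowed() {
    local port=$1 services=$2 ports=$3 entry range lo hi
    # The predefined firewalld "https" service covers 443/tcp only.
    if [ "$port" = 443 ]; then
        for entry in $services; do
            [ "$entry" = https ] && return 0
        done
    fi
    for entry in $ports; do
        # Entries look like 443/tcp or 8000-8100/tcp; ignore non-TCP ones.
        [ "${entry##*/}" = tcp ] || continue
        range=${entry%/*}
        lo=${range%-*}   # "443" stays "443"; "8000-8100" becomes "8000"
        hi=${range#*-}   # "443" stays "443"; "8000-8100" becomes "8100"
        [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
    done
    return 1
}

report() {  # report LABEL PORT SERVICES PORTS
    if port_allowed "$2" "$3" "$4"; then
        echo "$1: $2/tcp open"
    else
        echo "$1: $2/tcp NOT open"
    fi
}

# Constructed sample output, shaped like a host hit by this bug:
# 443 appears only as UDP and the https service is absent.
SAMPLE_SERVICES="cockpit dhcpv6-client ssh"
SAMPLE_PORTS="9283/tcp 8443/tcp 443/udp"
report "sample" 443 "$SAMPLE_SERVICES" "$SAMPLE_PORTS"

# Live check of the default zone, only where firewalld is actually running.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    report "live" 443 "$(firewall-cmd --list-services)" "$(firewall-cmd --list-ports)"
fi
```

Without `--permanent`, `firewall-cmd --add-service` and `--add-port` change only the runtime configuration, which is also what `--list-services` and `--list-ports` report by default.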