Bug 789954 - Qpid daemon needs access to port 5674
Summary: Qpid daemon needs access to port 5674
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: SELinux
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On: 790005
Blocks: 761314 798625
 
Reported: 2012-02-13 10:59 UTC by Martin Bacovsky
Modified: 2019-09-26 13:30 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-22 18:26:32 UTC
Target Upstream Version:
Embargoed:



Description Martin Bacovsky 2012-02-13 10:59:32 UTC
Description of problem:
When I try to start Pulp's Qpid broker with allowed SSL connections it can't connect to the port. Default port for the QPIDD SSL communication is 5674.

As recommended by sealert

semanage port -a -t amqp_port_t -p tcp 5674

did the trick.

Version-Release number of selected component (if applicable):
katello-0.1.230

How reproducible:
Always

Steps to Reproduce:
# add qpid-broker private key file to the nss db
openssl rand -base64 24 > /etc/katello/pk12_password-file
openssl pkcs12 -in /etc/pki/tls/certs/qpid-broker.crt -inkey /etc/pki/tls/private/qpid-broker.key -export -out broker.pfx -password "file:/etc/katello/pk12_password-file"
pk12util -i broker.pfx -d /etc/pki/katello/nssdb/ -w /etc/katello/pk12_password-file -k /etc/katello/nss_db_password-file

# install the missing qpid ssl packages
yum install -y qpid-cpp-client-ssl qpid-cpp-server-store qpid-cpp-server-ssl

# fix the QPID configuration
cat >> /etc/qpidd.conf <<EOF
require-encryption=yes
ssl-require-client-authentication=yes
ssl-port=5674
ssl-cert-db=/etc/pki/katello/nssdb
ssl-cert-password-file=/etc/katello/nss_db_password-file
ssl-cert-name=broker
EOF

# Make sure /etc/pki/katello/nssdb and its content and /etc/katello/nss_db_password-file is readable by qpidd user otherwise qpidd won't start

#restart qpidd
service qpidd restart

lsof -i -P |grep qpidd

Actual results:
 qpidd     20522         qpidd   11u  IPv4 1606688      0t0  TCP *:5672 (LISTEN)

Additional info:
You can get the expected results by turning selinux permissive or running 
semanage port -a -t amqp_port_t -p tcp 5674

Expected results:
 qpidd     20522         qpidd   11u  IPv4 1606688      0t0  TCP *:5672 (LISTEN)
 qpidd     20522         qpidd   14u  IPv4 1606689      0t0  TCP *:5674 (LISTEN)
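
An added example (not part of the original report and not Katello's installer code): a shell check that reads the ssl-port from qpidd.conf-style text and tests whether `semanage port -l` output labels that port amqp_port_t, including ports that appear only inside a listed range. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the ssl-port configured for qpidd carries the
# SELinux port type the daemon is allowed to bind (amqp_port_t).

# Print the last ssl-port= value found in qpidd.conf-style text on stdin.
conf_ssl_port() {
    sed -n 's/^[[:space:]]*ssl-port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# port_is_labelled TYPE PROTO PORT: reads `semanage port -l` text on stdin and
# returns 0 if PORT is listed for TYPE/PROTO, either alone or inside a range.
port_is_labelled() {
    awk -v t="$1" -v p="$2" -v port="$3" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                item = $i; sub(/,$/, "", item)      # drop list separator
                n = split(item, r, "-")             # "5671-5672" or "5674"
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# check_label CONF_TEXT SEMANAGE_TEXT: prints "OK <port>" or "MISSING <port>".
check_label() {
    port=$(printf '%s\n' "$1" | conf_ssl_port)
    if printf '%s\n' "$2" | port_is_labelled amqp_port_t tcp "$port"; then
        echo "OK $port"
    else
        echo "MISSING $port"
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CONF='require-encryption=yes
ssl-port=5674
ssl-cert-name=broker'
SAMPLE_BEFORE='amqp_port_t                    tcp      5671-5672
amqp_port_t                    udp      5671-5672'
SAMPLE_AFTER='amqp_port_t                    tcp      5674, 5671-5672
amqp_port_t                    udp      5671-5672'

check_label "$SAMPLE_CONF" "$SAMPLE_BEFORE"   # label absent
check_label "$SAMPLE_CONF" "$SAMPLE_AFTER"    # label present
```

On a live host the same functions can be fed from /etc/qpidd.conf and from the output of semanage port -l, which lets an installer skip the semanage port -a call when the label already exists.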

Comment 1 Lukas Zapletal 2012-02-13 14:12:13 UTC
Until the policy is delivered in Pulp, we will add semanage call into our installer.

Comment 6 Lukas Zapletal 2012-02-24 15:16:09 UTC
No, it's not done yet, those are just links to the RHUI tree.

Comment 7 Lukas Zapletal 2012-02-27 12:30:58 UTC
This bug was solved and pushed. Was also fixing this issue.

https://bugzilla.redhat.com/show_bug.cgi?id=761314

Comment 8 Corey Welton 2012-03-12 19:53:14 UTC
QA Verified.


qpidd     1747         qpidd   10u  IPv4  13449      0t0  TCP *:5672 (LISTEN)
qpidd     1747         qpidd   13u  IPv4  13450      0t0  TCP *:5674 (LISTEN)
qpidd     1747         qpidd   15u  IPv4  13651      0t0  TCP deploy12.rdu.redhat.com:5674->deploy12.rdu.redhat.com:46447 (ESTABLISHED)

Comment 9 Corey Welton 2012-03-12 20:33:29 UTC
rather - 


[root@deploy12 ~]# lsof -i -P |grep qpidd
qpidd     7350         qpidd   10u  IPv4  35272      0t0  TCP *:5672 (LISTEN)
qpidd     7350         qpidd   13u  IPv4  35273      0t0  TCP *:5674 (LISTEN)

