keystone listens on an ephemeral TCP port, which breaks if other programs use that port for ephemeral connections
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | New | Undecided | Unassigned |
Bug Description
The keystone daemon (or WSGI) listens on TCP/35357 by default.
This port will be given as the source port to any TCP client program by the kernel. So if some program opens a remote connection, it may block this port and keystone will not be able to listen on that port anymore.
Apache may fail like this:
$ /etc/init.d/apache2 start
* Starting web server apache2 (98)Address already in use: AH00072: make_sock: could not bind to address X.X.X.X:35357
no listening sockets available, shutting down
AH00015: Unable to open logs
Action 'start' failed.
The Apache error log may have more information.
$ lsof -n -i|grep 21619|grep 35357
java 21619 quobyte 162u IPv6 67824 0t0 TCP X.X.X.X:
$ cat /proc/sys/
32768 61000
The solution would be to configure another admin_port that is not in the ephemeral range https:/
I mark this as a security bug, because the availability (https:/
Regards,
Stefan
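The check below is an added example for this report, not code from the bug report or from the keystone project. It tells whether a configured listen port (35357 in the report) falls inside the kernel's ephemeral range read from net.ipv4.ip_local_port_range, and whether net.ipv4.ip_local_reserved_ports already keeps the kernel from handing that port out as a source port. The file paths and sysctl names are the standard Linux ones; the function names and the constructed inputs in the comments are the example's own.

```python
"""Check a daemon's listen port against the kernel's ephemeral port range.

Added example; not OpenStack/keystone code. Sysctl formats assumed:
  net.ipv4.ip_local_port_range     -> "LOW HIGH"
  net.ipv4.ip_local_reserved_ports -> "35357,5000-5010" (ports and ranges)
"""
from typing import Dict, List, Tuple

PORT_RANGE_PATH = "/proc/sys/net/ipv4/ip_local_port_range"
RESERVED_PORTS_PATH = "/proc/sys/net/ipv4/ip_local_reserved_ports"


def parse_port_range(text: str) -> Tuple[int, int]:
    """Parse "32768 61000" into (32768, 61000), rejecting malformed input."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError("expected 'LOW HIGH', got %r" % text)
    low, high = int(parts[0]), int(parts[1])
    if not (1 <= low <= high <= 65535):
        raise ValueError("port range out of bounds: %d-%d" % (low, high))
    return low, high


def parse_reserved_ports(text: str) -> List[Tuple[int, int]]:
    """Parse the comma-separated reserved list into inclusive (low, high) spans."""
    spans = []
    for item in text.strip().split(","):
        item = item.strip()
        if not item:
            continue  # empty file or trailing comma
        if "-" in item:
            a, b = (int(x) for x in item.split("-", 1))
        else:
            a = b = int(item)
        if not (1 <= a <= b <= 65535):
            raise ValueError("reserved span out of bounds: %r" % item)
        spans.append((a, b))
    return spans


def is_reserved(port: int, spans: List[Tuple[int, int]]) -> bool:
    return any(low <= port <= high for low, high in spans)


def check_listen_port(port: int, port_range_text: str, reserved_text: str) -> Dict[str, object]:
    """Decide whether the kernel may hand `port` to a client as a source port.

    The port is unsafe if it lies in the ephemeral range and is not reserved.
    Reserving it only stops automatic assignment; a process that already
    holds the port (as in the report's lsof output) must still be moved.
    """
    low, high = parse_port_range(port_range_text)
    in_range = low <= port <= high
    reserved = is_reserved(port, parse_reserved_ports(reserved_text))
    safe = (not in_range) or reserved
    if safe:
        advice = "ok"
    else:
        advice = ("port %d is inside ephemeral range %d-%d; either move the "
                  "service below %d or run: sysctl -w "
                  "net.ipv4.ip_local_reserved_ports=%d" % (port, low, high, low, port))
    return {"port": port, "in_ephemeral_range": in_range,
            "reserved": reserved, "safe": safe, "advice": advice}


def check_host(port: int) -> Dict[str, object]:
    """Run the check against the live kernel settings of this host."""
    with open(PORT_RANGE_PATH) as f:
        port_range_text = f.read()
    with open(RESERVED_PORTS_PATH) as f:
        reserved_text = f.read()
    return check_listen_port(port, port_range_text, reserved_text)


if __name__ == "__main__":
    # Constructed inputs mirroring the report: range 32768-61000, nothing reserved.
    print(check_listen_port(35357, "32768 61000", ""))
    print(check_listen_port(35357, "32768 61000", "35357"))
```

Running it with the report's values flags 35357 as unsafe until it is either reserved or moved; once net.ipv4.ip_local_reserved_ports lists it, the kernel no longer picks it for outgoing connections, but an explicit bind() by the intended service still succeeds. On a real host, use check_host(35357) to read the live sysctl values.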
information type: Private Security → Public Security
This is a duplicate of bug 1253482.