keystone listens on ephemeral TCP port which breaks if other programs use that port for ephemeral stuff

Bug #1467476 reported by Stefan Andres
This bug affects 3 people

Affects: OpenStack Identity (keystone) | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

The keystone daemon (or WSGI) listens on TCP/35357 by default.

This port will be given as src port to any tcp client program by the kernel. So if some program opens a remote connection it may block this port and keystone will not be able to listen on that port anymore.

Apache may fail like this:
$ /etc/init.d/apache2 start
 * Starting web server apache2 (98)Address already in use: AH00072: make_sock: could not bind to address X.X.X.X:35357
no listening sockets available, shutting down
AH00015: Unable to open logs
Action 'start' failed.
The Apache error log may have more information.

$ lsof -n -i|grep 21619|grep 35357
java 21619 quobyte 162u IPv6 67824 0t0 TCP X.X.X.X:35357->Y.Y.Y.Y:7861 (ESTABLISHED)

$ cat /proc/sys/net/ipv4/ip_local_port_range
32768 61000

The solution would be to configure another admin_port which is not in the ephemeral range (https://en.wikipedia.org/wiki/Ephemeral_port). The default configuration should be changed to avoid this situation.

I mark this as a security bug, because the availability (https://en.wikipedia.org/?title=Information_security#Availability) of the keystone service cannot be guaranteed (as it did happen to us).

Regards,
  Stefan
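As an added example (not code from the report or from keystone), a small Python check for the collision described above: it parses the kernel's ephemeral range, flags configured listen ports that fall inside it, and builds the net.ipv4.ip_local_reserved_ports sysctl value that stops the kernel handing those ports out as source ports, which is the alternative to moving admin_port. The /proc paths are real Linux interfaces; the sample file contents and port list are constructed.

```python
"""Detect listen ports that sit inside the kernel's ephemeral port range."""

# Constructed sample of /proc/sys/net/ipv4/ip_local_port_range (values from the report).
SAMPLE_PORT_RANGE = "32768\t61000\n"
# Constructed sample of /proc/sys/net/ipv4/ip_local_reserved_ports (empty by default).
SAMPLE_RESERVED = "\n"
# Constructed list of ports a deployment listens on: keystone public and admin.
SAMPLE_LISTEN_PORTS = [5000, 35357]


def parse_port_range(text):
    """'32768\\t61000' -> (32768, 61000)."""
    lo, hi = (int(x) for x in text.split())
    return lo, hi


def parse_reserved_ports(text):
    """Parse the sysctl list format, e.g. '35357,49152-49160' -> set of ports."""
    reserved = set()
    for item in text.strip().split(","):
        if not item:
            continue
        if "-" in item:
            a, b = (int(x) for x in item.split("-"))
            reserved.update(range(a, b + 1))
        else:
            reserved.add(int(item))
    return reserved


def at_risk_ports(listen_ports, port_range_text, reserved_text=""):
    """Return listen ports the kernel may also hand out as ephemeral source ports."""
    lo, hi = parse_port_range(port_range_text)
    reserved = parse_reserved_ports(reserved_text)
    return sorted(p for p in listen_ports if lo <= p <= hi and p not in reserved)


def reserved_ports_sysctl(ports):
    """Build the sysctl setting that removes these ports from the ephemeral pool."""
    return "net.ipv4.ip_local_reserved_ports=" + ",".join(str(p) for p in sorted(ports))


if __name__ == "__main__":
    # On a live host, read the two /proc files instead of the constructed samples.
    risky = at_risk_ports(SAMPLE_LISTEN_PORTS, SAMPLE_PORT_RANGE, SAMPLE_RESERVED)
    if risky:
        print("listen ports inside ephemeral range:", risky)
        print("mitigation:", reserved_ports_sysctl(risky))
```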

Stefan Andres (s-andres)
information type: Private Security → Public Security
Jeremy Stanley (fungi) wrote :

This is a duplicate of bug 1253482.

information type: Public Security → Public
Tristan Cacqueray (tristan-cacqueray) wrote :

According to the OpenStack vulnerability taxonomy (https://security.openstack.org/vmt-process.html#incident-report-taxonomy) this report falls into the B class (insecure default value, deployment documentations).

OSSG has been subscribed to check whether this warrants an OSSN.
