tripleo

Missing a necessary firewall rule for rabbitmqctl command.

Bug #1866958 reported by Keigo Noha on 2020-03-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	tripleo	Fix Released	High	John Eckersberg	tripleo ussuri-3 "tripleo ussuri-3"

Bug Description

Current T-H-T doesn't have a firewall rule for rabbitmqctl.

Recent rabbitmq requires following port listed at https://www.rabbitmq.com/networking.html#ports.
In the list, T-H-T doesn't contain the following ports.

~~~
35672-35682: used by CLI tools (Erlang distribution client ports) for communication with nodes and is allocated from a dynamic range (computed as server distribution port + 10000 through server distribution port + 10010). See networking guide for details.
~~~

Because of this, 'rabbitmqctl list_queues' command cannot get all queues' information.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-11: Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/712249

Changed in tripleo:
assignee:	nobody → Keigo Noha (knoha)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-11: Change abandoned on tripleo-heat-templates (master)

Change abandoned by Emilien Macchi (<email address hidden>) on branch: master
Review: https://review.opendev.org/712249
Reason: Hi Keigo, this is taken care in https://review.opendev.org/#/c/711975/. Thanks for your patch.

Revision history for this message

Emilien Macchi (emilienm) wrote on 2020-03-11:

Taken care by https://review.opendev.org/#/c/711975/

Changed in tripleo:
milestone:	none → ussuri-3
importance:	Undecided → Medium

OpenStack Infra (hudson-openstack) on 2020-03-11

Changed in tripleo:
assignee:	Keigo Noha (knoha) → John Eckersberg (jeckersb)

Bogdan Dobrelya (bogdando) on 2020-03-11

Changed in tripleo:
importance:	Medium → High
tags:	added: train-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-03-12: Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/711975
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=a2bc2e10b0de522a81faca62b7b620432b267fbb
Submitter: Zuul
Branch: master

commit a2bc2e10b0de522a81faca62b7b620432b267fbb
Author: John Eckersberg <email address hidden>
Date: Mon Mar 9 11:44:50 2020 -0400

rabbitmq: Open ports 25673-25683 for CLI tools

    Since RabbitMQ 3.7.4, the CLI tools (rabbitmqctl and friends)
    parallelize the querying of information from cluster members. In
    order to receive stream data back, the cli instance binds and
    registers itself on an available port (default between 35672 and
    35682, inclusive). If these ports are firewalled off, then
    rabbitmqctl commands such as list_queues will hang waiting for data
    from remote cluster members.

This patch does two things:

    1) Reconfigures rabbitmqctl to bind to 25673-25683 instead of the
    default range of 35672-35682. This ensures the ports are not in the
    ephemeral port range and avoids unintended collisions.

2) Opens the firewall on 25673-25683 to enable communication.

    Resolves: rhbz#1811680
    Closes-Bug: #1866958
    Change-Id: If5caa51cd9a3aef97d06d491dde1d5129cc1a569