On Debian barbican-api is only listening on IPv4 address resulting in unlock rejected

Bug #1974045 reported by Andy
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  Medium      Andy

Bug Description

Brief Description
-----------------
On an IPv6 lab, barbican-api is only listening on an IPv4 address after bootstrap:

[root@controller-0 sysadmin(keystone_admin)]# netstat -antp | grep 9311
tcp 0 0 0.0.0.0:9311 0.0.0.0:* LISTEN 2597941/python3

This results in connections to Barbican via the internal endpoint (IPv6 URL) being refused, and the unlock fails.

Severity
--------
Critical

Steps to Reproduce
------------------
- On an IPv6 lab, install Debian load
- Bootstrap by ansible playbook
- After bootstrap, check Barbican listening port by "netstat -antp | grep 9311"
- curl to access Barbican internal endpoint
- unlock controller

Expected Behavior
------------------
- Barbican is listening on IPv6 network address after bootstrap
- curl to internal endpoint successful after bootstrap
- unlock successful

Actual Behavior
----------------
- Barbican is listening on IPv4 address only after bootstrap
- curl to internal endpoint refused after bootstrap
- unlock failed

Reproducibility
---------------
100% - Barbican is listening on IPv4 address only after bootstrap
100% - curl to internal endpoint refused after bootstrap
Seen once - unlock failed

System Configuration
--------------------
AIO-SX IPv6

Branch/Pull Time/Commit
-----------------------
STX master latest

Last Pass
---------
Unknown

Timestamp/Logs
--------------
See steps to reproduce

Test Activity
-------------
Developer Testing

Workaround
----------
Update gunicorn-config.py, and restart barbican-api:

[root@controller-0 sysadmin(keystone_admin)]# diff /etc/barbican/gunicorn-config.py_org /etc/barbican/gunicorn-config.py

3c3
< bind = ':9311'

> bind = '[::]:9311'
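Review bot: In the replacement line `bind = '[::]:9311'` the host is the IPv6 wildcard, so barbican-api accepts connections on every interface rather than only on the address the internal endpoint uses. Consider binding to that specific IPv6 address in brackets instead, and add a comment next to the `bind` line in gunicorn-config.py recording why it was changed, so the manual edit is not silently reverted or misread later.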

OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/stx-puppet/+/842373

Changed in starlingx:
status: New → In Progress
Andy (andy.wrs)
Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.7.0 stx.config stx.debian stx.security
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/842373
Committed: https://opendev.org/starlingx/stx-puppet/commit/b903155a91e5e758d8215d1ac2e750d031cdaf19
Submitter: "Zuul (22348)"
Branch: master

commit b903155a91e5e758d8215d1ac2e750d031cdaf19
Author: Andy Ning <email address hidden>
Date: Wed May 18 10:29:16 2022 -0400

    Set Barbican api to listen on the right IP address

    Currently barbican-api will be listening on IPv4 address after
    bootstrap even for IPv6 labs. This will result in connection to
    barbican service internal endpoint refused, and unlock controller
    failed on IPv6 labs.

    This commit updated barbican puppet manifest so that
    gunicorn-config.py gets updated to have the right bind IP address
    when started.

    Test Plan for Debian:
    PASS: package build, image build, installation on IPv6 lab
    PASS: after bootstrap, observe barbican-api is listening on mgmt
          IPv6 address
    PASS: after bootstrap, curl to barbican-api internal endpoint is
          successful
    PASS: controller unlock successfully

    Closes-Bug: 1974045
    Signed-off-by: Andy Ning <email address hidden>
    Change-Id: I4743df52e50fde7ffc55f909e9c79b7b2fd2bbab

Changed in starlingx:
status: In Progress → Fix Released
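
A static check for the mismatch reported in this bug, as an added example that is not part of the bug report or the stx-puppet change: it reads `bind` from gunicorn config text and reports whether a listener created from it would accept connections to the internal endpoint's IP and port. The function names, the sample address `fd00::2` and the `v6only` parameter are assumptions made for illustration; only IP-literal hosts are handled.

```python
import ast
import ipaddress

def binds_from_config(text):
    """Read `bind` from gunicorn config source without executing it."""
    for node in ast.parse(text).body:
        if isinstance(node, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "bind" for t in node.targets):
            value = ast.literal_eval(node.value)
            return [value] if isinstance(value, str) else list(value)
    return []

def parse_bind(bind):
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    if bind.startswith("["):
        host, _, rest = bind[1:].partition("]")
        port = rest.lstrip(":")
    else:
        host, _, port = bind.rpartition(":")
    # Empty host: the netstat output in the report shows ':9311' on 0.0.0.0.
    return host or "0.0.0.0", int(port)

def bind_serves(bind, endpoint_ip, endpoint_port, v6only=False):
    """True if a listener created from `bind` accepts endpoint_ip:endpoint_port."""
    host, port = parse_bind(bind)
    listen = ipaddress.ip_address(host)
    target = ipaddress.ip_address(endpoint_ip)
    if port != endpoint_port:
        return False
    if listen.version == target.version:
        return listen.is_unspecified or listen == target
    # Cross-family: only an IPv6 wildcard socket with IPV6_V6ONLY off
    # (assumed here via v6only=False) also accepts IPv4 clients.
    return listen.version == 6 and listen.is_unspecified and not v6only

def endpoint_reachable(config_text, endpoint_ip, endpoint_port):
    """True if any configured bind serves the endpoint."""
    return any(bind_serves(b, endpoint_ip, endpoint_port)
               for b in binds_from_config(config_text))

# Constructed inputs: the two bind lines from the workaround diff, and a
# made-up address (fd00::2) standing in for the internal endpoint's IP.
BEFORE = "bind = ':9311'\n"
AFTER = "bind = '[::]:9311'\n"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, endpoint_reachable(cfg, "fd00::2", 9311))
```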