pcsd is listening on all networks available including external networks

Bug #1856626 reported by Takashi Kajinami
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
tripleo | Fix Released | Undecided | Takashi Kajinami |

Bug Description

When we deploy the overcloud by director, we see that pcsd is listening on all available networks, which means that we can access pcsd from an external network connected to the controller nodes.

~~~
[heat-admin@controller-0 ~]$ sudo ps aux | grep pcsd | grep -v grep
root 280462 0.0 0.1 986088 58020 ? Ssl Dec09 2:44 /usr/bin/ruby /usr/lib/pcsd/pcsd
[heat-admin@controller-0 ~]$ sudo netstat -anp | grep ruby
tcp 0 0 :::2224 0.0.0.0:* LISTEN 280462/ruby
~~~

However, we expect that only operators can use pcsd to manage cluster services, so it would be better to make pcsd listen on a specific internal network instead of all networks.
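
A check for the condition shown in the netstat output above, added here as an example and not part of the original report or of the tripleo fix. The function name `check_pcsd_bind`, the sample helpers and the address 172.17.1.20 are assumptions made for illustration; port 2224 and the first sample line come from the report.

```shell
#!/bin/sh
# Added example: classify listeners on the pcsd port by bind address.
# Input format is `netstat -anp` output, as used in the bug description.

PCSD_PORT=2224   # port seen in the report's netstat output

# check_pcsd_bind: reads netstat lines on stdin.
# Prints "WILDCARD <addr>" or "SPECIFIC <addr>" for each LISTEN socket on
# $PCSD_PORT and returns 1 if any listener is bound to a wildcard address.
check_pcsd_bind() {
    awk -v port="$PCSD_PORT" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            local_addr = $4
            # The port is the text after the last colon, so IPv6
            # addresses such as "::" are handled as well.
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next
            host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            if (host == "" || host == "*" || host == "0.0.0.0" || host == "::") {
                print "WILDCARD " local_addr
                bad = 1
            } else {
                print "SPECIFIC " local_addr
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample input. The first line is the listener quoted in the report; the
# second is constructed and shows a listener bound to one internal address.
sample_before() {
    printf '%s\n' 'tcp 0 0 :::2224 0.0.0.0:* LISTEN 280462/ruby'
}
sample_after() {
    printf '%s\n' 'tcp 0 0 172.17.1.20:2224 0.0.0.0:* LISTEN 280462/ruby'
}

# Stand-alone run over the samples. On a controller node the input would
# instead be: sudo netstat -anp | check_pcsd_bind
sample_before | check_pcsd_bind || echo "pcsd is reachable on every interface"
sample_after | check_pcsd_bind && echo "pcsd is bound to a specific address"
```

The non-zero return on a wildcard bind lets the function serve as a post-deployment gate in a validation script.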

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.opendev.org/699318

Changed in tripleo:
assignee: nobody → Takashi Kajinami (kajinamit)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/697943
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=b5ee4bacacd3b63d98b7cf37d526c460f8113dcb
Submitter: Zuul
Branch: master

commit b5ee4bacacd3b63d98b7cf37d526c460f8113dcb
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 9 12:16:31 2019 +0900

    Add support to configure pcsd bind address

    Add support to configure pcsd bind address so that we can
    make pcsd listen on specific address instead of all interfaces
    on the node.

    Related-Bug: #1856626
    Depends-on: https://review.opendev.org/#/c/697942
    Depends-On: https://review.opendev.org/700250
    Change-Id: I442b190b6fa429ee3a81fd2ea84ada6ed9bca7d2

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/699318
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=3056f25bd1763a773a1acbab0f465d0f5bf5b778
Submitter: Zuul
Branch: master

commit 3056f25bd1763a773a1acbab0f465d0f5bf5b778
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 9 12:29:06 2019 +0900

    Make pcsd listen on PacemakerNetwork/PacemakerRemoteNetwork

    Configure bind address for pcsd so that it listens on a specific
    network instead of all available networks.

    Closes-Bug: #1856626
    Depends-on: https://review.opendev.org/#/c/697942
    Depends-on: https://review.opendev.org/#/c/697943
    Change-Id: Icc78fb96b28cd7a036d958ba78b2075e7c241207

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/700287

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/700288

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/700287
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=95111e6ca86e80fbf0f2b5d166bc7f5b230b4154
Submitter: Zuul
Branch: stable/train

commit 95111e6ca86e80fbf0f2b5d166bc7f5b230b4154
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 9 12:16:31 2019 +0900

    Add support to configure pcsd bind address

    Add support to configure pcsd bind address so that we can
    make pcsd listen on specific address instead of all interfaces
    on the node.

    Related-Bug: #1856626
    Depends-on: https://review.opendev.org/697942
    Change-Id: I442b190b6fa429ee3a81fd2ea84ada6ed9bca7d2
    (cherry picked from commit b5ee4bacacd3b63d98b7cf37d526c460f8113dcb)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/700288
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=7ee6cdec11e11d909f62575995a56e8cb0ea6d3f
Submitter: Zuul
Branch: stable/train

commit 7ee6cdec11e11d909f62575995a56e8cb0ea6d3f
Author: Takashi Kajinami <email address hidden>
Date: Mon Dec 9 12:29:06 2019 +0900

    Make pcsd listen on PacemakerNetwork/PacemakerRemoteNetwork

    Configure bind address for pcsd so that it listens on a specific
    network instead of all available networks.

    Closes-Bug: #1856626
    Depends-on: https://review.opendev.org/#/c/700287
    Change-Id: Icc78fb96b28cd7a036d958ba78b2075e7c241207
    (cherry picked from commit 3056f25bd1763a773a1acbab0f465d0f5bf5b778)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 12.1.0

This issue was fixed in the openstack/tripleo-heat-templates 12.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 11.4.0

This issue was fixed in the openstack/tripleo-heat-templates 11.4.0 release.
