Bug #52906
closed
cephadm rm-daemon is not closing any tcp ports that were opened for the daemon during the removal process
0%
Description
Deploying a daemon handles opening a port to make the daemon accessible, but when you remove a daemon the port that it was using is not removed from the firewall configuration and remains open.
Perhaps since the service has the port defined, when the orchestrator invokes the rm-daemon it could pass the port(s) to close as a parameter to the rm-daemon primitive?
Updated by Redouane Kachach Elhichou almost 2 years ago
I can't reproduce this bug. Please, can you provide more information about which daemon(s) suffer from this issue?
Updated by Paul Cuzner almost 2 years ago
Maybe things have changed over the past 7 months :)
However, all I did was to deploy normally with cephadm with monitoring. Monitoring deploys the node-exporter service and opens port 9100/tcp in the firewall. Now when you do an orch rm node-exporter, the daemon is removed but the 9100/tcp entry is still there in firewalld.
e.g.
[ceph: root@ceph-mstr-aio /]# ceph orch ls
NAME                       PORTS        RUNNING  REFRESHED  AGE  PLACEMENT
alertmanager               ?:9093,9094  1/1      4m ago     13d  count:1
container.ceph_exporter                 1/1      4m ago     13d  *
crash                                   1/1      4m ago     13d  *
grafana                    ?:3000       1/1      4m ago     13d  count:1
mgr                                     2/2      4m ago     13d  count:2
mon                                     1/5      4m ago     13d  count:5
node-exporter              ?:9100       1/1      4m ago     13d  *
osd.all-available-devices               3        4m ago     13d  *
prometheus                 ?:9095       1/1      4m ago     13d  count:1
This has the following firewall config - note 9100/tcp, which is node-exporter's port:
[root@ceph-mstr-aio ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ceph ceph-mon cockpit dhcpv6-client ssh
  ports: 9283/tcp 9093/tcp 9094/tcp 3000/tcp 9100/tcp 9095/tcp 9085/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
rm the service and then list the firewall state again
[ceph: root@ceph-mstr-aio /]# ceph orch rm node-exporter
Removed service node-exporter
[ceph: root@ceph-mstr-aio /]# ceph orch ps --refresh
NAME                                   HOST           PORTS        STATUS         REFRESHED  AGE  MEM USE  MEM LIM  VERSION                 IMAGE ID      CONTAINER ID
alertmanager.ceph-mstr-aio             ceph-mstr-aio  *:9093,9094  running (13d)  6m ago     13d  26.7M    -                                ba2b418f427c  598f54772c26
container.ceph_exporter.ceph-mstr-aio  ceph-mstr-aio  *:9085,9085  running (13d)  6m ago     13d  5829k    -        <unknown>               2873817247e6  df85a1c2de31
crash.ceph-mstr-aio                    ceph-mstr-aio               running (13d)  6m ago     13d  7004k    -        17.0.0-11522-g07a4e9eb  db54b809ca02  678e178b5e94
grafana.ceph-mstr-aio                  ceph-mstr-aio  *:3000       running (13d)  6m ago     13d  77.2M    -        8.3.5                   dad864ee21e9  bbff978f69ff
mgr.ceph-mstr-aio.bwbbho               ceph-mstr-aio  *:9283       running (13d)  6m ago     13d  691M     -        17.0.0-11522-g07a4e9eb  db54b809ca02  01c369ae12f8
mgr.ceph-mstr-aio.iiqopd               ceph-mstr-aio               running (13d)  6m ago     13d  429M     -        17.0.0-11522-g07a4e9eb  db54b809ca02  3db767235bfe
mon.ceph-mstr-aio                      ceph-mstr-aio               running (13d)  6m ago     13d  458M     2048M    17.0.0-11522-g07a4e9eb  db54b809ca02  bf3febe2ac23
osd.0                                  ceph-mstr-aio               running (13d)  6m ago     13d  148M     4096M    17.0.0-11522-g07a4e9eb  db54b809ca02  31918703ba68
osd.1                                  ceph-mstr-aio               running (13d)  6m ago     13d  151M     4096M    17.0.0-11522-g07a4e9eb  db54b809ca02  4e35df6a9000
osd.2                                  ceph-mstr-aio               running (13d)  6m ago     13d  147M     4096M    17.0.0-11522-g07a4e9eb  db54b809ca02  6ac7b9095fbd
prometheus.ceph-mstr-aio               ceph-mstr-aio  *:9095       starting       -          -    -        -        <unknown>               <unknown>     <unknown>
[root@ceph-mstr-aio ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: ceph ceph-mon cockpit dhcpv6-client ssh
  ports: 9283/tcp 9093/tcp 9094/tcp 3000/tcp 9100/tcp 9095/tcp 9085/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
As you can see 9100 is still present.
I don't think the cephadm rm_daemon function does anything with the port(s) defined in the unit.meta file.
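Added example (not part of the original thread and not cephadm code): an audit helper that compares the `ports:` line of `firewall-cmd --list-all` with the PORTS column of `ceph orch ps` and reports firewall entries that no remaining daemon declares. The function names are hypothetical, and the parser assumes the `*:port,port` column layout shown in the comment above and that every daemon port is TCP.

```python
import re
# Sample input, abbreviated from the output quoted in the comment above (after "ceph orch rm node-exporter").
ORCH_PS = """\
NAME                                   HOST           PORTS        STATUS
alertmanager.ceph-mstr-aio             ceph-mstr-aio  *:9093,9094  running (13d)
container.ceph_exporter.ceph-mstr-aio  ceph-mstr-aio  *:9085,9085  running (13d)
crash.ceph-mstr-aio                    ceph-mstr-aio               running (13d)
grafana.ceph-mstr-aio                  ceph-mstr-aio  *:3000       running (13d)
mgr.ceph-mstr-aio.bwbbho               ceph-mstr-aio  *:9283       running (13d)
prometheus.ceph-mstr-aio               ceph-mstr-aio  *:9095       starting
"""
FIREWALL = """\
public (active)
  services: ceph ceph-mon cockpit dhcpv6-client ssh
  ports: 9283/tcp 9093/tcp 9094/tcp 3000/tcp 9100/tcp 9095/tcp 9085/tcp
"""
PORTS_COL = re.compile(r"(?<!\S)\*:(\d+(?:,\d+)*)(?!\S)")  # e.g. "*:9093,9094"

def daemon_ports(orch_ps_text, host):
    """Map each port in the PORTS column to the daemons on `host` declaring it."""
    owners = {}
    for line in orch_ps_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        match = PORTS_COL.search(line)
        if len(fields) < 2 or fields[1] != host or not match:
            continue                                     # other host, or no port declared
        for port in match.group(1).split(","):
            owners.setdefault(int(port), set()).add(fields[0])
    return owners

def firewall_tcp_ports(list_all_text):
    """Return (low, high, token) for every TCP entry on the zone's 'ports:' line."""
    entries = []
    for line in list_all_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key != "ports":                               # skips forward-ports / source-ports
            continue
        for token in value.split():
            span, proto = token.split("/")
            low, _, high = span.partition("-")           # firewalld also accepts "lo-hi" ranges
            if proto == "tcp":
                entries.append((int(low), int(high or low), token))
    return entries

def stale_ports(orch_ps_text, list_all_text, host):
    """Firewall TCP entries that no daemon listed for `host` declares."""
    owners = daemon_ports(orch_ps_text, host)
    return sorted(token for low, high, token in firewall_tcp_ports(list_all_text)
                  if not any(low <= port <= high for port in owners))
```

Calling `stale_ports(ORCH_PS, FIREWALL, "ceph-mstr-aio")` on this sample flags only `9100/tcp`; a flagged port may also have been opened by something other than cephadm, so confirm that before closing it.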
Updated by Redouane Kachach Elhichou almost 2 years ago
- Assignee set to Redouane Kachach Elhichou
Updated by Redouane Kachach Elhichou almost 2 years ago
- Status changed from New to In Progress
Updated by Redouane Kachach Elhichou almost 2 years ago
- Status changed from In Progress to Fix Under Review
- Pull request ID set to 46035
Updated by Redouane Kachach Elhichou almost 2 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Redouane Kachach Elhichou almost 2 years ago
- Backport changed from pacific to pacific,quincy
Updated by Backport Bot almost 2 years ago
- Copied to Backport #55962: quincy: cephadm rm-daemon is not closing any tcp ports that were opened for the daemon during the removal process added
Updated by Backport Bot almost 2 years ago
- Copied to Backport #55963: pacific: cephadm rm-daemon is not closing any tcp ports that were opened for the daemon during the removal process added
Updated by Redouane Kachach Elhichou almost 2 years ago
- Status changed from Pending Backport to Closed
Updated by Redouane Kachach Elhichou almost 2 years ago
- Status changed from Closed to Resolved