Smart-proxy or Capsule listen port 9090 only listens on 127.0.0.1

Solution Verified - Updated -

Environment

  • Red Hat Satellite or Proxy 6.1

Issue

  • After publishing a Content View, the following error appears:
([Errno::ECONNREFUSED]): Connection refused - connect (2) for Proxy https://satellite.fqdn:9090/puppet
  • The smart-proxy service is listening only on the localhost addresses (127.0.0.1 and ::1) on port 9090:
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      990        26014      2761/ruby            off (0.00/0/0)
tcp6       0      0 ::1:9090                :::*                    LISTEN      990        26013      2761/ruby            off (0.00/0/0)

Resolution

  • A temporary workaround for this situation is either of the following:
- add export RACK_ENV='production' to the init script

or

- add the proxy FQDN to the hosts entry for 127.0.0.1

This assumes Foreman is on the same machine. This allows Foreman to connect and import classes/environments.
  • To resolve this behaviour, downgrade the rubygem-rack and rubygem-rack-protection versions as shown below:
# rpm -Uvh --oldpackage --replacepkgs rubygem-rack-1.4.1-13.el7sat.noarch.rpm
# rpm -Uvh --oldpackage --replacepkgs rubygem-rack-protection-1.5.0-7.el7sat.noarch.rpm

Note that these versions (or their el6sat counterparts) are the only officially released versions in the Satellite 6 product. It is recommended to use these and not newer ones.

Root Cause

  • New packages of rubygem-rack and rubygem-rack-protection were installed on the server. The code in the libraries lib/sinatra/base.rb and lib/sinatra/main.rb was modified (http://projects.theforeman.org/issues/9989) in order to bind the service to localhost for security reasons. Please read the Disclaimer below.
##################################################################################################################################
Disclaimer:
Default host to localhost when in development mode.
Running Rack apps on 0.0.0.0 in development mode will allow malicious users on the local network (ex: Coffee Shop) to abuse or potentially exploit the app. Safer to default host to localhost when in development mode.
##################################################################################################################################
  • The modified lines are:
2  lib/sinatra/base.rb
 @@ -1690,7 +1690,7 @@ class << self
     set :run, false                       # start server via at-exit hook?
     set :running, false                   # is the built-in server running now?
     set :server, %w[http webrick]
-    set :bind, '0.0.0.0'
+    set :bind, Proc.new { development? ? 'localhost' : '0.0.0.0' }
     set :port, Integer(ENV['PORT'] || 4567)

     ruby_engine = defined?(RUBY_ENGINE) && RUBY_ENGINE
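Review bot: the new default on the `set :bind` line depends silently on the environment, and nothing in this hunk documents or logs which address was chosen. A process started without an explicit environment counts as development and binds to 'localhost', so a service that remote clients must reach stops accepting their connections with no message, while every non-development environment still binds to '0.0.0.0'. Suggest a comment beside the setting stating that deployments must set the environment or `:bind` explicitly, and logging the resolved bind address at startup.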
2 lib/sinatra/main.rb
 @@ -14,7 +14,7 @@ class Application < Base
       require 'optparse'
       OptionParser.new { |op|
         op.on('-p port',   'set the port (default is 4567)')                { |val| set :port, Integer(val) }
-        op.on('-o addr',   'set the host (default is 0.0.0.0)')             { |val| set :bind, val }
+        op.on('-o addr',   "set the host (default is #{bind})")             { |val| set :bind, val }
         op.on('-e env',    'set the environment (default is development)')  { |val| set :environment, val.to_sym }
         op.on('-s server', 'specify rack server/handler (default is thin)') { |val| set :server, val }
         op.on('-x',        'turn on the mutex lock (default is off)')       {       set :lock, true }
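Review bot: the `-o addr` help string interpolates `bind` at the moment the option is defined, which is before the `-e env` option on the next line has been parsed, so the default it prints reflects the environment at that point and not the one selected on the same command line. Suggest spelling out both cases in the help text (localhost in development, 0.0.0.0 otherwise) so the message is correct regardless of option order.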

Diagnostic Steps

  • Check whether versions of rubygem-rack and rubygem-rack-protection (and other packages) from third-party repositories are installed:
rubygem-netrc-0.7.7-3.el7.noarch                            Fri Jun  3 10:23:44 2016    1464960224  Fedora Project  buildvm-27.phx2.fedoraproject.org
rubygem-rack-1.6.4-2.el7.noarch                             Fri Jun  3 11:49:55 2016    1464965395  Fedora Project  buildppc-02.phx2.fedoraproject.org
rubygem-rack-protection-1.5.3-3.el7.noarch                  Fri Jun  3 10:23:58 2016    1464960238  Fedora Project  buildvm-11-nfs.phx2.fedoraproject.org
rubygem-rest-client-1.6.7-4.el7.noarch                      Fri Jun  3 10:23:49 2016    1464960229  Fedora Project  buildvm-13.phx2.fedoraproject.org
rubygem-rkerberos-0.1.3-5.el7.x86_64                        Fri Jun  3 10:23:58 2016    1464960238  Fedora Project  buildhw-12.phx2.fedoraproject.org
  • Versions of the packages that Red Hat Satellite installs:
rubygem-rack-1.4.1-13.el7sat.noarch
rubygem-rack-protection-1.5.0-7.el7sat.noarch
  • Check whether ports 8443 and/or 9090 are listening on the localhost IP address only:
tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      990        26014      2761/ruby            off (0.00/0/0)
tcp6       0      0 ::1:9090                :::*                    LISTEN      990        26013      2761/ruby            off (0.00/0/0)
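
Both diagnostic checks above can be run over saved command output. The following is an added example, not part of the original solution or of any Satellite tooling. The function names and the 8443 sample line are assumptions constructed for illustration; the other sample lines are trimmed copies of the listings in this article.

```shell
#!/bin/sh
# Added example: run both diagnostic checks over saved command output.

# Print each port listed in $1 whose LISTEN sockets (netstat -tln style
# input on stdin) are all bound to loopback addresses.
loopback_only_ports() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) watch[want[i]] = 1 }
        $1 ~ /^tcp/ && /LISTEN/ {
            addr = $4                         # local address, e.g. 127.0.0.1:9090
            port = addr; sub(/.*:/, "", port) # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (!(port in watch)) next
            seen[port] = 1
            if (host !~ /^127\./ && host != "::1") routable[port] = 1
        }
        END { for (i = 1; i <= n; i++) if (seen[want[i]] && !routable[want[i]]) print want[i] }
    '
}

# Print rubygem-rack and rubygem-rack-protection packages (first column of
# an "rpm -qa" style listing on stdin) that are not el6sat/el7sat builds.
non_satellite_rack_builds() {
    awk '$1 ~ /^rubygem-rack(-protection)?-[0-9]/ && $1 !~ /\.el[67]sat\./ { print $1 }'
}

# Sample input: the 9090 lines come from this article (trimmed); the 8443
# line is constructed to show a port that is also reachable remotely.
NETSTAT_SAMPLE='tcp        0      0 127.0.0.1:9090          0.0.0.0:*               LISTEN      990        26014      2761/ruby
tcp6       0      0 ::1:9090                :::*                    LISTEN      990        26013      2761/ruby
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      0          30111      3010/ruby'

# Package names and vendor taken from the listings in this article.
RPM_SAMPLE='rubygem-netrc-0.7.7-3.el7.noarch Fedora Project
rubygem-rack-1.6.4-2.el7.noarch Fedora Project
rubygem-rack-protection-1.5.3-3.el7.noarch Fedora Project
rubygem-rest-client-1.6.7-4.el7.noarch Fedora Project
rubygem-rack-1.4.1-13.el7sat.noarch Red Hat, Inc.'

echo "Ports listening on loopback only:"
printf '%s\n' "$NETSTAT_SAMPLE" | loopback_only_ports "8443 9090"
echo "rack packages that are not Satellite builds:"
printf '%s\n' "$RPM_SAMPLE" | non_satellite_rack_builds
```

On a live system, feed the functions real output instead of the samples, for instance `netstat -tln` for the first and `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH} %{VENDOR}\n'` for the second.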

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
