  1. Couchbase Server
  2. MB-48122

[Enforce-TLS] Non-availability of some services' stats


Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Done
    • 7.0.2
    • 7.0.2
    • ns_server
    • Centos 7 64 bit; CB EE 7.0.2-6562

    Description

      Problem
      After enforcing TLS, some services will stop listening on their non-SSL ports, even on the loopback address. As a result, Prometheus fails to scrape these services' metrics, and hence the user will not be able to see stats on the UI. Refer to the screenshot.

      Suggestions
      I guess, if I am not wrong, there could be 3 ways to approach this:
      1. Ns-server could change the Prometheus config after enforcing TLS for these services to use their TLS ports, so that Prometheus starts scraping their metrics
      2. Ask the user to take care of changing the Prometheus config after they enforce TLS (requires documentation)
      3. Ask these services to listen on loopback addresses at the non-SSL port


          Activity

            pvarley Patrick Varley added a comment - - edited

            Patrick Varley - the reason I've assigned tools is for backup. Isn't that the right component?

            It was never assigned to Tools and as a result was never on our radar. The component list included tools; I thought it was a mistake when looking through the 7.0.2 dashboard and removed it. I was then looking at Abhijeeth Nuthan's question on MB-42840, then realised they were related. There are other Services in the component list too, so to keep things simple I will keep the backup stuff with the original MB-47831.

            Anyway, to progress things, can you answer the question above please?


            meni.hillel Meni Hillel (Inactive) added a comment

            Patrick Varley - On behalf of stats, specifically the Prometheus port, yes, the non-TLS port should be opened on localhost regardless of the encryption configuration.

            pvarley Patrick Varley added a comment

            Meni Hillel Thanks, I have reopened MB-47831.

            sumedh.basarkod Sumedh Basarkod added a comment

            Thanks Meni Hillel. Have opened separate MBs for query, fts (and Patrick has re-opened one for backup-service). Resolving this as "done"

            build-team Couchbase Build Team added a comment

            Build couchbase-server-7.1.0-1200 contains query commit 0af095f with commit message:
            MB-48122 enable localhost listeners for TLS strict mode
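
The behaviour agreed in the comments above (the non-TLS stats port stays open on localhost under TLS strict mode, and nowhere else), shown as an added Go example that is not Couchbase's code. The function names, the sample metric line and the OS-assigned port are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
)

// startPlainStats opens the non-TLS stats listener (hypothetical helper, IPv4 only).
func startPlainStats(strict bool) (net.Listener, error) {
	host := "0.0.0.0" // TLS not enforced: plain port on all interfaces
	if strict {
		host = "127.0.0.1" // strict mode: plain port kept, but on loopback only
	}
	l, err := net.Listen("tcp4", net.JoinHostPort(host, "0")) // port 0: OS picks one
	if err != nil {
		return nil, err
	}
	go http.Serve(l, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprintln(w, "example_requests_total 42") // constructed sample metric
	}))
	return l, nil
}

// loopbackOnly reports whether the listener is reachable only from the local host.
func loopbackOnly(l net.Listener) bool {
	a, ok := l.Addr().(*net.TCPAddr)
	return ok && a.IP.IsLoopback()
}

// scrape reads the metrics over plain HTTP on loopback, as a local scraper would.
func scrape(l net.Listener) (string, error) {
	resp, err := http.Get(fmt.Sprintf("http://127.0.0.1:%d/", l.Addr().(*net.TCPAddr).Port))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

func main() {
	l, err := startPlainStats(true)
	if err != nil {
		panic(err)
	}
	body, err := scrape(l)
	fmt.Println(l.Addr(), loopbackOnly(l), body, err)
}
```

The `loopbackOnly` check is the part worth keeping in a test suite: it fails if a later change widens the plaintext port beyond localhost while TLS is enforced.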

            People

              sumedh.basarkod Sumedh Basarkod
              sumedh.basarkod Sumedh Basarkod