[MB-48122] [Enforce-TLS] Non-availability of some services' stats - Couchbase database

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Done
Affects Version/s: 7.0.2
Fix Version/s: 7.0.2
Component/s: ns_server
Labels:
- ns_server
Environment:
Centos 7 64 bit; CB EE 7.0.2-6562

Triage:
Untriaged
Operating System:
Centos 64-bit
Link to Log File, atop/blg, CBCollectInfo, Core dump:

Hide
http://supportal.couchbase.com/snapshot/052fb1478bc5a247640a5e8636e4c8c5::0
s3://cb-customers-secure/tls_stats/2021-08-24/collectinfo-2021-08-24t141052-ns_1@172.23.105.215.zip
s3://cb-customers-secure/tls_stats/2021-08-24/collectinfo-2021-08-24t141052-ns_1@172.23.105.217.zip

Show
http://supportal.couchbase.com/snapshot/052fb1478bc5a247640a5e8636e4c8c5::0 s3://cb-customers-secure/tls_stats/2021-08-24/collectinfo-2021-08-24t141052-ns_1@172.23.105.215.zip s3://cb-customers-secure/tls_stats/2021-08-24/collectinfo-2021-08-24t141052-ns_1@172.23.105.217.zip
Story Points:
1
Is this a Regression?:
Unknown

Description

Problem
After enforcing TLS, some services will stop listening on their non-ssl ports, even on loopback address. As a result, prometheus fails to scrape these services' metrics and hence user will not be able to see stats on UI. Refer screenshot

Suggestions
I guess, if I am not wrong, there could be 3 ways to approach this:
1. Ns-server could change the prometheus config after enforcing TLS for these services to use their tls ports, so that prometheus starts scraping their metrics
2. Ask user to take care of changing the prometheus config after they enforce tls (requires documentation)
3. Ask these services to listen on loopback addresses at non-ssl port

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Screenshot 2021-08-24 at 7.57.07 PM.png
573 kB
24/Aug/21 7:40 AM
Screenshot 2021-08-24 at 8.14.18 PM.png
133 kB
24/Aug/21 7:44 AM

Issue Links

relates to

MB-47831 Backup service doesn't listen on localhost's non-ssl port after enforcing TLS

Closed

MB-48141 [Enforce-TLS] Query should listen at 127.0.0.1:8093

Closed

MB-48142 [Enforce-TLS] FTS should listen at 127.0.0.1:8094

Closed

Gerrit Reviews

- Issue Only
- Show All Reviews
- Show Open Reviews
- Show All Issues
- Show Open Issues

No reviews matched the request. Check your Options in the drop-down menu of this sections header.

Activity

Ascending order - Click to sort in descending order

View 6 older comments

Patrick Varley added a comment - 24/Aug/21 3:07 PM - edited

Patrick Varley - the reason I've assigned tools is for backup. Isn't that the right component?

It was never assigned to Tools and as a result was never on our radar. The component list included tools, I thought it was a mistake when looking through the 7.0.2 dashboard and removed it. I was then looking at Abhijeeth Nuthan question on ~~MB-42840~~ then released they were related. There are other Services in the component list too, so to keep things simple I will keep the backup stuff with the original ~~MB-47831~~

Anyway to progress things, can you answer the question above please

Patrick Varley added a comment - 24/Aug/21 3:07 PM - edited Patrick Varley - the reason I've assigned tools is for backup. Isn't that the right component? It was never assigned to Tools and as a result was never on our radar. The component list included tools, I thought it was a mistake when looking through the 7.0.2 dashboard and removed it. I was then looking at Abhijeeth Nuthan question on MB-42840 then released they were related. There are other Services in the component list too, so to keep things simple I will keep the backup stuff with the original MB-47831 Anyway to progress things, can you answer the question above please

Meni Hillel (Inactive) added a comment - 24/Aug/21 3:10 PM

Patrick Varley - In behalf of stats, specifically the Prometheus port, yes, the non-TLS port should be opened on localhost regardless of the encryption configuration.

Meni Hillel (Inactive) added a comment - 24/Aug/21 3:10 PM Patrick Varley - In behalf of stats, specifically the Prometheus port, yes, the non-TLS port should be opened on localhost regardless of the encryption configuration.

Patrick Varley added a comment - 24/Aug/21 3:18 PM

Meni Hillel Thanks, I have reopened ~~MB-47831~~.

Patrick Varley added a comment - 24/Aug/21 3:18 PM Meni Hillel Thanks, I have reopened MB-47831 .

Sumedh Basarkod added a comment - 24/Aug/21 9:01 PM

Thanks Meni Hillel . Have opened separate MBs for query, fts (and Patrick has re-opened one for backup-service). Resolving this as "done"

Sumedh Basarkod added a comment - 24/Aug/21 9:01 PM Thanks Meni Hillel . Have opened separate MBs for query, fts (and Patrick has re-opened one for backup-service). Resolving this as "done"

Couchbase Build Team added a comment - 25/Aug/21 1:16 PM

Build couchbase-server-7.1.0-1200 contains query commit 0af095f with commit message:
~~MB-48122~~ enable localhost listeners for TLS strict mode

Couchbase Build Team added a comment - 25/Aug/21 1:16 PM Build couchbase-server-7.1.0-1200 contains query commit 0af095f with commit message: MB-48122 enable localhost listeners for TLS strict mode

People

Assignee:: Sumedh Basarkod

Reporter:: Sumedh Basarkod

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 24/Aug/21 7:44 AM

Updated:: 30/Aug/21 8:35 PM

Resolved:: 24/Aug/21 9:01 PM

Gerrit Reviews

There are no open Gerrit changes

Show There is 1 closed Gerrit change

Hide There is 1 closed Gerrit change

MB-48122 enable localhost listeners for TLS strict mode: Gerrit Review:

PagerDuty

Couchbase Server

Details

Description

Attachments

Attachments

Issue Links

Gerrit Reviews

Activity

People

Dates

Gerrit Reviews

PagerDuty