Starting with CSO 5.1, RabbitMQ message queuing service through 5672 TCP port (AMQP) is blocked due to access/security concern.

With the new configuration of the NGINX micro-service from 5.1.1, it does not implement 5672 service by default.

User can no longer subscribe with third party systems to the CSO RMQ service via TCP 5672 port from CSO 5.1.1 version.

5672 TCP port is no longer exposed by CSO to the outside (through HAPROXY > NGINX now)

Concerns:

• RBAC for RMQ is not available 
• RABBITMQ_NODE_PORT '5672' is an important connection port and any issues with it can affect message system of the server.

Usage:

• CSO and NSC use a message bus scheme (RabbitMQ) to publish notifications about system events.​
• Users can use a direct connection to CSO RabbitMQ service to subscribe to relevant topics in order to produce their own monitoring, supervision and data services.

Enable 5672 TCP service via w.a

Take the following steps to list port 5672 in open state:

1. ssh to your startup server (execute ./get_vm_details.sh to find the startup server ip):

   from the CSO host server

   root@startupserver1: ssh <startupserver​ IP>

2. Change the dir to /opt/charts/nginx-ingress:

   ~# cd /opt/charts/nginx-ingress

3. Edit the file values.yaml and add '5672' to "infra/rabbitmq-ha:5672":

   vi values.yaml → Add 5672

   Example:

   tcp: {7804: "regional/csp-device-init-conn:7804", 9090: "infra/swift-svc:9090", 2514: "central/csp-secmgt-jingest-syslog:8082", 2379: "infra/etcd-etcd:2379", 2216: "regional/csp-telemetry-converter:8082",9200: "infra/elasticsearch:9200", 5000: "infra/jkeystone:5000",35357:"infra/jkeystone:35357", 15672: "infra/rabbitmq-ha:15672",5672: "infra/rabbitmq-ha:5672",8529: "infra/arangodb-cluster-ea:8529",2181:"infra/zookeeper-zookeeper:2181",8060: "regional/csp-as-regional-phs:8083"}
   ---------

   Then save and exit the file values.yaml​

4. Execute the following command:

   root@startupserver1:/opt/charts/nginx-ingress# helm upgrade nginx-ingress .       (Do not miss the .)

5. Now, you should be able to see 5672 available for NGINX connection. Tto verify, run the following command:

   # kubectl get svc -n infra | grep nginx | grep 5672
    
   Example:

   -----
   nginx-ingress-controller          LoadBalancer   10.100.228.160   192.168.10.16   80:32086/TCP,443:31269/TCP,15672:31575/TCP,2181:32474/TCP,2216:31006/TCP,2379:32749/TCP,2514:32081/TCP,35357:30525/TCP,5000:31709/TCP,5672:30368/TCP,7804:31106/TCP,8060:30472/TCP,8529:32112/TCP,9090:32439/TCP,9200:32718/TCP   4d
   -----

6. Add a NAT rule to forward the traffic to NGINX IP with port 5672. 

   a) Exit from startupserver 

   b) Change the dir to:

     # cd /root/Contrail_Service_Orchestration_5.1.1/ci_cd      (e.g. from 5.1.1 installation)

   c) Edit the setup_NAT_rule.sh

   ​# vi ​setup_NAT_rule.sh

    add a rule with 5672 below the line shown in e.g. 

   'iptables -t nat -A PREROUTING -d $IP_ADDRESS_MANAGEMENT_INTERFACE/32 -p tcp -m tcp --dport 5672 -j DNAT --to-destination $NGINX_IP:5672​'

   Example:

   iptables -t nat -A PREROUTING -d $IP_ADDRESS_MANAGEMENT_INTERFACE/32 -p tcp -m tcp --dport 15672 -j DNAT --to-destination $NGINX_IP:15672
   iptables -t nat -A PREROUTING -d $IP_ADDRESS_MANAGEMENT_INTERFACE/32 -p tcp -m tcp --dport 15672 -j DNAT --to-destination $NGINX_IP:15672

   d) Save and exit the file setup_NAT_rule.sh​

7. Run the setup_NAT_rule.sh from the same dir. 

   ./setup_NAT_rule.sh

8. Check the port status:

   Example:

   iptables -t nat -L | grep :5672
        target.      prot opt source.               destination
        DNAT       tcp  --  anywhere             <Host Server>  tcp dpt:amqp to:192.168.10.16:5672

Note: The above is used as a workaround purpose to access 5672 through NGINX.