Starting with CSO 5.1, the RabbitMQ message queuing service on TCP port 5672 (AMQP) is blocked because of access/security concerns.
With the new configuration of the NGINX micro-service from 5.1.1, the 5672 service is not implemented by default.
From CSO 5.1.1, users can no longer subscribe third-party systems to the CSO RMQ service via TCP port 5672.
TCP port 5672 is no longer exposed by CSO to the outside (external traffic now passes through HAPROXY > NGINX).
Workaround: enable the 5672 TCP service
Take the following steps to list port 5672 in open state:
-
ssh to your startup server from the CSO host server (execute ./get_vm_details.sh to find the startup server IP):
# ssh <startupserver IP>
-
Change the dir to /opt/charts/nginx-ingress:
~# cd /opt/charts/nginx-ingress
-
Edit the file values.yaml and add the entry 5672: "infra/rabbitmq-ha:5672" to the tcp map:
vi values.yaml → add 5672
Example:
tcp: {7804: "regional/csp-device-init-conn:7804", 9090: "infra/swift-svc:9090", 2514: "central/csp-secmgt-jingest-syslog:8082", 2379: "infra/etcd-etcd:2379", 2216: "regional/csp-telemetry-converter:8082", 9200: "infra/elasticsearch:9200", 5000: "infra/jkeystone:5000", 35357: "infra/jkeystone:35357", 15672: "infra/rabbitmq-ha:15672", 5672: "infra/rabbitmq-ha:5672", 8529: "infra/arangodb-cluster-ea:8529", 2181: "infra/zookeeper-zookeeper:2181", 8060: "regional/csp-as-regional-phs:8083"}
---------
Then save and exit the file values.yaml
-
Execute the following command:
root@startupserver1:/opt/charts/nginx-ingress# helm upgrade nginx-ingress .
(Do not omit the trailing dot; it refers to the current chart directory.)
-
Now 5672 should be available on the NGINX service. To verify, run the following command:
# kubectl get svc -n infra | grep nginx | grep 5672
Example:
-----
nginx-ingress-controller LoadBalancer 10.100.228.160 192.168.10.16 80:32086/TCP,443:31269/TCP,15672:31575/TCP,2181:32474/TCP,2216:31006/TCP,2379:32749/TCP,2514:32081/TCP,35357:30525/TCP,5000:31709/TCP,5672:30368/TCP,7804:31106/TCP,8060:30472/TCP,8529:32112/TCP,9090:32439/TCP,9200:32718/TCP 4d
-----
-
Add a NAT rule to forward the traffic to NGINX IP with port 5672.
a) Exit from startupserver
b) Change the dir to:
# cd /root/Contrail_Service_Orchestration_5.1.1/ci_cd
(path shown for a 5.1.1 installation)
c) Edit the setup_NAT_rule.sh
# vi setup_NAT_rule.sh
Add a rule for 5672 directly below the existing 15672 rule:
'iptables -t nat -A PREROUTING -d $IP_ADDRESS_MANAGEMENT_INTERFACE/32 -p tcp -m tcp --dport 5672 -j DNAT --to-destination $NGINX_IP:5672'
Example (existing 15672 line followed by the new 5672 line):
iptables -t nat -A PREROUTING -d $IP_ADDRESS_MANAGEMENT_INTERFACE/32 -p tcp -m tcp --dport 15672 -j DNAT --to-destination $NGINX_IP:15672
iptables -t nat -A PREROUTING -d $IP_ADDRESS_MANAGEMENT_INTERFACE/32 -p tcp -m tcp --dport 5672 -j DNAT --to-destination $NGINX_IP:5672
d) Save and exit the file setup_NAT_rule.sh
-
Run the setup_NAT_rule.sh from the same dir.
./setup_NAT_rule.sh
-
Check the port status:
Example:
iptables -t nat -L | grep :5672
target prot opt source destination
DNAT tcp -- anywhere <Host Server> tcp dpt:amqp to:192.168.10.16:5672
Note: The above is a workaround to reach 5672 through NGINX.
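The workaround only works when both hops are in place: the nginx-ingress Service must carry a 5672 port mapping, and the host NAT rule must DNAT 5672 to the NGINX IP. The following POSIX sh script is an added example, not part of the CSO documentation, that checks both conditions against the kind of output the two verification commands above produce. The sample lines are constructed to mirror that output; the function names and the 192.168.10.16 NGINX IP are assumptions taken from the example listing.

```shell
#!/bin/sh
# Added example (not CSO's own code): verify both halves of the 5672 workaround,
# the nginx-ingress Service port mapping and the host DNAT rule.
# The three sample lines below are constructed to mirror the listings above; in
# practice feed in the real output of
#   kubectl get svc -n infra | grep nginx
#   iptables -t nat -L | grep :5672

SVC_LINE='nginx-ingress-controller LoadBalancer 10.100.228.160 192.168.10.16 80:32086/TCP,443:31269/TCP,15672:31575/TCP,5672:30368/TCP,7804:31106/TCP 4d'
NAT_5672='DNAT       tcp  --  anywhere             <Host Server>        tcp dpt:amqp to:192.168.10.16:5672'
NAT_15672='DNAT       tcp  --  anywhere             <Host Server>        tcp dpt:15672 to:192.168.10.16:15672'

# svc_exposes_port LINE PORT: succeed if "PORT:<nodeport>/TCP" appears in the
# Service's PORT(S) column (5th whitespace-separated field of a kubectl line).
svc_exposes_port() {
  ports=$(printf '%s\n' "$1" | awk '{print $5}')
  old_ifs=$IFS
  IFS=,
  for mapping in $ports; do
    case $mapping in
      "$2:"*/TCP) IFS=$old_ifs; return 0 ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

# nat_forwards_port LINE NGINX_IP PORT: succeed if LINE is a DNAT rule whose
# target is exactly NGINX_IP:PORT (so the 15672 rule does not count for 5672).
nat_forwards_port() {
  case $1 in
    DNAT*" to:$2:$3") return 0 ;;
  esac
  return 1
}

# amqp_path_ok SVC_LINE NAT_LINE NGINX_IP: succeed only when both hops exist.
amqp_path_ok() {
  svc_exposes_port "$1" 5672 && nat_forwards_port "$2" "$3" 5672
}

# Stand-alone run against the constructed samples.
if amqp_path_ok "$SVC_LINE" "$NAT_5672" 192.168.10.16; then
  echo "5672: Service port and DNAT rule both present"
else
  echo "5672: path incomplete (re-check helm upgrade and setup_NAT_rule.sh)"
fi
```

The NAT listing shows the rule matching source "anywhere": once the rule is in place, any host that can reach the management interface can reach AMQP. If only specific third-party systems need to subscribe, adding a `-s <subscriber IP>` match to the iptables rule in setup_NAT_rule.sh keeps the exposure limited to those peers.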