From e80356e454accb2cb640b6c1bdf5ddc7175335a8 Mon Sep 17 00:00:00 2001
From: John Eckersberg <jeckersb@redhat.com>
Date: Mon, 9 Mar 2020 11:44:50 -0400
Subject: [PATCH] rabbitmq: Open ports 25673-25683 for CLI tools

Since RabbitMQ 3.7.4, the CLI tools (rabbitmqctl and friends)
parallelize the querying of information from cluster members.  In
order to receive stream data back, the cli instance binds and
registers itself on an available port (default between 35672 and
35682, inclusive).  If these ports are firewalled off, then
rabbitmqctl commands such as list_queues will hang waiting for data
from remote cluster members.

This patch does two things:

1) Reconfigures rabbitmqctl to bind to 25673-25683 instead of the
default range of 35672-35682.  This ensures the ports are not in the
ephemeral port range and avoids unintended collisions.

2) Opens the firewall on 25673-25683 to enable communication.

Resolves: rhbz#1811680

Change-Id: If5caa51cd9a3aef97d06d491dde1d5129cc1a569
(cherry picked from commit a2bc2e10b0de522a81faca62b7b620432b267fbb)
(cherry picked from commit 40a1e5ba18095692640f2c22b7fafb132912d06e)
---
 deployment/rabbitmq/rabbitmq-container-puppet.yaml             | 3 +++
 .../rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml   | 1 +
 .../rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml   | 1 +
 deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml   | 1 +
 .../rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml      | 1 +
 .../rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml      | 1 +
 6 files changed, 8 insertions(+)

diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
index b5ace89b4a..d3506d836a 100644
--- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
@@ -122,6 +122,7 @@ outputs:
                   - 4369
                   - 5672
                   - 25672
+                  - 25673-25683
             rabbitmq::delete_guest_user: false
             rabbitmq::wipe_db_on_cookie_change: true
             rabbitmq::port: 5672
@@ -140,6 +141,8 @@ outputs:
               RABBITMQ_NODENAME: "rabbit@%{::hostname}"
               RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true}]"'
               RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: {get_param: RabbitAdditionalErlArgs}
+              RABBITMQ_CTL_DIST_PORT_MIN: '25673'
+              RABBITMQ_CTL_DIST_PORT_MAX: '25683'
               'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}"
             rabbitmq_kernel_variables:
               inet_dist_listen_min: '25672'
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
index 42e1ba97bb..b01fd4c7a8 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
@@ -110,6 +110,7 @@ outputs:
                   - 4369
                   - {get_param: NotifyPort}
                   - 25672
+                  - 25673-25683
             rabbitmq::port: {get_param: NotifyPort}
             rabbitmq::interface:
               str_replace:
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml
index 446a1de2e0..3bae2286bb 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml
@@ -114,6 +114,7 @@ outputs:
                   - 4369
                   - 5672
                   - 25672
+                  - 25673-25683
       service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS
       puppet_config:
diff --git a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
index 7612264631..dc7f0db230 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
@@ -114,6 +114,7 @@ outputs:
                   - 4369
                   - 5672
                   - 25672
+                  - 25673-25683
       service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS
       puppet_config:
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
index 52de8cb9ce..47cb32e924 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
@@ -110,6 +110,7 @@ outputs:
                   - 4369
                   - {get_param: RpcPort}
                   - 25672
+                  - 25673-25683
             rabbitmq::port: {get_param: RpcPort}
             rabbitmq::interface:
               str_replace:
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
index 039cc5ca8e..19d04c8900 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
@@ -114,6 +114,7 @@ outputs:
                   - 4369
                   - 5672
                   - 25672
+                  - 25673-25683
       service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS
       puppet_config: