From 40a1e5ba18095692640f2c22b7fafb132912d06e Mon Sep 17 00:00:00 2001
From: John Eckersberg
Date: Mon, 9 Mar 2020 11:44:50 -0400
Subject: [PATCH] rabbitmq: Open ports 25673-25683 for CLI tools
Since RabbitMQ 3.7.4, the CLI tools (rabbitmqctl and friends) parallelize the querying of information from cluster members. In order to receive stream data back, the cli instance binds and registers itself on an available port (default between 35672 and 35682, inclusive). If these ports are firewalled off, then rabbitmqctl commands such as list_queues will hang waiting for data from remote cluster members. This patch does two things: 1) Reconfigures rabbitmqctl to bind to 25673-25683 instead of the default range of 35672-35682. This ensures the ports are not in the ephemeral port range and avoids unintended collisions. 2) Opens the firewall on 25673-25683 to enable communication.
Resolves: rhbz#1811680
Change-Id: If5caa51cd9a3aef97d06d491dde1d5129cc1a569
(cherry picked from commit a2bc2e10b0de522a81faca62b7b620432b267fbb)
---
 deployment/rabbitmq/rabbitmq-container-puppet.yaml | 3 +++
 .../rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml | 1 +
 .../rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml | 1 +
 deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml | 1 +
 .../rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml | 1 +
 .../rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml | 1 +
 6 files changed, 8 insertions(+)
diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
index 49ff7eaadc..987db6fdd6 100644
--- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml
@@ -128,6 +128,7 @@ outputs:
 - 4369
 - 5672
 - 25672
+ - 25673-25683
 rabbitmq::delete_guest_user: false
 rabbitmq::wipe_db_on_cookie_change: true
 rabbitmq::port: 5672
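Review bot: Nothing visible in the first hunk of rabbitmq-container-puppet.yaml limits which source addresses may reach the new `- 25673-25683` entry, which joins the same port list as 4369 and 25672; the enclosing rule starts outside the hunk, so it may already be scoped. While a rabbitmqctl command runs, a port in this range is an Erlang distribution listener guarded only by the shared cookie, so it is worth confirming the rule is restricted to cluster members on the internal network. The same literal range is repeated in the port lists of the five other templates in this patch and has to stay equal to `RABBITMQ_CTL_DIST_PORT_MIN`/`RABBITMQ_CTL_DIST_PORT_MAX`. A comment above the entry such as `# rabbitmqctl distribution ports; keep in sync with RABBITMQ_CTL_DIST_PORT_MIN/MAX` would record that coupling in each file.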
@@ -146,6 +147,8 @@ outputs:
 RABBITMQ_NODENAME: "rabbit@%{::hostname}"
 RABBITMQ_SERVER_ERL_ARGS: '"+K true +P 1048576 -kernel inet_default_connect_options [{nodelay,true}]"'
 RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS: {get_param: RabbitAdditionalErlArgs}
+ RABBITMQ_CTL_DIST_PORT_MIN: '25673'
+ RABBITMQ_CTL_DIST_PORT_MAX: '25683'
 'export ERL_EPMD_ADDRESS': "%{hiera('rabbitmq::interface')}"
 rabbitmq_kernel_variables:
 inet_dist_listen_min: '25672'
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
index 34d134fbcf..1e663f2991 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
@@ -116,6 +116,7 @@ outputs:
 - 4369
 - {get_param: NotifyPort}
 - 25672
+ - 25673-25683
 rabbitmq::port: {get_param: NotifyPort}
 rabbitmq::interface:
 str_replace:
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml
index 6a186fca69..0165a4fc5e 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-notify-pacemaker-puppet.yaml
@@ -114,6 +114,7 @@ outputs:
 - 4369
 - 5672
 - 25672
+ - 25673-25683
 service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
 # BEGIN DOCKER SETTINGS
 puppet_config:
diff --git a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
index 960a9c6cce..8fca030aeb 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-pacemaker-puppet.yaml
@@ -114,6 +114,7 @@ outputs:
 - 4369
 - 5672
 - 25672
+ - 25673-25683
 service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
 # BEGIN DOCKER SETTINGS
 puppet_config:
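Review bot: `RABBITMQ_CTL_DIST_PORT_MIN` and `RABBITMQ_CTL_DIST_PORT_MAX` are set only in the second hunk of rabbitmq-container-puppet.yaml (the environment entries after `RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS`), while the notify-container and rpc-container templates open 25673-25683 in their own port lists with no matching setting in their hunks. If those templates do not inherit this environment block, which cannot be seen from here, their CLI tools would keep binding in the default 35672-35682 range, leaving the new ports open for no benefit and the hang unfixed on those services. The new range also begins directly above `inet_dist_listen_min: '25672'`, and the corresponding maximum lies outside the hunk, so it should be confirmed that the server distribution range cannot grow into it. A comment next to the two new keys such as `# CLI distribution range; must match the firewall port list and not overlap inet_dist_listen_min/max` would guard against later drift.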
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
index 1d3e613bbb..7da63c91ae 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
@@ -116,6 +116,7 @@ outputs:
 - 4369
 - {get_param: RpcPort}
 - 25672
+ - 25673-25683
 rabbitmq::port: {get_param: RpcPort}
 rabbitmq::interface:
 str_replace:
diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
index 3683810f1a..a27b564daa 100644
--- a/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
+++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-pacemaker-puppet.yaml
@@ -114,6 +114,7 @@ outputs:
 - 4369
 - 5672
 - 25672
+ - 25673-25683
 service_config_settings: {get_attr: [RabbitmqBase, role_data, service_config_settings]}
 # BEGIN DOCKER SETTINGS
 puppet_config: