Custom console access port breaks nova-spiceproxy

Bug #2065064 reported by Natalia Litvinova
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Nova Cloud Controller Charm | Triaged | Wishlist | Unassigned |

Bug Description

Hi team,

I enabled the option of console-access-port=443 and after this nova-spiceproxy fails to start. Switching the port to the default one makes it start again:

ubuntu@juju-8291a9-6-lxd-9:~$ sudo systemctl status nova-spiceproxy
× nova-spiceproxy.service - OpenStack Compute Spice HTML5 Proxy
     Loaded: loaded (/lib/systemd/system/nova-spiceproxy.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Wed 2024-05-01 09:28:15 UTC; 58s ago
       Docs: man:nova-spiceproxy(1)
    Process: 232230 ExecStart=/etc/init.d/nova-spiceproxy systemd-start (code=exited, status=1/FAILURE)
   Main PID: 232230 (code=exited, status=1/FAILURE)
        CPU: 1.217s

May 01 09:28:15 juju-8291a9-6-lxd-9 systemd[1]: nova-spiceproxy.service: Scheduled restart job, restart counter is at 3.
May 01 09:28:15 juju-8291a9-6-lxd-9 systemd[1]: Stopped OpenStack Compute Spice HTML5 Proxy.
May 01 09:28:15 juju-8291a9-6-lxd-9 systemd[1]: nova-spiceproxy.service: Consumed 1.217s CPU time.
May 01 09:28:15 juju-8291a9-6-lxd-9 systemd[1]: nova-spiceproxy.service: Start request repeated too quickly.
May 01 09:28:15 juju-8291a9-6-lxd-9 systemd[1]: nova-spiceproxy.service: Failed with result 'exit-code'.
May 01 09:28:15 juju-8291a9-6-lxd-9 systemd[1]: Failed to start OpenStack Compute Spice HTML5 Proxy.

Checking the logs for it I find:
2024-05-01 09:36:30.033 275287 INFO nova.console.websocketproxy [-] WebSocket server settings:
2024-05-01 09:36:30.033 275287 INFO nova.console.websocketproxy [-] - Listen on 0.0.0.0:443
2024-05-01 09:36:30.033 275287 INFO nova.console.websocketproxy [-] - Web server (no directory listings). Web root: /usr/share/spice-html5
2024-05-01 09:36:30.033 275287 INFO nova.console.websocketproxy [-] - SSL/TLS support
2024-05-01 09:36:30.034 275287 CRITICAL nova [-] Unhandled error: PermissionError: [Errno 13] Permission denied
2024-05-01 09:36:30.034 275287 ERROR nova Traceback (most recent call last):
2024-05-01 09:36:30.034 275287 ERROR nova File "/usr/bin/nova-spicehtml5proxy", line 10, in <module>
2024-05-01 09:36:30.034 275287 ERROR nova sys.exit(main())
2024-05-01 09:36:30.034 275287 ERROR nova File "/usr/lib/python3/dist-packages/nova/cmd/spicehtml5proxy.py", line 38, in main
2024-05-01 09:36:30.034 275287 ERROR nova baseproxy.proxy(
2024-05-01 09:36:30.034 275287 ERROR nova File "/usr/lib/python3/dist-packages/nova/cmd/baseproxy.py", line 87, in proxy
2024-05-01 09:36:30.034 275287 ERROR nova ).start_server()
2024-05-01 09:36:30.034 275287 ERROR nova File "/usr/lib/python3/dist-packages/websockify/websockifyserver.py", line 704, in start_server
2024-05-01 09:36:30.034 275287 ERROR nova lsock = self.socket(self.listen_host, self.listen_port, False,
2024-05-01 09:36:30.034 275287 ERROR nova File "/usr/lib/python3/dist-packages/websockify/websockifyserver.py", line 470, in socket
2024-05-01 09:36:30.034 275287 ERROR nova sock.bind(addrs[0][4])
2024-05-01 09:36:30.034 275287 ERROR nova PermissionError: [Errno 13] Permission denied

Versions:
OpenStack Yoga
Juju 3.4.2
nova-cloud-controller charm yoga/stable rev 729

description: updated
Felipe Reyes (freyes) wrote :

This issue happens because 443 is a privileged port and nova-spiceproxy runs as non-root. Fixing this would probably require us to rethink how this daemon gets deployed, maybe with haproxy (or apache2) in front of it.

@Natalia, I'm marking this bug as a wishlist. If you need this to be higher priority, please share with us the use case that you are trying to satisfy by binding this daemon to the port 443.

Changed in charm-nova-cloud-controller:
status: New → Confirmed
importance: Undecided → Wishlist
Changed in charm-nova-cloud-controller:
status: Confirmed → Triaged
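
A preflight check for the condition described in the comment above, as an added example that is not part of the bug report or the charm's code. It models the Linux privileged-port rule (the `ip_unprivileged_port_start` sysctl and `CAP_NET_BIND_SERVICE`) behind the `PermissionError` in the traceback; the function names, the sample `/proc/<pid>/status` text and the unprivileged port 6082 are assumptions constructed for illustration.

```python
import os

# Kernel threshold below which bind() needs CAP_NET_BIND_SERVICE (default 1024).
PORT_START_SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"
CAP_NET_BIND_SERVICE = 10  # bit index in the Linux capability sets

# Constructed /proc/<pid>/status excerpts, not taken from the affected unit.
SAMPLE_NONROOT = "Name:\tnova-spicehtml5\nUid:\t64060\t64060\t64060\t64060\nCapEff:\t0000000000000000\n"
SAMPLE_GRANTED = "Name:\tnova-spicehtml5\nUid:\t64060\t64060\t64060\t64060\nCapEff:\t0000000000000400\n"


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    return 0  # field absent: assume no capabilities


def can_bind(port, cap_eff, unpriv_start=1024):
    """Return (allowed, reason) for the kernel's privileged-port check."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %r" % (port,))
    if port >= unpriv_start:
        return True, "port %d >= unprivileged start %d" % (port, unpriv_start)
    if cap_eff & (1 << CAP_NET_BIND_SERVICE):
        return True, "process holds CAP_NET_BIND_SERVICE"
    return False, "port %d < %d and no CAP_NET_BIND_SERVICE: bind() fails with EACCES" % (
        port, unpriv_start)


def local_state():
    """Read the threshold and this process's capabilities (Linux only)."""
    with open(PORT_START_SYSCTL) as f:
        start = int(f.read().strip())
    with open("/proc/self/status") as f:
        return start, parse_cap_eff(f.read())


if __name__ == "__main__":
    for label, text in (("non-root, no caps", SAMPLE_NONROOT), ("cap granted", SAMPLE_GRANTED)):
        for port in (443, 6082):  # 443 from the report; 6082 is a constructed unprivileged port
            print(label, port, can_bind(port, parse_cap_eff(text)))
    if os.path.exists(PORT_START_SYSCTL):
        start, caps = local_state()
        print("this host:", can_bind(443, caps, start))
```
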
Natalia Litvinova (natalytvinova) wrote :

Hi @Felipe, I'm not sure if that makes it higher priority, but the use case is that we agreed on this custom 443 design with the customer and signed the design already.
