search

StackStorm / st2

StackStorm (aka "IFTTT for Ops") is event-driven automation for auto-remediation, incident responses, troubleshooting, deployments, and more for DevOps and SREs. Includes rules engine, workflow, 160 integration packs with 6000+ actions (see https://exchange.stackstorm.org) and ChatOps. Installer at https://docs.stackstorm.com/install/index.html
https://stackstorm.com/
Apache License 2.0
6.08k stars 747 forks source link

st2api and st2auth always binds to 127.0.0.1 #2676

Open saahn opened 8 years ago

saahn commented 8 years ago

I've set the host param in st2.conf for auth and api to 0.0.0.0, but the config is ignored and the gunicorn process binds to 127.0.0.1:

[root@base-stackstorm2-138-onint ~]# ps -ef | grep gunicorn
st2      20711     1  9 22:50 ?        00:00:00 /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/gunicorn_pecan /opt/stackstorm/st2/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b 127.0.0.1:9101 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30
st2      20723     1  9 22:50 ?        00:00:00 /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/gunicorn_pecan /opt/stackstorm/st2/lib/python2.7/site-packages/st2stream/gunicorn_config.py -k eventlet -b 127.0.0.1:9102 --workers 1 --threads 10 --graceful-timeout 10 --timeout 30
st2      20735     1  9 22:50 ?        00:00:00 /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/gunicorn_pecan /opt/stackstorm/st2/lib/python2.7/site-packages/st2auth/gunicorn_config.py -k eventlet -b 127.0.0.1:9100 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30
...

I've tried modifying the hard-coded local addresses in both https://github.com/StackStorm/st2/blob/master/st2api/st2api/gunicorn_config.py#L29 and https://github.com/StackStorm/st2/blob/master/st2auth/st2auth/gunicorn_config.py#L29

as well as the init scripts /etc/init.d/st2api, /etc/init.d/st2auth, which was hard-coding the bind address in the DAEMON_ARGS variable: DAEMON_ARGS="-k eventlet -b 127.0.0.1:9101 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30 --pid ${PIDFILE}".

However, the auth and api endpoints are still binding to 127.0.0.1 after restarting the st2 processes.

I'm using st2 v1.4, and my environment was set up by following the documentation.

My st2.conf looks like:

[exporter]
logging = /etc/st2/logging.exporter.conf

[garbagecollector]
logging = /etc/st2/logging.garbagecollector.conf

[auth]
host = 0.0.0.0
port = 9100
use_ssl = False
debug = True
enable = True
logging = /etc/st2/logging.auth.conf
mode = standalone

# Note: Settings bellow are only used in "standalone" mode
backend = flat_file
backend_kwargs = {"file_path": "/etc/st2/.htpasswd"}

# Base URL to the API endpoint excluding the version (e.g. http://myhost.net:9101/)
api_url = 

[system]
base_path = /opt/stackstorm

[syslog]
host = 127.0.0.1
port = 514
facility = local7
protocol = udp

[log]
excludes = requests,paramiko
redirect_stderr = False
mask_secrets = True

[system_user]
user = stanley
ssh_key_file = /home/stanley/.ssh/stanley_rsa

[messaging]
url = amqp://guest:guest@127.0.0.1:5672/

[ssh_runner]
remote_dir = /tmp
use_paramiko_ssh_runner = True

Perhaps I am missing other hard-coded overrides?

Kami commented 8 years ago

Which distribution you are running?

If you are running Ubuntu, you also need to edit upstart job files, since upstart is used on Ubuntu (IIRC, those files are in /etc/init/*.conf).

It's also worth noting that we explicitly bind those services to localhost since they are running behind a proxy (nginx) and aren't directly exposed to the internet.

Kami commented 8 years ago

@manasdk @lakshmi-kannan We discussed this before but we need to decide what to do with those listen directives in the config when using packages and gunicorn.

One option is to utilize those values instead of the CLI arguments which are passed to gunicorn process (then we need to be careful we ship a correct default config with the packages). Another one is to simply document this behavior and let user know they need to edit service manager files if they want to change listen ip and / or port.

In any case, it's something which caused quite a lot of confusion already so we need to come up with a solution soon.

saahn commented 8 years ago

@Kami I'm using Ubuntu 14.04. Thanks, updating the upstart job files did the trick.

lakshmi-kannan commented 8 years ago

Yeah, I think we should make config work with gunicorn. It might get nasty because of ordering issues. Anyways, that seems like the ideal solution.

hujunya commented 8 years ago

I am using v1.4 on CentOS7.1. When I run mistral-v2 workflow, the mistral-server log shows that Failed to establish a new connection to the server ip and 9101 port. Because the st2api bind to 127.0.0.1:9101 so it refused the connection to (server ip):9101. How to config the st2api to bind to 0.0.0.0:9101 ? How to config the st2api to run with nginx ?

st2      24435  0.0  0.4 245244 26728 ?        Ss   14:55   0:01 /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/gunicorn_pecan /opt/stackstorm/st2/lib/python2.7/site-packages/st2stream/gunicorn_config.py -k eventlet -b 127.0.0.1:9102 --workers 1 --threads 10 --graceful-timeout 10 --timeout 30
st2      24656  0.1  0.6 286236 39780 ?        S    14:55   0:02 /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/gunicorn_pecan /opt/stackstorm/st2/lib/python2.7/site-packages/st2stream/gunicorn_config.py -k eventlet -b 127.0.0.1:9102 --workers 1 --threads 10 --graceful-timeout 10 --timeout 30
st2      28183  0.0  0.4 245244 26732 ?        Ss   15:12   0:01 /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/gunicorn_pecan /opt/stackstorm/st2/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b 127.0.0.1:9101 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30
st2      28195  0.1  0.7 304472 47736 ?        S    15:12   0:01 /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/gunicorn_pecan /opt/stackstorm/st2/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b 127.0.0.1:9101 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30
manasdk commented 8 years ago

@tenyearslater The right way to do this is to update the URL for mistral to communicate with StackStorm API. In /etc/st2/st2.conf add -

[mistral]
api_url = https://${EXTERNAL_IP}/api

After updating the StackStorm config file restart StackStorm services by sudo st2ctl restart

estee-tew commented 7 years ago

https://stackstorm.slack.com/archives/community/p1492824598789091

emptywee commented 7 years ago

Not sure why it doesn't work for the author, but updating DAEMON_ARGS via /etc/sysconfig/st2api worked very well for me:

 # ps aux | grep st2api
st2      18075 25.8  0.1 232588 28156 ?        S    09:57   0:01 /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/gunicorn_pecan /opt/stackstorm/st2/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b 0.0.0.0:9101 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30 --pid /var/run/st2/st2api.pid
st2      18110 45.0  0.2 284364 45472 ?        D    09:57   0:00 /opt/stackstorm/st2/bin/python /opt/stackstorm/st2/bin/gunicorn_pecan /opt/stackstorm/st2/lib/python2.7/site-packages/st2api/gunicorn_config.py -k eventlet -b 0.0.0.0:9101 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30 --pid /var/run/st2/st2api.pid
root     18121  0.0  0.0 103312   904 pts/3    S+   09:57   0:00 grep st2api
09:57:14 j0 root@lvcops101:~
# netstat -anp | grep 9101
tcp        0      0 0.0.0.0:9101                0.0.0.0:*                   LISTEN      18075/python

# cat /etc/sysconfig/st2api
DAEMON_ARGS="-k eventlet -b 0.0.0.0:9101 --workers 1 --threads 1 --graceful-timeout 10 --timeout 30 --pid ${PIDFILE}"

This way I don't have to update the original init.d script, which can be updated during upgrade. I am on CentOS 6.8