goss-org / goss

Quick and Easy server testing/validation
https://goss.rocks
Apache License 2.0

Unable to detect `php-fpm` service with `port` resource #847

Closed loliee closed 9 months ago

loliee commented 9 months ago

Describe the bug

I have an issue when trying to ensure that a php-fpm service is listening with the port resource.

How To Reproduce

I have the issue on a compute instance but it seems to be reproducible in a Docker container…

Start a docker container with php:8.2-fpm and take a shell in it:

```bash
docker run -d --rm -it --name goss-test php:8.2-fpm
docker exec -it goss-test bash
```

Install netcat & goss:

```bash
apt-get update
apt-get install -y netcat-openbsd
curl -L https://github.com/goss-org/goss/releases/latest/download/goss-linux-amd64 -o /usr/local/bin/goss
chmod +rx /usr/local/bin/goss  # the downloaded binary is not executable by default
```

Ensure service is listening with netcat:

```
nc -z -v 127.0.0.1 9000
Connection to 127.0.0.1 9000 port [tcp/*] succeeded!
```

I ran goss with the following spec file:

```yaml
# goss.yaml
port:
  tcp:9000:
    listening: true
```

```
goss validate
F

Failures/Skipped:

Port: tcp:9000: listening:
Expected
    false
to equal
    true

Total Duration: 0.000s
Count: 1, Failed: 1, Skipped: 0
```

Expected Behavior

Detect port as listening: true.

Actual Behavior

Running the add port command doesn't help:

```
goss add port 9000
Adding Port to './goss.yaml':

tcp:9000:
  listening: false
  ip: []
```

Environment:

loliee commented 9 months ago

ℹ️ I didn't have any issues validating many other services: sshd, postgresql, nginx, redis and other http servers…

aelsabbahy commented 9 months ago

Does tcp6:9000 work? If it does, the doc explains it a bit.

loliee commented 9 months ago

Yes, it works!

My apologies, I didn't check my server state well. Maybe this could help someone else: if no IP is defined in the php-fpm listen option, it will bind the IPv6 interface:

```ini
; /etc/php/8.2/fpm/pool.d/www.conf
listen = "9082"
listen.allowed_clients = 127.0.0.1 # This IPV4 address confused me
```

```
sudo sockstat -l
USER     PROCESS              PID      PROTO  SOURCE ADDRESS            FOREIGN ADDRESS           STATE
root     php-fpm8.2           37132    tcp6   :::9082                   :::*                      LISTEN
```

Adding the IPv4 loopback IP forces it onto tcp4:

; /etc/php/8.2/fpm/pool.d/www.conf
- listen = "9082"
+ listen = "127.0.0.1:9082"
listen.allowed_clients = 127.0.0.1 # This IPV4 address confused me
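Review bot: the trailing `# This IPV4 address confused me` on the unchanged `listen.allowed_clients` line uses a different comment marker from the `;` header line of the same file; put the annotation on its own `;` line so the value stays just `127.0.0.1`. With `+ listen = "127.0.0.1:9082"` the listener is reported as tcp4 instead of tcp6, so a goss spec written for the old binding has to change its key from `tcp6:` to `tcp:`.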
```
sudo sockstat -l
USER     PROCESS              PID      PROTO  SOURCE ADDRESS            FOREIGN ADDRESS           STATE
root     php-fpm8.2           41486    tcp4   127.0.0.1:9082            *:*                       LISTEN
```

As a goss user the confusing point for me was this note in the documentation:

Note: Goss might consider your port to be listening on tcp6 rather than tcp, try running goss add port .. to see how goss detects it. (https://github.com/goss-org/goss/issues/149)

Because goss didn't detect my service as listening on tcp6!

🎉 Also, as a goss user, I really love this proposal because it makes the most common use case really simple and allows finer tcp4/tcp6 checks as well.

Thanks for your help, @aelsabbahy! I would also like to congratulate you on this product, the alternative to testinfra and serverspec I was looking for.
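To see which goss key (`tcp:` or `tcp6:`) a listener will match before writing the spec, the following added example (not part of the thread and not goss's own code) parses the Linux kernel tables `/proc/net/tcp` and `/proc/net/tcp6`. The function names and the two sample rows are constructed for illustration, and it assumes a Linux host; how goss itself reads socket state is not shown on this page.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// listening reports whether a /proc/net/tcp or /proc/net/tcp6 table has a
// socket in LISTEN state (st == 0A) on the given local port.
func listening(table string, port int) bool {
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[3] != "0A" {
			continue // header, short line, or not LISTEN
		}
		_, hexPort, _ := strings.Cut(f[1], ":") // local_address is HEXIP:HEXPORT
		if p, err := strconv.ParseUint(hexPort, 16, 16); err == nil && int(p) == port {
			return true
		}
	}
	return false
}

// gossKeys returns the goss port keys ("tcp:N", "tcp6:N") the tables support.
func gossKeys(tcp4, tcp6 string, port int) []string {
	var keys []string
	if listening(tcp4, port) {
		keys = append(keys, fmt.Sprintf("tcp:%d", port))
	}
	if listening(tcp6, port) {
		keys = append(keys, fmt.Sprintf("tcp6:%d", port))
	}
	return keys
}

// Constructed sample rows (not captured from the reporter's host); 0x237A = 9082.
const sampleV6Wildcard = "   0: 00000000000000000000000000000000:237A 00000000000000000000000000000000:0000 0A"
const sampleV4Loopback = "   0: 0100007F:237A 00000000:0000 0A"

func main() {
	t4, _ := os.ReadFile("/proc/net/tcp") // empty on non-Linux hosts
	t6, _ := os.ReadFile("/proc/net/tcp6")
	fmt.Println("live host:", gossKeys(string(t4), string(t6), 9082))
	fmt.Println(`listen = "9082":`, gossKeys("", sampleV6Wildcard, 9082))
	fmt.Println(`listen = "127.0.0.1:9082":`, gossKeys(sampleV4Loopback, "", 9082))
}
```

On a dual-stack host with the default `net.ipv6.bindv6only=0`, a wildcard IPv6 listener also accepts IPv4 connections, which is why `nc` to 127.0.0.1 can succeed while only the `tcp6:` key matches.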