awx icon indicating copy to clipboard operation
awx copied to clipboard
verified publisher icon ansible

Wrong nginx upstream configuration on IPv4-only daemons

Open a-haurylau opened this issue 1 year ago • 1 comments

Please confirm the following

  • [X] I agree to follow this project's code of conduct.
  • [X] I have checked the current issues for duplicates.
  • [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.
  • [X] I am NOT reporting a (potential) security vulnerability. (These should be emailed to [email protected] instead.)

Bug Summary

In default configuration we have following nginx.conf in tools/docker-compose/_sources/nginx.conf:

    upstream uwsgi {
        server localhost:8050;
    }

    upstream runserver {
        server localhost:8052;
    }

    upstream daphne {
        server localhost:8051;
    }

inside container following /etc/hosts is used:

bash-5.1# cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.28.0.5      awx_1

So localhost is resolved on IPv4/IPv6 dual stack. But daphne and uwsgi endpoint listening only on IPv4:

 nsenter -t 257902 -n netstat -nlep
tcp        0      0 127.0.0.1:8051          0.0.0.0:*               LISTEN      0          3429118    258362/python3.9
tcp        0      0 127.0.0.1:8050          0.0.0.0:*               LISTEN      0          3432861    258395/uwsgi

So all connection to them fails with following in /var/log/nginx/error.log inside tools_awx_1:

2024/03/22 10:58:46 [error] 405#405: *9070 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.5.194, server: _, request: "GET /websocket/ HTTP/1.1", upstream: "http://[::1]:8051/websocket/", host: "****"
2024/03/22 10:58:44 [error] 405#405: *9067 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.5.194, server: _, request: "GET /api/v2/dashboard/graphs/jobs/?job_type=all&period=month HTTP/1.1", upstream: "uwsgi://[::1]:8050", host: "***", referrer: "https://***/"

After replacing localhost with 127.0.0.1 no error in nginx.

AWX version

24.0.0

Select the relevant components

  • [ ] UI
  • [ ] UI (tech preview)
  • [X] API
  • [ ] Docs
  • [ ] Collection
  • [ ] CLI
  • [ ] Other

Installation method

docker development environment

Modifications

no

Ansible version

No response

Operating system

Ubuntu 22.04.4

Web browser

No response

Steps to reproduce

Just perform clean install and look through container nginx error.log file

Expected results

No errors

Actual results

Tons of errors

Additional information

No response

a-haurylau avatar Mar 22 '24 11:03 a-haurylau

Disabling ipv6 for the docker network would be a quick fix, if we don't have an ipv6 requirement.

Something along the lines of

docker network create --ipv6=false disable_ipv6 docker run --network disable_ipv6 docker build --network disable_ipv6

dmzoneill avatar Mar 29 '24 14:03 dmzoneill