What are the core Foreman services and ports that should be monitored?

Hi guys,
I am looking for Foreman’s core services which I need to monitor, and after googling I found that the ports are 443 | 80 | 8140, but when I run netstat -tunlp I can see the output below,
where all ports are listening on IPv6 (tcp6), but I can open the Foreman page over IPv4. So how is Foreman working, and which ports should I monitor over IPv4, along with the service names?
Except the service names: foreman | foreman-proxy | httpd

Can someone please help me get the correct details, if I am missing something?

Output of the running foreman Server:

[root@foreman ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1431/redis-server 1
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1421/sshd
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1776/master
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      3308/ruby
tcp6       0      0 :::8140                 :::*                    LISTEN      2034/java
tcp6       0      0 :::80                   :::*                    LISTEN      3339/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      1421/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1776/master
tcp6       0      0 :::443                  :::*                    LISTEN      3339/httpd
tcp6       0      0 :::8443                 :::*                    LISTEN      3308/ruby
udp        0      0 127.0.0.1:323           0.0.0.0:*                           800/chronyd
udp6       0      0 ::1:323                 :::*                                800/chronyd
[root@foreman ~]#

For status, check the foreman-maintain command with the subcommands health and service.

# foreman-maintain health list
# foreman-maintain health check
# foreman-maintain service 
# foreman-maintain service status

Unless the application specifically handles IPv4 and IPv6 separately or specifically uses an IPv4 address for listen, an application listening on IPv6 to :: (unspecified address) by default is listening for IPv4 and IPv6 connections on any available IPv4 and IPv6 of the bound interface.

Thus httpd listening on :::80 and :::443 means it accepts any IPv4 and IPv6 connection. This should be the default for applications using the dual IP stack of the operating system.

sshd uses a specific IPv4 listen on 0.0.0.0:22 and is also listening on a separate socket to IPv6 :::22 (thus there probably accepting IPv4 as well). Why they do that separately and don’t let the OS handle that I can’t tell. Maybe historically, they have “added” IPv6 support and for that they used separate code which still persists until now and hasn’t been merged into handling that together like Apache httpd.

Either way: a listen on IPv6 :: means it’s listening on IPv4 and IPv6 addresses at the same time.

However, bear in mind that IPv4 and IPv6 still use separate iptables/ip6tables. If you use iptables directly you would have to open ports for IPv4 and IPv6 to get incoming connections through. firewalld would usually handle both transparently.

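Added example (not part of any post in this thread, and not Foreman code): a Python classifier that applies the dual-stack rule from the answer above to `netstat -tunlp` listener rows, to decide which ports a monitor can probe over IPv4. The function name `ipv4_reach`, its labels and the `bindv6only` parameter are assumptions of this sketch; the sample rows are copied from the output posted above.

```python
import re

# Sample input: listener rows copied from the netstat output in this thread.
SAMPLE = """\
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      3308/ruby
tcp6       0      0 :::8140                 :::*                    LISTEN      2034/java
tcp6       0      0 :::443                  :::*                    LISTEN      3339/httpd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1776/master
tcp6       0      0 :::8443                 :::*                    LISTEN      3308/ruby
"""

LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")

def ipv4_reach(netstat_text, bindv6only=False):
    """Map each listening TCP port to (IPv4 reachability, program).

    bindv6only mirrors the net.ipv6.bindv6only sysctl (Linux default 0). A program
    can still set IPV6_V6ONLY on its own socket, which netstat does not display,
    so a "::" listener is labelled "assumed" and should be confirmed by a probe.
    """
    rank = {"none": 0, "loopback": 1, "assumed": 2, "remote": 3}
    ports = {}
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, UDP and non-LISTEN rows
        proto, addr, port, _pid, prog = m.groups()
        if proto == "tcp":
            # Explicit IPv4 socket: 127.x is local only, anything else is on the network.
            reach = "loopback" if addr.startswith("127.") else "remote"
        elif addr == "::" and not bindv6only:
            # IPv6 wildcard socket: also takes IPv4 unless the socket is v6-only.
            reach = "assumed"
        else:
            reach = "none"  # ::1, a specific IPv6 address, or a v6-only wildcard
        port = int(port)
        # A port with both a tcp and a tcp6 row keeps the stronger IPv4 evidence.
        if port not in ports or rank[reach] > rank[ports[port][0]]:
            ports[port] = (reach, prog)
    return ports
```

On the rows above this marks 443 and 8140 as `assumed`, 8443 as `remote`, 3000 as `loopback` and 25 as `none`. Firewall rules are not visible to netstat and have to be checked separately.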

Thanks gvde, let me check this out.

You can also monitor https://foreman.example.com/status which checks the basics. There is also https://foreman.example.com/api/ping which also checks backend systems.

I’d also urge you to take a look at the manual:

https://theforeman.org/manuals/2.3/index.html#3.1.5FirewallConfiguration