[SOLVED] pveproxy only listens to v6 loopback address

[Beventi]

Proxmox web-ui stopped listening to v4 addresses at some point, and are currently only listening to v6 loopback:

root@pve1:~# netstat -ln|grep 8006
tcp6       0      0 :::8006                 :::*                    LISTEN   
root@pve1:~# sysctl -a|grep bind
sysctl: reading key "kernel.spl.hostid"
net.ipv4.ip_autobind_reuse = 0
net.ipv4.ip_nonlocal_bind = 0
net.ipv6.bindv6only = 0
net.ipv6.ip_nonlocal_bind = 0
root@pve1:~# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
10.0.1.21 pve1.domain.tld pve1

# The following lines are desirable for IPv6 capable hosts

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

From reading this thread https://forum.proxmox.com/threads/port-8006-doesnt-answer-anymore-after-upgrade.88406/ I've gathered that it's probably down to the details in my hosts file, but I can't figure out what would cause it.

When I start pveproxy in debug mode, it seems to be receiving traffic on v4 nonetheless, but are failing to forward (?):

root@pve1:~# pveproxy start -debug
worker[5421]: PVE::APIServer::AnyEvent +1691: (eval): ACCEPT FH10 CONN1
worker[5421]: PVE::APIServer::AnyEvent +1741: client_do_disconnect: close connection AnyEvent::Handle=HASH(0x56389b420418)
worker[5421]: PVE::APIServer::AnyEvent +1741: client_do_disconnect: CLOSE FH10 CONN0

Ideas?

 

[Stoiko Ivanov]

netstat -ln|grep 8006

What's the output of `ss -tlnp |grep 8006` (netstat is a bit dated and displays the information a bit differently)

Do requests on IPv4 work?

see: https://pve.proxmox.com/pve-docs/pveproxy.8.html (the part about LISTENING IP)

there was a change (introduced orignally with PVE 6.4) - the listening socket now usually binds to :: (but has ipv4 mapped ipv6 support enabled) - this normally works in most situations.
https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_6.4

I hope this helps!

 

[Beventi]

Thank you so much! Should probably have found it out from the documentation, but didn't..

Putting
LISTEN_IP="0.0.0.0"
into /etc/default/pveproxy solved it after restarting the service.

Sorry for the late follow up, been away from the system over the last few weeks - it's stable at least

 

[Stoiko Ivanov]

Glad that worked for your use-case

Please mark the thread as 'SOLVED' - this helps others who run into similar issues.
Thanks!

 

[gabriel-joy]

for beginners: chown www-data:www-data /etc/default/pveproxy

 

[Stoiko Ivanov]

for beginners: chown www-data:www-data /etc/default/pveproxy

no - this should not be needed in general - www-data needs to read the file - but not write it.
as long as the mode is 0644 the file can (and should) belong to root

I hope this helps!

 

[gabriel-joy]

Thank you, owner restored and permissions updated.
Why root?

 

[Stoiko Ivanov]

Why root?

that way only the root-user can edit it - if a local-user (www-data) gets compromised on your system, that does not mean that the root-user got compromised (if the root user gets compromised the whole system is compromised)

I try to keep files root-editable only if sensibly possible