API: libcrmcommon: Deprecate remote-clear-port.

clumens · clumens · commit 4c9ee7718d36 · 2026-03-04T12:51:19.000-05:00
This CIB property is deprecated in favor of remote-tls-port which is
more secure and has been supported since at least 2014.  For now, it
will still be recognized but will log a warning.  Also mark it as
deprecated in the docs and remove references to it being something that
you can use.

Ref T961
diff --git a/daemons/based/based_remote.c b/daemons/based/based_remote.c
@@ -780,8 +780,9 @@ based_remote_init(void)
     port_s = pcmk__xe_get(the_cib, PCMK_XA_REMOTE_CLEAR_PORT);
 
     if ((pcmk__scan_port(port_s, &port) == pcmk_rc_ok) && (port > 0)) {
-        pcmk__warn("Starting clear-text listener on port %d. This is insecure; "
-                   PCMK_XA_REMOTE_TLS_PORT " is recommended instead.", port);
+        pcmk__warn("Starting clear-text listener on port %d. This is insecure "
+                   "and will be removed in a future release. Use "
+                   PCMK_XA_REMOTE_TLS_PORT " instead.", port);
         remote_fd = init_remote_listener(port);
     }
 }
diff --git a/doc/sphinx/Pacemaker_Administration/configuring.rst b/doc/sphinx/Pacemaker_Administration/configuring.rst
@@ -187,11 +187,10 @@ It is possible to run configuration commands from a machine that is not part of
 the cluster.
 
 For security reasons, this capability is disabled by default. If you wish to
-allow remote access, set the ``remote-tls-port`` (encrypted) or
-``remote-clear-port`` (unencrypted) CIB properties (attributes of the ``cib``
-element). Encrypted communication can be performed keyless (which makes it
-subject to man-in-the-middle attacks), using pre-shared keys (PSK), or TLS
-certificates.
+allow remote access, set the ``remote-tls-port`` CIB property (attributes of
+the ``cib`` element). Encrypted communication can be performed keyless (which
+makes it subject to man-in-the-middle attacks), using pre-shared keys (PSK),
+or with TLS certificates.
 
 To use PSK, you simply need to generate a key and then distribute it to the
 administrator's machine as well as any cluster nodes you wish to have access
diff --git a/doc/sphinx/Pacemaker_Explained/cluster-options.rst b/doc/sphinx/Pacemaker_Explained/cluster-options.rst
@@ -247,7 +247,7 @@ holds. So the decision was made to place them in an easy-to-find location.
      - If set to a TCP port number, the CIB manager will listen for remote
        connections on this port, to allow for CIB administration from hosts not
        in the cluster. No encryption is used, so this should be used only on a
-       protected network.
+       protected network. *(deprecated since 3.0.2)*
    * - .. _cib_last_written:
 
        .. index::
diff --git a/include/crm/common/xml_names.h b/include/crm/common/xml_names.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2004-2025 the Pacemaker project contributors
+ * Copyright 2004-2026 the Pacemaker project contributors
  *
  * The version control history for this file may have further details.
  *
@@ -376,7 +376,6 @@ extern "C" {
 #define PCMK_XA_REFERENCE                   "reference"
 #define PCMK_XA_RELOADABLE                  "reloadable"
 #define PCMK_XA_REMAIN_STOPPED              "remain_stopped"
-#define PCMK_XA_REMOTE_CLEAR_PORT           "remote-clear-port"
 #define PCMK_XA_REMOTE_NODE                 "remote_node"
 #define PCMK_XA_REMOTE_TLS_PORT             "remote-tls-port"
 #define PCMK_XA_REMOVED                     "removed"
@@ -458,6 +457,9 @@ extern "C" {
 #define PCMK_XA_YEARDAYS                    "yeardays"
 #define PCMK_XA_YEARS                       "years"
 
+//! \deprecated Deprecated since 3.0.2; use \c PCMK_XA_REMOTE_TLS_PORT instead
+#define PCMK_XA_REMOTE_CLEAR_PORT           "remote-clear-port"
+
 //! \deprecated Deprecated since 3.0.2; look for \c PCMK_XA_REMOVED instead
 #define PCMK_XA_ORPHAN                      "orphan"
 
diff --git a/lib/cib/cib_remote.c b/lib/cib/cib_remote.c
@@ -421,6 +421,10 @@ cib_tls_signon(cib_t *cib, pcmk__remote_t *connection, gboolean event_channel)
             cib_tls_close(cib);
             return -1;
         }
+    } else {
+        pcmk__warn("Connecting to remote CIB without encryption. This is "
+                   "insecure and will be removed in a future release. Use "
+                   "the " PCMK_XA_REMOTE_TLS_PORT " cluster option instead.");
     }
 
     /* Now that the handshake is done, see if any client TLS certificate is
diff --git a/xml/cib-1.2.rng b/xml/cib-1.2.rng
@@ -14,6 +14,7 @@
       <attribute name="remote-tls-port"><data type="nonNegativeInteger"/></attribute>
     </optional>
     <optional>
+      <!-- @COMPAT remote-clear-port is deprecated since 3.0.2 -->
       <attribute name="remote-clear-port"><data type="nonNegativeInteger"/></attribute>
     </optional>
     <optional>

Original file line number	Diff line number	Diff line change
`@@ -780,8 +780,9 @@ based_remote_init(void)`
`780`	`780`	`port_s = pcmk__xe_get(the_cib, PCMK_XA_REMOTE_CLEAR_PORT);`
`781`	`781`
`782`	`782`	`if ((pcmk__scan_port(port_s, &port) == pcmk_rc_ok) && (port > 0)) {`
`783`		`- pcmk__warn("Starting clear-text listener on port %d. This is insecure; "`
`784`		`- PCMK_XA_REMOTE_TLS_PORT " is recommended instead.", port);`
	`783`	`+ pcmk__warn("Starting clear-text listener on port %d. This is insecure "`
	`784`	`+ "and will be removed in a future release. Use "`
	`785`	`+ PCMK_XA_REMOTE_TLS_PORT " instead.", port);`
`785`	`786`	`remote_fd = init_remote_listener(port);`
`786`	`787`	`}`
`787`	`788`	`}`
Original file line number	Diff line number	Diff line change
`@@ -421,6 +421,10 @@ cib_tls_signon(cib_t cib, pcmk__remote_t connection, gboolean event_channel)`
`421`	`421`	`cib_tls_close(cib);`
`422`	`422`	`return -1;`
`423`	`423`	`}`
	`424`	`+ } else {`
	`425`	`+ pcmk__warn("Connecting to remote CIB without encryption. This is "`
	`426`	`+ "insecure and will be removed in a future release. Use "`
	`427`	`+ "the " PCMK_XA_REMOTE_TLS_PORT " cluster option instead.");`
`424`	`428`	`}`
`425`	`429`
`426`	`430`	`/* Now that the handshake is done, see if any client TLS certificate is`