Nice work Ravindra. Yes, DB ports need to be open as well.
thanks
mahadev

On Fri, Mar 29, 2013 at 6:29 AM, Ravindranath Akila <[email protected]> wrote:
> Hey Paulo,
> Thanks, your response helped me a lot. So what I did is, enabled firewall
> logs and checked what requests were getting rejected and dropped. Later I
> figured it is too much configuration (so many ports!). So what I did was,
> allowed all machines on the cluster to communicate with each other without
> interference and reject all outside traffic. The following rules in
> /etc/sysconfig/iptables worked:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> -A INPUT -s <IP1> -j ACCEPT
> -A INPUT -s <IP2> -j ACCEPT
> -A INPUT -s <IP3> -j ACCEPT
> ....
> -A INPUT -s <IPN> -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -P INPUT DROP
> -P FORWARD DROP
>
> COMMIT
>
> where <IP1> <IP2> <IP3> <IPN> are the IPs of the machines in the cluster.
>
> However, the node which contains ambari-server, and nothing else, does not
> like this. So part of the security concerns is taken care of, as all the
> rest of the cluster nodes are open only to each other. But how I go about
> with the ambari-server node, I need to figure out. Any idea why this might
> be the case? DB port needs to be open maybe?
>
> On Wed, Mar 27, 2013 at 6:55 PM, Paulo Ricardo Paz Vital <[email protected]> wrote:
>> Hello Ravindranath,
>>
>> About what I could understand of Ambari's design, iptables can block some
>> ports used between server and client (agent nodes) during the client's
>> registration step, as well as the heartbeat communication during the
>> execution of the cluster. Also, there is the port of the web UI provided by
>> ambari-web on the server, and there are some ports (I never remember the
>> numbers) that Nagios uses to provide some components' web UI on clients.
>>
>> I guess you can create iptables rules for all these ports on both server
>> and client sides. Maybe the ambari-server and ambari-agent can check the
>> iptables rules and create them if not running. I was talking with a friend
>> yesterday regarding this "missing feature" - my intention is not to create a
>> flame here guys :-D !!!
>>
>> Now, regarding SELinux, I don't know the restrictions it imposes on
>> Ambari, so I can't help you on this - I must study this part :-D.
>>
>> I hope this helps you!
>> Regards, Paulo.
>>
>> On 03/27/2013 12:18 AM, Ravindranath Akila wrote:
>>> Actually, how do iptables and SELinux interfere with Ambari? If I know
>>> that, maybe I can look for a workaround. Thanks in advance.
>>>
>>> Yours,
>>> Ravindranath Akila...
>>>
>>> On Wed, Mar 27, 2013 at 1:53 AM, Ravindranath Akila <[email protected]> wrote:
>>>
>>>     I am tempted to do that or go for a physical firewall on Rackspace
>>>     for 25k per month :-)
>>>     My exposure to shell scripting is bad :-( Where can I grab the code?
>>>
>>>     Thanks!
>>>
>>>     R. A.
>>>
>>>     On 26 Mar 2013 01:44, "Mahadev Konar" <[email protected]> wrote:
>>>
>>>         Hi Ravindra,
>>>         Currently there isn't, but it should be a minor change to the
>>>         scripts. Do you want to file a jira and maybe upload a patch? :)
>>>         We could switch it off with a flag option.
>>>
>>>         thanks
>>>         mahadev
>>>
>>>         On Mon, Mar 25, 2013 at 6:18 AM, Ravindranath Akila <[email protected]> wrote:
>>>
>>>             Hello,
>>>             Is there a workaround for disabling iptables and SELinux?
>>>             I'm exploring the options of securing the cluster in the
>>>             cloud without a physical firewall. Any suggestions would be
>>>             great!
>>>
>>>             Thanks in advance :-)
>>>
>>>             Yours,
>>>             Ravindranath Akila...
>>>
>>>             --
>>>             <http://www.ILikePlaces.com>
>>>             *Find out on I Like Places* <http://www.ILikePlaces.com>
>>>             *http://www.ILikePlaces.com*
>>
>> --
>> Paulo Ricardo Paz Vital, Staff Software Engineer
>> Linux Technology Center, IBM Systems & Technology Group
>> -------------------------------------------------------
>> IBM
>> Rodovia SP101, km9 - ZIP: 13186-900
>> Hortolândia, SP - Brazil
>> Phone: +55-19-2132-2336
>> e-mail: [email protected]
>> http://www.ibm.com/linux/ltc
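Added example, not code from anyone in the thread: the cluster-only allowlist above written as a generator for the iptables-restore file, plus a check for one rule the posted set does not carry, because a DROP policy on INPUT also drops packets arriving on the loopback interface, and a daemon that reaches its database over 127.0.0.1 (ambari-server with its default local PostgreSQL is such a case) then loses that connection. The addresses are hypothetical, and the check accepts either way of setting the policy (a `:INPUT DROP` header or a `-P INPUT DROP` line).

```shell
# Hypothetical cluster addresses; substitute the real ones.
CLUSTER_IPS="10.0.0.11 10.0.0.12 10.0.0.13"

# Emit a ruleset in the format iptables-restore reads from /etc/sysconfig/iptables.
# Argument: whitespace-separated list of cluster host IPs.
gen_cluster_rules() {
    printf '%s\n' '*filter'
    # Default-deny for INPUT and FORWARD, expressed in the chain headers.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback first: local connections to 127.0.0.1 traverse INPUT too, so a
    # daemon talking to a database on the same host is cut off without this.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host initiated.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Cluster peers may reach every port; anything else falls to the DROP policy.
    for ip in $1; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check: a ruleset whose INPUT chain defaults to DROP must allow loopback.
# Argument: the ruleset text. Returns 0 if it passes, 1 if 127.0.0.1 traffic
# would be dropped.
check_loopback() {
    if ! printf '%s\n' "$1" | grep -qE '^(:INPUT DROP|-P INPUT DROP)'; then
        return 0  # INPUT is not default-deny; nothing to check
    fi
    if printf '%s\n' "$1" | grep -q -e '-A INPUT -i lo -j ACCEPT'; then
        return 0
    fi
    return 1
}

# Usage: generate, verify, and only then print the ruleset for installation.
RULES="$(gen_cluster_rules "$CLUSTER_IPS")"
check_loopback "$RULES" && printf '%s\n' "$RULES"
```

Write the verified output to /etc/sysconfig/iptables and load it with iptables-restore, or test it first with iptables-restore --test where that option is available.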
