There's more to do (just in case someone concludes the configs are final). I'm working on multicast packets right now. I'll let you guys know if I manage to get everything working.
I'm curious though, how do you guys handle the security concerns on the cloud? Thanks!

On Mon, Apr 1, 2013 at 5:13 AM, Mahadev Konar <[email protected]> wrote:

> Nice work Ravindra.
> Yes, DB ports need to be open as well.
>
> thanks
> mahadev
>
> On Fri, Mar 29, 2013 at 6:29 AM, Ravindranath Akila <[email protected]> wrote:
>
>> Hey Paulo,
>> Thanks, your response helped me a lot. So what I did is, enabled
>> firewall logs and checked what requests were getting rejected and dropped.
>> Later I figured it is too much configuration (so many ports!). So what I
>> did was, allowed all machines on the cluster to communicate with each other
>> without interference and reject all outside traffic. The following rules in
>> /etc/sysconfig/iptables worked:
>>
>> *filter
>> :INPUT ACCEPT [0:0]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>>
>> -A INPUT -s <IP1> -j ACCEPT
>> -A INPUT -s <IP2> -j ACCEPT
>> -A INPUT -s <IP3> -j ACCEPT
>> ....
>> -A INPUT -s <IPN> -j ACCEPT
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -P INPUT DROP
>> -P FORWARD DROP
>>
>> COMMIT
>>
>> where <IP1> <IP2> <IP3> <IPN> are the IPs of the machines in the cluster.
>>
>> However, the node which contains ambari-server, and nothing else, does
>> not like this. So part of the security concerns is taken care of, as all
>> the rest of the cluster nodes are open only to each other. But how I go
>> about with the ambari-server node, I need to figure out. Any idea why this
>> might be the case? DB port needs to be open maybe?
>>
>> On Wed, Mar 27, 2013 at 6:55 PM, Paulo Ricardo Paz Vital <[email protected]> wrote:
>>
>>> Hello Ravindranath,
>>>
>>> From what I could understand of Ambari's design, iptables can block
>>> some ports used between server and a client (agent nodes) during the
>>> client's registration step, as well as the heartbeat communication during the
>>> execution of the cluster. Also, there is the port of the web UI provided by
>>> ambari-web on the server, and there are some ports (I never remember the
>>> numbers) that Nagios uses to provide some components' web UI on clients.
>>>
>>> I guess you can create iptables rules for all these ports on both server
>>> and client sides. Maybe the ambari-server and ambari-agent can check the
>>> iptables rules and create them if not running. I was talking with a friend
>>> yesterday regarding this "missing feature" - my intention is not to create a
>>> flame here guys :-D !!!
>>>
>>> Now, regarding SELinux, I don't know the restrictions it imposes on
>>> Ambari, so I can't help you on this - I must study this part :-D.
>>>
>>> I hope this helps you!
>>> Regards, Paulo.
>>>
>>> On 03/27/2013 12:18 AM, Ravindranath Akila wrote:
>>>
>>>> Actually, how do iptables and SELinux interfere with Ambari? If I know
>>>> that, maybe I can look for a workaround. Thanks in advance.
>>>>
>>>> Yours,
>>>> Ravindranath Akila...
>>>>
>>>> On Wed, Mar 27, 2013 at 1:53 AM, Ravindranath Akila <[email protected]> wrote:
>>>>
>>>> I am tempted to do that or go for a physical firewall on Rackspace
>>>> for 25k per month :-)
>>>> My exposure to shell scripting is bad :-( Where can I grab the code?
>>>>
>>>> Thanks!
>>>>
>>>> R. A.
>>>>
>>>> On 26 Mar 2013 01:44, "Mahadev Konar" <[email protected]> wrote:
>>>>
>>>> Hi Ravindra,
>>>> Currently there isn't, but it should be a minor change to the
>>>> scripts. Do you want to file a jira and maybe upload a patch? :)
>>>> We could switch it off with a flag option.
>>>>
>>>> thanks
>>>> mahadev
>>>>
>>>> On Mon, Mar 25, 2013 at 6:18 AM, Ravindranath Akila <[email protected]> wrote:
>>>>
>>>> Hello,
>>>> Is there a workaround for disabling iptables and SELinux?
>>>> I'm exploring the options of securing the cluster in the
>>>> cloud without a physical firewall. Any suggestions would be
>>>> great!
>>>>
>>>> Thanks in advance :-)
>>>>
>>>> Yours,
>>>> Ravindranath Akila...
>>>>
>>>> --
>>>> <http://www.ILikePlaces.com>
>>>> *Find out on I Like Places* <http://www.ILikePlaces.com>
>>>> *http://www.ILikePlaces.com*
>>>>
>>>> --
>>>> <http://www.ILikePlaces.com>
>>>> *Find out on I Like Places* <http://www.ILikePlaces.com>
>>>> *http://www.ILikePlaces.com*
>>>
>>> --
>>> Paulo Ricardo Paz Vital, Staff Software Engineer
>>> Linux Technology Center, IBM Systems & Technology Group
>>> -------------------------------------------------------
>>> IBM
>>> Rodovia SP101, km9 - ZIP: 13186-900
>>> Hortolândia, SP - Brazil
>>> Phone: +55-19-2132-2336
>>> e-mail: [email protected]
>>> http://www.ibm.com/linux/ltc
>>
>> --
>> <http://www.ILikePlaces.com>
>> *Find out on I Like Places* <http://www.ILikePlaces.com>
>> *http://www.ILikePlaces.com* <http://www.ILikePlaces.com>

--
<http://www.ILikePlaces.com>
*Find out on I Like Places* <http://www.ILikePlaces.com>
*http://www.ILikePlaces.com* <http://www.ILikePlaces.com>
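The allow-list approach Ravindranath posted above (accept every cluster node by source address, accept ESTABLISHED,RELATED, drop everything else) is easy to generate rather than maintain by hand once the node list changes. The script below is an added example and is not code from the thread or from the Ambari project. It writes the same ruleset in iptables-save syntax, with two things the posted rules lack: a loopback ACCEPT rule (a DROP policy with no `-i lo` rule also drops a node's own traffic to 127.0.0.1, which is not a match for any `-s <node IP>` rule), and an optional rule admitting one administrator network to one TCP port, which is the shape of rule the thread says is still needed for the web UI and DB ports. The IP addresses, the admin CIDR and the port number are constructed sample values, not Ambari's real ports. It also includes a small check to run over an existing ruleset file before loading it, so a missing loopback or ESTABLISHED rule is caught before the cluster is locked out.

```shell
#!/bin/sh
# Added example: generate and sanity-check a cluster allow-list ruleset in
# iptables-save format. Not part of the thread or of Ambari.

# gen_cluster_rules NODES [ADMIN_CIDR UI_PORT]
#   NODES       space-separated list of cluster node IPs
#   ADMIN_CIDR  network allowed to reach UI_PORT (optional, assumed input)
#   UI_PORT     TCP port of a management UI (optional, assumed input)
# Prints the ruleset on stdout; load it with: iptables-restore < file
gen_cluster_rules() {
    nodes=$1
    admin_cidr=$2
    ui_port=$3

    # Policies are written in the chain headers, which is the form
    # iptables-save itself emits; INPUT and FORWARD default to DROP.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    # Loopback first: services talking to themselves over 127.0.0.1 must not
    # be caught by the DROP policy (no -s <node IP> rule matches loopback).
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'

    # Replies to connections this node opened.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

    # One ACCEPT per cluster node, same as the hand-written rules.
    for ip in $nodes; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
    done

    # Narrow administrative access: one source network, one TCP port.
    if [ -n "$admin_cidr" ] && [ -n "$ui_port" ]; then
        printf '%s\n' "-A INPUT -s $admin_cidr -p tcp --dport $ui_port -j ACCEPT"
    fi

    printf '%s\n' 'COMMIT'
}

# check_ruleset < file
# Reads an iptables-save style ruleset from stdin and returns 0 only when
# the INPUT policy is DROP (either header or -P form), a loopback ACCEPT
# rule exists, and an ESTABLISHED,RELATED rule exists. Each missing item
# is reported on stdout.
check_ruleset() {
    rules=$(cat)
    status=0
    printf '%s\n' "$rules" | grep -q -e '^:INPUT DROP' -e '^-P INPUT DROP' \
        || { echo "INPUT policy is not DROP"; status=1; }
    printf '%s\n' "$rules" | grep -q -e '-A INPUT -i lo -j ACCEPT' \
        || { echo "no loopback ACCEPT rule"; status=1; }
    printf '%s\n' "$rules" | grep -q -e 'ESTABLISHED,RELATED' \
        || { echo "no ESTABLISHED,RELATED rule"; status=1; }
    return $status
}

# Usage with constructed sample values (RFC 5737 documentation addresses):
#   gen_cluster_rules "10.0.0.11 10.0.0.12 10.0.0.13" 203.0.113.0/24 8080 > /tmp/rules
#   check_ruleset < /tmp/rules && iptables-restore < /tmp/rules
```

The generated file is applied with iptables-restore, the same mechanism that loads /etc/sysconfig/iptables at boot on the systems discussed in the thread. Keep the cluster node list in one place and regenerate the file when a node is added, rather than editing ACCEPT lines by hand on every host.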
