From: Ravindranath Akila
Date: Fri, 29 Mar 2013 21:55:40 +0800
Subject: Re: Workaround for disabling iptables and SELinux?
To: ambari-user@incubator.apache.org, Paulo Ricardo Paz Vital
Reply-To: ambari-user@incubator.apache.org

Worked for the ambari-server node: 80 to ssh, 8080 since we need to access the web interface, and lo-based rules to allow local communication within the node.

Unlike the rest of the nodes in the cluster, since this node is open to www (port 22, 8080), it also needs the DoS and other rules I guess, which are missing below.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -s <IP1> -j ACCEPT
-A INPUT -s <IP2> -j ACCEPT
-A INPUT -s <IP3> -j ACCEPT
....
-A INPUT -s <IPN> -j ACCEPT

-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-P INPUT DROP
-P FORWARD DROP

COMMIT

R. A.

On Fri, Mar 29, 2013 at 9:29 PM, Ravindranath Akila <ravindranathakila@gmail.com> wrote:
> Hey Paulo,
> Thanks, your response helped me a lot. So what I did is, enabled firewall logs and checked what requests were getting rejected and dropped. Later I figured it is too much of configuration (so many ports!). So what I did was, allowed all machines on the cluster to communicate with each other without interference and reject all outside traffic. The following rules in /etc/sysconfig/iptables worked:
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> -A INPUT -s <IP1> -j ACCEPT
> -A INPUT -s <IP2> -j ACCEPT
> -A INPUT -s <IP3> -j ACCEPT
> ....
> -A INPUT -s <IPN> -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -P INPUT DROP
> -P FORWARD DROP
>
> COMMIT
>
> where <IP1> <IP2> <IP3> <IPN> are the IPs of the machines in the cluster.
>
> However, the node which contains ambari-server, and nothing else, does not like this. So part of the security concerns is taken care of, as all the rest of the cluster nodes are open only to each other. But how I go about with the ambari-server node, I need to figure out. Any idea why this might be the case? DB port needs to be open maybe?
>
> On Wed, Mar 27, 2013 at 6:55 PM, Paulo Ricardo Paz Vital <pvital@linux.vnet.ibm.com> wrote:
>> Hello Ravindranath,
>>
>> About what I could understand of Ambari's design, iptables can block some ports used between server and a client (agent nodes) during the client's registration step, as well as the heartbeat communication during the execution of cluster. Also, there is the port of the web UI provided by ambari-web on server, and there are some ports (I never remember the numbers) that Nagios uses to provide some components' web UI on clients.
>>
>> I guess you can create iptables rules for all these ports on both server and client sides. Maybe the ambari-server and ambari-agent can check the iptables rules and create them if not running. I was talking with a friend yesterday regarding this "missing feature" - my intention is not to create a flame here guys :-D !!!
>>
>> Now, regarding the SELinux I don't know the restriction it imposes on Ambari, so I can't help you on this - I must study this part :-D.
>>
>> I hope this helps you!
>> Regards, Paulo.
>>
>> On 03/27/2013 12:18 AM, Ravindranath Akila wrote:
>>> Actually, how does iptables and SELinux interfere with Ambari? If I know that, maybe I can look for a workaround. Thanks in advance.
>>>
>>> Yours,
>>>   Ravindranath Akila...
>>>
>>> On Wed, Mar 27, 2013 at 1:53 AM, Ravindranath Akila <ravindranathakila@gmail.com> wrote:
>>>
>>>     I am tempted to do that or go for a physical firewall on Rackspace for 25k per month :-)
>>>     My exposure to shell scripting is bad :-( Where can I grab the code?
>>>
>>>     Thanks!
>>>
>>>     R. A.
>>>
>>>     On 26 Mar 2013 01:44, "Mahadev Konar" <mahadev@hortonworks.com> wrote:
>>>
>>>         Hi Ravindra,
>>>           Currently there isn't but it should be a minor change to the scripts. Do you want to file a jira and maybe upload a patch? :)
>>>         We could switch it off with a flag option.
>>>
>>>         thanks
>>>         mahadev
>>>
>>>         On Mon, Mar 25, 2013 at 6:18 AM, Ravindranath Akila <ravindranathakila@gmail.com> wrote:
>>>
>>>             Hello,
>>>               Is there a workaround for disabling iptables and SELinux?
>>>             I'm exploring the options of securing the cluster in the cloud without a physical firewall. Any suggestions would be great!
>>>
>>>             Thanks in advance :-)
>>>
>>>             Yours,
>>>               Ravindranath Akila...
>>
>> --
>> Paulo Ricardo Paz Vital, Staff Software Engineer
>> Linux Technology Center, IBM Systems & Technology Group
>> -------------------------------------------------------
>> IBM
>> Rodovia SP101, km9 - ZIP: 13186-900
>> Hortolândia, SP - Brazil
>> Phone: +55-19-2132-2336
>> e-mail: pvital@linux.vnet.ibm.com
>> http://www.ibm.com/linux/ltc

--
Find out on I Like Places
http://www.ILikePlaces.com
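As an added example that is not part of this thread, the following POSIX sh script generates the two kinds of ruleset the messages above describe: a plain cluster node that accepts traffic only from its peers, and the ambari-server node that additionally exposes 22 and 8080. The addresses in CLUSTER_IPS are constructed; the rate-limited ssh rule is one simple instance of the "DoS and other rules" the poster says are still missing; the loopback rule (absent from the first ruleset, added in the later one) and the ordering of ESTABLISHED,RELATED before the per-host rules are design choices of this example, not something the thread specifies. The default policies are set in the chain headers instead of trailing -P lines so they apply the moment iptables-restore loads the table.

```shell
#!/bin/sh
# Added example: build an /etc/sysconfig/iptables ruleset for one of two roles.
# Not the project's or the poster's code.  Assumptions: cluster peers are
# listed in CLUSTER_IPS (constructed sample addresses below); only the
# "server" role is reachable from outside, on ssh (22) and the web UI (8080).

CLUSTER_IPS="10.0.0.11 10.0.0.12 10.0.0.13"   # constructed, replace with real peers

# gen_rules ROLE   -> prints an iptables-restore ruleset on stdout.
# ROLE is "node" (an agent host) or "server" (the ambari-server host).
gen_rules() {
    role=$1
    echo '*filter'
    # Default-deny inbound and forwarded traffic from the chain header itself,
    # so the policy is in effect as soon as the table is loaded.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback first: services on the same host (for example a local database
    # behind ambari-server) talk over lo and would otherwise be dropped.
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, and related traffic (ICMP errors).
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Every cluster member may reach this host on any port, as in the thread.
    for ip in $CLUSTER_IPS; do
        echo "-A INPUT -s $ip -j ACCEPT"
    done
    if [ "$role" = server ]; then
        # New ssh connections are rate limited: a burst of 20, then 10 per minute.
        echo '-A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT'
        # Ambari web UI.
        echo '-A INPUT -p tcp --dport 8080 -j ACCEPT'
    fi
    # Log what falls through to the DROP policy, rate limited so the log cannot
    # be flooded; this is how the poster found which ports were being rejected.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# count_accepts ROLE -> number of ACCEPT rules in the generated set (sanity check).
count_accepts() {
    gen_rules "$1" | grep -c -- '-j ACCEPT'
}

# Usage: sh gen_rules.sh server > /etc/sysconfig/iptables
# Check the syntax first without touching the live firewall:
#   sh gen_rules.sh server | iptables-restore --test
if [ "${1:-}" = node ] || [ "${1:-}" = server ]; then
    gen_rules "$1"
fi
```

The per-source ACCEPT rules trust nothing but the source address, which is adequate on a private cluster network but not a substitute for authentication when the peers carry public addresses; keep the service-level controls (ssh keys, Ambari's own login) in place behind them.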