incubator-ambari-user mailing list archives

From Ravindranath Akila <ravindranathak...@gmail.com>
Subject Re: Workaround for disabling iptables and SELinux?
Date Mon, 08 Apr 2013 08:50:14 GMT
There's more to do (just in case someone concludes the configs are final).
I'm working on multicast packets right now. I'll let you guys know if I
manage to get everything working.

I'm curious though, how do you guys handle the security concerns on the
cloud?

Thanks!


On Mon, Apr 1, 2013 at 5:13 AM, Mahadev Konar <mahadev@hortonworks.com> wrote:

> Nice work Ravindra.
> Yes, DB ports need to be open as well.
>
>
> thanks
> mahadev
>
>
> On Fri, Mar 29, 2013 at 6:29 AM, Ravindranath Akila <
> ravindranathakila@gmail.com> wrote:
>
>> Hey Paulo,
>>   Thanks, your response helped me a lot. So what I did is, enabled
>> firewall logs and checked what requests were getting rejected and dropped.
>> Later I figured it is too much configuration (so many ports!). So what I
>> did was, allowed all machines on the cluster to communicate with each other
>> without interference and reject all outside traffic. The following rules in
>> /etc/sysconfig/iptables worked:
>>
>>
>> *filter
>> # chain policies belong in the chain lines of an iptables-restore file
>> :INPUT DROP [0:0]
>> :FORWARD DROP [0:0]
>> :OUTPUT ACCEPT [0:0]
>>
>> # loopback first: local services (e.g. the server's own DB) use 127.0.0.1,
>> # which a DROP policy would otherwise silently discard
>> -A INPUT -i lo -j ACCEPT
>> # replies to connections this host opened
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> # every cluster node may reach every port on this node
>> -A INPUT -s <IP1> -j ACCEPT
>> -A INPUT -s <IP2> -j ACCEPT
>> -A INPUT -s <IP3> -j ACCEPT
>> ....
>> -A INPUT -s <IPN> -j ACCEPT
>>
>> COMMIT
>>
>> where <IP1> <IP2> <IP3> <IPN> are the IPs of the machines
>> in the cluster.
>>
>> However, the node which contains ambari-server, and nothing else, does
>> not like this. So part of the security concerns is taken care of, as all
>> the rest of the cluster nodes are open only to each other. But how I go
>> about with the ambari-server node, I need to figure out. Any idea why this
>> might be the case? DB port needs to be open maybe?
>>
>>
>>
>>
>> On Wed, Mar 27, 2013 at 6:55 PM, Paulo Ricardo Paz Vital <
>> pvital@linux.vnet.ibm.com> wrote:
>>
>>> Hello Ravindranath,
>>>
>>> From what I could understand of Ambari's design, iptables can block
>>> some ports used between server and a client (agent nodes) during the
>>> client's registration step, as well as the heartbeat communication during the
>>> execution of the cluster. Also, there is the port of the web UI provided by
>>> ambari-web on the server, and there are some ports (I never remember the
>>> numbers) that Nagios uses to provide some components' web UI on clients.
>>>
>>> I guess you can create iptables rules for all these ports on both server
>>> and client sides. Maybe the ambari-server and ambari-agent can check the
>>> iptables rules and create them if not present. I was talking with a friend
>>> yesterday regarding this "missing feature" - my intention is not to create a
>>> flame here guys :-D !!!
>>>
>>> Now, regarding the SELinux I don't know the restriction it imposes on
>>> Ambari, so I can't help you on this - I must study this part :-D.
>>>
>>> I hope this helps you!
>>> Regards, Paulo.
>>>
>>>
>>> On 03/27/2013 12:18 AM, Ravindranath Akila wrote:
>>>
>>>> Actually, how does iptables and SELinux interfere with Ambari? If I know
>>>> that, maybe I can look for a workaround. Thanks in advance.
>>>>
>>>> Yours,
>>>>    Ravindranath Akila...
>>>>
>>>> On Wed, Mar 27, 2013 at 1:53 AM, Ravindranath Akila
>>>> <ravindranathakila@gmail.com <mailto:ravindranathakila@gmail.com>>
>>>> wrote:
>>>>
>>>>     I am tempted to do that or go for a physical firewall on Rackspace
>>>>     for 25k per month :-)
>>>>     My exposure to shell scripting is bad :-( Where can I grab the code?
>>>>
>>>>     Thanks!
>>>>
>>>>     R. A.
>>>>
>>>>     On 26 Mar 2013 01:44, "Mahadev Konar" <mahadev@hortonworks.com
>>>>     <mailto:mahadev@hortonworks.com>>
>>>> wrote:
>>>>
>>>>         Hi Ravindra,
>>>>           Currently there isn't, but it should be a minor change to the
>>>>         scripts. Do you want to file a jira and maybe upload a patch? :)
>>>>         We could switch it off with a flag option.
>>>>
>>>>         thanks
>>>>         mahadev
>>>>
>>>>         On Mon, Mar 25, 2013 at 6:18 AM, Ravindranath Akila
>>>>         <ravindranathakila@gmail.com
>>>>         <mailto:ravindranathakila@gmail.com>>
>>>> wrote:
>>>>
>>>>             Hello,
>>>>                Is there a workaround for disabling iptables and SELinux?
>>>>             I'm exploring the options of securing the cluster in the
>>>>             cloud without a physical firewall. Any suggestions would be
>>>>             great!
>>>>
>>>>             Thanks in advance :-)
>>>>
>>>>             Yours,
>>>>                Ravindranath Akila...
>>>>
>>>>             --
>>>>             <http://www.ILikePlaces.com>
>>>>             *Find out on I Like Places* <http://www.ILikePlaces.com>
>>>>             *http://www.ILikePlaces.com*
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Paulo Ricardo Paz Vital, Staff Software Engineer
>>> Linux Technology Center, IBM Systems & Technology Group
>>> --------------------------------------------------------
>>> IBM
>>> Rodovia SP101, km9 - ZIP: 13186-900
>>> Hortolândia, SP - Brazil
>>> Phone: +55-19-2132-2336
>>> e-mail: pvital@linux.vnet.ibm.com
>>> http://www.ibm.com/linux/ltc
>>>
>>>
>>
>>
>>
>
>


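The "allow the cluster, drop everything else" ruleset posted above, and the ambari-server node that needs a bit more than that, can be generated from one script instead of hand-editing /etc/sysconfig/iptables on every host. The script below is an added example and is not code from this thread or from the Ambari project. It assumes Ambari's web UI listens on TCP 8080 (the default; check ambari.properties on your install), that agent traffic is already covered by the per-node source rules (so the agent ports need no extra rule), and it takes an optional ADMIN_SRC CIDR, a hypothetical parameter added here so a DROP policy on a cloud VM cannot lock the operator out of SSH. The cluster IPs in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for
# one Ambari host given the IPs of every machine in the cluster.
#   gen_rules ROLE IP...     ROLE is "server" (runs ambari-server) or "agent"
# Cluster members may reach every port on this host; all other sources are
# dropped; the server role additionally exposes the web UI to the world.
# Assumptions: web UI on TCP 8080 (Ambari default), ADMIN_SRC is an optional
# CIDR allowed to reach SSH (hypothetical knob added for this example).
gen_rules() {
    role="$1"; shift
    [ "$role" = server ] || [ "$role" = agent ] || { echo "bad role: $role" >&2; return 2; }
    [ $# -gt 0 ] || { echo "no cluster IPs given" >&2; return 2; }

    printf '%s\n' '*filter'
    # chain policies go in the ':' lines, not as -P commands later in the file
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # loopback first: local services (the server's own DB) talk to 127.0.0.1
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections this host opened
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # every cluster member may reach every port here (covers agent
    # registration/heartbeat on the server and component UIs on agents)
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
    done
    # keep an administrative path open before the DROP policy bites
    if [ -n "${ADMIN_SRC:-}" ]; then
        printf '%s\n' "-A INPUT -s $ADMIN_SRC -p tcp --dport 22 -j ACCEPT"
    fi
    # only the ambari-server node serves browsers from outside the cluster
    if [ "$role" = server ]; then
        printf '%s\n' '-A INPUT -p tcp --dport 8080 -j ACCEPT'
    fi
    printf '%s\n' 'COMMIT'
}

# count_accepts RULESET: number of -A INPUT ... ACCEPT rules, a quick sanity
# check that the generated file has exactly the holes you expect
count_accepts() {
    printf '%s\n' "$1" | grep -c '^-A INPUT .* -j ACCEPT$'
}

# Usage:
#   ADMIN_SRC=203.0.113.0/24 sh gen_rules.sh server 10.0.0.11 10.0.0.12 > /etc/sysconfig/iptables
#   iptables-restore --test < /etc/sysconfig/iptables   # syntax check, needs root
if [ $# -gt 0 ]; then
    gen_rules "$@"
fi
```

Run it once per host with that host's role and the full cluster IP list, then load the result with iptables-restore (or `service iptables restart` on RHEL/CentOS 6). The loopback rule is what the posted ruleset lacks for the node that runs ambari-server and its database; everything else the server needs from agents already arrives from cluster IPs, which the per-node source rules admit in full.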
