incubator-ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ravindranath Akila <ravindranathak...@gmail.com>
Subject Re: Workaround for disabling iptables and SELinux?
Date Mon, 05 Aug 2013 03:22:29 GMT
Just came down to also suggest the following for security :

Use hosts.allow and hosts.deny command in Linux.

R. A.
BTW, there is a website called Thank God it's Friday!
It tells you fun things to do in your area over the weekend.
See here: http://www.ThankGodItIsFriday.com
On 8 Apr 2013 16:50, "Ravindranath Akila" <ravindranathakila@gmail.com>
wrote:

> There's more to do (just in case someone concludes the configs are final).
> I'm working on multicast packets right now. I'll let you guys know if I
> manage to get everything working.
>
> I'm curious though, how do you guys handle the security concerns on the
> cloud?
>
> Thanks!
>
>
> On Mon, Apr 1, 2013 at 5:13 AM, Mahadev Konar <mahadev@hortonworks.com>wrote:
>
>> Nice work Ravindra.
>> Yes, DB ports need to be open as well.
>>
>>
>> thanks
>> mahadev
>>
>>
>> On Fri, Mar 29, 2013 at 6:29 AM, Ravindranath Akila <
>> ravindranathakila@gmail.com> wrote:
>>
>>> Hey Paulo,
>>>   Thanks your response helped me a lot. So what I did is, enabled
>>> firewall logs and checked what requests were getting rejected and dropped.
>>> Later I figured it is too much of configuration(so many ports!). So what I
>>> did was, allowed all machines on the cluster to communicate with each other
>>> without interference and reject all outside traffic. The following rules on
>>> the /etc/sysconfig/iptables worked:
>>>
>>>
>>> *filter
>>> :INPUT ACCEPT [0:0]
>>> :FORWARD ACCEPT [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>>
>>> -A INPUT -s <IP1> -j ACCEPT
>>> -A INPUT -s <IP2> -j ACCEPT
>>> -A INPUT -s <IP3> -j ACCEPT
>>> ....
>>> -A INPUT -s <IPN> -j ACCEPT
>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> -P INPUT DROP
>>> -P FORWARD DROP
>>>
>>>
>>> COMMIT
>>>
>>> where <IP1> <IP2> <IP3> <IPN> are the ips of the machines
in the cluster.
>>>
>>> However, the node which contains ambari-server, and nothing else, does
>>> not like this. So part of the security concerns is taken cared of, as all
>>> the rest of the cluster nodes is open only to each other. But how I goes
>>> about with the ambari-server node, I need to figure out. Any idea why this
>>> might be the case? DB Port needs to be open maybe?
>>>
>>>
>>>
>>>
>>> On Wed, Mar 27, 2013 at 6:55 PM, Paulo Ricardo Paz Vital <
>>> pvital@linux.vnet.ibm.com> wrote:
>>>
>>>> Hello Ravindranath,
>>>>
>>>> About what I could understand of Ambari's design, iptables can block
>>>> some ports used between server and a client (agent nodes) during the
>>>> client's registration step, as well the heartbeat communication during the
>>>> execution of cluster. Also, there is the port of the web UI provided by
>>>> ambari-web on server, and there are some portds (I never remember the
>>>> numbers) that Nagios uses to provide some components' web UI on clients.
>>>>
>>>> I guess you can create iptables rules for all these ports on both
>>>> server and client sides. May be the ambari-server and ambari-agent can
>>>> check the iptables rules and create them if not running. I was talking with
>>>> a friend yesterday regarding this "missing feature" - my intention is not
>>>> create a flame here guys :-D !!!
>>>>
>>>> Now, regarding the SELinux I don't know the restriction it imposes on
>>>> Ambari, so I can't help you on this - I must study this part :-D.
>>>>
>>>> I hope this help you!
>>>> Regards, Paulo.
>>>>
>>>>
>>>> On 03/27/2013 12:18 AM, Ravindranath Akila wrote:
>>>>
>>>>> Actually, how does iptables and SELinux interfere with Ambari? If I
>>>>> know
>>>>> that, maybe I can look for a workaround. Thanks in advance.
>>>>>
>>>>> Yours,
>>>>>    Ravindranath Akila...
>>>>>
>>>>> On Wed, Mar 27, 2013 at 1:53 AM, Ravindranath Akila
>>>>> <ravindranathakila@gmail.com <mailto:ravindranathakila@**gmail.com<ravindranathakila@gmail.com>>>
>>>>> wrote:
>>>>>
>>>>>     I am tempted to do that or go for a physical firewall on Rackspace
>>>>>     for 25k per month :-)
>>>>>     My exposure to shell scripting is bad :-( Where can I grab the
>>>>> code?
>>>>>
>>>>>     Thanks!
>>>>>
>>>>>     R. A.
>>>>>
>>>>>     On 26 Mar 2013 01:44, "Mahadev Konar" <mahadev@hortonworks.com
>>>>>     <mailto:mahadev@hortonworks.**com <mahadev@hortonworks.com>>>
>>>>> wrote:
>>>>>
>>>>>         Hi Ravindra,
>>>>>           Currently there isnt but it should be a minor change to the
>>>>>         scripts. Do you want to file a jira and maybe upload a patch?
>>>>> :)
>>>>>         We could switch it off with a flag option.
>>>>>
>>>>>         thanks
>>>>>         mahadev
>>>>>
>>>>>         On Mon, Mar 25, 2013 at 6:18 AM, Ravindranath Akila
>>>>>         <ravindranathakila@gmail.com
>>>>>         <mailto:ravindranathakila@**gmail.com<ravindranathakila@gmail.com>>>
>>>>> wrote:
>>>>>
>>>>>             Hello,
>>>>>                Is there a workaround for disabling iptables and
>>>>> SELinux?
>>>>>             I'm exploring the options of securing the cluster in the
>>>>>             cloud without a physical firewall. Any suggestions would
be
>>>>>             great!
>>>>>
>>>>>             Thanks in advance :-)
>>>>>
>>>>>             Yours,
>>>>>                Ravindranath Akila...
>>>>>
>>>>>             --
>>>>>             <http://www.ILikePlaces.com>
>>>>>             *Find out on I Like Places* <http://www.ILikePlaces.com>
>>>>>             *http://www.ILikePlaces.com*
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> <http://www.ILikePlaces.com>
>>>>> *Find out on I Like Places* <http://www.ILikePlaces.com>
>>>>> *http://www.ILikePlaces.com*
>>>>>
>>>>
>>>>
>>>> --
>>>> Paulo Ricardo Paz Vital, Staff Software Engineer
>>>> Linux Technology Center, IBM Systems & Technology Group
>>>> ------------------------------**-------------------------
>>>> IBM
>>>> Rodovia SP101, km9 - ZIP: 13186-900
>>>> Hortolândia, SP - Brazil
>>>> Phone: +55-19-2132-2336
>>>> e-mail: pvital@linux.vnet.ibm.com
>>>> http://www.ibm.com/linux/ltc
>>>>
>>>>
>>>
>>>
>>> --
>>> <http://www.ILikePlaces.com>
>>> *Find out on I Like Places* <http://www.ILikePlaces.com>
>>> *http://www.ILikePlaces.com* <http://www.ILikePlaces.com>
>>>
>>
>>
>
>
> --
> <http://www.ILikePlaces.com>
> *Find out on I Like Places* <http://www.ILikePlaces.com>
> *http://www.ILikePlaces.com* <http://www.ILikePlaces.com>
>

Mime
View raw message