Posted to user@ambari.apache.org by Ravindranath Akila <ra...@gmail.com> on 2013/08/05 05:22:29 UTC

Re: Workaround for disabling iptables and SELinux?

Just came down to also suggest the following for security :

Use the hosts.allow and hosts.deny files in Linux.

R. A.
On 8 Apr 2013 16:50, "Ravindranath Akila" <ra...@gmail.com>
wrote:

> There's more to do (just in case someone concludes the configs are final).
> I'm working on multicast packets right now. I'll let you guys know if I
> manage to get everything working.
>
> I'm curious though, how do you guys handle the security concerns on the
> cloud?
>
> Thanks!
>
>
> On Mon, Apr 1, 2013 at 5:13 AM, Mahadev Konar <ma...@hortonworks.com>wrote:
>
>> Nice work Ravindra.
>> Yes, DB ports need to be open as well.
>>
>>
>> thanks
>> mahadev
>>
>>
>> On Fri, Mar 29, 2013 at 6:29 AM, Ravindranath Akila <
>> ravindranathakila@gmail.com> wrote:
>>
>>> Hey Paulo,
>>>   Thanks, your response helped me a lot. So what I did is, enabled
>>> firewall logs and checked what requests were getting rejected and dropped.
>>> Later I figured it is too much configuration (so many ports!). So what I
>>> did was, allowed all machines on the cluster to communicate with each other
>>> without interference and reject all outside traffic. The following rules in
>>> /etc/sysconfig/iptables worked:
>>>
>>>
>>> *filter
>>> # In an iptables-restore file the default policy of each chain goes in
>>> # the chain header; anything no rule accepts is dropped
>>> :INPUT DROP [0:0]
>>> :FORWARD DROP [0:0]
>>> :OUTPUT ACCEPT [0:0]
>>>
>>> # Loopback packets (source 127.0.0.1) are not matched by the per-node
>>> # rules below, so services bound to localhost need this rule
>>> -A INPUT -i lo -j ACCEPT
>>> # Replies to connections this node opened itself
>>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> # One rule per cluster node: nodes may reach each other on any port
>>> -A INPUT -s <IP1> -j ACCEPT
>>> -A INPUT -s <IP2> -j ACCEPT
>>> -A INPUT -s <IP3> -j ACCEPT
>>> ....
>>> -A INPUT -s <IPN> -j ACCEPT
>>>
>>> COMMIT
>>>
>>> where <IP1> <IP2> <IP3> <IPN> are the ips of the machines in the cluster.
>>>
>>> However, the node which contains ambari-server, and nothing else, does
>>> not like this. So part of the security concerns is taken care of, as all
>>> the rest of the cluster nodes are open only to each other. But how I go
>>> about with the ambari-server node, I need to figure out. Any idea why this
>>> might be the case? DB port needs to be open maybe?
>>>
>>>
>>>
>>>
>>> On Wed, Mar 27, 2013 at 6:55 PM, Paulo Ricardo Paz Vital <
>>> pvital@linux.vnet.ibm.com> wrote:
>>>
>>>> Hello Ravindranath,
>>>>
>>>> About what I could understand of Ambari's design, iptables can block
>>>> some ports used between server and a client (agent nodes) during the
>>>> client's registration step, as well as the heartbeat communication during the
>>>> execution of cluster. Also, there is the port of the web UI provided by
>>>> ambari-web on server, and there are some ports (I never remember the
>>>> numbers) that Nagios uses to provide some components' web UI on clients.
>>>>
>>>> I guess you can create iptables rules for all these ports on both
>>>> server and client sides. Maybe the ambari-server and ambari-agent can
>>>> check the iptables rules and create them if not running. I was talking with
>>>> a friend yesterday regarding this "missing feature" - my intention is not
>>>> to create a flame here guys :-D !!!
>>>>
>>>> Now, regarding the SELinux I don't know the restriction it imposes on
>>>> Ambari, so I can't help you on this - I must study this part :-D.
>>>>
>>>> I hope this helps you!
>>>> Regards, Paulo.
>>>>
>>>>
>>>> On 03/27/2013 12:18 AM, Ravindranath Akila wrote:
>>>>
>>>>> Actually, how does iptables and SELinux interfere with Ambari? If I
>>>>> know that, maybe I can look for a workaround. Thanks in advance.
>>>>>
>>>>> Yours,
>>>>>    Ravindranath Akila...
>>>>>
>>>>> On Wed, Mar 27, 2013 at 1:53 AM, Ravindranath Akila
>>>>> <ravindranathakila@gmail.com> wrote:
>>>>>
>>>>>     I am tempted to do that or go for a physical firewall on Rackspace
>>>>>     for 25k per month :-)
>>>>>     My exposure to shell scripting is bad :-( Where can I grab the
>>>>> code?
>>>>>
>>>>>     Thanks!
>>>>>
>>>>>     R. A.
>>>>>
>>>>>     On 26 Mar 2013 01:44, "Mahadev Konar" <mahadev@hortonworks.com>
>>>>>     wrote:
>>>>>
>>>>>         Hi Ravindra,
>>>>>           Currently there isn't, but it should be a minor change to the
>>>>>         scripts. Do you want to file a jira and maybe upload a patch? :)
>>>>>         We could switch it off with a flag option.
>>>>>
>>>>>         thanks
>>>>>         mahadev
>>>>>
>>>>>         On Mon, Mar 25, 2013 at 6:18 AM, Ravindranath Akila
>>>>>         <ravindranathakila@gmail.com> wrote:
>>>>>
>>>>>             Hello,
>>>>>                Is there a workaround for disabling iptables and SELinux?
>>>>>             I'm exploring the options of securing the cluster in the
>>>>>             cloud without a physical firewall. Any suggestions would be
>>>>>             great!
>>>>>
>>>>>             Thanks in advance :-)
>>>>>
>>>>>             Yours,
>>>>>                Ravindranath Akila...
>>>>>
>>>>>             --
>>>>>             <http://www.ILikePlaces.com>
>>>>>             *Find out on I Like Places* <http://www.ILikePlaces.com>
>>>>>             *http://www.ILikePlaces.com*
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Paulo Ricardo Paz Vital, Staff Software Engineer
>>>> Linux Technology Center, IBM Systems & Technology Group
>>>> -------------------------------------------------------
>>>> IBM
>>>> Rodovia SP101, km9 - ZIP: 13186-900
>>>> Hortolândia, SP - Brazil
>>>> Phone: +55-19-2132-2336
>>>> e-mail: pvital@linux.vnet.ibm.com
>>>> http://www.ibm.com/linux/ltc
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
>
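An added example for the iptables approach discussed in this thread; it is not code from the thread or from the Ambari project. It is a small POSIX shell script that generates the kind of ruleset Ravindranath posted above (every cluster node accepted by source address, replies to the node's own connections accepted, everything else dropped) in iptables-restore format, validates the addresses before printing anything, and can optionally add one rule that exposes a single TCP port to an admin network, which is the part a node running only ambari-server would need on top of the cluster rules. The function names, the ADMIN_NET and UI_PORT knobs, and the 10.0.0.x and 192.168.100.0/24 addresses in the demo are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Ambari): build the per-node
# iptables-restore file from a list of cluster node IPv4 addresses.
# Function names, the ADMIN_NET/UI_PORT knobs and the demo addresses are
# assumptions of this example.

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /prefix.
valid_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: a host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables-restore file for one node. Arguments: the addresses
# (or CIDRs) of every node in the cluster. Optional environment (assumed
# knobs): ADMIN_NET and UI_PORT together add one rule exposing a TCP port
# to an admin network, e.g. the web UI on the ambari-server node.
gen_cluster_rules() {
    [ $# -gt 0 ] || { echo "gen_cluster_rules: no cluster addresses given" >&2; return 2; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "gen_cluster_rules: bad address: $ip" >&2; return 2; }
    done
    if [ -n "${ADMIN_NET:-}" ]; then
        valid_ipv4 "$ADMIN_NET" || { echo "gen_cluster_rules: bad ADMIN_NET" >&2; return 2; }
        case "${UI_PORT:-}" in
            ''|*[!0-9]*) echo "gen_cluster_rules: UI_PORT must be numeric" >&2; return 2 ;;
        esac
    fi
    printf '%s\n' '*filter'
    # Default policies belong in the chain headers: drop unless a rule accepts.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and established replies first: cheap, unconditional, and they
    # match most packets, so later per-node rules are consulted less often.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per cluster node, so nodes can reach each other on any port.
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j ACCEPT"
    done
    # Optional: a single port opened to the admin network only.
    if [ -n "${ADMIN_NET:-}" ]; then
        printf '%s\n' "-A INPUT -s $ADMIN_NET -p tcp --dport $UI_PORT -j ACCEPT"
    fi
    printf '%s\n' 'COMMIT'
}

# Count the per-node ACCEPT rules in a generated ruleset read from stdin;
# a quick sanity check before loading the file with iptables-restore.
count_node_rules() {
    grep -c '^-A INPUT -s [^ ]* -j ACCEPT$'
}

# Demo with constructed addresses: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ADMIN_NET=192.168.100.0/24 UI_PORT=8080 \
        gen_cluster_rules 10.0.0.11 10.0.0.12 10.0.0.13
fi
```

Load the output as root with `gen_cluster_rules <addresses> | iptables-restore`, or write it to /etc/sysconfig/iptables and restart the iptables service, and compare `iptables-save` before and after. Two caveats when weighing this against the hosts.allow/hosts.deny suggestion at the top of the thread: netfilter rules apply to every service on the node, whereas hosts.allow and hosts.deny are consulted only by programs linked against libwrap or started through tcpd/xinetd, so the Ambari server and agent processes never read them; and the ADMIN_NET/UI_PORT rule only covers a port you choose to expose, it does not by itself explain the ambari-server node problem the thread leaves open.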