Posted to dev@ambari.apache.org by "Jeff Vance (JIRA)" <ji...@apache.org> on 2014/01/07 23:18:50 UTC

[jira] [Created] (AMBARI-4236) improve firewall detection in ambari

Jeff Vance created AMBARI-4236:
----------------------------------

             Summary: improve firewall detection in ambari
                 Key: AMBARI-4236
                 URL: https://issues.apache.org/jira/browse/AMBARI-4236
             Project: Ambari
          Issue Type: Improvement
          Components: agent
         Environment: Ambari 1.4.3, RHEL 6.4
            Reporter: Jeff Vance


The agent code, HostInfo.py, calls checkIptables() which does a "service iptables status". If the returncode is 0 it equates that to a potential firewall issue and reports the error (or warning) which can be disconcerting to first-time users.

If you enter "service iptables stop" followed by "service iptables status" then $? == 3 and the agent code will consider iptables disabled. However, if you reboot the host (*even* if "chkconfig iptables off" has been executed prior to the reboot), then "service iptables status" returns 0, there are no firewall rules in effect, all IP traffic is allowed, but ambari complains that the iptables may prevent access. On RHEL, iptables is a "fake" service; as far as I know, it is really a kernel module, and this module is loaded on reboot. Therefore, even if there are no firewall rules, "service iptables status" will return 0 and confuse ambari.

Possible solutions:
1) improve firewall checking in the ambari agent to look deeper than just the high-level returncode. For example, the output of iptables -S could be parsed to see if there are any rules which will block ambari. Or, examine /etc/sysconfig/iptables to see if there are any blocking rules.

2) document precisely which protocols and which ports need to be opened in corporate firewalls. In our opinion, enterprise customers in general do NOT want to disable their firewalls, so it would be better to append rules specific to ambari's needs.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
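
A sketch of the rule-level check proposed in solution 1, added here as an example and not taken from the Ambari agent: it reads `iptables -S` output and reports whether a new inbound TCP connection to a given port may be blocked, instead of relying on the service return code. The function names, the sample rule sets and ports 9000, 9001 and 9100 are assumptions made for illustration; negated matches (`!`) and user-defined chains are not evaluated.

```python
import shlex

BLOCKING = {"DROP", "REJECT"}

# Constructed samples of `iptables -S` output (not captured from a real host).
NO_RULES = """-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT"""
FILTERING = NO_RULES + """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9000:9001 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited"""

def _opt(opts, *flags):
    """Return the value following the first of `flags` found in opts."""
    for flag in flags:
        if flag in opts[:-1]:
            return opts[opts.index(flag) + 1]
    return None

def _port_matches(spec, port):
    lo, _, hi = spec.partition(":")  # ranges are printed as lo:hi
    return int(lo) <= port <= int(hi or lo)

def inbound_tcp_blocked(rules_text, port):
    """True if a new inbound TCP connection to `port` may be blocked."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"] and len(tok) > 2:
            policy = tok[2]
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = tok[2:]
        target, state = _opt(opts, "-j"), _opt(opts, "--state", "--ctstate")
        dport = _opt(opts, "--dport")
        if target not in BLOCKING | {"ACCEPT"}:
            continue  # LOG and similar; user-defined chains are not followed
        if _opt(opts, "-p") not in (None, "tcp", "all"):
            continue  # rule is for another protocol
        if dport and not _port_matches(dport, port):
            continue
        if state and "NEW" not in state.split(","):
            continue  # e.g. RELATED,ESTABLISHED does not admit new connections
        if target == "ACCEPT" and _opt(opts, "-i", "-s"):
            continue  # accepts only one interface or source
        return target in BLOCKING  # first applicable terminating rule decides
    return policy in BLOCKING

def blocked_ports(rules_text, ports):
    return [p for p in ports if inbound_tcp_blocked(rules_text, p)]
```

With the post-reboot state described above (module loaded, only ACCEPT policies), `blocked_ports` returns an empty list, so no warning would be raised; with the filtering sample it flags only the port that reaches the final REJECT rule.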