Posted to user@ambari.apache.org by Ravindranath Akila <ra...@gmail.com> on 2013/03/25 14:18:44 UTC

Workaround for disabling iptables and SELinux?

Hello,
  Is there a workaround for disabling iptables and SELinux? I'm exploring
the options of securing the cluster in the cloud without a physical
firewall. Any suggestions would be great!

Thanks in advance :-)

Yours,
  Ravindranath Akila...

-- 
<http://www.ILikePlaces.com>
*Find out on I Like Places* <http://www.ILikePlaces.com>
*http://www.ILikePlaces.com* <http://www.ILikePlaces.com>

Re: Workaround for disabling iptables and SELinux?

Posted by Ravindranath Akila <ra...@gmail.com>.
Worked for the ambari-server node:
80 to ssh, 8080 since we need to access the web interface, and lo based
rules to allow local communication within the node.

Unlike the rest of the nodes in the cluster, since this node is open to www
(port 22, 8080), it also needs the DoS and other rules I guess, which are
missing below.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -s <IP1> -j ACCEPT
-A INPUT -s <IP2> -j ACCEPT
-A INPUT -s <IP3> -j ACCEPT
....
-A INPUT -s <IPN> -j ACCEPT

-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-P INPUT DROP
-P FORWARD DROP

COMMIT


R. A.

On Fri, Mar 29, 2013 at 9:29 PM, Ravindranath Akila <
ravindranathakila@gmail.com> wrote:

> Hey Paulo,
>   Thanks, your response helped me a lot. So what I did was enable firewall
> logs and check which requests were getting rejected and dropped. Later I
> figured it was too much configuration (so many ports!). So what I did was
> allow all machines in the cluster to communicate with each other without
> interference and reject all outside traffic. The following rules in
> /etc/sysconfig/iptables worked:
>
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> -A INPUT -s <IP1> -j ACCEPT
> -A INPUT -s <IP2> -j ACCEPT
> -A INPUT -s <IP3> -j ACCEPT
> ....
> -A INPUT -s <IPN> -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -P INPUT DROP
> -P FORWARD DROP
>
>
> COMMIT
>
> where <IP1>, <IP2>, <IP3> ... <IPN> are the IPs of the machines in the cluster.
>
> However, the node which contains ambari-server, and nothing else, does not
> like this. So part of the security concerns is taken care of, as all the
> rest of the cluster nodes are open only to each other. But how I go about
> with the ambari-server node, I need to figure out. Any idea why this might
> be the case? DB port needs to be open maybe?
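
The generator below is an added example, not code from the thread or from Ambari. It produces the /etc/sysconfig/iptables ruleset the post above and the quoted Mar 29 message describe (per-peer allow list on every node, plus ssh and the 8080 web UI on the ambari-server node) from a role and the peer addresses, validates each address first, pins the peer rules to the cluster interface, and adds the logging and ssh-throttling rules the post says are still missing. The interface name eth1, the variable names, the public port list and the throttle thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from Ambari): generate the
# /etc/sysconfig/iptables ruleset the thread converged on, for either role.
#   sh gen-iptables.sh agent  10.0.0.11 10.0.0.12 ...   # worker/agent node
#   sh gen-iptables.sh server 10.0.0.11 10.0.0.12 ...   # ambari-server node
# Assumptions: eth1 is the private cluster interface (adjust CLUSTER_IFACE),
# 22 and 8080 are the only ports the server exposes to the world, and the
# ssh throttle thresholds are constructed, not tuned.

CLUSTER_IFACE=${CLUSTER_IFACE:-eth1}
PUBLIC_TCP_PORTS=${PUBLIC_TCP_PORTS:-"22 8080"}

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix.
is_ipv4() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    addr=${1%%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        [ -n "$prefix" ] && [ "$prefix" -le 32 ] 2>/dev/null || return 1
    fi
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Emit an iptables-restore ruleset on stdout.  $1 is "agent" or "server";
# the remaining arguments are the peer addresses.  Emits nothing and returns
# 1 on any malformed argument, so a typo cannot quietly lock a peer out.
gen_rules() {
    role=$1; shift
    [ "$role" = agent ] || [ "$role" = server ] || return 1
    for ip; do is_ipv4 "$ip" || return 1; done

    printf '%s\n' '*filter'
    # Policies belong in the chain declarations (iptables-save convention);
    # the thread's trailing "-P INPUT DROP" lines achieve the same result.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Every node, not only ambari-server, needs loopback and reply traffic.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Peer rules are pinned to the cluster interface: a source address by
    # itself is not proof the packet came from a peer, so a packet carrying a
    # peer's address but arriving on the public interface still hits DROP.
    for ip; do
        printf '%s\n' "-A INPUT -i $CLUSTER_IFACE -s $ip -j ACCEPT"
    done
    if [ "$role" = server ]; then
        # Throttle new ssh connections from one source (the "DoS rules" the
        # thread notes are missing): more than 4 in 60 s are dropped.
        printf '%s\n' \
            '-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set' \
            '-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP'
        for port in $PUBLIC_TCP_PORTS; do
            printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    fi
    # Log (rate-limited) whatever is about to fall through to the DROP
    # policy: reading these logs is how the thread found the ports Ambari uses.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    printf '%s\n' 'COMMIT'
}

# Write the ruleset for this host when run as a script; load it afterwards
# with iptables-restore (on RHEL/CentOS 6: service iptables restart).
if [ $# -gt 0 ]; then
    gen_rules "$@" || { echo "usage: $0 agent|server PEER_IP..." >&2; exit 2; }
fi
```

Ports that only cluster peers reach (agent registration and heartbeat, the DB port mentioned later in the thread) need no entry of their own, because the per-peer rules already accept everything from those addresses.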

Re: Workaround for disabling iptables and SELinux?

Posted by Ravindranath Akila <ra...@gmail.com>.
Just came down to also suggest the following for security:

Use hosts.allow and hosts.deny command in Linux.

R. A.
BTW, there is a website called Thank God it's Friday!
It tells you fun things to do in your area over the weekend.
See here: http://www.ThankGodItIsFriday.com
On 8 Apr 2013 16:50, "Ravindranath Akila" <ra...@gmail.com>
wrote:

> There's more to do (just in case someone concludes the configs are final).
> I'm working on multicast packets right now. I'll let you guys know if I
> manage to get everything working.
>
> I'm curious though, how do you guys handle the security concerns on the
> cloud?
>
> Thanks!
>

Re: Workaround for disabling iptables and SELinux?

Posted by Ravindranath Akila <ra...@gmail.com>.
There's more to do (just in case someone concludes the configs are final).
I'm working on multicast packets right now. I'll let you guys know if I
manage to get everything working.

I'm curious though, how do you guys handle the security concerns on the
cloud?

Thanks!


On Mon, Apr 1, 2013 at 5:13 AM, Mahadev Konar <ma...@hortonworks.com> wrote:

> Nice work Ravindra.
> Yes, DB ports need to be open as well.
>
>
> thanks
> mahadev
>

Re: Workaround for disabling iptables and SELinux?

Posted by Mahadev Konar <ma...@hortonworks.com>.
Nice work Ravindra.
Yes, DB ports need to be open as well.


thanks
mahadev

On Fri, Mar 29, 2013 at 6:29 AM, Ravindranath Akila <
ravindranathakila@gmail.com> wrote:

> Hey Paulo,
>   Thanks, your response helped me a lot. So what I did was enable firewall
> logs and check which requests were getting rejected and dropped. Later I
> figured it was too much configuration (so many ports!). So what I did was
> allow all machines in the cluster to communicate with each other without
> interference and reject all outside traffic. The following rules in
> /etc/sysconfig/iptables worked:
>
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
>
> -A INPUT -s <IP1> -j ACCEPT
> -A INPUT -s <IP2> -j ACCEPT
> -A INPUT -s <IP3> -j ACCEPT
> ....
> -A INPUT -s <IPN> -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -P INPUT DROP
> -P FORWARD DROP
>
>
> COMMIT
>
> where <IP1>, <IP2>, <IP3> ... <IPN> are the IPs of the machines in the cluster.
>
> However, the node which contains ambari-server, and nothing else, does not
> like this. So part of the security concerns is taken care of, as all the
> rest of the cluster nodes are open only to each other. But how I go about
> with the ambari-server node, I need to figure out. Any idea why this might
> be the case? DB port needs to be open maybe?

Re: Workaround for disabling iptables and SELinux?

Posted by Ravindranath Akila <ra...@gmail.com>.
Hey Paulo,
  Thanks, your response helped me a lot. So what I did was enable firewall
logs and check which requests were getting rejected and dropped. Later I
figured it was too much configuration (so many ports!). So what I did was
allow all machines in the cluster to communicate with each other without
interference and reject all outside traffic. The following rules in
/etc/sysconfig/iptables worked:


*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -s <IP1> -j ACCEPT
-A INPUT -s <IP2> -j ACCEPT
-A INPUT -s <IP3> -j ACCEPT
....
-A INPUT -s <IPN> -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-P INPUT DROP
-P FORWARD DROP


COMMIT

where <IP1>, <IP2>, <IP3> ... <IPN> are the IPs of the machines in the cluster.

However, the node which contains ambari-server, and nothing else, does not
like this. So part of the security concerns is taken care of, as all the
rest of the cluster nodes are open only to each other. But how I go about
with the ambari-server node, I need to figure out. Any idea why this might
be the case? DB port needs to be open maybe?




On Wed, Mar 27, 2013 at 6:55 PM, Paulo Ricardo Paz Vital <
pvital@linux.vnet.ibm.com> wrote:

> Hello Ravindranath,
>
> From what I could understand of Ambari's design, iptables can block some
> ports used between the server and a client (agent nodes) during the client's
> registration step, as well as the heartbeat communication during the
> execution of the cluster. Also, there is the port of the web UI provided by
> ambari-web on the server, and there are some ports (I never remember the
> numbers) that Nagios uses to provide some components' web UI on clients.
>
> I guess you can create iptables rules for all these ports on both server
> and client sides. Maybe the ambari-server and ambari-agent can check the
> iptables rules and create them if not running. I was talking with a friend
> yesterday regarding this "missing feature" - my intention is not to create a
> flame here guys :-D !!!
>
> Now, regarding SELinux, I don't know the restrictions it imposes on
> Ambari, so I can't help you on this - I must study this part :-D.
>
> I hope this helps you!
> Regards, Paulo.

Re: Workaround for disabling iptables and SELinux?

Posted by Paulo Ricardo Paz Vital <pv...@linux.vnet.ibm.com>.
Hello Ravindranath,

From what I could understand of Ambari's design, iptables can block
some ports used between the server and a client (agent nodes) during the
client's registration step, as well as the heartbeat communication during
the execution of the cluster. Also, there is the port of the web UI provided
by ambari-web on the server, and there are some ports (I never remember the
numbers) that Nagios uses to provide some components' web UI on clients.

I guess you can create iptables rules for all these ports on both server
and client sides. Maybe the ambari-server and ambari-agent can check
the iptables rules and create them if not running. I was talking with a
friend yesterday regarding this "missing feature" - my intention is not
to create a flame here guys :-D !!!

Now, regarding SELinux, I don't know the restrictions it imposes on
Ambari, so I can't help you on this - I must study this part :-D.

I hope this helps you!
Regards, Paulo.

On 03/27/2013 12:18 AM, Ravindranath Akila wrote:
> Actually, how do iptables and SELinux interfere with Ambari? If I know
> that, maybe I can look for a workaround. Thanks in advance.
>
> Yours,
>    Ravindranath Akila...


-- 
Paulo Ricardo Paz Vital, Staff Software Engineer
Linux Technology Center, IBM Systems & Technology Group
-------------------------------------------------------
IBM
Rodovia SP101, km9 - ZIP: 13186-900
Hortolândia, SP - Brazil
Phone: +55-19-2132-2336
e-mail: pvital@linux.vnet.ibm.com
http://www.ibm.com/linux/ltc


Re: Workaround for disabling iptables and SELinux?

Posted by Ravindranath Akila <ra...@gmail.com>.
Actually, how do iptables and SELinux interfere with Ambari? If I know
that, maybe I can look for a workaround. Thanks in advance.

Yours,
  Ravindranath Akila...

On Wed, Mar 27, 2013 at 1:53 AM, Ravindranath Akila <
ravindranathakila@gmail.com> wrote:

> I am tempted to do that or go for a physical firewall on Rackspace for 25k
> per month :-)
> My exposure to shell scripting is bad :-( Where can I grab the code?
>
> Thanks!
>
> R. A.

Re: Workaround for disabling iptables and SELinux?

Posted by Ravindranath Akila <ra...@gmail.com>.
I am tempted to do that or go for a physical firewall on Rackspace for 25k
per month :-)
My exposure to shell scripting is bad :-( Where can I grab the code?

Thanks!

R. A.
On 26 Mar 2013 01:44, "Mahadev Konar" <ma...@hortonworks.com> wrote:

> Hi Ravindra,
>  Currently there isn't, but it should be a minor change to the scripts. Do
> you want to file a jira and maybe upload a patch? :) We could switch it off
> with a flag option.
>
> thanks
> mahadev

Re: Workaround for disabling iptables and SELinux?

Posted by Mahadev Konar <ma...@hortonworks.com>.
Hi Ravindra,
 Currently there isn't, but it should be a minor change to the scripts. Do
you want to file a jira and maybe upload a patch? :) We could switch it off
with a flag option.

thanks
mahadev

On Mon, Mar 25, 2013 at 6:18 AM, Ravindranath Akila <
ravindranathakila@gmail.com> wrote:

> Hello,
>   Is there a workaround for disabling iptables and SELinux? I'm exploring
> the options of securing the cluster in the cloud without a physical
> firewall. Any suggestions would be great!
>
> Thanks in advance :-)
>
> Yours,
>   Ravindranath Akila...