[infinispan-dev] Infinispan EC2 demo firewall issue without locked down FD_SOCK start_port
Manik Surtani
manik at jboss.org
Tue Jun 29 11:56:36 EDT 2010
Well, that's just iptables. There is also Amazon's own fwall (security groups, I think they call it) which is disabled by default but people can be pretty restrictive about it. So for this case, we should still be explicit about port numbers.
On 15 Jun 2010, at 13:56, Galder Zamarreno wrote:
> Brutal, but effective :)
>
> ----- "Bela Ban" <bban at redhat.com> wrote:
>
>> for my demo, I did the following:
>> iptables -F ; chkconfig --del iptables ; ip6tables -F ; chkconfig
>> --del
>> ip6tables
>>
>> This helped (maybe not recommended for production :-))...
>>
>> Vladimir Blagojevic wrote:
>>> Bela worked recently in similar environment. Maybe he can provide
>> you with a sample jgroups config that is EC2 friendly.
>>> On 2010-06-14, at 12:45 AM, Noel O'Connor wrote:
>>>
>>>
>>>> Hi Galder,
>>>> Thanks for this, I'll take a look and fix it. I didn't notice it in
>> the logs but I'll check it out.
>>>>
>>>> cheers
>>>> Noel
>>>>
>>>> On 14/06/2010, at 7:44 AM, galder at redhat.com wrote:
>>>>
>>>>
>>>>> Hi Noel,
>>>>>
>>>>> First of all, thanks a million for writing
>> http://infinispan.blogspot.com/2010/05/infinispan-ec2-demo.html. I
>> think the work you did there is excellent.
>>>>>
>>>>> I had a question for you though. In your jgroups-* files, you use
>> FD_SOCK without a start_port which by default binds to random port
>> (http://community.jboss.org/wiki/JGroupsFDSOCK). Given Amazon rules, I
>> don't think clustering is working as expected in your case, cos
>> without locking this port and opening it in the firewall, you'll see
>> WARN messages like this in the logs and the cluster view will not
>> form:
>>>>>
>>>>> 2010-06-13 16:50:54,478 WARN [org.jgroups.protocols.FD_SOCK]
>> (OOB-1,infinispan-cluster,ip-10-194-230-242-27003) I
>> (ip-10-194-230-242-27003) was suspected by
>> domU-12-31-38-00-9C-52-25127; ignoring the SUSPECT message
>>>>>
>>>>> To get around the issue do the following:
>>>>>
>>>>> - Lock your FD_SOCK start_port values, i.e. <FD_SOCK
>> start_port="9777"/>
>>>>> - Open TCP port 9777 in your security group.
>>>>>
>>>>> I'd suggest you verify your demo expectations bearing in mind this
>> information and once you've done so, update the blog post :)
>>>>>
>>>>> Cheers,
>>>>> --
>>>>> Galder Zamarreño
>>>>> Sr. Software Engineer
>>>>> Infinispan, JBoss Cache
>>>>>
>>>>> _______________________________________________
>>>>> infinispan-dev mailing list
>>>>> infinispan-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>>>>>
>>>> _______________________________________________
>>>> infinispan-dev mailing list
>>>> infinispan-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>>>>
>>>
>>> --
>>> Vladimir Blagojevic
>>> JBoss Clustering Team
>>> JBoss by Red Hat
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> Bela Ban
>> Lead JGroups / Clustering Team
>> JBoss
>>
>> _______________________________________________
>> infinispan-dev mailing list
>> infinispan-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Manik Surtani
manik at jboss.org
Lead, Infinispan
Lead, JBoss Cache
http://www.infinispan.org
http://www.jbosscache.org
More information about the infinispan-dev
mailing list