Firewall Setup

Firewall Setup

Chaoyang Ma
Hi, I installed glu ZooKeeper and the console on server A. I installed the glu agent on server B.

The firewall rules are very strict between server A and B.

I already opened server B to server A on port 2181 so that ZooKeeper can see the glu agent.

My questions:

Shall I also open server A to server B on ports 12906 and 12907 so that ZooKeeper can send commands to the glu agent?

Are these two port configurations, serverA:2181 and serverB:12906, enough for ZooKeeper and the glu agent to perform properly?

Thanks,

Re: Firewall Setup

sodul
I think so.

Note that ZooKeeper does not 'see' the agents (or the console); it is the agents (and the console) that talk to ZooKeeper. The console gets the IP addresses and ports of the agents from ZooKeeper.

The console talks to the agents through ports 12906 (http) and 12907 (https) by default, but you can override that per agent if needed.

If used in a cluster (recommended), the ZooKeeper instances will talk to each other through ports 2888 and 3888. These ports are purely for ZooKeeper's use and neither the console nor the agents use them. Usually you will want 1 host for the console, 3 hosts for ZooKeeper, and another host per agent.


Re: Firewall Setup

chaoyang ma
Thanks, very useful.

I used 3 hosts for ZooKeeper and 2 hosts for the console (primary and contingency), just in case the primary is down.

Re: Firewall Setup

Chaoyang Ma
Hi, I still have issues when deploying after opening the firewall between the agent and the server.

2013/09/20 15:11:22.828 WARN [ScriptManagerImpl] Error while instantiating script: /11-system-internal-inst1i1/a1: Connection timed out [[initParameters:[tags:[***], metadata:[product:***,version:10.5.0-SNAPSHOT], version:10.5.0-SNAPSHOT], mountPoint:/11-system-internal-inst1i1/a1, scriptLocation:http://server:8080/glu/repository/scripts/InstI1DeployScript.groovy]]

The open firewall ports between the agent and the server are configured as below.

Source  Destination  Port
Agent   Server       2181
Server  Agent        12906, 12907

I think the firewall still blocks the deployment, as the log shows, but I am not sure what else I need to configure.

Re: Firewall Setup

sodul
The agent needs access to the host where the Groovy script is; it will also need access to all the other files it will need to download.

From the log your agent needs to be able to reach: http://server:8080/glu/repository/scripts/InstI1DeployScript.groovy

I recommend that you use a dedicated system to distribute your binary dependencies. We use Artifactory in my current company, as the REST API allows us to access it through scripts. My previous company was on EC2 and we used S3 (solves scalability for cheap).
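
The flows named across this thread can be checked against a firewall rule table before deploying. The following is an added example, not part of the original posts or of glu itself: it derives the required (source, destination, port) flows, including the repository endpoint taken from the `scriptLocation` URL in the agent log, and reports which ones the rule table does not allow. The hostname `agent`, the function names, and the use of default agent ports and of port 2181 for the console's ZooKeeper connection are assumptions.

```python
import re
from itertools import permutations
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SCRIPT_URL = re.compile(r"scriptLocation:(https?://[^\s\],]+)")

# Constructed sample: the agent WARN line from the thread, cut down to the field used here.
SAMPLE_LOG = ("2013/09/20 15:11:22.828 WARN [ScriptManagerImpl] Error while instantiating "
              "script: /11-system-internal-inst1i1/a1: Connection timed out [[mountPoint:"
              "/11-system-internal-inst1i1/a1, scriptLocation:http://server:8080/glu/"
              "repository/scripts/InstI1DeployScript.groovy]]")

# The three rules from the poster's table; "agent" is a placeholder hostname (assumption).
ALLOWED = {("agent", "server", 2181), ("server", "agent", 12906), ("server", "agent", 12907)}

def script_endpoints(log_text):
    """Return {(host, port)} for every scriptLocation URL found in agent log text."""
    endpoints = set()
    for url in SCRIPT_URL.findall(log_text):
        parts = urlsplit(url)
        endpoints.add((parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]))
    return endpoints

def required_flows(console, agents, zookeepers, log_text=""):
    """Build the (source, destination, port) flows described in the thread."""
    flows = set()
    for zk in zookeepers:
        flows.add((console, zk, 2181))                # console reads agent addresses
        flows.update((a, zk, 2181) for a in agents)   # agents connect to ZooKeeper
    for a, b in permutations(zookeepers, 2):          # ZooKeeper cluster-internal traffic
        flows.update({(a, b, 2888), (a, b, 3888)})
    for agent in agents:
        # Default agent ports (http, https); overridable per agent.
        flows.update({(console, agent, 12906), (console, agent, 12907)})
        # The agent itself downloads each script, so it must reach the repository.
        flows.update((agent, host, port) for host, port in script_endpoints(log_text))
    return flows

def missing_flows(required, allowed):
    """Flows not covered by the rule table; same-host flows never cross the firewall."""
    return sorted(f for f in required - set(allowed) if f[0] != f[1])

if __name__ == "__main__":
    needed = required_flows("server", ["agent"], ["server"], SAMPLE_LOG)
    for src, dst, port in missing_flows(needed, ALLOWED):
        print(f"not allowed: {src} -> {dst}:{port}")
```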