
This is documentation for a previous version of ClustrixDB. Documentation for the latest version can be found here


ClustrixDB requires a number of ports to allow internode communication. Depending on your specific deployment platform, you can:

  1. Configure your firewall or security groups to allow all communication between nodes (recommended)
  2. Open only the specific ports required for your cluster.

Ports required for Internode Connectivity

There are 9 ports that are used for communication between ClustrixDB nodes. These ports are:

  1. TCP port 22 (SSH)
  2. TCP port 80 (HTTP)
  3. TCP port 2048
  4. TCP port 2424
  5. TCP port 24378
  6. TCP port 3306
  7. UDP port 24378
  8. UDP port 2424  
  9. UDP port 2048

Additional ports are required when the multiport feature is enabled (see below) 

Multiport

The multiport feature was introduced in ClustrixDB Release 7.0 and allows internode communication from any core in the cluster. This feature can greatly increase performance under heavy load, but also requires more open ports. Without multiport enabled, all messaging is handled through core 0 of each node.

Ports required for Multiport

Starting at port 24379, the cluster uses one port per core/hyperthread. Open the same number of ports, on both TCP and UDP and starting at 24379, as there are cores/hyperthreads in the whole cluster.

For example, a 3-node cluster with 16 cores/hyperthreads per node has a total of 48 cores (3 nodes times 16 cores), so you should open ports 24379 - 24427.

As you add more nodes, this port range also needs to be expanded.

Alternatively, you can disable multiport (not recommended) and open only the 9 ports listed above.

If you are using a firewall (such as iptables) between the nodes, open these specific ports.
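The port calculation above, as an added example that is not part of the ClustrixDB documentation or its tooling: a shell script that derives the multiport range from the node and core counts, following the page's worked example (3 nodes x 16 cores gives 24379 - 24427), and prints iptables rules for the 9 fixed ports plus that range. The rules are limited to a peer subnet (10.0.0.0/24 is a constructed placeholder) rather than accepting from any source.

```shell
#!/bin/bash
# Added example, not ClustrixDB tooling. Prints iptables rules for
# internode traffic; review them before applying on a node.

MULTIPORT_BASE=24379
# The 9 fixed internode ports from the list above.
TCP_PORTS="22 80 2048 2424 3306 24378"
UDP_PORTS="2048 2424 24378"

# multiport_end NODES CORES_PER_NODE -> last port of the multiport range.
# Matches the page's worked example: 3 nodes x 16 cores -> 24379-24427.
multiport_end() {
    local nodes="$1" cores="$2"
    echo $(( MULTIPORT_BASE + nodes * cores ))
}

# internode_rules NODES CORES_PER_NODE PEER_CIDR -> one iptables rule per line.
# PEER_CIDR restricts the rules to the cluster's own address range.
internode_rules() {
    local nodes="$1" cores="$2" peers="$3" end p
    end=$(multiport_end "$nodes" "$cores")
    for p in $TCP_PORTS; do
        echo "iptables -A INPUT -p tcp -s $peers --dport $p -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "iptables -A INPUT -p udp -s $peers --dport $p -j ACCEPT"
    done
    # Multiport range, same span on TCP and UDP.
    echo "iptables -A INPUT -p tcp -s $peers --dport $MULTIPORT_BASE:$end -j ACCEPT"
    echo "iptables -A INPUT -p udp -s $peers --dport $MULTIPORT_BASE:$end -j ACCEPT"
}

# rule_count NODES CORES_PER_NODE PEER_CIDR -> number of rules emitted.
rule_count() {
    internode_rules "$@" | wc -l | tr -d ' '
}

# Usage: the page's 3 x 16 cluster, peer subnet is a constructed value.
internode_rules 3 16 10.0.0.0/24
```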

Modifying Multiport Settings

Multiport is enabled by default in v7.0 and later releases. Please see Modifying Startup Configuration Options for instructions on how to disable multiport.

Caveats for Multiport

ClustrixDB does not support mixed-mode usage of multiport; all nodes must uniformly have multiport enabled (default) or disabled, or the nodes will be unable to form a cluster. 

Passwordless Connectivity

This section describes how to enable the nodes to connect to each other without a password. This is required for:

  • Connecting via ssh between nodes
  • Using the clx tool, which collects logs, runs diagnostics and performs cluster-wide actions
  • ClustrixDB software upgrades

The installer sets up host-based authentication (on by default), and you can easily set up key pair authentication instead if you prefer it.

Host Based Authentication

In the installer, choose option 11 and toggle it to Yes:

11 - Allow ClustrixDB to modify sshd_config and /etc/hosts: Yes

This enables host-based authentication between the nodes, allowing them to communicate with each other via ssh. The default for this option is 'Yes'.

Key Pair Authentication

First generate the key pair. Keep the default file names, as these are what clx expects. If you already have a key pair, you can either skip this first step or rename the existing pair to something other than id_rsa.

[[email protected] ~]# ssh-keygen

You will see output like:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
96:f6:07:ef:a7:cc:e3:0c:9a:44:c7:ed:33:fa:cf:62 [email protected]

Now create (or append to) authorized_keys and copy the files to the other nodes in the cluster. The example below assumes there is a root password, foo, specified with the -R flag. If there is no root password on the nodes when these steps are run, the -R flag is not needed.

Run the following commands:

cd ~/.ssh
touch authorized_keys
chmod 600 authorized_keys
cat id_rsa.pub >> authorized_keys
clx -R foo push ~/.ssh/id_rsa ~/.ssh/id_rsa
clx -R foo push ~/.ssh/id_rsa.pub ~/.ssh/id_rsa.pub
clx -R foo push ~/.ssh/authorized_keys ~/.ssh/authorized_keys

That's it! You can test this with:

/opt/clustrix/bin/clx cmd 'date'

If each node returns its date, everything is working as expected.

Shared Root Password

As long as all the nodes have the same root password, you can run clx with the -R flag. Once clx has been run with -R, the password is cached, and upgrades and other clx operations will function as expected.

Example:

/opt/clustrix/bin/clx -R <root_password> cmd 'date'
