Installed Standalone HBase using the Quick Start Guide, but I need to bind all ports to a particular interface, so I set various *bindAddress properties in conf/hbase-site.xml and ran bin/start-hbase.sh, but the zookeeper clientPort is still bound to :::2181:
# netstat -antop | grep LISTEN | grep 4232/java
tcp6 0 0 :::2181 :::* LISTEN 4232/java
tcp6 0 0 10.134.6.221:41474 :::* LISTEN 4232/java
tcp6 0 0 10.134.6.221:16010 :::* LISTEN 4232/java
tcp6 0 0 127.0.0.1:34212 :::* LISTEN 4232/java
tcp6 0 0 127.0.0.1:34636 :::* LISTEN 4232/java
The bundled version of zookeeper appears to be 3.4.6
# ls lib/zookeeper-*
lib/zookeeper-3.4.6.jar
This should have the clientPortAddress option:
clientPortAddress
New in 3.3.0: the address (ipv4, ipv6 or hostname) to listen for client connections; that is, the address that clients attempt to connect to. This is optional, by default we bind in such a way that any connection to the clientPort for any address/interface/nic on the server will be accepted.
But specifying that option like so in conf/hbase-site.xml doesn't work:
<configuration>
<property><name>hbase.rootdir</name><value>file:///root/hbase</value></property>
<property><name>hbase.zookeeper.property.dataDir</name><value>/root/zookeeper</value></property>
<property><name>hbase.zookeeper.property.clientPortAddress</name><value>10.134.6.221</value></property>
<property><name>hbase.master.info.bindAddress</name><value>10.134.6.221</value></property>
<property><name>hbase.regionserver.info.bindAddress</name><value>10.134.6.221</value></property>
</configuration>
I tried to create a zoo.cfg file with clientPortAddress and put it in various directories and HBASE_CLASSPATH, but HBase didn't seem to pick it up.
Related
I am helping an IT department update their current Drupal website and assisting in updating their RedHat webserver. My Linux user account does not have many permissions outside of editing my home folder and the Apache docroot. I have been asked to help patch their current instance of Varnish 4.0.3 by following the instructions in this patch https://varnish-cache.org/security/VSV00001.html#vsv00001. I have to ask their sysadmin to do most things on the server since my account does not have access to most commands.
I asked the sysadmin to set the vcc_allow_inline parameter to true using the instructions in the patch documentation. Here is the full command they ran:
/opt/rh/rh-varnish4/root/usr/sbin/varnishd -pvcc_allow_inline_c=true -b www-test-cms:80
and now the website is not resolving correctly. Prior to touching varnish Drupal was running with Varnish on port 81
127.0.0.1:81
Here is what the current module settings look like:
Drupal Varnish module IP settings
And here is an output of Netstat before and after
Before
[root@www-test-cms ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 1775/zabbix_agentd
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1786/php-fpm: maste
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1762/memcached
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 117531/varnishd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1794/httpd
tcp 0 0 127.0.0.1:81 0.0.0.0:* LISTEN 117530/varnishd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1772/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2302/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1794/httpd
tcp6 0 0 :::10050 :::* LISTEN 1775/zabbix_agentd
tcp6 0 0 :::33060 :::* LISTEN 2096/mysqld
tcp6 0 0 :::3306 :::* LISTEN 2096/mysqld
tcp6 0 0 :::11211 :::* LISTEN 1762/memcached
tcp6 0 0 :::80 :::* LISTEN 117531/varnishd
tcp6 0 0 :::6556 :::* LISTEN 1763/xinetd
After
[root@www-test-cms ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1761/php-fpm: maste
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1777/memcached
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6004/varnishd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1780/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2292/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1779/httpd
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 1767/zabbix_agentd
tcp 0 0 127.0.0.1:35588 0.0.0.0:* LISTEN 6003/varnishd
tcp6 0 0 :::3306 :::* LISTEN 2031/mysqld
tcp6 0 0 :::11211 :::* LISTEN 1777/memcached
tcp6 0 0 :::80 :::* LISTEN 6004/varnishd
tcp6 0 0 :::6556 :::* LISTEN 1774/xinetd
tcp6 0 0 :::10050 :::* LISTEN 1767/zabbix_agentd
tcp6 0 0 :::33060 :::* LISTEN 2031/mysqld
So obviously this is a port issue. The sysadmin does not know a lot about webservers and I do not know a lot about much outside of the webfolder and we are having a hard time connecting the two! I would love a little more explanation as to what is going on here. Thank you in advance.
Analyzing the netstat output
In your before setup Varnish was running on port 80 & 81. In your after setup that is still the case. In your before setup the httpd process runs on ports 443 for HTTPS and 8080 for plain HTTP.
Looking at your varnishd runtime config
The only thing that looks different is the use of the -b option to configure the backend that Varnish connects to. Currently this is -b www-test-cms:80.
Based on the netstat output, the right port is 8080 instead of 80. However, I'm not a big fan of doing this via a runtime parameter, because the VCL file itself will probably also contain this information.
A better varnishd runtime config
For reference, here's the out-of-the-box systemd setup for a RHEL-based Varnish setup: https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux/#systemd-configuration.
As specified on https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux/#modifying-the-listening-port-and-cache-size, you need to set the -a property to configure the listening addresses.
Here's an example that is tailored to the Varnish port setup from your netstat output:
varnishd \
-a :80 \
-a :81 \
-f /etc/varnish/default.vcl \
-s malloc,2g \
-pvcc_allow_inline_c=true
Make varnishd listen on ports 80 & 81 (I don't know why 81 is needed)
Link to the VCL file that contains the backend definition and caching rules using the -f option
Set the size of the cache to 2GB using the -s option (tune this to your own needs)
Enable inline C by setting -pvcc_allow_inline_c=true (avoid enabling inline C unless it's absolutely necessary)
I strongly advise against this setup
While I can come up with a solution, I strongly advise against the patching process.
While it is important to fix security issues, patching this version of Varnish yourself is not a good idea.
Varnish 4 is end-of-life, so is Varnish 5 and certain versions of Varnish 6.
If you look at https://varnish-cache.org/security/index.html, you'll see that there are more VSVs. And maybe you think your version is not affected by most of them. Because Varnish 4 is EOL, the security issues aren't fixed for v4 anymore.
Upgrade to Varnish 6.0 LTS
I recommend that you upgrade to a more recent version of Varnish. Varnish Cache 6.0 LTS is the one I would recommend. See https://www.varnish-software.com/developers/tutorials/installing-varnish-red-hat-enterprise-linux for an install guide on RHEL.
What about VCL compatibility?
The compatibility of the VCL file cannot be guaranteed of course, however just add the vcl 4.1; version marker at the beginning of the VCL file and try to run the VCL code locally to see if it compiles when varnishd starts.
You could try copying the code from /etc/varnish/default.vcl on the server to your local system and test it in a local Docker container. See https://www.varnish-software.com/developers/tutorials/running-varnish-docker/ for more info about spinning up the official Varnish Docker image.
End result
Once you know the VCL file works on Varnish 6.0 LTS, you could go further with the upgrade of your Varnish server.
Patching an EOL version of Varnish is just a bad idea, just bite the bullet and upgrade to a modern version that is supported.
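Added example (not part of the original posts): a small Python parser for netstat -tlnp rows that serves both questions above. It reports which listeners are bound to a wildcard address (the :::2181 case in the HBase question) and which listeners closed or opened between two snapshots (the Before/After listings in the Varnish question). The sample rows are copied from those listings; the function names are made up for this example.

```python
import ipaddress

# Constructed sample: rows copied from the Before/After netstat listings above.
BEFORE = """\
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1762/memcached
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 117531/varnishd
tcp 0 0 127.0.0.1:81 0.0.0.0:* LISTEN 117530/varnishd
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1786/php-fpm: maste
tcp6 0 0 :::3306 :::* LISTEN 2096/mysqld
"""
AFTER = """\
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 1777/memcached
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6004/varnishd
tcp 0 0 127.0.0.1:35588 0.0.0.0:* LISTEN 6003/varnishd
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 1761/php-fpm: maste
tcp6 0 0 :::3306 :::* LISTEN 2031/mysqld
"""

def parse_listeners(text):
    """Return {(program, address, port)} for every TCP LISTEN row."""
    found = set()
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[5] != "LISTEN":
            continue  # skips headers, shell prompts and UDP rows
        addr, port = cols[3].rsplit(":", 1)  # ":::3306" -> ("::", "3306")
        pid_prog = cols[6] if len(cols) > 6 else "-"  # column is absent without -p
        program = pid_prog.partition("/")[2].rstrip(":") or "-"  # drop the PID
        found.add((program, addr, int(port)))
    return found

def scope(addr):
    """Classify a bind address as wildcard (all interfaces), loopback or specific."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if ip.is_loopback else "specific"

def wildcard_listeners(text):
    """Return sorted (program, port) pairs reachable on every interface."""
    return sorted((prog, port) for prog, addr, port in parse_listeners(text)
                  if scope(addr) == "wildcard")

def listener_diff(before, after):
    """Return (closed, opened) listeners between two snapshots, ignoring PIDs."""
    b, a = parse_listeners(before), parse_listeners(after)
    return sorted(b - a), sorted(a - b)
```

PIDs are dropped before comparing because they change on every restart and would otherwise make every listener look new.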
I've just installed a Nagios on Centos 7.
I followed the same procedure used for my test environment.
Only difference between test and prod is that the server was not prepared by me, but was an automatic provisioning.
Anyway, I'm failing to understand why the Nagios web page (and the Apache standard page) is not reachable.
I've already checked with network team for ports blocked and they told me that the traffic is not blocked.
What is wrong with this server?
Here is the config.
# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1503/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12139/httpd
tcp 0 0 127.0.0.1:50000 0.0.0.0:* LISTEN 616/oneagentwatchdo
tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN 616/oneagentwatchdo
tcp 0 0 127.0.0.1:50002 0.0.0.0:* LISTEN 616/oneagentwatchdo
tcp 0 0 127.0.0.1:50003 0.0.0.0:* LISTEN 616/oneagentwatchdo
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1758/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1568/master
tcp6 0 0 :::22 :::* LISTEN 1758/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1568/master
udp 0 0 0.0.0.0:68 0.0.0.0:* 837/dhclient
udp 0 0 127.0.0.1:323 0.0.0.0:* 565/chronyd
udp6 0 0 ::1:323 :::* 565/chronyd
FirewallD is "Inactive".
Even if it was active, the list of ports and services would be:
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client http ssh
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Iptables is not installed and therefore not active
SELinux status: disabled
I'm still thinking that there is a block somewhere but I cannot identify where it could be.
I have Plesk on my server that is using both ports as:
#netstat -lnp | grep 443
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 5513/sw-cp-server:
tcp6 0 0 :::443 :::* LISTEN 32660/httpd
tcp6 0 0 :::8443 :::* LISTEN 5513/sw-cp-server:
unix 2 [ ACC ] STREAM LISTENING 110443 31339/dovecot /var/run/dovecot/stats
Best regards
Yes, you can. http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html (First Google hit, incidentally)
Alright so I installed an apache server and verified it in the firewall. It has access to ports 80 and 443. I am running Ubuntu 16.04 Desktop Edition
I ran "sudo ufw app info "Apache Full"" to verify the firewall rules.
Profile: Apache Full
Title: Web Server (HTTP,HTTPS)
Description: Apache v2 is the next generation of the omnipresent Apache web server.
Ports: 80,443/tcp
I also tried checking if any ports are open under port 80, which there is a service for apache2. I ran "sudo netstat -ltnp | grep ':80'"
tcp6 0 0 127.0.0.1:8002 :::* LISTEN 32641/java
tcp6 0 0 :::80 :::* LISTEN 28722/apache2
tcp6 0 0 :::8000 :::* LISTEN 10738/java
tcp6 0 0 127.0.0.1:8001 :::* LISTEN 1649/java
Then I tried closing the service and checked if the port is open again, by doing "sudo service apache2 stop" then "sudo netstat -ltnp | grep ':80'"
tcp6 0 0 127.0.0.1:8002 :::* LISTEN 32641/java
tcp6 0 0 :::8000 :::* LISTEN 10738/java
tcp6 0 0 127.0.0.1:8001 :::* LISTEN 1649/java
I've even gone into the physical router and opened the port, the same setup works on other services just for apache.
Edit: I forgot to say, my URL isn't working. It just says
This site can’t be reached 24.221.202.149 took too long to respond.
My website is http://24.221.202.149/
I use sprint (with a static IP) as a provider. They block common web service host IP's including port 80.
I'm setting up CentOS 6.5 in Vagrant as a server.
I use the private_network setting with IP: 192.168.33.20
I used IP address 192.168.33.20 to access SSH and SFTP on the virtual machine.
The only thing I can't access is the website at that IP address (192.168.33.20), although I have installed httpd and httpd is running
[root@centos65 ~]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:45525 0.0.0.0:* LISTEN 1082/rpc.statd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1208/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1285/master
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1062/rpcbind
tcp 0 0 :::22 :::* LISTEN 1208/sshd
tcp 0 0 ::1:25 :::* LISTEN 1285/master
tcp 0 0 :::34314 :::* LISTEN 1082/rpc.statd
tcp 0 0 :::111 :::* LISTEN 1062/rpcbind
tcp 0 0 :::80 :::* LISTEN 3202/httpd
checking SELinux, it is disabled
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
Changing HTTP Port
[root@centos65 ~]# sudo netstat -nltd
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:49655 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
tcp 0 0 :::45389 :::* LISTEN
tcp 0 0 :::111 :::* LISTEN
tcp 0 0 :::8080 :::* LISTEN
I cannot access my Web Server from my host
Open port 80, go to and write
# vi /etc/sysconfig/iptables
Insert a new line
-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
That's all to resolve the problem