Jeff Vance created AMBARI-4236:
----------------------------------
Summary: improve firewall detection in ambari
Key: AMBARI-4236
URL: https://issues.apache.org/jira/browse/AMBARI-4236
Project: Ambari
Issue Type: Improvement
Components: agent
Environment: Ambari 1.4.3, RHEL 6.4
Reporter: Jeff Vance

The agent code, HostInfo.py, calls checkIptables() which does a "service
iptables status". If the returncode is 0 it equates that to a potential
firewall issue and reports the error (or warning), which can be disconcerting to
first-time users.

If you enter "service iptables stop" followed by "service iptables status" then
$? == 3 and the agent code will consider iptables disabled. However, if you
reboot the host (*even* if "chkconfig iptables off" has been executed prior to
the reboot), then "service iptables status" returns 0, there are no firewall
rules in effect, all IP traffic is allowed, but ambari complains that
iptables may prevent access. On RHEL, iptables is a "fake" service; as far as I
know, it is really a kernel module, and this module is loaded on reboot.
Therefore, even if there are no firewall rules, "service iptables status" will
return 0 and confuse ambari.

Possible solutions:

1) Improve firewall checking in the ambari agent to look deeper than just the
high-level returncode. For example, the output of iptables -S could be parsed to
see if there are any rules which will block ambari. Or, examine
/etc/sysconfig/iptables to see if there are any blocking rules.

2) Document precisely which protocols and which ports need to be opened in
corporate firewalls. In our opinion, enterprise customers in general do NOT
want to disable their firewalls, so it would be better to append rules specific
to ambari's needs.
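
Possible solution 1, sketched as an added example (not Ambari's code and not part of the original report): walk the INPUT chain of `iptables -S` output in order and report whether a new remote TCP connection to a given port would be accepted or blocked. The function names, the sample rulesets and port 9999 are assumptions made for illustration; port 9999 is a placeholder, not a port Ambari is known to need.

```python
import shlex

UNDERSTOOD = {"-p", "-m", "-j", "-i", "--dport", "--state", "--ctstate", "--reject-with"}

def _options(tokens):
    """Group rule tokens as {option: [args]}, e.g. {'--dport': ['22']}."""
    opts, key = {}, None
    for t in tokens:
        if t.startswith("-"):
            key = t
            opts[key] = []
        elif key:
            opts[key].append(t)
    return opts

def _port_in(spec, port):
    lo, sep, hi = spec.partition(":")        # "22" or a range such as "8000:9000"
    if not sep:
        hi = lo
    return int(lo or 0) <= port <= int(hi or 65535)

def inbound_tcp_verdict(rules_text, port):
    """Return ACCEPT, BLOCK or UNKNOWN for a new remote TCP connection to port."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = _options(tok[2:])
        target = opts.get("-j", [""])[0]
        if opts.get("-i") == ["lo"]:
            continue                         # loopback-only rule, not remote traffic
        if ("!" in tok or "-i" in opts or set(opts) - UNDERSTOOD
                or target not in ("ACCEPT", "DROP", "REJECT")):
            return "UNKNOWN"                 # a rule this sketch cannot evaluate
        states = (opts.get("--state") or opts.get("--ctstate") or ["NEW"])[0].split(",")
        if opts.get("-p", ["tcp"])[0] != "tcp" or "NEW" not in states:
            continue                         # rule does not apply to a new TCP connection
        if "--dport" in opts and not _port_in(opts["--dport"][0], port):
            continue
        return "ACCEPT" if target == "ACCEPT" else "BLOCK"   # first matching rule wins
    return "ACCEPT" if policy == "ACCEPT" else "BLOCK"       # fell through to chain policy

# Constructed samples of `iptables -S` output (not captured from a real host).
NO_RULES = "-P INPUT ACCEPT\n-P FORWARD ACCEPT\n-P OUTPUT ACCEPT\n"
FILTERING = NO_RULES + """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
```

`NO_RULES` models the post-reboot state described in the report, where "service iptables status" returns 0 but nothing is filtered; any rule the sketch does not understand yields UNKNOWN rather than a guess.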