Has any progress been made here at all?

I have the same problem as the user who opened this thread. I run xCAT on the 
server where I want to run the GUI. I’ve attempted to limit the xCAT IP 
addresses (changing httpd.conf and ssl.conf), but as you note, the 
UPDATE_IPTABLES setting causes this not to work right, as the GUI wants all 
interfaces. I could turn that off, but it’s not clear to me what rules I’d need 
to manually create.

What I /really/ would like to do is limit the GPFS GUI to a single interface. I 
guess the only issue with that would be that maybe the remote 
machines/performance monitors might contact the machine on its main IP with 
data.

Modifying the ports as I described elsewhere in the thread did work pretty 
well, but there were some lingering GUI update problems and lots of connections 
on 443 to “/scalemgmt/v2/info” and “/CommonEventServlet” that I never was able 
to track down. Now, I’ve tried disabling xCAT’s httpd server, reinstalled the 
gpfs.gui RPM, and started the GUI and it doesn’t seem to have gotten any 
better, so maybe this wasn’t a real problem and I’ll go back to modifying the 
ports, but I’d really like to do this “the right way” without having to provide 
another machine in order to do it.

--
#BlackLivesMatter
____
|| \\UTGERS,     |---------------------------*O*---------------------------
||_// the State  |         Ryan Novosielski - novos...@rutgers.edu
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
||  \\    of NJ  | Office of Advanced Research Computing - MSB C630, Newark
     `'

> On Aug 23, 2018, at 7:50 AM, Markus Rohwedder <rohwed...@de.ibm.com> wrote:
> 
> Hello Juri, Keith,
> 
> thank you for your responses.
> 
> The internal services communicate on the privileged ports, for backwards 
> compatibility and firewall simplicity reasons. We can not just assume all 
> nodes in the cluster are at the latest level.
> 
> Running two services at the same port on different IP addresses could be an 
> option to consider for coexistence of the GUI and another service on the 
> same node.
> However we have not set up, tested nor documented such a configuration as of 
> today. 
> 
> Currently the GUI service manages the iptables redirect bring up and tear 
> down.
> If this would be managed externally it would be possible to bind services to 
> specific ports based on specific IPs.
> 
> In order to create custom redirect rules based on IP address it is necessary 
> to instruct the GUI to 
> - not check for already used ports when the GUI service tries to start up
> - don't create/destroy port forwarding rules during GUI service start and 
> stop.
> This GUI behavior can be configured using the internal flag UPDATE_IPTABLES 
> in the service configuration with the 5.0.1.2 GUI code level.
> 
> The service configuration is not stored in the cluster configuration and may 
> be overwritten during code upgrades, so these settings may have to be added 
> again after an upgrade.
> 
> See this KC link:
> https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.1/com.ibm.spectrum.scale.v5r01.doc/bl1adv_firewallforgui.htm
> 
> Mit freundlichen Grüßen / Kind regards
> 
> Dr. Markus Rohwedder
> 
> Spectrum Scale GUI Development
> Phone: +49 7034 6430190
> E-Mail: rohwed...@de.ibm.com
> IBM Deutschland Research & Development
> Am Weiher 24
> 65451 Kelsterbach
> Germany
> 
> 
> From:  "Daniel Kidger" <daniel.kid...@uk.ibm.com>
> To:  gpfsug-discuss@spectrumscale.org
> Cc:  gpfsug-discuss@spectrumscale.org
> Date:  23.08.2018 12:13
> Subject:  Re: [gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
> Sent by:  gpfsug-discuss-boun...@spectrumscale.org
> 
> 
> 
> 
> Keith,
> 
> I have another IBM customer who also wished to move Scale GUI's https ports.
> In their case because they had their own web based management interface on 
> the same https port.
> Is this the same reason that you have?
> If so I wonder how many other sites have the same issue?
> 
> One workaround that was suggested at the time, was to add a second IP address 
> to the node (piggy-backing on 'eth0').
> Then run the two different GUIs, one per IP address.
> Is this an option, albeit a little ugly?
> Daniel
> 
> Dr Daniel Kidger
> IBM Technical Sales Specialist
> Software Defined Solution Sales
> 
> +44-(0)7818 522 266 
> daniel.kid...@uk.ibm.com
> 
> 
> 
> ----- Original message -----
> From: "Markus Rohwedder" <rohwed...@de.ibm.com>
> Sent by: gpfsug-discuss-boun...@spectrumscale.org
> To: gpfsug main discussion list <gpfsug-discuss@spectrumscale.org>
> Cc:
> Subject: Re: [gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
> Date: Thu, Aug 23, 2018 9:51 AM
> 
> Hello Keith,
> 
> it is not so easy.
> 
> The GUI receives events from other scale components using the currently 
> defined ports.
> Changing the GUI ports will cause breakage in the GUI stack at several places 
> (internal watchdog functions, interlock with health events, interlock with 
> CES).
> Therefore at this point there is no procedure to change this behaviour across 
> all components.
> 
> Because the GUI service does not run as root, the GUI server does not serve 
> the privileged ports 80 and 443 directly but rather 47443 and 47080.
> Tweaking the ports in the server.xml file will only change the native ports 
> that the GUI uses.
> The GUI manages IPTABLES rules to forward ports 443 and 80 to 47443 and 
> 47080. 
> If these ports are already used by another service, the GUI will not start up.
> 
> Making the GUI ports freely configurable is therefore not a straightforward 
> change, and currently not on our roadmap.
> If you want to emphasize your case as future development item, please let me 
> know.
> 
> I would also be interested in:
> - Scale version you are running
> - Do you need port 80 or 443 as well?
> - Would it work for you if the xCAT service was bound to a single IP address?
> 
> Mit freundlichen Grüßen / Kind regards
> 
> Dr. Markus Rohwedder
> 
> Spectrum Scale GUI Development
> 
> Phone: +49 7034 6430190
> E-Mail: rohwed...@de.ibm.com
> IBM Deutschland Research & Development
> Am Weiher 24
> 65451 Kelsterbach
> Germany
> 
> 
> From: Keith Ball <bipc...@gmail.com>
> To: gpfsug-discuss@spectrumscale.org
> Date: 22.08.2018 21:33
> Subject: [gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
> Sent by: gpfsug-discuss-boun...@spectrumscale.org
> 
> 
> 
> 
> Hello All,
> 
> Does anyone know how to change the HTTP ports for the Spectrum Scale GUI? Any 
> documentation or RedPaper I have found deftly avoids discussing this. The 
> most promising thing I see is in /opt/ibm/wlp/usr/servers/gpfsgui/server.xml:
> 
> <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="47080" httpsPort="47443">
>     <tcpOptions soReuseAddr="true"/>
> </httpEndpoint>
> 
> but it appears that port 80 specifically is used also by the GUI's Web 
> service. I already have an HTTP server using port 80 for provisioning (xCAT), 
> so would rather change the Spectrum Scale GUI configuration if I can.
> 
> Many Thanks,
> Keith
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss

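The thread leaves open which rules to create by hand once the GUI no longer manages them; the sketch below is an added example, not IBM's or any poster's code, and not the rules the GUI itself installs. It assumes UPDATE_IPTABLES has already been disabled as described in the quoted reply, uses the placeholder address 192.0.2.10 for the GUI's dedicated IP, and only prints the commands so they can be reviewed before being applied; IBM states in the thread that this setup is untested.

```sh
#!/bin/sh
# Added example: print (do not apply) nat rules that redirect ports 80/443 to
# the GUI's native ports 47080/47443 for ONE destination address only, so that
# another web server (e.g. xCAT's httpd) keeps 80/443 on the node's other IPs.
# Assumption: the rule layout is illustrative, not what the GUI creates itself.

GUI_HTTP_PORT=47080    # native HTTP port named in the thread
GUI_HTTPS_PORT=47443   # native HTTPS port named in the thread

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1              # split on dots; input is digits and dots only here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gui_redirect_rules GUI_IP: print one iptables command per line.
gui_redirect_rules() {
    gui_ip=$1
    valid_ipv4 "$gui_ip" || { echo "invalid IPv4 address: $gui_ip" >&2; return 1; }
    for pair in "80:$GUI_HTTP_PORT" "443:$GUI_HTTPS_PORT"; do
        public=${pair%%:*}
        native=${pair##*:}
        # PREROUTING matches traffic arriving from other hosts; OUTPUT matches
        # connections the node itself opens to the GUI address.
        for chain in PREROUTING OUTPUT; do
            echo "iptables -t nat -A $chain -d $gui_ip -p tcp --dport $public -j REDIRECT --to-ports $native"
        done
    done
}

# Usage (constructed placeholder address): gui_redirect_rules 192.0.2.10
```

With `host="*"` in server.xml the GUI still listens on 47080 and 47443 on every address, so these rules restrict only which IP answers on 80 and 443. Cluster components that reach the GUI on its standard ports must use the chosen address, which is the concern raised at the top of this message.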