Elasticsearch clustering behind the UFW firewall

I have an Elasticsearch cluster running on two different DigitalOcean droplets. They are both configured for private networking. I also have a set of MongoDB replicas that work fine with UFW rules configured to accept connections on the corresponding ports only from the specific (private) IP addresses of the droplets.

However, I cannot get green health for the Elasticsearch cluster using the same method, only yellow. This means that the nodes cannot connect to each other.

In elasticsearch.yml (on both machines), I disabled multicast and use unicast to connect to the droplets' IP addresses. When I configure the firewall to accept all connections on port 9300 (ufw allow 9300), this works fine and the cluster status is reported as green. However, when I restrict the rule to allow only from the actual IP addresses, as with the MongoDB replica set, it does not work. I tried with both public and private addresses, as well as IPv4 and IPv6.

What am I missing here?

2 answers

IPv6 is preferred by default. You can change this behavior by setting the java.net.preferIPv4Stack system property to true.
You should also note that by default ES is bound to anyLocalAddress (usually 0.0.0.0 or ::0). You can change this by setting network.bind_host to the correct IP address.

Link [1.3] "Modules" Network Settings


Update:

First, I recommend disabling IPv6 in the OS; you can do this as follows:

In /etc/sysctl.conf :

 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1

To disable on a running system:

 echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
 echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6

or

 sysctl -w net.ipv6.conf.all.disable_ipv6=1
 sysctl -w net.ipv6.conf.default.disable_ipv6=1

After that, you should set network.bind_host in elasticsearch.yml on both nodes to their respective IP addresses:

 # Elasticsearch, by default, binds itself to the 0.0.0.0 address, and listens
 # on port [9200-9300] for HTTP traffic and on port [9300-9400] for node-to-node
 # communication. (the range means that if the port is busy, it will automatically
 # try the next port).

 # Set the bind address specifically (IPv4 or IPv6):
 #
 # network.bind_host: 10.0.0.1

 # Set the address other nodes will use to communicate with this node. If not
 # set, it is automatically derived. It must point to an actual IP address.
 #
 # network.publish_host: 10.0.0.1

Or set

 # Set both 'bind_host' and 'publish_host':
 #
 # network.host: 10.0.0.1

Finally, check the configuration of the network adapters; both must be correctly configured with the IP address you used above.

Hope this helps

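To make the first answer's advice concrete, here is an added example in POSIX shell; it is not code from the original thread, from the answerer, or from Elasticsearch itself. For one node it prints the UFW rules and the ES 1.x elasticsearch.yml network lines, and it checks a captured listing from ss -ltn to confirm that the transport port is bound to the private address rather than a wildcard. The point behind it: with the default wildcard bind, a node typically reaches its peer from whatever interface the routing table picks (on a droplet, usually the public one), so a peer rule that allows only the private source address never matches; pinning network.host to the private IP fixes both the listening side and the outgoing side. The 10.0.0.x addresses, the interface layout, the ss listings, and the choice to deny the rest of the 9300:9400 range are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original thread or from Elasticsearch: per-node
# UFW rules and ES 1.x network settings for a cluster that peers over the
# private interface, plus a check of the resulting bind address.
# The 10.0.0.x addresses and the sample `ss -ltn` listings below are constructed.

ES_TRANSPORT_PORTS="9300:9400"   # default node-to-node (transport) port range

# es_ufw_rules SELF_PRIVATE_IP PEER_PRIVATE_IP [PEER_PRIVATE_IP ...]
# Print the ufw commands for this node. Each allow rule matches on the peer's
# source address AND this node's private address as destination, so a packet
# arriving on the public interface can never satisfy it; an explicit deny then
# covers the rest of the transport range for every other source.
es_ufw_rules() {
    self="$1"; shift
    for peer in "$@"; do
        printf 'ufw allow in from %s to %s port %s proto tcp\n' \
            "$peer" "$self" "$ES_TRANSPORT_PORTS"
    done
    printf 'ufw deny in to any port %s proto tcp\n' "$ES_TRANSPORT_PORTS"
}

# es_network_config SELF_PRIVATE_IP PEER_PRIVATE_IP [PEER_PRIVATE_IP ...]
# Print the elasticsearch.yml lines that pin bind and publish address to the
# private IP (network.host sets both) and list the peers for unicast discovery,
# so the node also connects out from the address the peer's firewall expects.
es_network_config() {
    self="$1"; shift
    hosts=""
    for peer in "$@"; do
        hosts="${hosts:+$hosts, }\"$peer:9300\""
    done
    printf 'network.host: %s\n' "$self"
    printf 'transport.tcp.port: 9300\n'
    printf 'discovery.zen.ping.multicast.enabled: false\n'
    printf 'discovery.zen.ping.unicast.hosts: [%s]\n' "$hosts"
}

# es_bind_ok SELF_PRIVATE_IP "$(ss -ltn)"
# Succeed (exit 0) only if port 9300 is listening on SELF_PRIVATE_IP and on no
# wildcard address (0.0.0.0, *, :: or [::]); fail otherwise.
es_bind_ok() {
    self="$1"; listing="$2"
    printf '%s\n' "$listing" | awk -v self="$self" '
        $1 == "LISTEN" {
            n = split($4, f, ":"); port = f[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "9300") { seen = 1; if (addr != self) wrong = 1 }
        }
        END { if (seen && !wrong) exit 0; exit 1 }'
}

# Constructed listings: before and after setting network.host on node 10.0.0.1
SS_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     *:9300             *:*
LISTEN 0      50     *:9200             *:*'
SS_PRIVATE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     10.0.0.1:9300      *:*
LISTEN 0      50     10.0.0.1:9200      *:*'

# Usage on node 10.0.0.1 with peer 10.0.0.2 (review the output, then run the
# ufw lines as root and put the yml lines into elasticsearch.yml):
es_ufw_rules 10.0.0.1 10.0.0.2
es_network_config 10.0.0.1 10.0.0.2
es_bind_ok 10.0.0.1 "$SS_WILDCARD" || echo "9300 is still bound to a wildcard address"
es_bind_ok 10.0.0.1 "$SS_PRIVATE" && echo "9300 is bound to the private address only"
```

Run the same script on the second node with the arguments swapped (10.0.0.2 as self, 10.0.0.1 as peer). After restarting Elasticsearch, feed the real output of ss -ltn to es_bind_ok; until it reports the private address only, a source-restricted UFW rule on the peer will keep failing for the reason given above. If a node must stay on IPv4 only, the preferIPv4Stack property from the answer is the alternative to disabling IPv6 system-wide.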

If you check the document below, it says that by default the ES transport uses ports 9300-9400. I would try opening this range and then see if you can block it further.

http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/modules-transport.html


Source: https://habr.com/ru/post/1203736/
