Review Board 1.7.22


Minor change to Runbook (iptables rules for NFS example)

Review Request #5965 - Created July 15, 2012 and submitted

Joe Brockmeier
Reviewers
cloudstack
ke4qqq
cloudstack-git
Changing iptables rules to filter for source so NFS is not wide-open.

 

Diff revision 2 (Latest)

docs/runbook/en-US/Environment.xml
Revision 9048e1a New Change
[20] 65 lines
[+20]
66
        Unfortunately, this configuration will not permit you to connect to the network,
66
        Unfortunately, this configuration will not permit you to connect to the network,
67
        and is also unsuitable for our purposes with CloudStack. We want to 
67
        and is also unsuitable for our purposes with CloudStack. We want to 
68
	configure that file so that it specifies the IP address, netmask, etc., as shown
68
	configure that file so that it specifies the IP address, netmask, etc., as shown
69
	in the following example:
69
	in the following example:
70
      </para>
70
      </para>

    
   
71
      <important>

    
   
72
        <title>Hardware Addresses</title>

    
   
73
	<para>You should not use the hardware address (aka MAC address) from our example

    
   
74
	    for your configuration. It is network interface specific, so you should keep the 

    
   
75
	    address already provided in the HWADDR directive.

    
   
76
        </para>

    
   
77
      </important>
71
      <screen>
78
      <screen>
72
DEVICE=eth0
79
DEVICE=eth0
73
HWADDR=52:54:00:B9:A6:C0
80
HWADDR=52:54:00:B9:A6:C0
74
NM_CONTROLLED=no
81
NM_CONTROLLED=no
75
ONBOOT=yes
82
ONBOOT=yes
76
BOOTPROTO=none
83
BOOTPROTO=none
77
IPADDR=172.16.10.2
84
IPADDR=172.16.10.2
78
NETMASK=255.255.255.0
85
NETMASK=255.255.255.0
79
GATEWAY=172.16.10.1
86
GATEWAY=172.16.10.1

    
   
87
DNS1=8.8.8.8

    
   
88
DNS2=8.8.4.4
80
      </screen>
89
      </screen>
81
      <note>
90
      <note>
82
        <title>IP Addressing</title>
91
        <title>IP Addressing</title>
83
        <para>Throughout this document we are assuming that you will
92
        <para>Throughout this document we are assuming that you will
84
        have a /24 network for your CloudStack implementation. This can be any
93
        have a /24 network for your CloudStack implementation. This can be any
85
        RFC 1918 network. However, we are assuming that you will match the 
94
        RFC 1918 network. However, we are assuming that you will match the 
86
        machine address that we are using. Thus we may use 
95
        machine address that we are using. Thus we may use 
87
        <userinput><replaceable>172.16.10</replaceable>.2</userinput> and because
96
        <userinput><replaceable>172.16.10</replaceable>.2</userinput> and because
88
        you might be using the 192.168.55.0/24 network you would use 
97
        you might be using the 192.168.55.0/24 network you would use 
89
        <userinput><replaceable>192.168.55</replaceable>.2</userinput>
98
        <userinput><replaceable>192.168.55</replaceable>.2</userinput>
90
        </para>
99
        </para>
91
      </note>
100
      </note>
92
      <important>

   
93
        <title>Hardware Addresses</title>

   
94
	<para>You should not use the hardware address (aka MAC address) from our example

   
95
	    for your configuration. It is network interface specific, so you should keep the 

   
96
	    address already provided in the HWADDR directive.

   
97
        </para>

   
98
      </important>

   
99
      <para> Now that we have the configuration files properly set up, we need to run a
101
      <para> Now that we have the configuration files properly set up, we need to run a
100
      few commands to start up the network</para>
102
      few commands to start up the network</para>
101
      <screen><prompt># </prompt><userinput><command>chkconfig</command> network on</userinput></screen>
103
      <screen><prompt># </prompt><userinput><command>chkconfig</command> network on</userinput></screen>
102
      <screen><prompt># </prompt><userinput><command>service</command> network start</userinput></screen>
104
      <screen><prompt># </prompt><userinput><command>service</command> network start</userinput></screen>
103
      <para>This should bring the network up successfully, but we now need to enable name resolution.

   
104
      To do that we will edit <filename>/etc/resolv.conf</filename>. These instructions will add

   
105
      one of the nameservers from Google, though you are free to add a local nameserver if you wish. 

   
106
      Your <filename>/etc/resolv.conf</filename> should modified to look like:

   
107
      </para>

   
108
      <screen>

   
109
nameserver 8.8.8.8

   
110
      </screen>

   
111
    

   
112
    </section>
105
    </section>
113
    <section id="sect-Runbook-Environment-operatingsys-hostname">
106
    <section id="sect-Runbook-Environment-operatingsys-hostname">
114
      <title>Hostname</title>
107
      <title>Hostname</title>
115
      <para>
108
      <para>
116
        Cloudstack requires that the hostname be properly set. If you used the default
109
        Cloudstack requires that the hostname be properly set. If you used the default
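Review bot: the new ifcfg-eth0 example sets both DNS1=8.8.8.8 and DNS2=8.8.4.4, yet the new resolv.conf paragraph says the instructions add "one of the nameservers from Google" and the example file lists only `nameserver 8.8.8.8`; define the resolvers in one place, or at least make the two examples agree (list both servers in resolv.conf or drop DNS2). The same paragraph reads "should modified to look like", which should be "should be modified to look like". The Hardware Addresses `<important>` block that now precedes the `<screen>` is identical to the one removed further down, so that part is a straight move and needs no further text.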
[+20] [20] 76 lines
[+20]
193
      We'll go ahead and create those directories and set permissions appropriately on them with the following commands:
186
      We'll go ahead and create those directories and set permissions appropriately on them with the following commands:
194
    </para>
187
    </para>
195
    <screen>
188
    <screen>
196
<prompt># </prompt><userinput><command>mkdir</command> /primary</userinput>
189
<prompt># </prompt><userinput><command>mkdir</command> /primary</userinput>
197
<prompt># </prompt><userinput><command>mkdir</command> /secondary</userinput>
190
<prompt># </prompt><userinput><command>mkdir</command> /secondary</userinput>
198
<prompt># </prompt><userinput><command>chmod</command> 777 /primary</userinput>

   
199
<prompt># </prompt><userinput><command>chmod</command> 777 /secondary</userinput>

   
200
    </screen>
191
    </screen>
201
    <para>CentOS 6.x releases use NFSv4 by default. NFSv4 requires that domain setting matches on all clients. 
192
    <para>CentOS 6.x releases use NFSv4 by default. NFSv4 requires that domain setting matches on all clients. 
202
    In our case, the domain is cloud.priv, so ensure that the domain setting in <filename>/etc/idmapd.conf</filename>
193
    In our case, the domain is cloud.priv, so ensure that the domain setting in <filename>/etc/idmapd.conf</filename>
203
    is uncommented and set as follows:</para>
194
    is uncommented and set as follows:</para>
204
    <screen>Domain = cloud.priv</screen>
195
    <screen>Domain = cloud.priv</screen>
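Review bot: the two added `chmod 777` lines make /primary and /secondary world-writable for every local account on the host, which pulls against the point of this review (not leaving NFS wide open). If the NFS clients need write access, prefer a dedicated owner or group on the directories with a 770-style mode and state in the preceding sentence why that owner was chosen; if 777 really is required for the example to work, the text should say so rather than presenting it silently as "permissions set appropriately".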
[+20] [20] 8 lines
[+20]
213
    </screen>
204
    </screen>
214
    <para> Now we need to configure the firewall to permit incoming NFS connections. 
205
    <para> Now we need to configure the firewall to permit incoming NFS connections. 
215
    Edit the file <filename>/etc/sysconfig/iptables</filename>
206
    Edit the file <filename>/etc/sysconfig/iptables</filename>
216
    </para>
207
    </para>
217
    <screen>
208
    <screen>
218
-A INPUT -m state --state NEW -p udp --dport 111 -j ACCEPT
209
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 111 -j ACCEPT
219
-A INPUT -m state --state NEW -p tcp --dport 111 -j ACCEPT
210
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 111 -j ACCEPT
220
-A INPUT -m state --state NEW -p tcp --dport 2049 -j ACCEPT
211
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 2049 -j ACCEPT
221
-A INPUT -m state --state NEW -p tcp --dport 32803 -j ACCEPT
212
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 32803 -j ACCEPT
222
-A INPUT -m state --state NEW -p udp --dport 32769 -j ACCEPT
213
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 32769 -j ACCEPT
223
-A INPUT -m state --state NEW -p tcp --dport 892 -j ACCEPT
214
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 892 -j ACCEPT
224
-A INPUT -m state --state NEW -p udp --dport 892 -j ACCEPT
215
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 892 -j ACCEPT
225
-A INPUT -m state --state NEW -p tcp --dport 875 -j ACCEPT
216
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 875 -j ACCEPT
226
-A INPUT -m state --state NEW -p udp --dport 875 -j ACCEPT
217
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 875 -j ACCEPT
227
-A INPUT -m state --state NEW -p tcp --dport 662 -j ACCEPT
218
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p tcp --dport 662 -j ACCEPT
228
-A INPUT -m state --state NEW -p udp --dport 662 -j ACCEPT
219
-A INPUT -s 172.16.10.0/24 -m state --state NEW -p udp --dport 662 -j ACCEPT
229
    </screen>
220
    </screen>
230
    <para>Now you can restart the iptables service with the following command:
221
    <para>Now you can restart the iptables service with the following command:
231
    </para>
222
    </para>
232
    <screen><prompt># </prompt><userinput><command>service</command> iptables restart</userinput></screen>
223
    <screen><prompt># </prompt><userinput><command>service</command> iptables restart</userinput></screen>
233
    <para>We now need to configure nfs service to start on boot and actually start it on the host by
224
    <para>We now need to configure nfs service to start on boot and actually start it on the host by
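Review bot: every rule now hard-codes `-s 172.16.10.0/24`, but the IP Addressing note earlier in this file tells readers they may use any RFC 1918 /24 (the 192.168.55.0/24 example) and wraps those octets in `<replaceable>`; the source prefix here should get the same `<replaceable>` markup, or the introductory paragraph should tell the reader to substitute their own network, otherwise anyone on a different subnet will block their own hosts from the NFS ports. The sentence "Edit the file <filename>/etc/sysconfig/iptables</filename>" is also missing its trailing period and would read better as "Edit the file ... and add the following rules:" since a bare `<screen>` follows it.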
[+20] [20] 11 lines