
Molecule cluster network/firewall configuration

Question asked by robin.garner788978 on Aug 22, 2018

I'm setting up a molecule on RedHat RHEL7, and having difficulty configuring the local firewall.  Both nodes are on the same subnet.

 

According to the Molecule System Requirements doco, you need port 45588 (UDP, although the doco isn't clear) and that's it.  So once I opened this port using firewall-cmd, started both nodes in the molecule, they had the dreaded MULTIPLE_HEAD_NODES error.  

 

tcpdump shows that there is traffic on this port, e.g.

13:35:15.311925 IP 10.91.48.101.45588 > 228.10.10.10.45588: UDP, length 77
13:35:15.401139 IP 10.91.48.100.45588 > 228.10.10.10.45588: UDP, length 77

but no cluster.  Turned the firewall off, restarted the atoms and the cluster has formed correctly and elected a head node.  netstat shows that the atom process on node 1 is also listening on port 59958, and on node 2 it's listening on port 55143, and this seems to change every time the atom is restarted.  I'm thinking that each atom is also opening a dynamic UDP port, and that while advertisements are sent on port 45588, this dynamic port is used for subsequent communications.  Can anyone confirm?

 

I can see documentation about how to change the main multicast port (45588), but is there a way to change/fix the other port?  Or a documented range of ports?

 

I don't particularly want to switch to unicast, but I'd really like to turn firewalld (iptables) back on, and preferably with the smallest possible whitelist.

 

Thanks in advance,

Robin
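
One way to check the hypothesis in the question above before widening the firewall whitelist, as an added example that is not part of the original post or of any vendor tooling: parse tcpdump lines in the format shown and report node-to-node UDP traffic arriving on ports outside the allowed set. The last two sample packets are constructed, and the mapping of 10.91.48.100 to node 1 (port 59958) and 10.91.48.101 to node 2 (port 55143) is an assumption.

```python
import re
from collections import defaultdict

# tcpdump one-line format as shown in the post:
#   HH:MM:SS.us IP src.sport > dst.dport: UDP, length N
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length \d+"
)

def unlisted_udp_ports(lines, nodes, allowed_ports):
    """Return {destination node: sorted UDP ports} for node-to-node traffic
    arriving on ports that are not in allowed_ports."""
    found = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP line in the expected format
        src, _sport, dst, dport = m.groups()
        # Only unicast between cluster members matters here; multicast
        # advertisements go to the group address, not to a node.
        if src in nodes and dst in nodes and src != dst:
            if int(dport) not in allowed_ports:
                found[dst].add(int(dport))
    return {node: sorted(ports) for node, ports in found.items()}

# Constructed sample: the first two lines are from the post, the last two are
# hypothetical unicast packets to the listening ports netstat reported.
SAMPLE = """\
13:35:15.311925 IP 10.91.48.101.45588 > 228.10.10.10.45588: UDP, length 77
13:35:15.401139 IP 10.91.48.100.45588 > 228.10.10.10.45588: UDP, length 77
13:35:16.012300 IP 10.91.48.101.55143 > 10.91.48.100.59958: UDP, length 120
13:35:16.020411 IP 10.91.48.100.59958 > 10.91.48.101.55143: UDP, length 96
""".splitlines()

NODES = {"10.91.48.100", "10.91.48.101"}  # cluster node addresses from the post

if __name__ == "__main__":
    report = unlisted_udp_ports(SAMPLE, NODES, allowed_ports={45588})
    for node, ports in sorted(report.items()):
        print(f"{node}: inbound UDP on unlisted ports {ports}")
```

On Linux, tcpdump sees inbound packets before iptables filters them, so a capture taken with firewalld enabled still shows the traffic the firewall is dropping.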
