[gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
Ryan Novosielski
novosirj at rutgers.edu
Fri Jul 19 17:43:03 BST 2019
Support has since pointed out to me, coincidentally, that all of the GUI callback scripts in /usr/lpp/mmfs/gui/callbacks contain a hard-coded port. I changed them this way, with PWD=/usr/lpp/mmfs/gui/callbacks:
find . -name *.sh -exec sed -i.bak 's/PORT=443/PORT=8443/g' {} \;
…as you can see, the only change was, for example:
[root at quorum02 callbacks]# diff gnr/PhysicalDiskCallback.sh.bak gnr/PhysicalDiskCallback.sh
21c21
< PORT=443
---
> PORT=8443
That caused me to look to see if port 443 is hard-coded anyplace else, and I found this other one, /usr/lpp/mmfs/gui/bin-sudo/functions_iptables.sh:
23: . /etc/sysconfig/gpfsgui
24:
25: HTTP_PORT=80
26: HTTPS_PORT=443
…this is peculiar to me because a) it works — it would seem like these two override my /etc/sysconfig/gpfsgui settings, but the web server is reachable at 8443. Also, these lines would seem to make way more sense in the reverse (eg. let the sysconfig file redefine the ports if they contain values).
Ideally, IBM would let you change those two environment variables in the sysconfig file, or somewhere else, and the callback scripts would use that value from the environment. I’ve not tried setting PORT=$HTTPS_PORT to see if those callback scripts have access to that variable.
--
____
|| \\UTGERS, |---------------------------*O*---------------------------
||_// the State | Ryan Novosielski - novosirj at rutgers.edu
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
|| \\ of NJ | Office of Advanced Research Computing - MSB C630, Newark
`'
> On Jul 18, 2019, at 5:26 PM, Ryan Novosielski <novosirj at rutgers.edu> wrote:
>
> Nope, that appears to be all of it. I also had a problem with the postgresql service, which was why the gpfsgui wouldn’t start. But once I fixed that, I can log in on https://<GUI_HOST>:8443.
>
> HTH.
>
>> On Jul 18, 2019, at 5:15 PM, Ryan Novosielski <novosirj at rutgers.edu> wrote:
>>
>> I happened across this message because I’ve already done this in the past and was trying to figure out how I did it (apparently didn’t write it down).
>>
>> Most of it appeared to be adding to /etc/sysconfig/gpfsgui the following:
>>
>> HTTP_PORT=8080
>> HTTPS_PORT=8443
>>
>> …but that hasn’t completely done it yet. Going to have a look and see what else I might need to do.
>>
>> --
>> ____
>> || \\UTGERS, |---------------------------*O*---------------------------
>> ||_// the State | Ryan Novosielski - novosirj at rutgers.edu
>> || \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
>> || \\ of NJ | Office of Advanced Research Computing - MSB C630, Newark
>> `'
>>
>>> On Aug 23, 2018, at 7:50 AM, Markus Rohwedder <rohwedder at de.ibm.com> wrote:
>>>
>>> Hello Juri, Keith,
>>>
>>> thank you for your responses.
>>>
>>> The internal services communicate on the privileged ports, for backwards compatibility and firewall simplicity reasons. We can not just assume all nodes in the cluster are at the latest level.
>>>
>>> Running two services at the same port on different IP addresses could be an option to consider for co-existance of the GUI and another service on the same node.
>>> However we have not set up, tested nor documented such a configuration as of today.
>>>
>>> Currently the GUI service manages the iptables redirect bring up and tear down.
>>> If this would be managed externally it would be possible to bind services to specific ports based on specific IPs.
>>>
>>> In order to create custom redirect rules based on IP address it is necessary to instruct the GUI to
>>> - not check for already used ports when the GUI service tries to start up
>>> - don't create/destroy port forwarding rules during GUI service start and stop.
>>> This GUI behavior can be configured using the internal flag UPDATE_IPTABLES in the service configuration with the 5.0.1.2 GUI code level.
>>>
>>> The service configuration is not stored in the cluster configuration and may be overwritten during code upgrades, so these settings may have to be added again after an upgrade.
>>>
>>> See this KC link:
>>> https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.1/com.ibm.spectrum.scale.v5r01.doc/bl1adv_firewallforgui.htm
>>>
>>> Mit freundlichen Grüßen / Kind regards
>>>
>>> Dr. Markus Rohwedder
>>>
>>> Spectrum Scale GUI Development
>>> <ecblank.gif>
>>> Phone: +49 7034 6430190 IBM Deutschland Research & Development
>>> <17153317.gif>
>>> E-Mail: rohwedder at de.ibm.com Am Weiher 24
>>> <ecblank.gif> <ecblank.gif> 65451 Kelsterbach
>>> <ecblank.gif> <ecblank.gif> Germany
>>> <ecblank.gif>
>>>
>>> <graycol.gif>"Daniel Kidger" ---23.08.2018 12:13:36---Keith, I have another IBM customer who also wished to move Scale GUI's https ports. In their case
>>>
>>> From: "Daniel Kidger" <daniel.kidger at uk.ibm.com>
>>> To: gpfsug-discuss at spectrumscale.org
>>> Cc: gpfsug-discuss at spectrumscale.org
>>> Date: 23.08.2018 12:13
>>> Subject: Re: [gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
>>> Sent by: gpfsug-discuss-bounces at spectrumscale.org
>>>
>>>
>>>
>>>
>>> Keith,
>>>
>>> I have another IBM customer who also wished to move Scale GUI's https ports.
>>> In their case because they had their own web based management interface on the same https port.
>>> Is this the same reason that you have?
>>> If so I wonder how many other sites have the same issue?
>>>
>>> One workaround that was suggested at the time, was to add a second IP address to the node (piggy-backing on 'eth0').
>>> Then run the two different GUIs, one per IP address.
>>> Is this an option, albeit a little ugly?
>>> Daniel
>>>
>>> <17310450.gif> Dr Daniel Kidger
>>> IBM Technical Sales Specialist
>>> Software Defined Solution Sales
>>>
>>> +44-(0)7818 522 266
>>> daniel.kidger at uk.ibm.com
>>>
>>>
>>>
>>> ----- Original message -----
>>> From: "Markus Rohwedder" <rohwedder at de.ibm.com>
>>> Sent by: gpfsug-discuss-bounces at spectrumscale.org
>>> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
>>> Cc:
>>> Subject: Re: [gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
>>> Date: Thu, Aug 23, 2018 9:51 AM
>>> Hello Keith,
>>>
>>> it is not so easy.
>>>
>>> The GUI receives events from other scale components using the currently defined ports.
>>> Changing the GUI ports will cause breakage in the GUI stack at several places (internal watchdog functions, interlock with health events, interlock with CES).
>>> Therefore at this point there is no procedure to change this behaviour across all components.
>>>
>>> Because the GUI service does not run as root. the GUI server does not serve the privileged ports 80 and 443 directly but rather 47443 and 47080.
>>> Tweaking the ports in the server.xml file will only change the native ports that the GUI uses.
>>> The GUI manages IPTABLES rules to forward ports 443 and 80 to 47443 and 47080.
>>> If these ports are already used by another service, the GUI will not start up.
>>>
>>> Making the GUI ports freely configurable is therefore not a strightforward change, and currently no on our roadmap.
>>> If you want to emphasize your case as future development item, please let me know.
>>>
>>> I would also be interested in:
>>>> Scale version you are running
>>>> Do you need port 80 or 443 as well?
>>>> Would it work for you if the xCAT service was bound to a single IP address?
>>>
>>> Mit freundlichen Grüßen / Kind regards
>>>
>>> Dr. Markus Rohwedder
>>>
>>> Spectrum Scale GUI Development
>>>
>>> <ecblank.gif>
>>> Phone: +49 7034 6430190 IBM Deutschland Research & Development
>>> <17153317.gif>
>>> E-Mail: rohwedder at de.ibm.com Am Weiher 24
>>> <ecblank.gif> <ecblank.gif> 65451 Kelsterbach
>>> <ecblank.gif> <ecblank.gif> Germany
>>> <ecblank.gif>
>>>
>>> <graycol.gif>Keith Ball ---22.08.2018 21:33:25---Hello All, Does anyone know how to change the HTTP ports for the Spectrum Scale GUI?
>>>
>>> From: Keith Ball <bipcuds at gmail.com>
>>> To: gpfsug-discuss at spectrumscale.org
>>> Date: 22.08.2018 21:33
>>> Subject: [gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
>>> Sent by: gpfsug-discuss-bounces at spectrumscale.org
>>>
>>>
>>>
>>>
>>> Hello All,
>>>
>>> Does anyone know how to change the HTTP ports for the Spectrum Scale GUI? Any documentation or RedPaper I have found deftly avoids discussing this. The most promising thing I see is in /opt/ibm/wlp/usr/servers/gpfsgui/server.xml:
>>>
>>> <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="47080" httpsPort="47443">
>>> <tcpOptions soReuseAddr="true"/>
>>> </httpEndpoint>
>>>
>>> but it appears that port 80 specifically is used also by the GUI's Web service. I already have an HTTP server using port 80 for provisioning (xCAT), so would rather change the Specturm Scale GUI configuration if I can.
>>>
>>> Many Thanks,
>>> Keith
>>> _______________________________________________
>>> gpfsug-discuss mailing list
>>> gpfsug-discuss at spectrumscale.org
>>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>>>
>>>
>>>
>>> _______________________________________________
>>> gpfsug-discuss mailing list
>>> gpfsug-discuss at spectrumscale.org
>>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>>>
>>> Unless stated otherwise above:
>>> IBM United Kingdom Limited - Registered in England and Wales with number 741598.
>>> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
>>> _______________________________________________
>>> gpfsug-discuss mailing list
>>> gpfsug-discuss at spectrumscale.org
>>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>>>
>>>
>>>
>>> _______________________________________________
>>> gpfsug-discuss mailing list
>>> gpfsug-discuss at spectrumscale.org
>>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>>
>> _______________________________________________
>> gpfsug-discuss mailing list
>> gpfsug-discuss at spectrumscale.org
>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
More information about the gpfsug-discuss
mailing list