[gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI

Ryan Novosielski novosirj at rutgers.edu
Fri Nov 19 16:46:34 GMT 2021


Has any progress been made here at all?

I have the same problem as the user who opened this thread. I run xCAT on the server where I want to run the GUI. I’ve attempted to limit the xCAT IP addresses (changing httpd.conf and ssl.conf), but as you note, the UPDATE_IPTABLES setting causes this not to work right, as the GUI wants all interfaces. I could turn that off, but it’s not clear to me what rules I’d need to manually create.

What I /really/ would like to do is limit the GPFS GUI to a single interface. I guess the only issue with that would be that maybe the remote machines/performance monitors might contact the machine on its main IP with data.

Modifying the ports as I described elsewhere in the thread did work pretty well, but there were some lingering GUI update problems and lots of connections on 443 to "/scalemgmt/v2/info" and "/CommonEventServlet" that I never was able to track down. Now, I’ve tried disabling xCAT’s httpd server, reinstalled the gpfs.gui RPM, and started the GUI, and it doesn’t seem to have gotten any better, so maybe this wasn’t a real problem and I’ll go back to modifying the ports, but I’d really like to do this “the right way” without having to provide another machine in order to do it.

--
#BlackLivesMatter
____
|| \\UTGERS,  	 |---------------------------*O*---------------------------
||_// the State	 |         Ryan Novosielski - novosirj at rutgers.edu
|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus
||  \\    of NJ	 | Office of Advanced Research Computing - MSB C630, Newark
     `'

> On Aug 23, 2018, at 7:50 AM, Markus Rohwedder <rohwedder at de.ibm.com> wrote:
> 
> Hello Juri, Keith,
> 
> thank you for your responses.
> 
> The internal services communicate on the privileged ports, for backwards compatibility and firewall simplicity reasons. We cannot just assume all nodes in the cluster are at the latest level.
> 
> Running two services at the same port on different IP addresses could be an option to consider for coexistence of the GUI and another service on the same node.
> However we have not set up, tested nor documented such a configuration as of today. 
> 
> Currently the GUI service manages the iptables redirect bring up and tear down.
> If this would be managed externally it would be possible to bind services to specific ports based on specific IPs.
> 
> In order to create custom redirect rules based on IP address it is necessary to instruct the GUI to 
> - not check for already used ports when the GUI service tries to start up
> - don't create/destroy port forwarding rules during GUI service start and stop.
> This GUI behavior can be configured using the internal flag UPDATE_IPTABLES in the service configuration with the 5.0.1.2 GUI code level.
> 
> The service configuration is not stored in the cluster configuration and may be overwritten during code upgrades, so these settings may have to be added again after an upgrade.
> 
> See this KC link:
> https://www.ibm.com/support/knowledgecenter/en/STXKQY_5.0.1/com.ibm.spectrum.scale.v5r01.doc/bl1adv_firewallforgui.htm
> 
> Mit freundlichen Grüßen / Kind regards
> 
> Dr. Markus Rohwedder
> 
> Spectrum Scale GUI Development
> Phone: +49 7034 6430190
> E-Mail: rohwedder at de.ibm.com
> IBM Deutschland Research & Development
> Am Weiher 24
> 65451 Kelsterbach
> Germany
> 
> From:  "Daniel Kidger" <daniel.kidger at uk.ibm.com>
> To:  gpfsug-discuss at spectrumscale.org
> Cc:  gpfsug-discuss at spectrumscale.org
> Date:  23.08.2018 12:13
> Subject:  Re: [gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
> Sent by:  gpfsug-discuss-bounces at spectrumscale.org
> 
> 
> 
> 
> Keith,
> 
> I have another IBM customer who also wished to move Scale GUI's https ports.
> In their case because they had their own web based management interface on the same https port.
> Is this the same reason that you have?
> If so I wonder how many other sites have the same issue?
> 
> One workaround that was suggested at the time, was to add a second IP address to the node (piggy-backing on 'eth0').
> Then run the two different GUIs, one per IP address.
> Is this an option, albeit a little ugly?
> Daniel
> 
> Dr Daniel Kidger
> IBM Technical Sales Specialist
> Software Defined Solution Sales
> 
> +44-(0)7818 522 266 
> daniel.kidger at uk.ibm.com
> 
> 
> 
> ----- Original message -----
> From: "Markus Rohwedder" <rohwedder at de.ibm.com>
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Cc:
> Subject: Re: [gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
> Date: Thu, Aug 23, 2018 9:51 AM
> Hello Keith,
> 
> it is not so easy.
> 
> The GUI receives events from other scale components using the currently defined ports.
> Changing the GUI ports will cause breakage in the GUI stack at several places (internal watchdog functions, interlock with health events, interlock with CES).
> Therefore at this point there is no procedure to change this behaviour across all components.
> 
> Because the GUI service does not run as root, the GUI server does not serve the privileged ports 80 and 443 directly but rather 47443 and 47080.
> Tweaking the ports in the server.xml file will only change the native ports that the GUI uses.
> The GUI manages IPTABLES rules to forward ports 443 and 80 to 47443 and 47080. 
> If these ports are already used by another service, the GUI will not start up.
> 
> Making the GUI ports freely configurable is therefore not a straightforward change, and currently not on our roadmap.
> If you want to emphasize your case as future development item, please let me know.
> 
> I would also be interested in:
> > Scale version you are running
> > Do you need port 80 or 443 as well?
> > Would it work for you if the xCAT service was bound to a single IP address?
> 
> Mit freundlichen Grüßen / Kind regards
> 
> Dr. Markus Rohwedder
> 
> Spectrum Scale GUI Development
> 
> Phone: +49 7034 6430190
> E-Mail: rohwedder at de.ibm.com
> IBM Deutschland Research & Development
> Am Weiher 24
> 65451 Kelsterbach
> Germany
> 
> From: Keith Ball <bipcuds at gmail.com>
> To: gpfsug-discuss at spectrumscale.org
> Date: 22.08.2018 21:33
> Subject: [gpfsug-discuss] Changing Web ports for the Spectrum Scale GUI
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
> 
> 
> 
> 
> Hello All,
> 
> Does anyone know how to change the HTTP ports for the Spectrum Scale GUI? Any documentation or RedPaper I have found deftly avoids discussing this. The most promising thing I see is in /opt/ibm/wlp/usr/servers/gpfsgui/server.xml:
> 
> <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="47080" httpsPort="47443">
> <tcpOptions soReuseAddr="true"/>
> </httpEndpoint>
> 
> but it appears that port 80 specifically is used also by the GUI's Web service. I already have an HTTP server using port 80 for provisioning (xCAT), so would rather change the Spectrum Scale GUI configuration if I can.
> 
> Many Thanks,
> Keith
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
> 
> 
> 
> 
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number 741598. 
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU



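The thread describes the GUI forwarding ports 80 and 443 to 47080 and 47443 with iptables, and managing that redirect externally once UPDATE_IPTABLES is turned off. The sketch below is an added example, not IBM's rule set and not code from any poster: it prints redirect rules scoped to one address and checks an `iptables -t nat -S` dump for GUI redirects that still match every address. The function names, the address 192.0.2.10 and the sample dump are assumptions constructed for illustration, and IBM states in the thread that this configuration is untested.

```shell
#!/bin/sh
# Added example, not IBM's rule set; 192.0.2.10 and the dump are constructed.

# Print (do not apply) nat rules that redirect 80/443 to the GUI's native
# ports only for traffic addressed to one IPv4 address.
gui_redirect_rules() {
    ip=$1
    # Reject empty input, wildcards, CIDR ranges and the any-address.
    case $ip in
        ''|*[!0-9.]*|0.0.0.0) echo "need a single IPv4 address" >&2; return 1 ;;
    esac
    # Require dotted-quad form (four groups of one to three digits).
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
        echo "need a single IPv4 address" >&2; return 1; }
    for pair in 80:47080 443:47443; do
        src=${pair%%:*}; dst=${pair##*:}
        # PREROUTING covers remote clients, OUTPUT covers connections
        # opened on the node itself.
        for chain in PREROUTING OUTPUT; do
            echo "iptables -t nat -A $chain -d $ip/32 -p tcp --dport $src -j REDIRECT --to-ports $dst"
        done
    done
}

# Read `iptables -t nat -S` output on stdin and print every redirect to the
# GUI ports that has no -d match, i.e. one that takes 80/443 on all addresses
# and would therefore collide with another web service on the node.
unscoped_gui_redirects() {
    awk '/-j REDIRECT/ && /--to-ports (47080|47443)/ {
             scoped = 0
             for (i = 1; i < NF; i++) if ($i == "-d") scoped = 1
             if (!scoped) print
         }'
}

# Constructed sample dump: one unscoped rule, one scoped rule.
SAMPLE_NAT_DUMP='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 47443
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 47080'

gui_redirect_rules 192.0.2.10
printf '%s\n' "$SAMPLE_NAT_DUMP" | unscoped_gui_redirects
```

Because the thread notes that the service configuration may be overwritten during code upgrades, the audit function is worth rerunning against the live `iptables -t nat -S` output after each upgrade.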