Restricting Cassandra to localhost only - cassandra

I installed cassandra as a service on Ubuntu. Test Cluster is accessible on 127.0.0.1:9042. I want to restrict everything related to cassandra to localhost only, nothing open to internet. Currently, this is what I see on netstat -tulpen:
udp 0 0 130.159.223.50:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp6 0 0 fe80::215:5dff:fcdf:123 :::*
udp6 0 0 ::1:123 :::*
udp6 0 0 :::123 :::*

Disclaimer: What you want to achieve can be done through configuration, but for a production cluster, it should be done using a firewall.
You need to modify a number of settings in cassandra.yaml so that the node listens only on the loopback address (127.0.0.1):
listen_address: 127.0.0.1
rpc_address: 127.0.0.1
# make sure the broadcast address is commented out
# broadcast_address: 1.2.3.4
When running nodetool you should see the node's IP as the loopback interface IP:
$ nodetool status
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns Host ID Rack
UN 127.0.0.1 60.62 TB 256 ? e7060cda-f99b-495c-ad55-2d380b4d452e rack1
Note: Non-system keyspaces don't have the same replication settings, effective ownership
information is meaningless
You can then verify with telnet that Cassandra is inaccessible over the public or private IP and reachable only on the loopback IP:
core:cassandra core$ telnet <external ip> 9042
Trying 134.103.x.x...
telnet: connect to address 134.103.x.x: Connection refused
telnet: Unable to connect to remote host
core:cassandra core$ telnet <internal ip> 9042
Trying 10.17.x.x...
telnet: connect to address 10.17.x.x: Connection refused
telnet: Unable to connect to remote host
core:cassandra core$ telnet 127.0.0.1 9042
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> Connection closed.
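The telnet checks above only probe the one port you think of. An added check, not part of the answer above, is to parse the full netstat -tulpen listing and report every Cassandra or Scylla port that is bound to something other than a loopback address. The port table and the sample netstat text below are constructed for this illustration (the sample mixes line shapes from the posts on this page); the script needs only the Python standard library. One detail it handles that a quick glance misses: Java binds IPv4-mapped sockets, so netstat prints a loopback listener as "tcp6 ... 127.0.0.1:9042", and a plain split on ":" would mangle IPv6 addresses such as ":::22".

```python
"""Audit `netstat -tulpen` / `netstat -tulpn` output for Cassandra or Scylla
ports that are bound to something other than a loopback address.

Added example, not code from any of the posts on this page.  The port table
and SAMPLE_NETSTAT are assumptions constructed for this illustration.
"""
import ipaddress

# Ports Cassandra/Scylla commonly open.  Assumption: adjust to your deployment.
CASSANDRA_PORTS = {
    7000: "storage (gossip)",
    7001: "storage (TLS)",
    7199: "JMX",
    9042: "CQL native transport",
    9142: "CQL native transport (TLS)",
    9160: "Thrift RPC",
    9180: "Scylla Prometheus metrics",
    10000: "Scylla REST API",
}


def split_host_port(local):
    """Split netstat's 'Local Address' column at the LAST colon.

    IPv6 addresses contain colons themselves, so a plain split on ':'
    would break: ':::22' -> ('::', 22), '::1:7199' -> ('::1', 7199).
    """
    host, _, port = local.rpartition(":")
    return host, int(port)


def classify(host):
    """Return 'loopback', 'wildcard' or 'specific' for a bind address.

    netstat shows an IPv4-mapped socket as 'tcp6 ... 127.0.0.1:9042', so the
    proto column says nothing about reachability; only the address does.
    """
    if host in ("", "*"):
        return "wildcard"
    host = host.split("%", 1)[0]          # drop a scope id such as fe80::1%eth0
    addr = ipaddress.ip_address(host)     # raises ValueError on garbage, on purpose
    if addr.is_unspecified:               # 0.0.0.0 or ::
        return "wildcard"
    if addr.is_loopback:                  # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"                     # a real interface address, link-local included


def parse_listeners(netstat_text):
    """Yield (proto, host, port, program) for every listening socket.

    TCP rows must carry LISTEN; UDP rows are stateless and always count.
    The PID/Program column is optional (absent without -p or without root).
    """
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[0].startswith(("tcp", "udp")):
            continue                      # header lines, blank lines
        proto, local = cols[0], cols[3]
        if proto.startswith("tcp") and "LISTEN" not in cols:
            continue                      # ESTABLISHED, TIME_WAIT, ...
        program = cols[-1] if "/" in cols[-1] else "-"
        host, port = split_host_port(local)
        yield proto, host, port, program


def exposed_cassandra_ports(netstat_text):
    """Return [(port, service, host, program)] for every Cassandra/Scylla port
    that is reachable from beyond the loopback interface."""
    findings = []
    for _proto, host, port, program in parse_listeners(netstat_text):
        if port in CASSANDRA_PORTS and classify(host) != "loopback":
            findings.append((port, CASSANDRA_PORTS[port], host, program))
    return findings


# Constructed sample (not a real capture): line shapes taken from the posts on
# this page, including tcp6 sockets bound to the IPv4 loopback address.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3575/sshd
tcp        0      0 192.168.130.59:7000     0.0.0.0:*               LISTEN      6777/java
tcp        0      0 127.0.0.1:7199          0.0.0.0:*               LISTEN      6777/java
tcp        0      0 0.0.0.0:9180            0.0.0.0:*               LISTEN      6387/scylla
tcp        0      0 10.1.0.6:22             109.76.85.23:51728      ESTABLISHED -
tcp6       0      0 127.0.0.1:9042          :::*                    LISTEN      6777/java
tcp6       0      0 :::9042                 :::*                    LISTEN      1207/java
tcp6       0      0 ::1:7199                :::*                    LISTEN      6412/scylla-jmx
udp6       0      0 fe80::215:5dff:fcdf:123 :::*                                -
"""

if __name__ == "__main__":
    for port, service, host, program in exposed_cassandra_ports(SAMPLE_NETSTAT):
        print(f"EXPOSED {host}:{port} ({service}) by {program}")
```

On the constructed sample the script reports 7000 on 192.168.130.59, 9180 on 0.0.0.0 and 9042 on ::, and stays silent about 127.0.0.1:9042 and ::1:7199. Pipe real output in with sudo netstat -tulpen, since without root the program column is empty.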

Related

Cannot Connect Cassandra Client on Public IP

Hello, I am trying to set up a three-node Cassandra cluster on Azure Linux VMs and connect to it from an external machine using the C# DataStax client. However, I am having trouble connecting via a VM's public IP from outside the network. Any help would be greatly appreciated as I am about lost now.
Here is the Java Version the machines are running.
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-8u191-b12-0ubuntu0.18.04.1-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
My cassandra version is
3.11.3
When I run nodetool status I can see the machines in the cluster; however, it shows the local IP addresses on the Azure virtual network, not their public IP addresses. I am unsure if this is correct?
Datacenter: dc1europe
=====================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns (effective) Host ID Rack
DN 10.1.0.7 101.37 KiB 256 32.8% 617d3f87-cb04-4c29-9e0c-e2c712487ad5 rack1europe
UN 10.1.0.6 158.26 KiB 256 33.1% b79a1aa0-a049-46f2-8efc-679d10a097e2 rack1europe
DN 10.1.0.9 101.36 KiB 256 34.2% 58a101e5-51f2-491e-833f-cc5c49a8740a rack1europe
I can use cqlsh with the internal IP address to connect to any of the machines, but when I use cqlsh with the public IP address I get the following error:
Connection error: ('Unable to connect to any servers', {'XX.XXX.XXX.XXX': error(None, "Tried connecting to [('XX.XXX.XXX.XXX', 9042)]. Last error: timed out")})
When I run netstat -vatn it shows me that my machine is in fact listening on port 9042 but again I am unsure if this is correct:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9042 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 10.1.0.6:7000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:42271 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7199 0.0.0.0:* LISTEN
tcp 0 64 10.1.0.6:22 109.76.85.23:51728 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
I can telnet using the public IP address of the machine I am currently logged into on the cluster but when I try to telnet using the public IP address of another machine on the cluster I get the following:
Trying XX.XXX.XXX.XXX...
But a connection is never established.
Here are the relevant settings from my cassandra.yaml file which I have edited for all three nodes on the cluster
seed_provider:
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
parameters:
- seeds: "10.1.0.6, 10.1.0.7"
listen_address:
# broadcast_address: 1.2.3.4
start_rpc: false
rpc_address: 0.0.0.0
broadcast_rpc_address: <PUBLIC IP OF CURRENT NODE>
I have edited the NSG in azure to allow all the required inbound ports including 7000, 7001, 7199, 9042, 9160, 9142 so this should not be a problem.
I'm unsure whether the problem is with my Azure VM/Network configuration or my Cassandra Setup. Any pointers or help would be great!
Thanks.
My setup.
Windows VM as Webserver
Ubuntu as Cassandra node.
Both in same subscription and different resource group and VNETs.
For connection from Windows machine to Cassandra.
Followed these steps and it worked :)
1) Peer VNet. This has to be done on both vnets. Initially I was not able to ping Ubuntu VM from Windows VM, after peering I was able to ping.
2) Open port 9042 on Cassandra VM you can add restriction for address range of Webserver.
3) In the Ubuntu VM edit /etc/cassandra/cassandra.yaml and change the following settings.
IP is private ip address of Ubuntu VM
1) rpc_address: 10.0.1.5
2) listen_address: 10.0.1.5
3) seeds: "10.0.1.5"
4) Now try any test application to connect to cassandra from Webserver.
e.g
using Cassandra;

// 10.0.1.5 is the private IP of the Ubuntu VM, i.e. the node's rpc_address
var cluster = Cluster.Builder()
    .AddContactPoints("10.0.1.5")
    .WithPort(9042)
    .WithAuthProvider(new PlainTextAuthProvider("cassandra", "cassandra"))
    .Build();
ISession session = cluster.Connect();
You should be able to connect and run statements.
Cheers,
Hemant
From your description, it sounds like NAT forwarding/endpoints. I assume it's a classic deployment, so below is information on Endpoints.
https://learn.microsoft.com/en-us/azure/virtual-machines/linux/classic/setup-endpoints

Connect remote scylla db server shows error

I have installed scylla-db in google cloud servers.
Steps i have followed:
sudo yum install epel-release
sudo curl -o /etc/yum.repos.d/scylla.repo -L http://repositories.scylladb.com/scylla/repo/a2a0ba89d456770dfdc1cd70325e3291/centos/scylladb-2.0.repo
sudo yum install scylla
sudo scylla_setup
(Gave yes to "verify supportable version", "verify packages", "core dump", "fstrim ssd";
for the remaining: gave NO)
In file /etc/scylla.d/io.conf:
SEASTAR_IO="--max-io-requests=12 --num-io-queues=1"
( edited this file manually )
sudo systemctl start scylla-server
It showed: "Cannot able to read yaml file". Then I googled it and downgraded the yaml-cpp version from 0.5.3 to 0.5.1.
Then
scylla-server started running.
[root@scylla ~]# nodetool status
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns Host ID Rack
UN 127.0.0.1 208.69 KB 256 ? 888e91da-9385-4c61-8417-dd59c1a979b8 rack1
Note: Non-system keyspaces don't have the same replication settings, effective ownership information is meaningless
[root@scylla ~]# cat /etc/scylla/scylla.yaml | grep seeds:
- seeds: "127.0.0.1"
[root@scylla ~]# cat /etc/scylla/scylla.yaml | grep rpc_address:
rpc_address: localhost
#broadcast_rpc_address:
[root@scylla ~]# cat /etc/scylla/scylla.yaml | grep listen_address:
listen_address: localhost
[root@scylla ~]# cqlsh
Connected to Test Cluster at 127.0.0.1:9042.
[cqlsh 5.0.1 | Cassandra 3.0.8 | CQL spec 3.3.1 | Native protocol v4]
Use HELP for help.
cqlsh> exit
[root@scylla ~]# netstat -tupln | grep LISTEN
tcp 0 0 127.0.0.1:10000 0.0.0.0:* LISTEN 6387/scylla
tcp 0 0 127.0.0.1:9042 0.0.0.0:* LISTEN 6387/scylla
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1105/sshd
tcp 0 0 127.0.0.1:7000 0.0.0.0:* LISTEN 6387/scylla
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1119/master
tcp 0 0 0.0.0.0:9180 0.0.0.0:* LISTEN 6387/scylla
tcp 0 0 127.0.0.1:9160 0.0.0.0:* LISTEN 6387/scylla
tcp6 0 0 :::80 :::* LISTEN 5217/httpd
tcp6 0 0 :::22 :::* LISTEN 1105/sshd
tcp6 0 0 :::35063 :::* LISTEN 6412/scylla-jmx
tcp6 0 0 ::1:25 :::* LISTEN 1119/master
tcp6 0 0 127.0.0.1:7199 :::* LISTEN 6412/scylla-jmx
scylla-server is running.
Same setup was done another server
Server Name scylla-db-1
I need to connect to the server scylla ( IP: xx.xx.xxx) from this server.
when i execute the below :
[root@scylla-db-1 ~]# cqlsh xx.xx.xxx
Connection error: ('Unable to connect to any servers', {'xx.xx.xxx': error(111, "Tried connecting to [('xx.xx.xxx', 9042)]. Last error: Connection refused")})
How to connect the remote server from this server?
Also,
while checking http://xx.xx.xxx:10000 and http://xx.xx.xxx:10000/ui in the browser, I'm getting "problem loading page".
Note:
I have edited the /etc/scylla.d/io.conf file to assign
max-io-requests manually.
Port 10000 is the REST API for Scylla and is usually left bound to 127.0.0.1; that's why you cannot access it.
To gain access via cql you need to edit the /etc/scylla/scylla.yaml file and set the rpc_address
Please follow the instructions for configuring scylla for a cluster deployment: single dc http://docs.scylladb.com/procedures/create_cluster/ or multi dc http://docs.scylladb.com/procedures/create_cluster_multidc/.
You need to set rpc_address in scylla.yaml and, when connecting through CQL, give your rpc_address as well: cqlsh xx.xxx.xxx.xx, with user/pass if enabled.

Cassandra linux cannot connect from remote

I have installed Cassandra but am not able to connect to the Cassandra server from a remote IP.
[root@li1632-39 ~]# cassandra -v
3.0.9
I am connecting to public_ip:9042 but get connection refused. When I try to validate by telnet I can see the port is closed.
When I try to check the status of cassandra its running.
[root@li1636-25 ~]# nodetool status
Datacenter: singapore
=====================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
-- Address Load Tokens Owns (effective) Host ID Rack
UN 192.168.130.104 297.48 KB 256 100.0% 85bebb4d-4ce9-4144-b33a-8e9759a87e54 rack5
UN 192.168.130.59 262.73 KB 256 100.0% f79f1c04-b567-4e15-98f0-5fd1a8345f61 rack5
I have cassandra.yaml
listen_address: 192.168.130.59
rpc_address: 192.168.130.59
start_rpc: true
I have also tried with cassandra.yaml
listen_address: 0.0.0.0
rpc_address: 0.0.0.0
start_rpc: true
In this case I am getting below error.
[root@li1636-25 ~]# nodetool status
nodetool: Failed to connect to '127.0.0.1:7199' - ConnectException: 'Connection refused (Connection refused)'.
Error from the remote host on telnet.
A-MacBook-Air:~ ads$ telnet public_ip 9042
Trying 172.104.52.39...
telnet: connect to address public_ip: Connection refused
telnet: Unable to connect to remote host
Below is the result of Netstat
netstat -tulpn | grep LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3575/sshd
tcp 0 0 192.168.130.59:7000 0.0.0.0:* LISTEN 6777/java
tcp 0 0 127.0.0.1:7199 0.0.0.0:* LISTEN 6777/java
tcp 0 0 127.0.0.1:37857 0.0.0.0:* LISTEN 6777/java
tcp 0 0 192.168.130.59:9160 0.0.0.0:* LISTEN 6777/java
tcp6 0 0 192.168.130.59:9042 :::* LISTEN 6777/java
tcp6 0 0 :::22 :::* LISTEN 3575/sshd
I have stopped Firewalld also.
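The three cassandra.yaml fragments quoted on this page (loopback-only in the first answer, an empty listen_address with rpc_address 0.0.0.0 plus broadcast_rpc_address in the Azure question, and 0.0.0.0 for both in the question above) behave very differently at startup. As an added example, not code from any post here, the following audit reads just the address keys from a cassandra.yaml or scylla.yaml and reports what each combination means. It uses only the standard library (no PyYAML), so it assumes the address settings are top-level "key: value" lines; the three sample configs are constructed from the posts, and 203.0.113.10 is a documentation placeholder standing in for the redacted public IP.

```python
"""Audit the address settings of a cassandra.yaml / scylla.yaml.

Added example, not code from any of the posts on this page.  It reads only the
top-level 'key: value' lines it needs, so it runs on the standard library
without PyYAML.  The sample configs are constructed from the settings quoted
in the posts; 203.0.113.10 is a documentation placeholder, not a real host.

Rules encode documented Cassandra behaviour:
  * listen_address may not be a wildcard (0.0.0.0 / ::); startup fails.
  * rpc_address may be a wildcard, but only if broadcast_rpc_address is set.
  * an empty listen_address or rpc_address falls back to the address the
    node's hostname resolves to, which may or may not be what you intended.
"""
import ipaddress
import re

ADDRESS_KEYS = ("listen_address", "rpc_address",
                "broadcast_address", "broadcast_rpc_address")
_KV = re.compile(r"^(\w+):\s*(.*?)\s*$")


def read_settings(yaml_text):
    """Return {key: value} for the address keys.  Commented-out lines are
    ignored, so '# broadcast_address: 1.2.3.4' is the same as unset, and a
    bare 'listen_address:' maps to '' (empty)."""
    settings = {}
    for raw in yaml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m and m.group(1) in ADDRESS_KEYS:
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def is_wildcard(value):
    try:
        return ipaddress.ip_address(value).is_unspecified
    except ValueError:
        return False          # 'localhost' and other hostnames are not wildcards


def is_loopback(value):
    if value == "localhost":
        return True
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False


def audit(yaml_text):
    """Return a list of (setting, message) findings; empty means nothing to fix."""
    s = read_settings(yaml_text)
    listen = s.get("listen_address", "")
    rpc = s.get("rpc_address", "")
    findings = []
    if is_wildcard(listen):
        findings.append(("listen_address", "wildcard is rejected; Cassandra will not start"))
    elif listen == "":
        findings.append(("listen_address", "empty; binds to whatever the hostname resolves to"))
    if is_wildcard(rpc) and not s.get("broadcast_rpc_address"):
        findings.append(("rpc_address", "wildcard without broadcast_rpc_address; Cassandra will not start"))
    if rpc == "":
        findings.append(("rpc_address", "empty; CQL binds to whatever the hostname resolves to"))
    elif not is_loopback(rpc):
        findings.append(("rpc_address", f"CQL port reachable on {rpc}; restrict it with a firewall"))
    if is_loopback(listen) and s.get("broadcast_address"):
        findings.append(("broadcast_address", "set on a loopback-only node; comment it out"))
    return findings


def localhost_only(yaml_text):
    """True when both bind addresses are loopback and nothing is broadcast."""
    s = read_settings(yaml_text)
    return (is_loopback(s.get("listen_address", ""))
            and is_loopback(s.get("rpc_address", ""))
            and not s.get("broadcast_address")
            and not s.get("broadcast_rpc_address"))


# Constructed samples mirroring the three configurations quoted on this page.
LOCALHOST_ONLY = """\
listen_address: 127.0.0.1
rpc_address: 127.0.0.1
# make sure the broadcast address is commented out
# broadcast_address: 1.2.3.4
"""

AZURE_STYLE = """\
seed_provider:
    - class_name: org.apache.cassandra.locator.SimpleSeedProvider
      parameters:
          - seeds: "10.1.0.6, 10.1.0.7"
listen_address:
# broadcast_address: 1.2.3.4
start_rpc: false
rpc_address: 0.0.0.0
broadcast_rpc_address: 203.0.113.10
"""

DOUBLE_WILDCARD = """\
listen_address: 0.0.0.0
rpc_address: 0.0.0.0
start_rpc: true
"""

if __name__ == "__main__":
    for name, cfg in (("localhost-only", LOCALHOST_ONLY),
                      ("azure-style", AZURE_STYLE),
                      ("double-wildcard", DOUBLE_WILDCARD)):
        print(name, "localhost_only" if localhost_only(cfg) else audit(cfg))
```

Run it as python audit.py, or import it and call audit(open("/etc/cassandra/cassandra.yaml").read()). The loopback-only config produces no findings; the Azure-style one is accepted by Cassandra but binds listen_address to whatever the hostname resolves to; the double-wildcard config is rejected outright, which is why nodetool cannot reach 127.0.0.1:7199 in the post above (the process never came up).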

How to configure Cassandra on GCE then I can access it from my local java application running on Win7?

I created a CentOS on GCE and installed dsc-cassandra 3.0. Then I changed the rpc_address from localhost to the internal ip or external ip in cassandra.yaml.
On the VM, I started cassandra and use cqlsh to access cassandra successfully. But I couldn't use cqlsh internal_ip or cqlsh external_ip.
Also, I turned on tcp:9042 port for this instance.
But I still couldn't access Cassandra from my local java app with the NoHostAvailableException(Cannot connect).
By the way, I did the same thing on my local VM running in VirtualBox, and I could access it.
Running sudo netstat -lntp | grep pid displayed:
tcp 0 0 127.0.0.1:33743 0.0.0.0:* LISTEN 1207/java
tcp 0 0 127.0.0.1:7000 0.0.0.0:* LISTEN 1207/java
tcp 0 0 127.0.0.1:7199 0.0.0.0:* LISTEN 1207/java
tcp6 0 0 127.0.0.1:9042 :::* LISTEN 1207/java
The Ip address was still 127.0.0.1. I think this is the problem.
How to configure the cassandra.yaml file?
I know where I was wrong.
I used sudo service cassandra restart to restart cassandra after editing the cassandra.yaml. The terminal showed:
Restarting cassandra (via systemctl): [ OK ]
Actually, I think it didn't really restart it. Then I used nodetool stopdaemon to stop cassandra and then start it again. The configuration of cassandra.yaml worked.
Helpful commands:
1.
ps aux | grep cassandra
sudo netstat -lntp | grep <cassandra_pid>
Using these commands to verify the ip/port of the cassandra service on remote VM.
tcp 0 0 127.0.0.1:7000 0.0.0.0:* LISTEN 5928/java
tcp 0 0 127.0.0.1:42682 0.0.0.0:* LISTEN 5928/java
tcp 0 0 127.0.0.1:7199 0.0.0.0:* LISTEN 5928/java
tcp6 0 0 10.138.0.2:9042 :::* LISTEN 5928/java
2.
telnet <cassandra_ip> 9042
Using this command to verify the ip/port of the cassandra service on local machine.

Connecting to a local network Raspberry Pi

I have a:
Raspberry Pi 2
running
Raspbian Jessie Version:November 2015
I am using Undertow (a Java http server) to serve a website. This is the code that I use to build the server.
import io.undertow.Undertow;
import io.undertow.Handlers;
import io.undertow.server.handlers.resource.PathResourceManager;
import static io.undertow.Handlers.resource;

// staticFilePath is the java.nio.file.Path of the directory holding index.html
Undertow server = Undertow.builder()
    .addHttpListener(8890, "localhost")          // binds to 127.0.0.1 only
    .setHandler(Handlers.pathTemplate()
        .add("/", resource(new PathResourceManager(staticFilePath, 100))
            .setDirectoryListingEnabled(false)))
    .build();
Problem: I am unable to see the webserver from another machine on the local network despite being able to ping and SSH into the PI.
What I have done (on the Pi2):
wget localhost:8890
returns the index.html correctly
netstat -lptn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 127.0.0.1:8890 :::* LISTEN 1743/java
Chrome on my development machine 192.168.1.8:8890 gives
ERR_CONNECTION_REFUSED
wget 192.168.1.8:8890
Connecting to 192.168.1.8:8890... failed: Connection refused.
nmap 192.168.1.8
Starting Nmap 6.40 ( http://nmap.org ) at 2015-12-05 14:05 CST
Nmap scan report for 192.168.1.8
Host is up (0.039s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 1.83 seconds
It is my understanding that there is no firewall so I am baffled as to why I can't see the server from my development machine.
See:
tcp6 0 0 127.0.0.1:8890 :::* LISTEN 1743/java
Your web server listens only on the localhost address (127.0.0.1). This way it cannot be accessed from anywhere but localhost.
And your nmap scan shows the same: the only remotely accessible port is 22.
To access this service remotely you have to bind web server to any non-local address belonging to this raspberry pi (192.168.1.8) or to "any address" 0.0.0.0, as SSH service is bound.
How to do this is written in the manual of your web server. Probably, you have to start it with a "-d" param, i.e.
standalone.sh -b=0.0.0.0
standalone.sh -Djboss.bind.address=0.0.0.0
or something like this.
In the listener setup code this looks like: "localhost" has to be replaced with some public name. This could be "0.0.0.0" or "192.168.1.8". We can also
echo "192.168.1.8 somename" >> /etc/hosts
and then use somename:
Undertow server = Undertow.builder()
    .addHttpListener(8890, "somename")
