Hi all,
Since the messing with iptables by the BDII init.d script hit us again, maybe this
info is of worth to somebody. At least for the bdii shipped with 2.4.0 these lines must
be added to any iptables configuration on machines running a BDII.
Could any future changes to this be put in the release notes for the next releases?
# Generated by iptables-save v1.2.8 on Sat Apr 30 14:09:43 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2173 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2172 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2171 -j ACCEPT
COMMIT
# Completed on Sat Apr 30 14:09:43 2005
# Generated by iptables-save v1.2.8 on Sat Apr 30 14:09:43 2005
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 2170 -j REDIRECT --to-ports 2172
# $IPADDR: this host's own IP address (substitute it before loading with iptables-restore)
-A OUTPUT -d $IPADDR -p tcp -m tcp --dport 2170 -j DNAT --to-destination $IPADDR:2172
COMMIT
# Completed on Sat Apr 30 14:09:43 2005
Maybe that's the reason for the somewhat higher number of sites failing
the job-list-match tests in SFT?
SYSTEMS AFFECTED
--------------------
tbn20.nikhef.nl LCG2ELPROD CE,SITE-BDII
ACTIONS
-----------
Restarted service to get correct iptables mangling installed and incorporated
into default iptables set.
PROBLEMS RESOLVED
---------------------
tbn20 dropped out of the all-sites zone again and JL test by SFT fails.
Also addresses:
Peter Love wrote:
> One issue with having iptable rules injected by init.d scripts is that
> the service needs restarting after every iptables restart. I'd prefer
> we're told about nat redirect requirements and implement iptable rules
> ourselves.
>
> Peter
>
> Laurence wrote:
>
>>It looks like it is okay. It takes about 30 seconds for the BDII to
>>first populate.
>>To check the bdii do
>>
>>tail -f /opt/lcg/bdii/var/lcg-bdii.log
>>
>>Juan Jose Pardo Navarro wrote:
>>
>>>Hi,
>>>
>>>I have updated to 2_4_0, and the BDII has an error.
>>>lcg-bdii puts a rule into iptables,
>>>
>>>why?
>>>
>>>[root@gridbdii01 root]# iptables -F
>>>
>>>[root@gridbdii01 root]# /etc/rc.d/init.d/lcg-bdii stop
>>>iptables: Bad rule (does a matching rule exist in that chain?)
>>>iptables: Bad rule (does a matching rule exist in that chain?)
>>>iptables: Bad rule (does a matching rule exist in that chain?)
>>>Stopping BDII [ OK ]
>>>
>>>[root@gridbdii01 root]# /etc/rc.d/init.d/lcg-bdii start
>>>Starting BDII [ OK ]
>>>
>>>% ldapsearch -x -H ldap://gridbdii01.ft.uam.es:2170 -b \
>>>mds-vo-name=local,o=grid
>>>
>>>ldap_bind: Can't contact LDAP server
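Peter's point above is that rules injected by an init.d script disappear as soon as someone runs "iptables restart", and nothing tells you until the BDII drops out of the site list. The script below is an added example, not code from the thread or from the lcg-bdii package: it reads a saved ruleset (the output of iptables-save) and reports which of the BDII rules listed at the top of this mail are missing, so the check can be run from cron or after any firewall change. The match is textual against the exact lines iptables-save prints, so a ruleset written with different but equivalent syntax (for instance "-m conntrack --ctstate NEW") would be reported as missing. The loopback DNAT rule carries the host's own address ($IPADDR in the mail), so it is matched by pattern. The sample ruleset inside the script is constructed for the demonstration and comes from no real host; the file name check-bdii-rules.sh is an assumption.

```sh
#!/bin/sh
# Added example, not code from the original thread or from the LCG/BDII
# packages: check that a saved iptables ruleset (the output of iptables-save)
# still contains the rules the lcg-bdii init.d script injects, so that an
# "iptables restart" does not silently leave the BDII unreachable.
#
# Usage:  iptables-save > /tmp/rules && sh check-bdii-rules.sh /tmp/rules
# Without an argument it runs against a constructed sample ruleset.

# The port-specific rules from the thread, exactly as iptables-save prints them.
bdii_required_rules() {
    cat <<'EOF'
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2173 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2172 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2171 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 2170 -j REDIRECT --to-ports 2172
EOF
}

# The loopback DNAT rule carries the host's own address ($IPADDR in the
# thread), so it is matched by pattern rather than literally.
bdii_dnat_pattern='^-A OUTPUT -d [0-9.]+(/32)? -p tcp -m tcp --dport 2170 -j DNAT --to-destination [0-9.]+:2172$'

# check_bdii_rules FILE: print every required rule that FILE lacks;
# returns 0 when all are present, 1 when at least one is missing.
check_bdii_rules() {
    status=0
    # heredoc rather than a pipe, so $status is not lost in a subshell
    while IFS= read -r rule; do
        if ! grep -Fqx -- "$rule" "$1"; then
            printf 'MISSING: %s\n' "$rule"
            status=1
        fi
    done <<EOF
$(bdii_required_rules)
EOF
    if ! grep -Eq -- "$bdii_dnat_pattern" "$1"; then
        printf 'MISSING: -A OUTPUT -d <host IP> ... --dport 2170 -j DNAT --to-destination <host IP>:2172\n'
        status=1
    fi
    return $status
}

# constructed_ruleset: write a constructed iptables-save dump (sample data,
# not from any real host) that deliberately lacks the port 2171 rule, and
# print the temporary file's path.
constructed_ruleset() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2173 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2172 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 2170 -j REDIRECT --to-ports 2172
-A OUTPUT -d 192.0.2.10 -p tcp -m tcp --dport 2170 -j DNAT --to-destination 192.0.2.10:2172
COMMIT
EOF
    echo "$f"
}

if [ $# -eq 1 ]; then
    check_bdii_rules "$1"
else
    sample=$(constructed_ruleset)
    check_bdii_rules "$sample" || echo "constructed sample is incomplete, as expected"
    rm -f "$sample"
fi
```

Run it against a fresh dump after every "service iptables restart" (or from cron) and act on any MISSING line; a clean run prints nothing and exits 0. Once the rules are part of /etc/sysconfig/iptables itself, as Peter suggests, the check should stay quiet across restarts without touching the BDII service at all.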