Security improvement

Binding setting

If you install the system following this document, some components listen on ports that are bound to all addresses by default. To improve the security level of the system, we recommend that you change these default settings.

  • rabbitmq

    Recommended: bind on the loopback address (127.0.0.1).

    Edit /etc/rabbitmq/rabbitmq.config and remove {"::1", 5672} from tcp_listeners, for example (the file is an Erlang term list and must end with a period):
    [
     {
      rabbit,
       [
        {
         tcp_listeners, [{"127.0.0.1", 5672}]
        }
       ]
     }
    ].
    
  • postgresql

    It binds on the loopback address (127.0.0.1) by default. Changing the default setting is not recommended.

  • confluent

    It binds on the loopback address (127.0.0.1) by default. Changing the default setting is not recommended.

  • influxdb

    Recommended: bind on the loopback address (127.0.0.1).

    Edit /etc/influxdb/config.toml, uncomment the line #bind-address=":8086" in the [http] section and change it to bind-address="127.0.0.1:8086", for example:
    [http]
       # Determines whether HTTP endpoint is enabled.
       # enabled = true
    
       # The bind address used by the HTTP service.
       bind-address = "127.0.0.1:8086"
    
  • lico-core

    Recommended: bind on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-core, bind on the loopback address instead.

    Edit /etc/lico/supervisor.d/antilles.ini and change the command parameter of program antilles: replace --bind :18080 with --bind <INTERNAL IP>:18080, for example:
    [program:antilles]
    
    command=/usr/bin/gunicorn --paste /etc/lico/confluent-proxy.ini --bind 172.20.0.14:18080 --log-config /etc/lico/confluent-proxy.ini --workers 1 --threads 50 --timeout 3600 --worker-class gevent --keep-alive 65 --log-level info --access-logfile - --error-logfile - --capture-output
    
  • lico-ganalia-mond

    It binds on the loopback address (127.0.0.1) by default. Changing the default setting is not recommended.

  • lico-confluent-proxy

    Recommended: bind on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-confluent-proxy, bind on the loopback address instead.

    Edit /etc/lico/supervisor.d/confluent-proxy.ini and change the command parameter of program confluent-proxy: replace --bind :18081 with --bind <INTERNAL IP>:18081, for example:
    [program:confluent_proxy]
    
    command=/usr/bin/gunicorn --paste /etc/lico/confluent-proxy.ini --bind 172.20.0.14:18081 --log-config /etc/lico/confluent-proxy.ini --workers 1 --threads 50 --timeout 3600 --worker-class gevent --keep-alive 65 --log-level info --access-logfile - --error-logfile - --capture-output
    
  • lico-vnc-proxy

    Recommended: bind on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-vnc-proxy, bind on the loopback address instead.

    Edit /etc/lico/supervisor.d/vncproxy.ini and change the command parameter of program vncproxy: replace --bind :18083 with --bind <INTERNAL IP>:18083. The IP in the websockify parameter --token-source also needs to be changed to <INTERNAL IP>, for example:
    [program:vncproxy]
    
    command=/usr/bin/gunicorn --paste /etc/lico/vnc-proxy.ini --bind 172.20.0.14:18083 --log-config /etc/lico/vnc-proxy.ini --workers 1 --timeout 3600 --worker-class gevent --keep-alive 65 --log-level info --access-logfile - --error-logfile - --capture-output
    
    ......
    
    [program:websockify]
    
    command=/usr/bin/websockify 18082 --token-plugin=JSONTokenApi --token-source='http://172.20.0.14:18083/lookup?token=%s'
    
  • lico-wechat-agent

    Recommended: bind on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-wechat-agent, bind on the loopback address instead.

    Edit /etc/sysconfig/lico-wechat-agent and change GUNICORN_CMD_ARGS: replace --bind :18090 with --bind <INTERNAL IP>:18090, for example:
    # lico-wechat-agent environment file
    
    GUNICORN_CMD_ARGS= \
            --bind 172.20.0.14:18090 \
            --log-config /etc/lico/wechat-agent.ini \
            --workers 1 \
            --threads 4 \
            --worker-class gevent \
            --timeout 3600 \
            --keep-alive 65 \
            --log-level info \
            --access-logfile - \
            --error-logfile - \
            --capture-output True
    
  • lico-mail-agent

    Recommended: bind on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-mail-agent, bind on the loopback address instead.

    Edit /etc/sysconfig/lico-mail-agent and change GUNICORN_CMD_ARGS: replace --bind :18091 with --bind <INTERNAL IP>:18091, for example:
    # lico-mail-agent environment file
    
    GUNICORN_CMD_ARGS= \
            --bind 172.20.0.14:18091 \
            --log-config /etc/lico/mail-agent.ini \
            --workers 1 \
            --threads 4 \
            --worker-class gevent \
            --timeout 3600 \
            --keep-alive 65 \
            --log-level info \
            --access-logfile - \
            --error-logfile - \
            --capture-output True
    
  • lico-sms-agent

    Recommended: bind on the internal address. If there are no login nodes in the cluster and lico-portal is installed on the same node as lico-sms-agent, bind on the loopback address instead.

    Edit /etc/sysconfig/lico-sms-agent and change GUNICORN_CMD_ARGS: replace "--bind :18092" with "--bind <INTERNAL IP>:18092", for example:
    # lico-sms-agent environment file
    
    GUNICORN_CMD_ARGS= \
            --bind 172.20.0.14:18092 \
            --log-config /etc/lico/sms-agent.ini \
            --workers 1 \
            --timeout 3600 \
            --keep-alive 65 \
            --log-level info \
            --access-logfile - \
            --error-logfile - \
            --capture-output True
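
After editing the files above, a practitioner will want to confirm that no LiCO port is still listening on all addresses. The following shell check is added here as an example and is not part of the LiCO documentation: it reads the output of ss -H -ltn and reports any listener on one of the ports from this section whose local address is a wildcard. The LICO_PORTS list is taken from this section; the sample socket lines at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the LiCO documentation): after changing the bind
# settings, confirm nothing on the LiCO ports still listens on all addresses.
# Input is `ss -H -ltn` output; the sample at the bottom is constructed.

# Ports covered by the binding section of this document.
LICO_PORTS="5672 8086 18080 18081 18082 18083 18090 18091 18092"

# find_wildcard_listeners: reads `ss -H -ltn` lines on stdin and prints
# "<port> <local address>" for every listener on one of LICO_PORTS whose
# local address is a wildcard (0.0.0.0, *, [::] or ::). Prints nothing when
# every listed port is bound to loopback or a specific address.
find_wildcard_listeners() {
    awk -v ports="$LICO_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    # Column 4 of ss -ltn is "Local Address:Port"; split on the last colon so
    # bracketed IPv6 addresses such as [::1]:5672 parse correctly.
    match($4, /:[0-9]+$/) {
        addr = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        if (port in want && (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::"))
            print port, addr
    }'
}

# check_bindings: wraps the report and returns 1 if any wildcard listener was
# found, so it can be dropped into a post-install check script.
check_bindings() {
    found=$(find_wildcard_listeners)
    if [ -n "$found" ]; then
        printf 'Listeners still bound to all addresses:\n%s\n' "$found"
        return 1
    fi
    echo "All LiCO ports are bound to loopback or a specific address."
    return 0
}

# Constructed sample in `ss -H -ltn` format: lico-core and influxdb are still
# on the wildcard address, rabbitmq and lico-confluent-proxy are correct.
SAMPLE='LISTEN 0 128 0.0.0.0:18080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5672 0.0.0.0:*
LISTEN 0 128 [::]:8086 [::]:*
LISTEN 0 128 172.20.0.14:18081 0.0.0.0:*
LISTEN 0 128 *:22 *:*'

# On a real node run:  ss -H -ltn | check_bindings
if printf '%s\n' "$SAMPLE" | check_bindings; then
    echo "post-install binding check passed"
else
    echo "post-install binding check failed"
fi
```

Port 22 is deliberately outside LICO_PORTS: sshd is expected to listen on all interfaces, so the check only flags the services this section tells you to rebind.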
    

Firewall setting

  • el7

    Considering the security of the system, we recommend that you enable the firewall on the management node and the login nodes. If you set up the cluster and install LiCO following this document, you can follow the steps below to set up your firewall. We recommend that you refer to the official firewall setup document and configure it yourself. You can visit the official document from:
    Run the commands below to install and enable the firewall:
    $ sudo yum install -y firewalld
    $ sudo systemctl enable firewalld
    $ sudo systemctl start firewalld
    
    • Management Node

      Run the commands below to add rules to the public zone:
      # Add SSH service port
      $ sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
      
      # Add httpd service port
      $ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
      
      # Add NFS service port
      $ sudo firewall-cmd --zone=public --add-port=2049/tcp --permanent
      
      # Add Ganglia gmond port
      $ sudo firewall-cmd --zone=public --add-port=8649/udp --permanent
      
      # Add Slurm slurmctld port
      $ sudo firewall-cmd --zone=public --add-port=6817/tcp --permanent
      
      # Add OpenLDAP slapd port
      $ sudo firewall-cmd --zone=public --add-port=636/tcp --permanent
      $ sudo firewall-cmd --zone=public --add-port=389/tcp --permanent
      
      # Add lico-confluent-proxy port
      $ sudo firewall-cmd --zone=public --add-port=18081/tcp --permanent
      
      # Add lico-core port
      $ sudo firewall-cmd --zone=public --add-port=18080/tcp --permanent
      
      # Add TensorBoard random binding port range
      $ sudo firewall-cmd --zone=public --add-port=20000-25000/tcp --permanent
      
      Run the commands below to add the network interfaces to the public zone:
      $ sudo firewall-cmd --zone=public --add-interface=eth0 --permanent
      $ sudo firewall-cmd --zone=public --add-interface=eth1 --permanent
      

      Note

      eth0 and eth1 should be your internal and external network interfaces.

      Run the command below to apply the rules:
      $ sudo firewall-cmd --complete-reload
      
    • Login node

      Run the commands below to add rules to the public zone:
      # Add SSH service port
      $ sudo firewall-cmd --zone=public --add-port=22/tcp --permanent
      
      # Add Nginx service port, you can adjust 8443 to your setting
      $ sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
      
      Run the commands below to add the network interfaces to the public zone:
      $ sudo firewall-cmd --zone=public --add-interface=eth0 --permanent
      $ sudo firewall-cmd --zone=public --add-interface=eth1 --permanent
      

      Note

      eth0 and eth1 should be your internal and external network interfaces.

      Run the command below to apply the rules:
      $ sudo firewall-cmd --complete-reload
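
A way to verify the resulting rules against the port lists above, added here as an example and not part of the LiCO documentation: the script below compares the output of firewall-cmd --zone=public --permanent --list-ports with the documented port list for a management node or a login node and reports ports that were never opened as well as ports the document does not open. MGMT_PORTS and LOGIN_PORTS are taken from the commands above; the sample firewall-cmd output is constructed.

```shell
#!/bin/sh
# Added example (not part of the LiCO documentation): audit a node's permanent
# public-zone port list against the list this document opens, so a forgotten
# rule or an unplanned extra port shows up. Real input comes from
#   firewall-cmd --zone=public --permanent --list-ports
# The sample at the bottom is constructed.

# Port lists exactly as the firewall-cmd commands above add them.
MGMT_PORTS="22/tcp 80/tcp 2049/tcp 8649/udp 6817/tcp 636/tcp 389/tcp 18081/tcp 18080/tcp 20000-25000/tcp"
LOGIN_PORTS="22/tcp 8443/tcp"

# in_list WORD LIST: succeeds when WORD is one of the space-separated LIST items.
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# missing_ports EXPECTED ACTUAL: prints documented entries absent from ACTUAL.
missing_ports() {
    for port in $1; do
        in_list "$port" "$2" || echo "$port"
    done
}

# extra_ports EXPECTED ACTUAL: prints ACTUAL entries the document does not open.
extra_ports() {
    for port in $2; do
        in_list "$port" "$1" || echo "$port"
    done
}

# audit_zone ROLE ACTUAL: prints a report for a management or login node and
# returns 1 when the port list differs from the document's list.
audit_zone() {
    case "$1" in
        management) expected="$MGMT_PORTS" ;;
        login)      expected="$LOGIN_PORTS" ;;
        *) echo "unknown role: $1" >&2; return 2 ;;
    esac
    missing=$(missing_ports "$expected" "$2")
    extra=$(extra_ports "$expected" "$2")
    # Unquoted expansion joins the one-per-line results onto a single line.
    [ -n "$missing" ] && printf 'missing (not opened): %s\n' "$(echo $missing)"
    [ -n "$extra" ]   && printf 'extra (review): %s\n' "$(echo $extra)"
    [ -z "$missing" ] && [ -z "$extra" ]
}

# Constructed sample: a management node where the slurmctld rule was never
# added and an unplanned 8080/tcp was opened.
SAMPLE_MGMT="22/tcp 80/tcp 2049/tcp 8649/udp 636/tcp 389/tcp 18081/tcp 18080/tcp 20000-25000/tcp 8080/tcp"

# On a real node:
#   audit_zone management "$(sudo firewall-cmd --zone=public --permanent --list-ports)"
if audit_zone management "$SAMPLE_MGMT"; then
    echo "public zone matches the documented management-node list"
else
    echo "public zone differs from the documented management-node list"
fi
```

The comparison is exact on the firewall-cmd entries, so a range opened as 20000-25000/tcp is one item; if you adjusted 8443 on the login node as the document allows, change LOGIN_PORTS to match before running the audit.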
      
  • sle12

    Considering the security of the system, we recommend that you enable the firewall on the management node and the login nodes. If you set up the cluster and install LiCO following this document, you can follow the steps below to set up your firewall. We recommend that you refer to the official firewall setup document and configure it yourself. You can visit the official document from:
    Run the command below to start YaST2 first:
    $ sudo yast
    

    Enter Security and Users > Firewall

    • Management Node

      Select Allowed Services:

      Set Allowed Services for Selected Zone to External Zone,
      Click Advanced; in the pop-up dialog:
      Set TCP Ports to 20000:25000 2049 22 80 389 636 6817 18080 18081
      Set UDP Ports to 8649

      Note

      TCP/22: ssh service port
      TCP/80: httpd service port
      TCP/2049: nfs service port
      TCP/6817: slurm slurmctld port
      TCP/636, 389: openldap slapd port
      TCP/18081: lico-confluent-proxy port
      TCP/18080: lico-core port
      TCP/20000:25000: TensorBoard random binding port range
      UDP/8649: ganglia gmond port

      Select Interfaces:

      Set eth0 and eth1 to use the External Zone.

      Note

      eth0 and eth1 should be your internal and external network interfaces.

      Select Start-Up

      Set Service Start to Enable Firewall Automatic Starting
      Click Save Settings and Restart Firewall Now
      Exit YaST
    • Login node

      Select Allowed Services:

      Set Allowed Services for Selected Zone to External Zone,
      Click Advanced; in the pop-up dialog:
      Set TCP Ports to 8443 22

      Note

      TCP/22: ssh service port
      TCP/8443: nginx service port

      Select Interfaces:

      Set eth0 and eth1 to use the External Zone.

      Note

      eth0 and eth1 should be your internal and external network interfaces.

      Select Start-Up

      Set Service Start to Enable Firewall Automatic Starting
      Click Save Settings and Restart Firewall Now
      Exit YaST