Configuring & Tuning the Operating System
Usable Ports by Kernel
To let the kernel use as many ports as possible, the recommendation is to make all ports usable and to reserve the nominated service ports. That is achieved by applying the following configuration to /etc/sysctl.conf:
# SET WELL-KNOWN (UNUSED) PORTS AVAILABLE
# NOTE: 0 lets any unprivileged process bind any port, including those below 1024
echo "net.ipv4.ip_unprivileged_port_start = 0" >> /etc/sysctl.conf;
# LET ANY PORT BE AVAILABLE FOR KERNEL (EPHEMERAL) PORT ASSIGNMENT
echo "net.ipv4.ip_local_port_range = 1 65535" >> /etc/sysctl.conf;
# DEFINE THE PORTS TO RESERVE - THE PORT-SERVICE MAPPING DEPENDS ON YOUR SYSTEM DESIGNATION
### KNOWN SYSTEM COMMON
RESERVED_PORTS="22" # SSH-SERVER (first entry without a leading comma: the kernel rejects an empty list item)
RESERVED_PORTS="${RESERVED_PORTS},53" # LOCAL/PUBLIC DNS
### SWC-DB RELATED
RESERVED_PORTS="${RESERVED_PORTS},14000" # SWCDB-FSBROKER
RESERVED_PORTS="${RESERVED_PORTS},15000" # SWCDB-MANAGER
RESERVED_PORTS="${RESERVED_PORTS},16000" # SWCDB-RANGER
RESERVED_PORTS="${RESERVED_PORTS},17000" # SWCDB-BROKER
RESERVED_PORTS="${RESERVED_PORTS},18000" # SWCDB-THRIFTBROKER
### APACHE-HADOOP RELATED
RESERVED_PORTS="${RESERVED_PORTS},2181,2888,3888" # ZOOKEEPER
RESERVED_PORTS="${RESERVED_PORTS},8040,8042" # NODE-MANAGER
RESERVED_PORTS="${RESERVED_PORTS},8030-8033,8088,8090" # RESOURCE-MANAGER
RESERVED_PORTS="${RESERVED_PORTS},8485" # QUORUM-JOURNAL-MANAGER
RESERVED_PORTS="${RESERVED_PORTS},50100,50105" # HADOOP-BACKUP-NODE
RESERVED_PORTS="${RESERVED_PORTS},50010,50020,50075" # HADOOP-DATA-NODE
RESERVED_PORTS="${RESERVED_PORTS},9000,50070" # HADOOP-NAME-NODE
RESERVED_PORTS="${RESERVED_PORTS},50090" # HADOOP-SECONDARYNAME-NODE
RESERVED_PORTS="${RESERVED_PORTS},50030" # HADOOP-JOBTRACKER
RESERVED_PORTS="${RESERVED_PORTS},50060" # HADOOP-TASKTRACKER
# SET THE RESERVED PORTS (single ports and ranges such as 8030-8033 are accepted)
echo "net.ipv4.ip_local_reserved_ports = ${RESERVED_PORTS}" >> /etc/sysctl.conf;
# APPLY WITHOUT A REBOOT: sysctl -p /etc/sysctl.conf
The values used are the known common defaults and do not extend beyond the minimal needs to run SWC-DB and HDFS. Add 80,443 to RESERVED_PORTS if the system is going to run an HTTP/HTTPS server, and likewise for any other service.
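As an added example (not part of the SWC-DB documentation), a POSIX shell check that the running kernel actually reserved the intended ports: the kernel reports net.ipv4.ip_local_reserved_ports in compact range form (for example 8030-8033), so the list is expanded before comparing. The function names are this example's own; the port list in the live check mirrors the RESERVED_PORTS entries above.

```shell
#!/bin/sh
# Added example: compare the kernel's reserved-port list with the intended one.

# expand_ports LIST : print one port per line for a kernel-style list
# such as "22,53,8030-8033" (ranges are expanded, empty input yields nothing).
expand_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS=- read -r lo hi; do
        [ -n "$lo" ] || continue
        hi="${hi:-$lo}"
        while [ "$lo" -le "$hi" ]; do
            echo "$lo"
            lo=$((lo + 1))
        done
    done
}

# check_reserved KERNEL_LIST WANTED_LIST : return 0 when every port of
# WANTED_LIST (ports or ranges) is covered by KERNEL_LIST; otherwise print
# the uncovered ports on stderr and return 1.
check_reserved() {
    have=$(expand_ports "$1")
    missing=""
    for p in $(expand_ports "$2"); do
        printf '%s\n' "$have" | grep -qx "$p" || missing="$missing $p"
    done
    if [ -n "$missing" ]; then
        echo "not reserved:$missing" >&2
        return 1
    fi
    return 0
}

# Live check against the running kernel, using the system and SWC-DB ports
# from the RESERVED_PORTS list above (skipped where /proc is unavailable).
if [ -r /proc/sys/net/ipv4/ip_local_reserved_ports ]; then
    check_reserved "$(cat /proc/sys/net/ipv4/ip_local_reserved_ports)" \
                   "22,53,14000,15000,16000,17000,18000" \
        && echo "all system and SWC-DB ports are reserved"
fi
```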
Accessible Network
nftables (Netfilter Tables) is the recommended application (firewall) to manage network access.
The recommended nftables rules to apply:
1. Each server defines its own origin
Host's definition rules file: /YourPathTo/nftables/host.nft
define host_ipv4 = {
    THIS-SERVER'S-IPv4-1,
    THIS-SERVER'S-IPv4-2
};
define host_ipv6 = {
    # list the link-local (fe80::) address as well: the output chain only
    # lets new traffic out when its source address is in this set
    THIS-SERVER'S-IPv6-1,
    THIS-SERVER'S-IPv6-2
};
define allowed_udp_ports = {53};
define allowed_tcp_ports = {22,80,443,853};
The allowed ports are the service ports that should be accessible (open) to the wide network.
2. Each server is set with the definitions of the whole cluster
Cluster's IPv4 rules file: /YourPathTo/nftables/cluster-ipv4.nft
set cluster_ipv4 {
    type ipv4_addr
    elements = {
        FILL-THE-IPv4s-1,
        FILL-THE-IPv4s-2
    }
};
Cluster's IPv6 rules file: /YourPathTo/nftables/cluster-ipv6.nft
set cluster_ipv6 {
    type ipv6_addr
    elements = {
        FILL-THE-IPv6s-1,
        FILL-THE-IPv6s-2
    }
};
3. The networking rules in correlation to the cluster
The rules file: /YourPathTo/nftables/rules.nft, to be loaded with: nft -f /YourPathTo/nftables/rules.nft
flush ruleset;
include "/YourPathTo/nftables/host.nft";
table inet filter {
    # traffic originating from this host (loopback or its own addresses)
    chain host_out {
        ip saddr 127.0.0.1/8 goto loc_state
        ip6 saddr ::1/128 goto loc_state
        ip saddr $host_ipv4 goto loc_state
        ip6 saddr $host_ipv6 goto loc_state
    }
    include "/YourPathTo/nftables/cluster-ipv4.nft";
    include "/YourPathTo/nftables/cluster-ipv6.nft";
    # traffic between this host's own addresses and loopback
    chain host {
        ip saddr 127.0.0.1/8 ip daddr 127.0.0.1/8 goto loc_state
        ip6 saddr ::1/128 ip6 daddr ::1/128 goto loc_state
        ip saddr $host_ipv4 ip daddr $host_ipv4 goto loc_state
        ip6 saddr $host_ipv6 ip6 daddr $host_ipv6 goto loc_state
        ip saddr $host_ipv4 ip daddr 127.0.0.1/8 goto loc_state
        ip saddr 127.0.0.1/8 ip daddr $host_ipv4 goto loc_state
        ip6 saddr $host_ipv6 ip6 daddr ::1/128 goto loc_state
        ip6 saddr ::1/128 ip6 daddr $host_ipv6 goto loc_state
    }
    # local and cluster traffic: accept everything that conntrack does not flag as invalid
    chain loc_state {
        ct state invalid reject;
        accept;
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established, related accept;
        iifname lo goto host
        jump host
        ip saddr @cluster_ipv4 goto loc_state
        ip6 saddr @cluster_ipv6 goto loc_state
        ct state invalid drop;
        # ICMP/ICMPv6 is accepted before the destination-address check below:
        # router advertisements and neighbor solicitations arrive on multicast
        # addresses that are not in $host_ipv4/$host_ipv6 and would otherwise be dropped
        ip protocol icmp icmp type { echo-request, destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        ip daddr != $host_ipv4 counter log prefix "IPv4_IN_DROPPED" drop
        ip6 daddr != $host_ipv6 counter log prefix "IPv6_IN_DROPPED" drop
        udp dport $allowed_udp_ports accept
        tcp dport $allowed_tcp_ports accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established, related accept;
        ct state invalid reject
        goto host_out
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established, related accept;
        ct state invalid reject
        ip saddr @cluster_ipv4 ip daddr @cluster_ipv4 accept
        ip6 saddr @cluster_ipv6 ip6 daddr @cluster_ipv6 accept
        goto host
    }
};
4. Confirm the Netfilter Tables rules are correct and loaded
- Load the rules:
nft -f /YourPathTo/nftables/rules.nft;
- Enter nft in interactive mode:
nft -i;
- List the rules:
nft> list ruleset;
5. Applying the nftables rules at system start
- Service-based case: replace the config file, expected to be /etc/nftables.conf, which is loaded by the nftables service (see systemctl status nftables), with the cluster rules /YourPathTo/nftables/rules.nft:
rm -f /etc/nftables.conf; ln -s /YourPathTo/nftables/rules.nft /etc/nftables.conf;
- Case of scripts loaded from /etc/init.d/: create and apply /etc/init.d/nft, which loads the cluster rules with nft:
echo '#! /bin/sh' > /etc/init.d/nft;
echo "nft -f /YourPathTo/nftables/rules.nft;" >> /etc/init.d/nft;
echo "exit 0;" >> /etc/init.d/nft;
chmod 755 /etc/init.d/nft;
Memory Performance
Keep the database's memory pages resident (in RSS) instead of having them swapped out to file-backed pages.
echo "vm.swappiness = 0" >> /etc/sysctl.conf;