
perfsonar-user - Re: [perfsonar-user] memcached and firewall rules

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake
  • To: Hervey Allen
  • Subject: Re: [perfsonar-user] memcached and firewall rules
  • Date: Fri, 9 Feb 2018 06:18:06 -0800

Hi,

The only things that need access to memcached come from localhost. The esmond archiving plugin in pscheduler uses it as a cache between archiving processes to speed up some requests. You can safely block it.

For a list of the ports that need to be open, see http://docs.perfsonar.net/manage_security.html. If you would like a default set of firewall rules installed for you, run ‘yum install perfsonar-toolkit-security’ on your testpoint, which will set up rules on the host that only allow the listed ports through.

Hope that helps,
Andy



On February 8, 2018 at 4:54:03 PM, Hervey Allen wrote:

Hi All - Our IT Security group contacted us to say that the memcached
process was open on our perfSONAR Testpoint bundle instance we had
installed.

It is...

Question - I have the perfSONAR default firewall rules in place. This is
running on a CentOS 7 box. What specifically needs to talk to this
service? Is this a service that is installed with Postgres? That's what
I think is happening.

Does Esmond need access to memcache from an archive host? Anything else?
Based on the release notes for 4.0rc3:

"Added memcached support to esmond archiver for tracking metadata
objects already created in order to increase archiver performance"

I think this is the case.

I'm trying to figure out a proper strategy for recommending what to do
with the open memcached service.

I believe adding a firewall rule to only allow access to memcached on
the perfSONAR Testpoint Bundle node and from wherever we have Esmond is
what makes sense?

Comments or recommendations are most welcome.

Thank you!

- Hervey



Network Startup Resource Center
https://nsrc.org/
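
Added example, not part of the original thread and not perfSONAR's own tooling: a shell check for the situation discussed above, listing any memcached listener that is bound to something other than loopback. It assumes memcached's default port 11211; the function name exposed_memcached and the sample socket lines are constructed for illustration.

```shell
#!/bin/sh
# Reads `ss -lntu` style output on stdin and prints every listener on the
# given port (default 11211, memcached's default) whose local address is
# NOT loopback. No output means only localhost can reach the service.
exposed_memcached() {
    awk -v port="${1:-11211}" '
        $1 == "tcp" || $1 == "udp" {
            local_ep = $5                       # Local Address:Port column
            n = match(local_ep, /:[0-9]+$/)     # split at the last colon
            if (n == 0) next
            addr = substr(local_ep, 1, n - 1)
            p = substr(local_ep, n + 1)
            if (p != port) next
            sub(/^\[/, "", addr)                # strip [ ] around IPv6
            sub(/\]$/, "", addr)
            sub(/%.*$/, "", addr)               # strip %interface scope
            # Loopback binds are what the archiver needs; skip them.
            if (addr ~ /^(::ffff:)?127\./ || addr == "::1") next
            print $1, local_ep
        }'
}

# Constructed sample: TCP bound to every interface, UDP bound to loopback,
# plus an unrelated PostgreSQL listener that must be ignored.
SAMPLE_SS='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 0.0.0.0:11211 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:11211 0.0.0.0:*
tcp LISTEN 0 128 [::]:11211 [::]:*
udp UNCONN 0 0 [::1]:11211 [::]:*
tcp LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | exposed_memcached

# On the host itself:  ss -lntu | exposed_memcached
```

Any line it prints is a socket that a host firewall rule or a loopback-only bind should cover; the older `*:11211` and `:::11211` wildcard notations are handled as well.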


