perfSONAR User Q&A and Other Discussion

[Hervey Allen <>]

On 2/9/18 6:18 AM, Andrew Lake wrote:
> Hi,
> 
> The only things that needs access to memcached comes from localhost. The
> esmond archiving plugin in pscheduler uses it as a cache between
> archiving processes to speed-up some requests. You can safely block it.
> 

I read more and came to that conclusion. Thank you Andy!

> For a list of the ports that need to be open
> see http://docs.perfsonar.net/manage_security.html. If you would like a
> default set of firewall rules installed for you run ‘yum install
> perfsonar-toolkit-security’ on your testpoint which will setup rules on
> the host that only allow the listed ports through.
> 

I think that's what was missed... we had installed the perfSONAR
Toolkit, but totally spaced on doing that step and the following:

/usr/lib/perfsonar/scripts/configure_firewall install


d'oh!

Thank you Andy. Makes so much more sense now.

- Hervey

> Hope that helps,
> Andy
> 
> 
> 
> On February 8, 2018 at 4:54:03 PM, Hervey Allen 
> (
> <mailto:>)
>  wrote:
> 
>> Hi All - Our IT Security group contacted us to say that the memcached
>> process was open on our perfSONAR Testpoint bundle instance we had
>> installed.
>>
>> It is...
>>
>> Question - I have the perfSONAR default firewall rules in place. This is
>> running on a CentOS 7 box. What specifically needs to talk to this
>> service? Is this a service that is installed with Postgres? That's what
>> I think is happening.
>>
>> Does Esmond need access to memcache from an archive host? Anything else?
>> Based on the release notes for 4.0rc3:
>>
>> "Added memcached support to esmond archiver for tracking metadata
>> objects already created in order to increase archiver performance"
>>
>> I think this is the case.
>>
>> I'm trying to figure out proper strategy for recommending what to do
>> with the open memcached service.
>>
>> I believe adding a firewall rule to only allow access to memcached on
>> the perfSONAR Testpoint Bundle node and from wherever we have Esmond is
>> what makes sense?
>>
>> Comments or recommendations are most welcome.
>>
>> Thank you!
>>
>> - Hervey
>>
>>
>>
>> Network Startup Resource Center
>> https://nsrc.org/


-- 
Hervey Allen      Assistant Director, Network Startup Resource Center

   http://nsrc.org/ : http://facebook.com/nsrc.org
GPG Fingerprint:  AC08 31CB E453 6C65 2AB3 4EDB CEEB 5A74 C6E5 624F