nifi-dev mailing list archives

From Joe Witt <joe.w...@gmail.com>
Subject Re: Remote process group networking
Date Tue, 03 Nov 2015 09:48:25 GMT
...wonder if we should turn this into a FAQ/explanation.

Thanks for writing this up and following through with resolution Ricky.

On Fri, Oct 16, 2015 at 2:36 PM, Rick Braddy <rbraddy@softnas.com> wrote:
> Just to close this topic off...
>
> First, I found an error in my remote target node flow that was preventing proper connection from the source node and hampering troubleshooting - had a connector inside a process group, but no connector at top level of graph, which is required for Remote Process Group access.
>
> On firewall configuration, indeed only TCP traffic on the UI port 8080 plus the site-to-site port (e.g., 8081) need to be open on the target node for unidirectional site-to-site operation (not required to be open on the source node's firewall). No other ports are required across firewall boundaries.
>
> nifi.remote.input.socket.host must be set to the external (Internet) NAT firewall address; this is the other key configuration item, because when the site-to-site connection is established, the source node must connect to the firewall (not directly to the remote target node's local IP, which is the default if this value is not configured).
>
> localhost must also be enabled for local operation, as the "service nifi status" (and probably other stuff) makes calls via localhost (in case you're using iptables, as I was for testing).
>
> Best,
> Rick
>
> -----Original Message-----
> From: Rick Braddy [mailto:rbraddy@softnas.com]
> Sent: Monday, October 05, 2015 4:45 PM
> To: dev@nifi.apache.org
> Subject: RE: Remote process group networking
>
> Still no definitive answers...
>
> My testing shows that both the NiFi UI port (e.g., 8080) and the data port (e.g., 8081) must be open in both directions through a firewall. Even with those iptables rules, it seems something is missing. I will figure it out eventually, and let everyone know what's required to use NiFi across firewall boundaries.
>
> Rick
>
> -----Original Message-----
> From: Rick Braddy
> Sent: Monday, October 05, 2015 10:18 AM
> To: dev@nifi.apache.org
> Subject: RE: Remote process group networking
>
> Let me ask this in a simpler way... for NiFi Remote Process Group communications across firewall boundaries, which ports must be open through firewalls between a source node running the local graph processes and the Remote Process Group node?
>
> Rick
>
> -----Original Message-----
> From: Rick Braddy [mailto:rbraddy@softnas.com]
> Sent: Saturday, October 03, 2015 4:59 PM
> To: dev@nifi.apache.org
> Subject: Remote process group networking
>
> I have a question about network paths required for proper operation of remote process groups.
>
> By default, the initial connection from source node to remote process group target node is on port 8080. Then, there's a second port (e.g., I set it to 8081 and a setting for whether it's SSL secured or not).
>
> The question is, are the TCP connections one way, from source node where graph is running to the remote process group's node only, or are bidirectional TCP connections required?
>
> The reason I ask is that I am encountering problems trying to connect from a data center that has an open outbound firewall, but allows no incoming connections. On the target node, there is no indication in nifi-app.log of the source node even attempting to connect (not sure if debug logging is required).
>
> If there's some other information on remote process group network topology setup and/or troubleshooting, would be great to read up on it.
>
> Thanks
> Rick
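
As an added example (not part of the thread and not NiFi project code), this Python check audits a target node against the findings in the closing message: the UI and site-to-site ports accepted inbound over TCP, loopback allowed, and nifi.remote.input.socket.host neither unset nor a private address. The sample properties, rules, hostname and function names are constructed; it assumes single-port `--dport` rules and treats a DNS name as external.

```python
import ipaddress

# Constructed samples (not from the thread): nifi.properties, `iptables -S INPUT`.
SAMPLE_PROPS = """\
nifi.web.http.port=8080
nifi.remote.input.socket.host=nifi-edge.example.com
nifi.remote.input.socket.port=8081
"""
SAMPLE_RULES = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
"""

def parse_props(text):  # key=value lines; blanks and # comments skipped
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def accepted_inbound(rules):
    """Return (TCP ports accepted on INPUT, whether loopback is accepted)."""
    ports, loopback = set(), False
    for tok in (line.split() for line in rules.splitlines()):
        if tok[:2] != ["-A", "INPUT"] or tok[-2:] != ["-j", "ACCEPT"]:
            continue
        opts = dict(zip(tok, tok[1:]))  # option -> token that follows it
        loopback = loopback or opts.get("-i") == "lo"
        if opts.get("-p") == "tcp" and "--dport" in opts:
            ports.add(opts["--dport"])
    return ports, loopback

def audit_target(props_text, rules_text):
    """List deviations from the target-node setup described in the thread."""
    props = parse_props(props_text)
    ports, loopback = accepted_inbound(rules_text)
    findings = []
    for key in ("nifi.web.http.port", "nifi.remote.input.socket.port"):
        if props.get(key) not in ports:
            findings.append(f"{key}={props.get(key)} not accepted inbound")
    if not loopback:
        findings.append("loopback traffic not accepted")
    host = props.get("nifi.remote.input.socket.host", "")
    try:
        internal = ipaddress.ip_address(host).is_private
    except ValueError:  # unset, or a DNS name this check cannot classify
        internal = not host
    if internal:
        findings.append("nifi.remote.input.socket.host is unset or internal")
    return findings
```

An empty list from `audit_target(SAMPLE_PROPS, SAMPLE_RULES)` means the target node matches the setup described; each string returned names one missing piece.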
