KBEA-00121 - Controlling Accelerator communication through a firewall

Summary

Before configuring fixed ports for Accelerator and controlling Accelerator communication through a firewall, you should familiarize yourself with Accelerator port usage.

Accelerator and TCP Ports Usage

ElectricAccelerator software uses five services for communication between its various components. These services and their TCP port usage are described below.

  • Cluster Manager (CM)
    The CM, by default, uses port 80 (443 secure) and 8030 (8031 secure).
  • Electric Make (eMake)
    eMake communicates with the CM via port 80 and 8030/8031.
    eMake communicates with agents through ephemeral ports. The best approach is to make eMake a trusted application that can access any port.
  • Agent
    The Agent communicates with the CM via port 80 and 8030/8031.
    For all other connections, the Agent uses ephemeral ports. The best approach is to make agent a trusted application that can access any port. The eMake Port, CM Port, and A2A ports are dynamically allocated by default. (You can configure these ports to use fixed values; see "Fixed Port Configuration" for more information.) 
    • To determine the port numbers assigned to each agent:
      • Using the web interface, click the agent name in the Agent Management tab. Port numbers are listed in the Agent Detail panel. 
      • Using the cmtool utility, run the following command to get the port numbers for each service: cmtool --cm=cetus-cm getAgents
    • eMake Port: The port used by eMake to communicate with this Agent.
    • CM Port: The port used by the CM to communicate with this Agent.
    • A2A Port: The port used by this Agent for A2A communication.
    • Console Port: The port used when connecting to this Agent with telnet to reach its Tcl interpreter. Console port numbers are derived from the agent number: the value is 24x9, where x is the agent number (on Windows) or the agent number minus one (on Linux and Solaris).
  • erunner
    The erunner service uses port number 2411.
  • erunnertmp
    The erunnertmp service (installed during cluster upgrades) uses a random port number, so make it a trusted application also.

Fixed Port Configuration

Electric Cloud does not recommend this approach. The preferred approach is to add the following executables to the local firewall's trusted (ignore) list, if possible:

For Windows:

  • C:\Ecloud\i686_win32\bin\ecagent.exe for the 32-bit agent
  • C:\ECloud\i686_win32\64\bin\ecagent.exe for the 64-bit agent
  • C:\Ecloud\i686_win32\bin\erunnerd.exe

For Linux and Solaris:

  • /opt/ecloud/<architecture>/bin/ecagent 
  • /opt/ecloud/<architecture>/bin/erunnerd

In some instances it may be necessary to use fixed port numbers for each of the Accelerator services, for example when your security policy requires explicitly defining all open ports on each machine's firewall.

The eMake machine must communicate with the Cluster Manager and the Electric Agents.

  • For the Cluster Manager, only port 80 must be open.
  • Because agent ports are dynamically allocated at service startup time, you must configure fixed port numbers for Agents so that you can open the appropriate ports in the firewall.

Linux and Solaris

  1. Add the following to the runagent.local file:
     set args(-fixedports) 1
  2. Run the following command to make the changes take effect:
     /etc/rc.d/init.d/ecagent restart

Windows

  1. Add the following to the runagent.local file:
     set args(-fixedports) 1
  2. Run the following to make the changes take effect:
     C:\ECloud\i686_win32\bin\ecagent_restart.bat

Fixed port number assignment

Port numbers are defined by the following Tcl procedures, which are defined by runagent and can be overridden by redefining them in runagent.local:

  • consolePort (fixed even without "-fixedports 1")
  • emakePort
  • a2aPort
  • cmControlPort

Note: On Windows the EFS ID (and agent number) starts at 1. On UNIX/Linux the EFS ID starts at 0 (that is, it equals the agent number minus 1).

You can calculate the port numbers from the agent number. The value for each port is:

  • eMake port: 2408 + 10x
  • Console port: 2409 + 10x
  • A2A port: 2410 + 10x
  • CM port: 2411 + 10x (Exception: on UNIX/Linux agent number 1 this port is 8001, to avoid a collision with the erunner port.)

Where x is the EFS ID.

Windows example:

Port      Agent 1 Port #   Agent 2 Port #
eMake     2418             2428
Console   2419             2429
A2A       2420             2430
CM        2421             2431

UNIX/Linux example: 

Port      Agent 1 Port #   Agent 2 Port #
eMake     2408             2418
Console   2409             2419
A2A       2410             2420
CM        8001             2421

Opening the firewall

Open the firewall for these ports on every agent machine, for as many Agents as are installed on each machine.
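The following is an added example, not code from the article or the product: it reproduces the fixed-port formulas above (including the UNIX/Linux agent 1 exception and the EFS ID offset per platform) so that an administrator can generate the exact allow-list for a host before opening anything, and confirm that no two services on the host end up on the same port. The function names and the `windows` flag are this example's own.

```python
# Added example: compute ElectricAccelerator fixed ports for an agent host.
ERUNNER_PORT = 2411           # erunner service port (fixed, from the article)
UNIX_AGENT1_CM_PORT = 8001    # documented exception for UNIX/Linux agent 1


def efs_id(agent_number, windows):
    """Windows EFS IDs start at 1; UNIX/Linux EFS IDs start at 0."""
    if agent_number < 1:
        raise ValueError("agent numbers start at 1")
    return agent_number if windows else agent_number - 1


def fixed_ports(agent_number, windows):
    """Return {service: port} for one agent using the documented formulas."""
    x = efs_id(agent_number, windows)
    ports = {
        "eMake":   2408 + 10 * x,
        "Console": 2409 + 10 * x,
        "A2A":     2410 + 10 * x,
        "CM":      2411 + 10 * x,
    }
    # UNIX/Linux agent 1 has EFS ID 0, so 2411 + 10*0 would collide with
    # erunner; the agent uses 8001 instead.
    if not windows and ports["CM"] == ERUNNER_PORT:
        ports["CM"] = UNIX_AGENT1_CM_PORT
    return ports


def allow_list(agent_count, windows):
    """Sorted TCP ports to open on a host running agent_count agents,
    including the fixed erunner port."""
    ports = {ERUNNER_PORT}
    for n in range(1, agent_count + 1):
        ports.update(fixed_ports(n, windows).values())
    return sorted(ports)


def no_collisions(agent_count, windows):
    """True when every service on the host is assigned a distinct port."""
    seen = {ERUNNER_PORT}
    for n in range(1, agent_count + 1):
        for port in fixed_ports(n, windows).values():
            if port in seen:
                return False
            seen.add(port)
    return True


if __name__ == "__main__":
    for os_name, win in (("Windows", True), ("UNIX/Linux", False)):
        print(os_name, "2 agents:", allow_list(2, win), no_collisions(2, win))
```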

Fixed port settings algorithm

If you keep the default port settings, ports are always assigned according to the algorithm described above.

If you want to use a different algorithm to assign fixed ports or to direct them to a specific port range, do the following:

1. Copy the following Tcl procedures from runagent to runagent.local:

  • consolePort
  • emakePort
  • a2aPort
  • cmControlPort

They look like the following:

proc consolePort {efsid} { return [expr {2409 + 10 * $efsid}] }

2. Modify each procedure in runagent.local so that it returns a port in the range you want.

3. Restart the Agent services.

Applies to

  • Product versions: All
  • OS versions: All