You have two classes[1] of access control for Riak:
- other Riak nodes in the ring
- clients making use of the Riak ring
For both access groups, the settings you want are in riak/etc/app.config.
The config directives you care about for client access all end in "_ip" and
"_port": web_ip, web_port, pb_ip, and pb_port. Make note of those and
configure your firewall to incoming TCP access to those ports or IP and port
combinations. The exceptions to this is the handoff_ip and handoff_port
directives. Those are for communication between Riak nodes only.
Riak uses the Erlang distribution mechanism for most inter-node
communication. Riak identifies other machines in the ring using Erlang
identifiers(<identifier>@<hostname or IP>, i.e. "r...@10.9.8.7"). Erlang
resolves these node identifiers to a TCP port on a given machine via the
Erlang Port Mapper daemon(epmd) running on each machine in a ring. epmd
listens on TCP port 4369 on the wildcard interface.
You can configure Riak to tell the Erlang interpreter(and thence epmd) to
only use a limited range of ports in riak/etc/app.config. If you want to
restrict the range of ports that Erlang and epmd will use for inter-Erlang
node communication to 6000-7999, you can add the following lines to
riak/etc/app.config:
{ kernel, [
{inet_dist_listen_min, 6000},
{inet_dist_listen_max, 7999}
]},
Then just configure your firewall to allow incoming access to TCP ports 6000
to 7999 from whichever network(s) contain your riak nodes are located on.
The short and sweet:
- Riak nodes need to be able to communicate freely on the following ports:
- epmd's listener: TCP:4369
- handoff_port listener: TCP:8099
- range of ports you configure in app.config
- Riak clients need to be able to contact a Riak node on the following
ports:
- web_port: TCP:8098
- pb_port: TCP:8097
One important note: if you do add the inet_dist_listen_min and
inet_dist_listen_max entries to riak/etc/app.config, you need to kill off
any running epmd so it it will pick up the new settings. epmd will continue
to run on a given machine even after all Erlang interpreters have exited.
--Ryan
1. Technically speaking there's a third class for inter-data center
replication if you're using the enterprise edition of Riak but its access
patterns are essentially that of a client. See the handoff_port directive.
_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
