You have two classes[1] of access control for Riak:

 - other Riak nodes in the ring
 - clients making use of the Riak ring

For both access groups, the settings you want are in riak/etc/app.config.
The config directives you care about for client access all end in "_ip" and
"_port": web_ip, web_port, pb_ip, and pb_port.  Make note of those and
configure your firewall to allow incoming TCP access to those ports or IP and
port combinations.  The exception to this is the handoff_ip and handoff_port
directives.  Those are for communication between Riak nodes only.

Riak uses the Erlang distribution mechanism for most inter-node
communication.  Riak identifies other machines in the ring using Erlang
identifiers (<identifier>@<hostname or IP>, i.e. "r...@10.9.8.7").  Erlang
resolves these node identifiers to a TCP port on a given machine via the
Erlang Port Mapper daemon (epmd) running on each machine in a ring.  epmd
listens on TCP port 4369 on the wildcard interface.

You can configure Riak to tell the Erlang interpreter (and thence epmd) to
only use a limited range of ports in riak/etc/app.config.  If you want to
restrict the range of ports that Erlang and epmd will use for inter-Erlang
node communication to 6000-7999, you can add the following lines to
riak/etc/app.config:

{ kernel, [
              {inet_dist_listen_min, 6000},
              {inet_dist_listen_max, 7999}
             ]},

Then just configure your firewall to allow incoming access to TCP ports 6000
to 7999 from whichever network(s) your Riak nodes are located on.

The short and sweet:

 - Riak nodes need to be able to communicate freely on the following ports:
   - epmd's listener: TCP:4369
   - handoff_port listener: TCP:8099
   - range of ports you configure in app.config
 - Riak clients need to be able to contact a Riak node on the following ports:
   - web_port: TCP:8098
   - pb_port: TCP:8097

One important note: if you do add the inet_dist_listen_min and
inet_dist_listen_max entries to riak/etc/app.config, you need to kill off
any running epmd so it will pick up the new settings.  epmd will continue
to run on a given machine even after all Erlang interpreters have exited.

--Ryan

1. Technically speaking there's a third class for inter-data center
replication if you're using the enterprise edition of Riak but its access
patterns are essentially that of a client.  See the handoff_port directive.
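
The port layout summarized above, as an added example that is not part of the original message: a shell function that reads the port directives from app.config and prints matching iptables rules without applying them. The config fragment, its section names, the function names and the two network ranges are constructed for illustration.

```shell
# cfg_port <key> <file>: print the integer from the first uncommented {key, N}.
cfg_port() {
    sed -n "s/^[^%]*{[[:space:]]*$1[[:space:]]*,[[:space:]]*\([0-9][0-9]*\)[[:space:]]*}.*/\1/p" "$2" | head -n 1
}

# riak_fw_rules <app.config> <node_cidr> <client_cidr>: print rules, change nothing.
riak_fw_rules() {
    cfg=$1; nodes=$2; clients=$3
    for key in web_port pb_port handoff_port inet_dist_listen_min inet_dist_listen_max; do
        val=$(cfg_port "$key" "$cfg")
        if [ -z "$val" ]; then
            # An unpinned distribution range means unpredictable ports; refuse to guess.
            echo "error: $key not set in $cfg" >&2
            return 1
        fi
        eval "$key=\$val"   # key comes from the fixed list above, val is digits only
    done
    dist="$inet_dist_listen_min:$inet_dist_listen_max"
    # Client-facing listeners: reachable from the client network only.
    for p in "$web_port" "$pb_port"; do
        echo "iptables -A INPUT -p tcp -s $clients --dport $p -j ACCEPT"
    done
    # epmd (4369), handoff and the distribution range: ring members only.
    for p in 4369 "$handoff_port" "$dist"; do
        echo "iptables -A INPUT -p tcp -s $nodes --dport $p -j ACCEPT"
    done
    # Anything else aimed at these ports is dropped (epmd binds the wildcard interface).
    echo "iptables -A INPUT -p tcp -m multiport --dports 4369,$web_port,$pb_port,$handoff_port,$dist -j DROP"
}

# Constructed sample app.config fragment and constructed network ranges.
sample=$(mktemp)
cat > "$sample" <<'EOF'
{riak_core, [
    {web_port, 8098},
    {handoff_port, 8099}
]},
{riak_kv, [
    {pb_port, 8097}
]},
{kernel, [
    {inet_dist_listen_min, 6000},
    {inet_dist_listen_max, 7999}
]},
EOF
riak_fw_rules "$sample" 10.9.8.0/24 10.9.0.0/16
rm -f "$sample"
```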