Aloha,
Short Form:
Is anyone using TLS to secure the Erlang cluster traffic in their Riak
cluster?
It would appear the answer is "no" as riak-admin, as written, will not
work in v1.2.1 and v1.3.0 - or am I missing something?
Long Form (for the non-TL;DR folks):
I've been kicking the tires on Riak 1.2.1 (AWS AMI from Marketplace,
RHEL 6 and RPM from Basho repo) as well as 1.3.0 and it appears that
riak-admin cannot work if you are using inet_tls as your dist. I saw
some traffic (via Nabble) asking a similar question on riak-users in Oct
2012 with no answer.
The first issue is the commented out template in /etc/riak/vm.config is
wrong. It says to use:
-proto_dist inet_ssl
where, at least for the R15B01 embedded in the RPMs and the AMI, it has
to be 'inet_tls'.
Once I am past that issue, I get Riak to start but riak-admin refuses to
run, reporting:
'Node is not running!'
I tracked the issue down to nodetool, which, when it tries to do a 'ping',
gets more than 'pong' back. Specifically, it gets:
pong
close called #Port<0.1074> [{inet_tls_dist,close,1,
[{file,"inet_tls_dist.erl"},{line,99}]},
{lists,foreach,2,[{file,"lists.erl"},{line,1262}]},
{net_kernel,terminate,2,
[{file,"net_kernel.erl"},{line,570}]},
{gen_server,terminate,6,
[{file,"gen_server.erl"},{line,722}]},
{proc_lib,init_p_do_apply,3,
[{file,"proc_lib.erl"},{line,227}]}]
I whacked on a private copy of riak-admin to ignore the extra data
(actually, to change all the cut-and-paste "$NODETOOL ping" code to use
the 'ensure_node_running()' BASH function defined in the script and just
modify that) and could successfully cluster the nodes. Every command
sent via nodetool/riak-admin ends with the above close traceback.
So, from the fact that the stock riak-admin does not even work with
inet_tls I come to the conclusion that no one is securing their Erlang
cluster traffic. I funneled this question through a co-worker to the
Basho folks at Erlang Factory last week and they advised asking
riak-users.
So that leads me here with the following questions:
Is anyone using inet_tls on their Riak clusters? In production? Is
that an insane idea to even try? The behavior of nodetool has me leery
as to the stability of inet_tls in Riak's environment.
Am I missing something that explains the nodetool ping and riak-admin
issue?
Mahalo for any guidance,
K^2
_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
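
The ping check described in the message above, as an added example that is not part of the original post and is not riak-admin's own code: it contrasts an exact comparison against "pong" with a first-line comparison that tolerates the trailing inet_tls close traceback. The function names and the NODETOOL_PING variable are assumptions made for illustration, and the sample output is constructed from the traceback quoted in the post.

```shell
#!/bin/sh
# Constructed sample: the ping output the post reports under inet_tls
# (traceback abbreviated).
sample_tls_ping() {
    printf '%s\n' 'pong' \
        'close called #Port<0.1074> [{inet_tls_dist,close,1,' \
        '  [{file,"inet_tls_dist.erl"},{line,99}]}, ...]'
}

# Strict check: the whole output must be exactly "pong".
# This is the comparison that rejects the TLS output above.
ping_is_pong_strict() {
    [ "$1" = "pong" ]
}

# Tolerant check: only the first line (minus any CR) must be exactly
# "pong"; later lines are ignored. A "pong" that appears anywhere else
# does not count, so a failed ping is still reported as down.
ping_is_pong_first_line() {
    first=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
    [ "$first" = "pong" ]
}

# Hypothetical stand-in for the script's node check. NODETOOL_PING is an
# assumed variable naming the real ping command; it defaults to the
# constructed sample so the example runs offline.
ensure_node_running() {
    res=$(${NODETOOL_PING:-sample_tls_ping} 2>&1)
    if ping_is_pong_first_line "$res"; then
        return 0
    fi
    echo "Node is not running!" >&2
    return 1
}

ensure_node_running && echo "node is up"
```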