Block/unblock a node from joining a cluster

The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.


Problem Description

In some situations, customers may want to prevent a node from joining a cluster.

Explanation

This may be done for various reasons, typically to run maintenance or tests without changing a node's configuration while still needing the asd daemon to come up (or to have a chance of coming up). This is not common at all.

Solution

Backup your current firewall settings:

iptables-save > /etc/iptables.lastrules

Use iptables to block the incoming traffic. For example, if the node has IP address 10.231.1.85, run this on all other nodes:

# Both are INPUT rules, so they match the blocked node as the source (-s) address;
# 3002 is the heartbeat port and 3001 the fabric port.
iptables -I INPUT -p tcp --dport 3002 -s 10.231.1.85/32 -j REJECT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.85/32 -j REJECT

Note that you always want to use REJECT for a quick result. The iptables REJECT target actively responds to the caller with icmp-port-unreachable by default, allowing the host to immediately act on an unreachable connection. DROP instead simulates 100% packet loss, since packets are silently discarded, and it may then take a while for the caller to realise the host is down, as it only finds out when its connections time out.

Alternatively, you may need to specify a set of allowed node(s) that may join the cluster while rejecting all other requests:

# Append (-A) the catch-all REJECT first; each ACCEPT below is inserted (-I) ahead of it,
# and iptables evaluates a chain top to bottom, so the allowed peers match first.
iptables -A OUTPUT -p tcp --dport 3002 -d 0.0.0.0/0 -j REJECT

iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.80/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.80/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.80/32 -j ACCEPT

iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.81/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.81/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.81/32 -j ACCEPT
.
.
.
iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.84/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.84/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.84/32 -j ACCEPT

The rules above are not persisted, so they will be gone after a reboot. If they have been saved permanently, or you simply want to undo them now, restore the settings you backed up earlier:

iptables-restore /etc/iptables.lastrules
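As an added example (not part of the original article), a small POSIX shell script that generates both rule sets from this article for review before they are piped to sh as root on each node. It assumes the default heartbeat port 3002 and fabric port 3001 used above; the addresses are the article's sample values.

```shell
#!/bin/sh
# Added example: emits the iptables commands from this article so they can be
# reviewed before being piped to `sh` as root on each node. Assumes the default
# Aerospike heartbeat port (3002) and fabric port (3001) used in the article.
HB_PORT=3002
FABRIC_PORT=3001

# Accept only a dotted-quad IPv4 address, so a typo cannot turn into a rule
# that matches nothing (or everything).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Rules to run on every OTHER node so that one node cannot join: both are
# INPUT rules, so they match the blocked node as the source (-s) address.
block_node_rules() {
    ip="$1"
    is_ipv4 "$ip" || { echo "block_node_rules: bad address '$ip'" >&2; return 1; }
    echo "iptables -I INPUT -p tcp --dport $HB_PORT -s $ip/32 -j REJECT"
    echo "iptables -I INPUT -p tcp --dport $FABRIC_PORT -s $ip/32 -j REJECT"
}

# Allowlist variant: append (-A) a catch-all REJECT for outgoing heartbeats,
# then insert (-I) ACCEPT rules for each permitted peer ahead of it. iptables
# evaluates a chain top to bottom and the first matching rule wins.
allow_nodes_rules() {
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "allow_nodes_rules: bad address '$ip'" >&2; return 1; }
    done
    echo "iptables -A OUTPUT -p tcp --dport $HB_PORT -d 0.0.0.0/0 -j REJECT"
    for ip in "$@"; do
        echo "iptables -I OUTPUT -p tcp --dport $HB_PORT -d $ip/32 -j ACCEPT"
        echo "iptables -I OUTPUT -p tcp --dport $FABRIC_PORT -d $ip/32 -j ACCEPT"
        echo "iptables -I INPUT -p tcp --dport $FABRIC_PORT -s $ip/32 -j ACCEPT"
    done
}

# Demo with the article's sample addresses: print both rule sets for review.
# To apply on a node:  block_node_rules 10.231.1.85 | sudo sh
block_node_rules 10.231.1.85
allow_nodes_rules 10.231.1.80 10.231.1.81
```

Run iptables-save first, as the article does, so the generated rules can be rolled back with iptables-restore.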

Notes

Keywords

iptable

Timestamp

9/1/16

I would like to add a small tip about saving iptables rules. If you are using CentOS 7, you can save rules like this:

$ service iptables save

Or if you are using a Debian based distro, you can save rules using iptables-persistent:

$ netfilter-persistent save

Also, the rules order matters, so what comes first wins. I recommend this resource for more info about iptables firewall: iptables firewall examples