The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.
block/unblock a node from joining a cluster
Problem Description
In some situations, customers may want to prevent a node from joining a cluster.
Explanation
This may be for various reasons, for example to perform maintenance or tests without changing a node’s configuration while still requiring the asd daemon to come up (or have a chance of coming up). This is not common at all.
Solution
Backup your current firewall settings:
iptables-save > /etc/iptables.lastrules
Use iptables to block the incoming traffic from that node. For example, if the node has IP address 10.231.1.85, run the following on all other nodes:
iptables -I INPUT -p tcp --dport 3002 -s 10.231.1.85/32 -j REJECT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.85/32 -j REJECT
Note: you always want to use REJECT for a quick result. iptables REJECT actively responds to the caller with icmp-port-unreachable by default, allowing the host to act immediately on an unreachable connection. If you use DROP, this simulates 100% packet loss instead, as packets are simply discarded silently; it may then take a while for the caller to realise that the host is down, because its connections only time out for lack of a response.
Alternatively, you may want to allow only a specific set of node(s) to join the cluster while rejecting all other requests:
iptables -A OUTPUT -p tcp --dport 3002 -d 0.0.0.0/0 -j REJECT
iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.80/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.80/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.80/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.81/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.81/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.81/32 -j ACCEPT
...
iptables -I OUTPUT -p tcp --dport 3002 -d 10.231.1.84/32 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 3001 -d 10.231.1.84/32 -j ACCEPT
iptables -I INPUT -p tcp --dport 3001 -s 10.231.1.84/32 -j ACCEPT
The above rules do not survive a reboot. If you have saved them permanently, or simply want to undo them, restore the settings backed up earlier:
iptables-restore /etc/iptables.lastrules
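The procedure above wrapped in a small POSIX sh script, added here as an example and not part of the original article: it validates the address, prints or applies the same REJECT/ACCEPT rules on ports 3001 and 3002, and restores the backup. The BACKUP path, the DRY_RUN switch and the IP check are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the Aerospike KB article: the article's manual steps
# wrapped in functions. Ports 3001 (fabric) and 3002 (mesh heartbeat) come from
# the article; BACKUP, DRY_RUN and the IP validation are this script's own.
HB_PORT=3002
FABRIC_PORT=3001
BACKUP=${BACKUP:-/etc/iptables.lastrules}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the iptables commands, 0 = execute them

# Accept only a plain dotted-quad IPv4 address, so an empty or mistyped argument
# cannot produce a rule that matches the wrong hosts (or fails half-way through).
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Rules that fence off ONE node; run on every other node. REJECT rather than
# DROP, so peers get an immediate port-unreachable instead of a slow timeout.
block_node_rules() {
  valid_ipv4 "$1" || return 1
  echo "iptables -I INPUT -p tcp --dport $HB_PORT -s $1/32 -j REJECT"
  echo "iptables -I INPUT -p tcp --dport $FABRIC_PORT -s $1/32 -j REJECT"
}

# Rules that allow only the listed peers. The catch-all REJECT is appended (-A)
# so the per-peer ACCEPTs inserted with -I are always evaluated before it.
allowlist_rules() {
  for peer in "$@"; do valid_ipv4 "$peer" || return 1; done
  echo "iptables -A OUTPUT -p tcp --dport $HB_PORT -d 0.0.0.0/0 -j REJECT"
  for peer in "$@"; do
    echo "iptables -I OUTPUT -p tcp --dport $HB_PORT -d $peer/32 -j ACCEPT"
    echo "iptables -I OUTPUT -p tcp --dport $FABRIC_PORT -d $peer/32 -j ACCEPT"
    echo "iptables -I INPUT -p tcp --dport $FABRIC_PORT -s $peer/32 -j ACCEPT"
  done
}

# Back up the live ruleset first, then run (or, in dry-run mode, print) each
# generated command read from stdin. Stops at the first failing command.
apply_rules() {
  if [ "$DRY_RUN" = 0 ]; then iptables-save > "$BACKUP" || return 1; fi
  while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 0 ]; then $cmd || return 1; else echo "+ $cmd"; fi
  done
}

# Undo everything by restoring the backup taken in apply_rules.
restore_rules() { iptables-restore < "$BACKUP"; }
```

Source the file and run, for example, `block_node_rules 10.231.1.85 | apply_rules` or `allowlist_rules 10.231.1.80 10.231.1.81 | apply_rules`; with DRY_RUN=0 the rules are applied for real, and `restore_rules` undoes them from the backup.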
Notes
- http://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
- Apply to every node in the cluster
- For CentOS/RHEL, use “service iptables save” to save the settings permanently
- DROP will silently drop the packet while REJECT will respond with an error
- You could delete the rule manually one at a time. However, it is easier to restore from backup.
Keywords
iptable
Timestamp
9/1/16