I am trying to connect Plone clients from Server1 to a Plone data.fs file that resides on Server2. The port number for data.fs on Server2 is 8100. I am currently getting an EHOSTUNREACH error.
Server 2:
Installed the same version of Plone (5.0.6) on Server 2
Started zeoserver only: bin/zeoserver start (did not start the Plone clients on Server 2)
When I ran netstat -tulpn, port 8100 is open: tcp 0 0 127.0.0.1:8100 0.0.0.0:* LISTEN 10200/python2.7
The -z extension did not work, but when I did the following, I think Server 1 is blocked from reaching Server 2:
$ nc -v server2 8100
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: No route to host.
Checking on the firewall situation:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Is "server2" a placeholder name, or is it literally what you've been using? The response "no route to host" means "you ain't gettin' there from here", i.e. the problem you have is with your network.
When I tested the connections between Server1 and Server2, it tells me that I cannot connect:
Server1 to Server2:
[root@server1 ~]# nc -v server2 8100
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection refused.
Server2 to Server1:
[root@server2 ~]# nc -v server1 8100
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection refused.
I am waiting for my network/server administrator to get back with me to see if there is an intermediate firewall between the two servers.
However, please let me know if what I have done up to this point is incorrect. Thanks so much.
Do I need to configure the zeo-address on server2? At the moment, it refers to localhost.
For some reason, I still cannot connect to server2's 8100 port. Port 8100 has been opened on both servers and there are no intermediate firewalls between the two servers:
[awong@server1 ~]$ nc -v server2.com 80
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to server2-ipaddress:80.
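The three nc results in this thread ("No route to host", "Connection refused", "Connected") each point at a different layer, and telling them apart is what decides whether the fix is routing/firewall or the bind address of the listener. The following added example (not from the original post or from Plone) reproduces that triage in Python: it maps the connect() errno to the same meaning a practitioner reads off the nc output, and can probe a host:port the way nc -v does. The wording of the diagnoses is this example's own.

```python
import errno
import socket

# errno -> what it tells you about the path to the ZEO port. Wording is this
# example's own; the mapping follows standard TCP semantics.
DIAGNOSIS = {
    errno.EHOSTUNREACH: ("no route to host: routing or a firewall between the two "
                         "servers stops traffic before it reaches the server"),
    errno.ECONNREFUSED: ("host reached, but nothing accepts on that port from this "
                         "source, e.g. the service is bound to 127.0.0.1 only"),
    errno.ETIMEDOUT: "no reply at all: packets are being silently dropped",
}


def explain_errno(code):
    """Translate a connect() errno into the network-level diagnosis."""
    name = errno.errorcode.get(code, code)
    return DIAGNOSIS.get(code, "unexpected connect error: %s" % name)


def probe(host, port, timeout=3.0):
    """TCP connect like `nc -v host port`; returns (connected, explanation)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected: something is listening on %s:%d" % (host, port)
    except socket.timeout:
        return False, explain_errno(errno.ETIMEDOUT)
    except OSError as exc:
        return False, explain_errno(exc.errno)


def closed_local_port():
    """Bind an ephemeral loopback port and release it, so it is closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def listening_local_socket():
    """Open a loopback listener (stands in for a ZEO server bound to 127.0.0.1)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Probing loopback only tells you what is bound locally; a remote client
    # on another host would see ECONNREFUSED for a 127.0.0.1-bound ZEO server.
    print(probe("127.0.0.1", closed_local_port()))
```

Run from Server 1 against server2:8100, a "refused" result with the listener visible in netstat on Server 2 is the signature of a 127.0.0.1 bind, which is what this thread eventually found.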
What I found out is that not only do I need to make changes to Server 1's buildout.cfg as you have mentioned, I also need to make changes to the Server 2's buildout.cfg. Plone 5 binds ZODB to localhost by default. That is why Server 1 could not connect to Server 2 at port 8100. Server 2 would only allow a localhost connection:
Server 2 buildout.cfg:
By default:
zeo-address = 127.0.0.1:8100
Change to either of the following on Server 2's buildout.cfg:
[zeoserver]
zeo-address = 8100
OR
zeo-address = 0.0.0.0:8100
Once the above was done, I did the following:
$ sudo -u plone bin/buildout
$ sudo -u plone bin/zeoserver start
Server 1 buildout.cfg:
[zeoserver]
zeo-address = server2-ip:8100
$ sudo -u plone bin/plonectl start
Everything is working perfectly now! Thank you so much for all your help.
One new question pertaining to this new setup. If I upgrade the Plone version on Server 1, do I need to upgrade the Plone version on server 2? At the moment, I find myself just having to upgrade Plone on server 1 without having to do anything on Server 2. Is this best practice?
That's the default behaviour indeed. Zodb should be protected from being accessed from the network by default (usually with databases it's not recommended, and Zodb has fewer security features than most). If the physical network between the 2 computers can be accessed on the local network, a firewall such as iptables could be used to restrict access for port 8100 only to the Zeo computer. If this is not done, a process listening on 0.0.0.0 is wide open to every computer on the network.
So if Server 1 is 10.55.31.x, instead of using 0.0.0.0:8100 on Server 2, should I use 10.55.31.x:8100 so as to indicate that the ZOBD would only interact with Server 1 at 10.55.31.x?
No, use a firewall like iptables. If you use a subnetwork you will still leave this subnetwork open, so it brings something only if your subnetwork is really private to your 2 computers (like if you have a network card on your Zodb server connecting only to the Zeo computer; in this case your Zodb would listen only on this interface).
If it's not the case, with iptables your administrator will be able to restrict the IP space to one address, and if another computer uses it at the same time as your Zeo server you will notice, as things will turn seriously wrong.
The only real way to secure Zodb between servers is to use a tunnel, but it's more involved, although any network administrator should be able to set one up, and it's not always really necessary, see above.
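The exchange above amounts to a two-part check: what does zeo-address in [zeoserver] expose, and if it is 0.0.0.0, which iptables rules confine port 8100 to the one client. The following added example (not code from the thread or from Plone) audits a buildout.cfg fragment and emits the rules as strings for an administrator to review. It assumes, as the thread reports, that a bare port (zeo-address = 8100) behaves like 0.0.0.0, and the IP 10.55.31.7 is a constructed stand-in for Server 1.

```python
import configparser
import ipaddress

# Constructed buildout.cfg fragments modelled on the Server 2 settings in the thread.
DEFAULT_CFG = "[zeoserver]\nzeo-address = 127.0.0.1:8100\n"
OPEN_CFG = "[zeoserver]\nzeo-address = 0.0.0.0:8100\n"
BARE_PORT_CFG = "[zeoserver]\nzeo-address = 8100\n"


def parse_zeo_address(cfg_text):
    """Return (host, port) from zeo-address in [zeoserver].

    A bare port is treated as a bind on all interfaces (assumption: the
    thread reports that '8100' and '0.0.0.0:8100' both made Server 2 reachable).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    value = cp["zeoserver"]["zeo-address"].strip()
    if ":" in value:
        host, port = value.rsplit(":", 1)
    else:
        host, port = "0.0.0.0", value
    return host, int(port)


def exposure(cfg_text):
    """Classify the listener: loopback-only, all-interfaces or single-interface."""
    host, _ = parse_zeo_address(cfg_text)
    if host in ("0.0.0.0", "::", ""):
        return "all-interfaces"
    try:
        if ipaddress.ip_address(host).is_loopback:
            return "loopback-only"
    except ValueError:
        pass  # a hostname: resolves to one interface, not a wildcard
    return "single-interface"


def iptables_rules(client_ip, port=8100, chain="INPUT"):
    """Accept the ZEO port from one client and drop it from everyone else.

    Returned as strings for review; nothing is applied by this function.
    """
    ipaddress.ip_address(client_ip)  # fail early on a malformed address
    return [
        "iptables -A %s -p tcp --dport %d -s %s -j ACCEPT" % (chain, port, client_ip),
        "iptables -A %s -p tcp --dport %d -j DROP" % (chain, port),
    ]


def audit(cfg_text, client_ip):
    """Tie the two checks together: what to do given this config and one client."""
    host, port = parse_zeo_address(cfg_text)
    scope = exposure(cfg_text)
    if scope == "loopback-only":
        return scope, ["remote clients get 'Connection refused'; "
                       "zeo-address must bind a reachable interface"]
    if scope == "all-interfaces":
        return scope, iptables_rules(client_ip, port)
    return scope, ["bound to %s only; still restrict %d with a firewall" % (host, port)]


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("open", OPEN_CFG), ("bare", BARE_PORT_CFG)):
        print(name, audit(cfg, "10.55.31.7"))
```

The DROP rule is deliberately emitted after the ACCEPT so the order survives copy-and-paste into a rule set; an administrator would still place both ahead of any broader ACCEPT already in the chain.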