Connecting to a Data.fs file on another server (SOLVED)

I am trying to connect Plone clients from Server1 to a Plone data.fs file that resides on Server2. The port number for data.fs on Server2 is 8100. I am currently getting an EHOSTUNREACH error.

Server 2:

  • Installed the same version of Plone (5.0.6) on Server 2

  • Started zeoserver only: bin/zeoserver start (did not start the Plone clients on Server 2)

  • When I ran netstat -tulpn, port 8100 is open:
    tcp 0 0 127.0.0.1:8100 0.0.0.0:* LISTEN 10200/python2.7

Server 1:

  • Stopped Plone

  • Changed buildout.cfg's zeo-address
    zeo-address = server2-ip-address:8100

  • Ran buildout: bin/buildout

  • Started client1: bin/client1 fg
    Error message:
    2017-03-14 12:14:46 WARNING ZODB.blob (21825) Blob dir /var/plone/sharedservices/zeocluster/var/blobstorage/ has insecure mode setting
    2017-03-14 12:14:46 INFO ZEO.cache created temporary cache file ''
    2017-03-14 12:14:46 WARNING ZEO.zrpc (21825) CW: error connecting to ('10.55.31.176', 8100): EHOSTUNREACH

  • # netstat -tulpn
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:10001 0.0.0.0:* LISTEN 3474/perl
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 19308/sshd
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1610/master
    tcp6 0 0 :::3306 :::* LISTEN 1363/mysqld
    tcp6 0 0 :::80 :::* LISTEN 877/httpd
    tcp6 0 0 :::22 :::* LISTEN 19308/sshd
    tcp6 0 0 ::1:25 :::* LISTEN 1610/master
    tcp6 0 0 :::443 :::* LISTEN 877/httpd
    udp 0 0 0.0.0.0:10001 0.0.0.0:* 3474/perl

Any advice or help would be most appreciated. Thank you.

Instances on server1 should be configured with something like this:

[instance]
zeo-address = server2:8100
zeo-client = on

Now check you're able to reach port 8100 on server2 from server1:

$ nc -z -v server2 8100
Connection to server2 8100 port [tcp/*] succeeded!

Yeah, check that your firewall is allowing incoming connections to the ZEO server.

Thanks so much hvelarde and tkimnyugen.

The -z extension did not work but when I did the following, I think Server 1 is blocked from reaching Server 2:
$ nc -v server2 8100
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: No route to host.

Checking on the firewall situation:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I don't deal much with firewalls. So, any suggestions on what's the next best thing to do would be most appreciated.

You have to check the firewall on both machines; also, intermediate firewalls could block this traffic.

Ask your system/network administrator for help on that.

Is "server2" a placeholder name, or is it literally what you've been using? The response "no route to host" means "you ain't gettin' there from here", i.e. the problem you have is with your network.

Server2 is just a placeholder. I have tried using Server2's IP address and also its domain name and was getting a no connection message either way:

This is what I have:

Server 1:
[root@server1 ~]# firewall-cmd --list-ports
10001/tcp 443/tcp 80/tcp 8100/tcp

Server2:
[root@server2 ~]# firewall-cmd --list-ports
8100/tcp 3306/tcp

[root@server2]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1570/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 9065/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2013/master
tcp 0 0 127.0.0.1:8100 0.0.0.0:* LISTEN 11848/python2.7
tcp6 0 0 :::22 :::* LISTEN 9065/sshd
tcp6 0 0 ::1:25 :::* LISTEN 2013/master

When I tested the connections between Server1 and Server2, it tells me that I cannot connect:
Server1 to Server2:
[root@server1 ~]# nc -v server2 8100
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection refused.

Server2 to Server1:
[root@server2 ~]# nc -v server1 8100
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection refused.

I am waiting for my network/server administrator to get back with me to see if there is an intermediate firewall between the two servers.

However, please let me know if what I have done up to this point is incorrect. Thanks so much.

Does Apache need to be running on the database server (Server 2)?

No. Your ZEO clients need to connect to the ZEO server, usually on port 8100.

Do I need to configure the zeo-address on server2? At the moment, it refers to localhost.

For some reason, I still cannot connect to server2's 8100 port. Port 8100 has been opened on both servers and there are no intermediate firewalls between the two servers:

[awong@server1 ~]$ nc -v server2.com 80
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to server2-ipaddress:80.

[awong@server1 ~]$ nc -v server2.com 8100
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection refused.

The answer to this is in my first comment.

Thanks hvelarde.

What I found out is that not only do I need to make changes to Server 1's buildout.cfg as you have mentioned, I also need to make changes to the Server 2's buildout.cfg. Plone 5 binds ZODB to localhost by default. That is why Server 1 could not connect to Server 2 at port 8100. Server 2 would only allow a localhost connection:

Server 2
buildout.cfg:
By default:
zeo-address = 127.0.0.1:8100

Change to either of the following on Server 2's buildout.cfg:
[zeoserver]
zeo-address = 8100
OR
zeo-address = 0.0.0.0:8100

Once the above was done, I did the following:
$ sudo -u plone bin/buildout
$ sudo -u plone bin/zeoserver start

Server 1
buildout.cfg:
[zeoserver]
zeo-address = server2-ip:8100

$ sudo -u plone bin/plonectl start

Everything is working perfectly now! Thank you so much for all your help.

Cheers,
Angela


One new question pertaining to this new setup. If I upgrade the Plone version on Server 1, do I need to upgrade the Plone version on server 2? At the moment, I find myself just having to upgrade Plone on server 1 without having to do anything on Server 2. Is this best practice?

In a ZEO setup you need to run identical versions.
For standalone instances nobody cares.

That's the default behaviour indeed. ZODB should be protected from being accessed from the network by default (usually with databases it's not recommended, and ZODB has fewer security features than most). If the physical network between the 2 computers can be accessed on the local network, a firewall such as iptables could be used to restrict access to port 8100 to the ZEO computer only. If this is not done, a process listening on 0.0.0.0 is wide open to every computer on the network.

So if Server 1 is 10.55.31.x, instead of using 0.0.0.0:8100 on Server 2, should I use 10.55.31.x:8100 so as to indicate that the ZODB would only interact with Server 1 at 10.55.31.x?

No, use a firewall like iptables. If you use a subnetwork you will still leave this subnetwork open, so it brings something only if your subnetwork is really private to your 2 computers (like if you have a network card on your ZODB server connecting only to the ZEO computer; in this case your ZODB would listen only on this interface).
If it's not the case, with iptables your administrator will be able to restrict the IP space to one address, and if another computer uses it at the same time as your ZEO server you will notice, as things will turn seriously wrong.
The only real way to secure ZODB between servers is to use a tunnel, but it's more involved, although any network administrator should be able to set one up, and it is not always really necessary (see above).
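The bind-address check behind Angela's fix (127.0.0.1 vs 0.0.0.0 on port 8100) and the per-client firewall restriction gp54321 recommends, as an added shell example that is not from this thread or from Plone. It parses constructed netstat -tulpn lines modelled on the ones posted above and assumes a hypothetical client address 10.55.31.10 for Server 1.

```shell
# Added example (not from the thread). Classify how a ZEO port is bound
# from `netstat -tulpn` output, then print firewall rules that admit only
# the ZEO client host, which is what gp54321 recommends instead of binding
# to a subnet address.

# Usage: zeo_bind_scope <port> "<netstat -tulpn output>"
# Prints one of: not-listening, loopback-only, all-interfaces, specific:<addr>
zeo_bind_scope() {
  port="$1"
  netstat_out="$2"
  # Take the local address of the first TCP LISTEN socket on that port.
  addr=$(printf '%s\n' "$netstat_out" |
    awk -v p="$port" '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" p "$") { print $4; exit }')
  case "$addr" in
    "")                  echo "not-listening" ;;
    127.0.0.1:*|::1:*)   echo "loopback-only" ;;      # Plone 5 default
    0.0.0.0:*|:::*)      echo "all-interfaces" ;;     # open to every host
    *)                   echo "specific:${addr%:*}" ;; # one interface only
  esac
}

# Print iptables rules admitting the ZEO port from one client IP only,
# dropping everything else. Printed, not executed, so they can be reviewed.
zeo_iptables_rules() {
  client_ip="$1"; port="$2"
  printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$client_ip"
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Same restriction for firewalld (the thread uses firewall-cmd): replace the
# blanket --add-port with a rich rule limited to the client address.
zeo_firewalld_rules() {
  client_ip="$1"; port="$2"
  printf 'firewall-cmd --permanent --remove-port=%s/tcp\n' "$port"
  printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"%s\" protocol=\"tcp\" accept'\n" "$client_ip" "$port"
  printf 'firewall-cmd --reload\n'
}

# Constructed netstat output: Server 2 before the buildout change ...
SERVER2_BEFORE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 9065/sshd
tcp 0 0 127.0.0.1:8100 0.0.0.0:* LISTEN 11848/python2.7'
# ... and after zeo-address = 0.0.0.0:8100 was applied.
SERVER2_AFTER='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8100 0.0.0.0:* LISTEN 11848/python2.7'

ZEO_CLIENT_IP=10.55.31.10   # assumed address of Server 1 (hypothetical)
scope=$(zeo_bind_scope 8100 "$SERVER2_AFTER")
echo "Server 2 ZEO listener: $scope"
[ "$scope" = "all-interfaces" ] && zeo_iptables_rules "$ZEO_CLIENT_IP" 8100
```

Run it against the real `netstat -tulpn` output of the ZEO server to see whether a wide-open listener still needs the printed rules applied by an administrator.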

Thanks gp54321 for your advice. This makes sense.

Thank you so much Andreas. I will get everything updated so that they will all have identical versions.