When I tested the connections between Server1 and Server2, it tells me that I cannot connect:

Server1 to Server2:
[root@server1 ~]# nc -v server2 8100
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection refused.

Server2 to Server1:
[root@server2 ~]# nc -v server1 8100
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connection refused.
I am waiting for my network/server administrator to get back with me to see if there is an intermediate firewall between the two servers.
However, please let me know if what I have done up to this point is incorrect. Thanks so much.
What I found out is that not only do I need to make changes to Server 1's buildout.cfg as you have mentioned, I also need to make changes to Server 2's buildout.cfg. Plone 5 binds ZODB to localhost by default. That is why Server 1 could not connect to Server 2 at port 8100. Server 2 would only allow a localhost connection:
Server 2 buildout.cfg:
zeo-address = 127.0.0.1:8100
Change to either of the following on Server 2's buildout.cfg:
zeo-address = 8100
zeo-address = 0.0.0.0:8100
Once the above was done, I did the following:
$ sudo -u plone bin/buildout
$ sudo -u plone bin/zeoserver start
Server 1 buildout.cfg:
zeo-address = server2-ip:8100
$ sudo -u plone bin/plonectl start
Everything is working perfectly now! Thank you so much for all your help.
One new question pertaining to this new setup. If I upgrade the Plone version on Server 1, do I need to upgrade the Plone version on server 2? At the moment, I find myself just having to upgrade Plone on server 1 without having to do anything on Server 2. Is this best practice?
That's the default behaviour indeed. ZODB should be protected from being accessed from the network by default (usually with databases it's not recommended, and ZODB has fewer security features than most). If the physical network between the 2 computers can be accessed on the local network, a firewall such as iptables could be used to restrict access to port 8100 to the ZEO computer only. If this is not done, a process listening on 0.0.0.0 is wide open to every computer on the network.
No, use a firewall like iptables. If you use a subnetwork you will still leave this subnetwork open, so it brings something only if your subnetwork is really private to your 2 computers (for example, if you have a network card on your ZODB server connecting only to the ZEO computer; in this case your ZODB would listen only on this interface).
If that's not the case, with iptables your administrator will be able to restrict the IP space to one address, and if another computer uses it at the same time as your ZEO server you will notice, as things will turn seriously wrong.
The only real way to secure ZODB between servers is to use a tunnel, but it's more involved (although any network administrator should be able to set one up) and not always really necessary; see above.
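
The firewall restriction described in the replies above, as an added example that is not part of the original thread: it classifies the three zeo-address values from the thread by bind scope and prints (without applying) iptables rules that admit a single client address to the ZEO port. The function names and the address 192.0.2.10 are assumptions made for illustration, and treating a bare port as an all-interfaces bind follows the thread's own statement that `8100` and `0.0.0.0:8100` are interchangeable.

```shell
#!/bin/sh
# Added example, not from the thread. 192.0.2.10 is a constructed
# documentation address (RFC 5737) standing in for the ZEO client (Server 1).

# Classify a zeo-address value from the ZEO server's buildout.cfg.
zeo_bind_scope() {
    case "$1" in
        *:*) host=${1%:*} ;;   # host:port form
        *)   host= ;;          # bare port: listens on every interface
    esac
    case "$host" in
        127.*|localhost) echo loopback ;;
        ""|0.0.0.0)      echo wildcard ;;
        *)               echo specific ;;
    esac
}

# Succeed only for one dotted-quad IPv4 address (no CIDR, no hostname).
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print (do not apply) iptables rules: accept the ZEO port from exactly one
# client address, drop every other source. Rule order matters with -A.
zeo_allow_rules() {
    client=$1 port=$2
    is_ipv4 "$client" && [ "$client" != 0.0.0.0 ] ||
        { echo "need one client IPv4 address, got: $client" >&2; return 1; }
    case "$port" in ""|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "bad port: $port" >&2; return 1; }
    echo "iptables -A INPUT -p tcp --dport $port -s $client -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# The three zeo-address values that appear in the thread.
for value in 127.0.0.1:8100 8100 0.0.0.0:8100; do
    echo "zeo-address = $value -> $(zeo_bind_scope "$value")"
done
zeo_allow_rules 192.0.2.10 8100
```

The printed rules are meant to be reviewed by the administrator before being run on the ZEO server; a subnet or wildcard source is rejected on purpose, since the replies recommend restricting the port to one address.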