Enabling Nutanix 2009 page access with allssh command

On top of the HTML5-based Prism GUI, a Nutanix cluster has nifty web pages that give additional information on what is going on in your cluster. Under normal conditions there isn't usually a need to access these pages, but they can be handy in troubleshooting or in performance testing. By default these pages are not accessible, because they are firewalled with iptables rules. An example of such a page is the 2009 page, which contains information about the I/O requests handled by the process called "Stargate".

Enabling access for a single Controller Virtual Machine (CVM)

You can allow access to these pages by modifying the iptables rules on a per controller virtual machine (CVM) basis.

As an example, here is how to enable access to the 2009 (Stargate) page for a single CVM:

  • log in to the CVM as the nutanix user
    • ssh nutanix@
  • elevate privileges to root level:
    • sudo su -
  • issue the iptables command to allow traffic to port 2009:

iptables -t filter -A WORLDLIST -p tcp -m tcp --dport 2009 -j ACCEPT

  • The command above should be entered as one line
  • Notice that there are TWO dashes in front of the dport option!

Example (screenshot): Enabling 2009 page access for a single CVM

Once you have enabled access, you can view the information provided by the page by launching a web browser and entering CVM-IP-ADDRESS:2009 in the address field.

Example (screenshot): Stargate page for a single CVM

These iptables modifications are not permanent: the next time you reboot your CVM, the CVM reverts to the default iptables rules (which don't allow traffic to port 2009). If you want to allow access permanently, you can modify the iptables rule file by following the instructions here. That approach requires logging in to each CVM separately and editing the iptables rule file as the root user. This is fine when your cluster has only a few nodes, but as your cluster size increases it can become cumbersome.

Allssh command

Nutanix has a special command, "allssh". This command can be used to issue commands that should run on all cluster nodes. You can run it from any CVM.

The command works without a password only as the "nutanix" user. If you try to run it as the root user, you will be prompted for the root password on each of the nodes.

Example (screenshot): "allssh date" command

  • The allssh command runs whatever command follows it on every node in the cluster
  • In this case we issued the date command on each node, and the results of the individual date commands can be seen in the example above

Enabling access to 2009 page with allssh command

You can also combine the allssh and iptables commands to enable access on all nodes with just one command line, run from just one CVM. Since you need root privileges to modify iptables rules and you can't use the allssh command as the root user, a sudo command is also required.

  • log in as the nutanix user to any of your CVMs
  • issue the following command:

allssh "sudo iptables -t filter -A WORLDLIST -p tcp -m tcp --dport 2009 -j ACCEPT"

  • again, the command should be entered as one line
  • and there are two dashes in front of the dport option

Example (screenshot): Enabling access on a four node Nutanix cluster

Note that if you enter the allssh command multiple times, you will have multiple rules that allow access. In that case, if you want to disable access, each rule has to be removed individually (see below).

Disabling access to 2009 page with allssh command

If for some reason you want to disable the access, this can also be done with the allssh command. The allssh/iptables command is basically the same as the one allowing access, with one exception: instead of the -A option, use the -D option.

allssh "sudo iptables -t filter -D WORLDLIST -p tcp -m tcp --dport 2009 -j ACCEPT"

Example (screenshot): Disabling access with the allssh command

If you can still access the page after issuing this command, the most likely explanation is that there are multiple rules allowing access: either you entered the command allowing access multiple times, or someone else has enabled the access. You can repeat the rule removal allssh command until you get an error message stating that no such rule exists: "iptables: Bad rule (does a matching rule exist in that chain?)."

Example (screenshot): Removing duplicate rules

  • The rule removal allssh command is issued until you get the error message about "Bad rule"
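The two allssh procedures above (enabling access and then deleting the rule repeatedly until iptables reports "Bad rule") can be wrapped so that enabling is idempotent and disabling removes every duplicate in one go. The script below is an added example, not code from the original post or from Nutanix; it assumes the WORLDLIST chain and the exact rule form shown above, that it runs on a CVM as the nutanix user (wrapped in allssh "..." to cover every node), and it optionally restricts the rule to a source subnet with the iptables -s option, which the post does not do. The IPT variable and the count_port_rules helper are my own additions for dry runs and for auditing the rule list.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent enable/disable of the
# port 2009 (Stargate) ACCEPT rule in the WORLDLIST chain on a Nutanix CVM.
# Run it through allssh to apply it on every node, e.g.
#   allssh "sh /home/nutanix/stargate_2009.sh enable"
# Assumptions: chain name and rule form as in the post; `sudo iptables` works
# for the nutanix user; SRC (optional) is a management subnet you choose.

PORT="${PORT:-2009}"
CHAIN="WORLDLIST"
SRC="${SRC:-}"                        # e.g. SRC=10.0.0.0/24 (constructed placeholder)
IPT="${IPT:-sudo iptables}"           # override for dry runs, e.g. IPT="echo iptables"

RULE="-p tcp -m tcp --dport $PORT -j ACCEPT"
if [ -n "$SRC" ]; then
    RULE="-s $SRC $RULE"              # limit who may reach the page at all
fi

# count_port_rules <port>: reads `iptables -S <chain>` output on stdin and
# prints how many ACCEPT rules for that TCP dport the chain holds. Use it to
# audit whether repeated -A runs have piled up duplicates.
count_port_rules() {
    port="$1"
    grep -c -- "--dport $port -j ACCEPT" || true
}

# enable_port: append the rule only if -C (check) says it is not there yet,
# so running the script twice does not create duplicate rules.
enable_port() {
    if $IPT -t filter -C "$CHAIN" $RULE 2>/dev/null; then
        echo "port $PORT rule already present in $CHAIN"
    else
        $IPT -t filter -A "$CHAIN" $RULE
    fi
}

# disable_port: delete the rule until iptables fails with
# "Bad rule (does a matching rule exist in that chain?)", which is exactly
# the stop condition the post describes; prints how many rules were removed.
disable_port() {
    removed=0
    while $IPT -t filter -D "$CHAIN" $RULE 2>/dev/null; do
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Command-line entry point: enable | disable | audit
case "${1:-}" in
    enable)  enable_port ;;
    disable) n=$(disable_port); echo "removed $n rule(s) for port $PORT" ;;
    audit)   $IPT -t filter -S "$CHAIN" | count_port_rules "$PORT" ;;
esac
```

The audit mode pipes `iptables -S WORLDLIST` through count_port_rules, so after a cluster-wide enable you can run `allssh "sh stargate_2009.sh audit"` and expect exactly one rule per node; anything higher means duplicates that the disable mode will clean up.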