Connecting Erlang nodes when an internal and external IP address are at play


Question



I have two Virtual Machines that use internal IP addresses to speak to one another while the outside world knows about these VMs only via external IP addresses.

I have a distributed cache that makes use of the two VMs - each has an Erlang Node that must communicate with the other. I also have Erlang clients of the cache, on other machines, that need to communicate with one (or both) of the Erlang caching nodes on the VMs.

So, if I have the cache nodes named using the internal IP addresses then they can communicate with one another, but no other Erlang node can interact with them. But, if I name the cache nodes using the VMs' external IP addresses, then the outside Erlang nodes can communicate with the cache nodes, but the cache nodes cannot communicate with one another.

Is there something I can do about this other than using an http or socket-based interface that does not rely on joining the nodes into a mesh?

Solution

What you are trying to achieve is definitely doable.

Preliminaries

Erlang's distribution addresses are in two parts: the node name and the host name. They are separated by the @ sign.

Host names can be numeric IPv4 addresses. They can also be domain names. There are two distinct modes, where host names are short (single word, e.g. vm1) and where they are long (several words, e.g. vm1.domain.com). IP addresses are long names. Nodes started in one mode (short or long) can only communicate with nodes started in the same mode. Nodes are also protected by a cookie: a node will only accept incoming connections with a matching cookie. The easiest is to start all nodes of a given cluster with the same cookie.

When an Erlang node tries to connect to another Erlang node, it needs to find the IP address of the distant node. If it is the same as itself, it will simply try to connect on the local host. If it is different, it will try to resolve this host name to an IP address.

Then it will connect to the epmd daemon on this host to be told on which port Erlang is running. epmd as well as Erlang nodes listen on all interfaces (by default).

Solution and example

Based on this mechanism, you could use either short or long names, but exploit the resolution mechanism. The easiest on Unix would be to configure different IPs on each /etc/hosts of your machines (especially on the two virtual machines) so they will connect to each other through their private addresses, while being accessed through their public addresses.

Let's say that Virtual machine A (VM A) has private IP address 10.0.0.2 and public IP address 123.4.5.2 and VM B has private IP address 10.0.0.3 and public IP address 123.4.5.3. Let's also say that you decided to go for short names.

You could put on VM A this entry in /etc/hosts:

10.0.0.3 vmb

You could put the matching entry on VM B's /etc/hosts:

10.0.0.2 vma

And on all the external clients, you could put:

123.4.5.2 vma
123.4.5.3 vmb

You would start your nodes as follows:

# Node foo on VM A:
erl -sname foo@vma -cookie RANDOMCOOKIE
# Node foo on VM B:
erl -sname foo@vmb -cookie RANDOMCOOKIE
# Client nodes:
erl -sname client -cookie RANDOMCOOKIE

You can avoid the /etc/hosts edits on client nodes if you have a domain name (e.g. yourdomain.com) and you can get vma.yourdomain.com to resolve to 123.4.5.2. You can also use a specific Erlang Inet configuration file.

Security

The Erlang distribution mechanism is not meant to be public facing. Besides, all communications will be unencrypted. I strongly suggest configuring firewalls on each host to only let in connections from other cluster servers, and using SSL distribution.

For the firewall: Erlang distribution uses port 4369 for epmd as well as random ports for each node. You can limit the range of these random ports by using Erlang kernel application environment settings inet_dist_listen_min and inet_dist_listen_max. You will need to allow incoming TCP connections on these ports, but only from other hosts of the cluster.

SSL distribution is quite complex to set up but well documented. The main drawback in your case is that all connections should be over SSL, including those between the two virtual machines on their private network, and local connections to open remote shells.
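An added pre-flight check, not part of the original answer, as an Erlang module to run inside a node started as in the answer (for instance `erl -sname foo@vma -cookie RANDOMCOOKIE -kernel inet_dist_listen_min 9100 inet_dist_listen_max 9110`, then `cluster_check:run().`). It verifies, on one VM, the four things the answer relies on: the peer host name resolves to the expected private address from /etc/hosts, the peer answers a distribution ping through epmd, this node runs in short-name mode, and the distribution port range is pinned so the firewall can be scoped to it. The module name, the peer table and the port range 9100-9110 are assumptions.

```erlang
%% cluster_check.erl -- added example, not from the original answer.
-module(cluster_check).
-export([run/0, run/1]).
-include_lib("kernel/include/inet.hrl").

%% Assumed peer table for VM A: host name used in the node name -> private
%% IP that /etc/hosts on this VM must map it to (per the answer's example).
-define(PEERS, [{"vmb", {10,0,0,3}}]).

run() -> run(?PEERS).

run(Peers) ->
    lists:foreach(fun({Host, Ip}) -> check_peer(Host, Ip) end, Peers),
    check_name_mode(),
    check_port_range().

%% 1. Resolution: a missing /etc/hosts entry, or one pointing at the public
%%    address, is the usual reason the two VMs cannot reach each other.
check_peer(Host, ExpectedIp) ->
    case inet:gethostbyname(Host) of
        {ok, #hostent{h_addr_list = Addrs}} ->
            case lists:member(ExpectedIp, Addrs) of
                true  -> ping_peer(Host);
                false -> io:format("~s resolves to ~p, expected ~p~n",
                                   [Host, Addrs, ExpectedIp])
            end;
        {error, Reason} ->
            io:format("cannot resolve ~s: ~p~n", [Host, Reason])
    end.

%% 2. Reachability: net_adm:ping/1 asks epmd (port 4369) on the peer for the
%%    peer's distribution port, then connects using this node's cookie.
ping_peer(Host) ->
    Node = list_to_atom("foo@" ++ Host),
    io:format("ping ~p: ~p~n", [Node, net_adm:ping(Node)]).

%% 3. Short names everywhere: if this node was started with -name instead of
%%    -sname, longnames() is true and it will not talk to -sname nodes.
check_name_mode() ->
    io:format("long names: ~p, node: ~p~n", [net_kernel:longnames(), node()]).

%% 4. Pinned distribution ports, so the firewall can allow only 4369 plus
%%    this range, and only from the other cluster hosts. 'undefined' means
%%    the node listens on a random port and the firewall cannot be scoped.
check_port_range() ->
    Min = application:get_env(kernel, inet_dist_listen_min),
    Max = application:get_env(kernel, inet_dist_listen_max),
    io:format("distribution port range: ~p..~p~n", [Min, Max]).
```

Run the same module on VM B with the peer table changed to `[{"vma", {10,0,0,2}}]`; a `pang` with correct resolution points at the cookie or the firewall rather than at /etc/hosts.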
