Re: [ldm-users] diagnosing problem when ldmping works one-way (not both ways)

  • To: Donna Cote <d-cote@xxxxxxxx>
  • Subject: Re: [ldm-users] diagnosing problem when ldmping works one-way (not both ways)
  • From: Daniel Vietor - NOAA Affiliate <dan.vietor@xxxxxxxx>
  • Date: Sun, 5 Jun 2016 15:15:56 -0500
One thing that gets us in trouble is the client server issue with LDM.
Even though data flows down hill, the LDM request flows up hill.  This is a
problem for our firewall setups which typically block all up hill client
requests.  Data at AWC flows from the ops network which is high security to
the development/research network which is medium security to the public
network (where public facing web servers are located) which is low
security.  To make this work, all data used by the center has to enter at
the top tier, the ops network.  The preference would be for the ops network
to push data to the development/research network and for the
development/research network to push data to the public network.  The best
way to do this is with rsync or scp where the top tier is the client
opening up the socket on the lower tier and pushes data down hill.  Opening
up firewalls to flow data down hill is easy since there is no possibility
someone hacking into the lower tier could open up a socket to a server in
the higher tier.  But the LDM doesn't work that way.  The lower tier LDM
makes the client request to an up tier server.  This means you have to open
up port 388 going up hill which our IT staff refuses to do because it's
opening up a small hole in the impenetrable firewall.  Because LDM is so
good at moving data, we've made an exception for the LDM but every time we
add an LDM, we have to make special firewall requests to open port 388
upstream and it always poses a problem with our security audits.

Dan.

On Sun, Jun 5, 2016 at 2:53 PM, Donna Cote <d-cote@xxxxxxxx> wrote:

> I thought that was for logging properly - which is working fine. I'm
> wondering about the iptables. I will run the setuid in a little while
> (stepping away from the computer to mow the lawn...might not be able to mow
> tomorrow).
> On Jun 5, 2016 2:45 PM, "Patrick L. Francis" <wxprofessor@xxxxxxxxx>
> wrote:
>
>> That sounds like your setuids did not execute :)
>>
>> Go to your source directory and:
>>
>> su root -c 'make root-actions'
>>
>> cheers,
>>
>> --patrick
>>
>> …………………………………………………………
>> Patrick L. Francis PhD DMin
>> Vice President of Research & Dev
>> Aeris Weather
>>
>> http://aerisweather.com/
>> http://facebook.com/wxprofessor/
>> …………………………………………………………
>>
>> *From:* ldm-users-bounces@xxxxxxxxxxxxxxxx [mailto:
>> ldm-users-bounces@xxxxxxxxxxxxxxxx] *On Behalf Of *Donna Cote
>> *Sent:* Sunday, June 5, 2016 3:41 PM
>> *To:* LDM <ldm-users@xxxxxxxxxxxxxxxx>
>> *Subject:* [ldm-users] diagnosing problem when ldmping works one-way
>> (not both ways)
>>
>>
>>
>> I have recently started up an LDM server for the sole purpose of
>> gathering and holding rtstats data for our relay, cluster and storage LDM
>> systems.
>>
>> The new LDM is on our host called earthdata. Now, I can ssh, scp, and
>> ping just fine between our systems but ldmping on any of our LDM servers
>> gives me a "SVC_UNAVAIL" message.
>>
>> All of our LDM is version 6.12.14. I have checked the exec entry in the
>> ldmd.conf file. I have checked the allow and request entries. I have
>> restarted LDM on each system. Still, curoi - to - earthdata is
>> "SVC_UNAVAIL" while earthdata - to - curoi is "RESPONDING" just fine. With
>> the notifyme utility, I see no rtstats data getting to earthdata.
>>
>> Any ideas on what to check for and how I could fix this?
>>
>> Thanks,
>> Donna
>>
>> > [ldm@curoi ~]$ ldmping earthdata
>> > Jun 05 04:03:46 ulog INFO:      State    Elapsed Port   Remote_Host       rpc_stat
>> > Jun 05 04:03:46 ulog INFO: Resolving earthdata to 128.194.165.79 took 0.000851 seconds
>> > Jun 05 04:03:56 ulog ERROR: SVC_UNAVAIL  10.000997    0   earthdata  h_clnt_create(earthdata): Timed out while creating connection
>> > Jun 05 04:04:21 ulog ERROR:  ADDRESSED   0.000002    0   earthdata  h_clnt_create(earthdata): Timed out while creating connection
>> > ^C
>> >
>> > [ldm@curoi ~]$ grep -w earthdata etc/ldmd.conf
>> > exec "rtstats -f ANY -h earthdata.tamu.edu"
>> > allow ANY ^((earthdata)|(earthdata\.tamu\.edu))$
>> > [ldm@curoi ~]$
>> >
>> >          ----------------------------------
>> >
>> > [ldm@earthdata ~]$ ldmping curoi
>> > Jun 05 04:03:23 ulog INFO:      State    Elapsed Port   Remote_Host       rpc_stat
>> > Jun 05 04:03:23 ulog INFO: Resolving curoi to 128.194.165.100 took 0.001789 seconds
>> > Jun 05 04:03:23 ulog INFO: RESPONDING   0.004038  388   curoi
>> > Jun 05 04:03:48 ulog INFO: RESPONDING   0.000335  388   curoi
>> > ^C
>> >
>> > [ldm@earthdata ~]$ grep curoi etc/ldmd.conf
>> > request ANY "^rtstats" curoi.tamu.edu
>> > allow ANY ^((curoi)|(curoi\.tamu\.edu))$
>> > [ldm@earthdata ~]$
>>
>
> _______________________________________________
> NOTE: All exchanges posted to Unidata maintained email lists are
> recorded in the Unidata inquiry tracking system and made publicly
> available through the web.  Users who post to any of the lists we
> maintain are reminded to remove any personal information that they
> do not want to be made public.
>
>
> ldm-users mailing list
> ldm-users@xxxxxxxxxxxxxxxx
> For list information or to unsubscribe,  visit:
> http://www.unidata.ucar.edu/mailing_lists/
>



-- 
*Dan Vietor*
*Senior Research Meteorologist*
CIRA, Colorado State Univ
Aviation Weather Center
Kansas City, MO
816.584.7211
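
Added example (not part of any message in this thread, and not LDM code): a plain TCP probe of port 388, the port named above, that separates a silently dropped connection from a refused one. This is the distinction that matters when ldmping works in one direction only. The function name `probe_tcp` and its result labels are choices made for this example.

```python
import errno
import socket
import sys

LDM_PORT = 388  # LDM port named in the thread


def probe_tcp(host, port=LDM_PORT, timeout=5.0):
    """Classify one TCP connection attempt from this machine to host:port.

    open        - handshake completed, a listener is reachable
    refused     - connection refused: host answered, nothing accepts on the port
    filtered    - no answer before the timeout, typical of a firewall DROP rule
    unreachable - an ICMP unreachable error came back (routing or a REJECT rule)
    unresolved  - name lookup failed
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            raise


if __name__ == "__main__":
    # Usage: python3 probe388.py earthdata curoi
    for name in sys.argv[1:]:
        print(f"{name}:{LDM_PORT} -> {probe_tcp(name)}")
```

Run it from each LDM host against the other: "filtered" in one direction and "open" in the other points at a packet filter on the path or on the target host rather than at ldmd.conf, while "refused" means the packets arrive but no LDM server is listening.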