Disable Dynamic/Ephemeral Ports in Vertica and Spread for single node installs??

Synaptic_Axon Registered User
Is there a way to disable the ephemeral/dynamic port in single-node installations of Vertica 4.1.9 through the vertica.conf file? I noticed that both Vertica and the Spread daemon open up these ports. The Vertica port is tcp and the Spread port is udp. I can block the ports with iptables but I would prefer to disable them altogether. Thank you!

Comments

  • Hi, for a single-node installation, are you seeing Vertica open sockets to Spread on IP addresses other than 127.0.0.1? I would expect it to connect via localhost (as long as Vertica is configured to use localhost as its internal IP address), in which case the ports are not open externally so no firewall would be needed. Vertica and Spread do need to be able to communicate with each other; hence the local TCP connection. The UDP connection is Spread listening for other nodes and/or management tools; there's no way to turn it off at present. I have to admit, I'm not personally overly familiar with the network stack in Vertica 4.1. It has changed significantly in more-recent versions. If 4.1 is working well for you, more power to you; but it's quite old at this point, and it's possible that you would have a better experience with a newer version. For example, I know that 6.1 (the current version) listens on a much more restricted set of ports, at least in the multi-node case.
  • Synaptic_Axon Registered User
    Thank you for the quick reply. My concern isn't about the vertica to spread communication but the listening ephemeral/dynamic ports. Here's an example of the ephemeral port being opened in 4.1.9:

        # netstat -lnp | grep vertica
        tcp 0 0 0.0.0.0:5433 0.0.0.0:* LISTEN 30366/vertica
        tcp 0 0 0.0.0.0:54439 0.0.0.0:* LISTEN 30366/vertica
        tcp6 0 0 :::5433 :::* LISTEN 30366/vertica

    I do have port 5433 open because I need to be able to connect to it externally to run SELECT queries. But I think it should be possible to disable the secondary port (54439/tcp in this case). Here's an example showing how the port changes after a restart:

        # netstat -lnp | grep vertica
        tcp 0 0 0.0.0.0:5433 0.0.0.0:* LISTEN 5942/vertica
        tcp 0 0 0.0.0.0:56076 0.0.0.0:* LISTEN 5942/vertica
        tcp6 0 0 :::5433 :::* LISTEN 5942/vertica

    I ran "SELECT dump_configuration()" hoping to find a configuration parameter but came up empty. Perhaps there is an undocumented configuration setting or another way to invoke the vertica daemon to prevent the dynamic port from being opened. The spread daemon is also doing this on udp even though the spread segment only includes 127.0.0.1:

        # netstat -lnp | grep spread
        tcp 0 0 127.0.0.1:4803 0.0.0.0:* LISTEN 29024/spread
        udp 0 0 127.0.0.1:4803 0.0.0.0:* 29024/spread
        udp 0 0 127.0.0.1:4804 0.0.0.0:* 29024/spread
        udp 0 0 0.0.0.0:54027 0.0.0.0:* 29024/spread
        unix 2 [ ACC ] STREAM LISTENING 56637 29024/spread /tmp/4803

        Spread_Segment 127.0.0.1:4803 {
            N127000000001 127.0.0.1 {
                127.0.0.1
            }
        }

    I'm not even sure that spread should be required on a single-node installation, but 4.1.9 does require it. Anyway, if you have any other ideas about how to prevent the dynamic ports from being opened in either vertica or spread, please let me know. Thank you!
  • Hi, unfortunately Vertica does not allow you to disable ports this way. Vertica is a cluster-database product. We certainly could in theory special-case its behavior in the one-node case, but we don't currently do so; at least not consistently with regard to Spread and other network usage. If you are concerned about these ports, a firewall is the way to go. If you'd like to see this added as a feature, feel free to post it here with the "Share an idea" widget, and/or to get in touch with your sales rep to request it.
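
A check for the listeners discussed in this thread, as an added example that is not part of any post and not Vertica's or Spread's own tooling: it reads `netstat -lnp` output and reports TCP/UDP sockets bound to a non-loopback address on a port outside an allow-list, which is the set a firewall has to cover when the port number changes at every restart. The function names are hypothetical; the sample lines are copied from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of Vertica or Spread.

# Sample input: lines copied from the netstat output quoted in the thread.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:5433 0.0.0.0:* LISTEN 30366/vertica
tcp 0 0 0.0.0.0:54439 0.0.0.0:* LISTEN 30366/vertica
tcp6 0 0 :::5433 :::* LISTEN 30366/vertica
tcp 0 0 127.0.0.1:4803 0.0.0.0:* LISTEN 29024/spread
udp 0 0 127.0.0.1:4803 0.0.0.0:* 29024/spread
udp 0 0 127.0.0.1:4804 0.0.0.0:* 29024/spread
udp 0 0 0.0.0.0:54027 0.0.0.0:* 29024/spread
unix 2 [ ACC ] STREAM LISTENING 56637 29024/spread /tmp/4803
EOF
}

# Live usage: netstat -lnp | exposed_listeners PORT...
# Prints "proto local-address pid/program" for every TCP/UDP listener that is
# reachable from outside the host and whose port is not in the allow-list.
exposed_listeners() {
    awk -v allowed="$*" '
    BEGIN {
        n = split(allowed, p, " ")
        for (i = 1; i <= n; i++) ok[p[i]] = 1
    }
    # Only inet sockets; header lines and unix-domain sockets are skipped.
    $1 ~ /^(tcp|udp)6?$/ {
        # Field 4 is the local address; the port follows the last colon.
        if (!match($4, /:[0-9]+$/)) next
        addr = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        # Loopback binds (127.0.0.0/8, ::1) are not reachable externally.
        if (addr ~ /^127\./ || addr == "::1") next
        # Ports deliberately exposed, such as the 5433 client port.
        if (port in ok) next
        # UDP rows have no state column, so the program is the last field.
        print $1, $4, $NF
    }'
}

# Demo on the thread's output with only 5433 allowed.
sample_netstat | exposed_listeners 5433
```

Run after each restart, an empty result means every wildcard-bound listener is one that was meant to be exposed; anything printed is a port the firewall's default-deny policy must be dropping.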
