Details
- Bug
- Status: Closed
- Major - P3
- Resolution: Fixed
- 2.4.10, 2.6.1
- None
- Fully Compatible
- ALL
Description
'isself' should match the ports only if the hosts are being string matched. In cases where an instance is being addressed through a proxy port, port matching is an incorrect check - it invalidates a genuine match.
E.g. a mongod instance listening on port 27017 may get redirected traffic from another port through iptables routing. Such instances would fail to get added to a replica set for no good reason. Port proxies may be required in multi-tenant cloud-based systems where bindable IPs/ports are NAT'ed.
Take this example replica set config to set up a one-node cluster. The server itself can be addressed using a DNS name and an externally proxied port, but we cannot form a cluster if the same is used for the rs config.
    config = {
        "_id" : "test",    // replica set name
        "members" : [ {
            "_id" : 0,
            "host" : "public_dns_to_ec2_node:38132"
        } ]
    }
Internally, the mongod was bound to 127.0.0.1:27017 and we have an iptables proxy rule to route all tcp traffic from 38132 to 127.0.0.1:27017, e.g.
    -A OUTPUT -d 10.203.77.175/32 -m tcp -p tcp --dport 38132 -j DNAT --to-destination 127.0.0.1:27017
    -A PREROUTING -d 10.203.77.175/32 -m tcp -p tcp --dport 38132 -j DNAT --to-destination 127.0.0.1:27017
where 'public_dns_to_ec2_node' routes to 10.203.77.175 through public IP DNS registration.
With the above example it is clear that a fix is needed to not unnecessarily match the ports as integers. Otherwise we cannot even create a one-node cluster, let alone a usable 3-node replica set.
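The failure described in this ticket can be reproduced without mongod or iptables. The sketch below is an added example, not MongoDB code and not the fix that was shipped: a userspace forwarder stands in for the DNAT rule, and the instance-id probe (`is_self_by_probe`) is an assumed alternative check that the ticket does not describe. All names and the one-line id protocol are hypothetical.

```python
import socket, socketserver, threading, uuid

class IdHandler(socketserver.BaseRequestHandler):
    """Toy instance: answers every connection with its own instance id."""
    def handle(self):
        self.request.sendall(self.server.instance_id.encode())

class Forwarder(socketserver.BaseRequestHandler):
    """Userspace stand-in for the DNAT rule: relays the backend's reply."""
    def handle(self):
        with socket.create_connection(self.server.backend, timeout=2) as up:
            self.request.sendall(read_all(up))

def read_all(sock):
    # Read until the peer closes the connection.
    return b"".join(iter(lambda: sock.recv(64), b""))

def serve(handler, **attrs):
    # Bind to an ephemeral loopback port and serve in a daemon thread.
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    vars(srv).update(attrs)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def is_self_by_port(member_port, bound_port):
    # The check the ticket objects to: integer comparison of ports.
    return member_port == bound_port

def is_self_by_probe(host, port, my_id):
    # Assumed alternative: connect to the configured address, compare ids.
    with socket.create_connection((host, port), timeout=2) as s:
        return read_all(s).decode() == my_id

def demo():
    me = serve(IdHandler, instance_id=uuid.uuid4().hex)
    other = serve(IdHandler, instance_id=uuid.uuid4().hex)  # a different instance
    proxy = serve(Forwarder, backend=me.server_address)     # proxied port for `me`
    bound, proxied = me.server_address[1], proxy.server_address[1]
    result = {
        "port_check_via_proxy": is_self_by_port(proxied, bound),
        "probe_via_proxy": is_self_by_probe("127.0.0.1", proxied, me.instance_id),
        "probe_other_instance": is_self_by_probe(
            "127.0.0.1", other.server_address[1], me.instance_id),
    }
    for srv in (me, other, proxy):
        srv.shutdown()
        srv.server_close()
    return result

if __name__ == "__main__":
    print(demo())
```

The port comparison rejects the proxied address even though it reaches the same instance, while the probe accepts it and still rejects a different instance on the same host, which a check that ignored ports entirely could not do.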
Issue Links
- related to
  - SERVER-14078 Verify >1 local interface works with isself (Closed)