Issue with Scalr UI Access from different server

[himanshu jain]

Hi,

I am newbie in Scalr. I installed Scalr in my test lab intending to manage all the hypervisors to start with. 

Problem: 

I am unable to access scalr UI/wizard. It shows me unable to connect to the site.

Locally I can see that scalr is listening at port 80. I am able to browse the site locally.

I checked for firewall blockage locally as well as enterprise, There is no firewall service running in the server and this seems to be uneachable even for the neighbouring servers which are in same subnet and no firewall in between them.

While server is reachable at port 22 it is unreachable at port 80 via telnet.

Please suggest. DO let me know if any logs or any more information required.

[Jay Farschman]

Himanshu,

You didn't tell us which version of Scalr you are running, or which operating system you are working on.... but it does seem clear that you checked the firewall.  Here is a little background on my setup.  My /etc/scalr-server.rb is setup to allow access on port 443.  This is a really simple thing to do:

routing[:endpoint_host] = "10.xxx.xxx.xxx"

routing[:endpoint_scheme] = 'https'

If you make a change be sure to run 

scalr-server-ctl reconfigure

Second, there is a nice tool "scald-server-manage" that maintains all of the services (like Monit):

# scalr-server-manage

crond                            RUNNING   pid 23608, uptime 58 days, 15:42:35

httpd                            RUNNING   pid 7446, uptime 58 days, 1:01:23

memcached                        RUNNING   pid 23591, uptime 58 days, 15:42:35

mysql                            RUNNING   pid 8544, uptime 58 days, 1:00:45

rrd                              RUNNING   pid 23040, uptime 58 days, 15:42:36

service-analytics_poller         RUNNING   pid 23017, uptime 58 days, 15:42:37

service-analytics_processor      RUNNING   pid 23553, uptime 58 days, 15:42:35

service-dbqueue                  RUNNING   pid 23015, uptime 58 days, 15:42:37

service-msgsender                RUNNING   pid 23032, uptime 58 days, 15:42:37

service-plotter                  RUNNING   pid 23065, uptime 58 days, 15:42:36

service-poller                   RUNNING   pid 23057, uptime 58 days, 15:42:36

service-szrupdater               RUNNING   pid 32120, uptime 58 days, 15:12:02

zmq_service                      RUNNING   pid 23631, uptime 58 days, 15:42:34

When I run netstat on the Scalr server I see both port 80 and 443 serving up requests

# netstat -tupan |grep LISTEN

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      3155/httpd      

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      965/sshd        

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      3155/httpd      

tcp        0      0 127.0.0.1:6270          0.0.0.0:*               LISTEN      3155/httpd      

tcp        0      0 127.0.0.1:6271          0.0.0.0:*               LISTEN      3155/httpd      

tcp        0      0 127.0.0.1:6272          0.0.0.0:*               LISTEN      23191/python    

tcp        0      0 127.0.0.1:6280          0.0.0.0:*               LISTEN      8357/mysqld     

tcp        0      0 127.0.0.1:6281          0.0.0.0:*               LISTEN      23591/memcached

I wonder what happens when you try netcat or nc (depends on your OS).  Try this from you Scalr Server:

# nc -vv localhost 80

Connection to localhost 80 port [tcp/http] succeeded!

or maybe try curl.  My Curl command returns a document with the <title>Scalr CMP</title>

curl http://localhost

curl -k https://localhost 

You may want to look at the log files:

/opt/scalr-server/var/log/httpd

Hope this helps.

[Marc O'Brien]

Hi Himanshu,

All of Jay's noted points are valid and worth testing.  Additionally, please ensure that you have followed all of the basic installation guide including the steps to manually run the wizard with "sudo /opt/scalr-server/bin/scalr-server-wizard " as well as reconfigure as Jay noted.  Once this has been completed, and scalr-server-manage shows all Scalr services as running, you should be able to successfully access the login page for your installation.  Let us know if troubles persist.

Many thanks,
Wm. Marc O'Brien
Scalr Technical Support

[himanshu jain]

Thanks for taking time Jay & Marc!!

Here is the information:

Netstat print showing listening on 80:

[root@localhost ~]#

[root@localhost ~]# netstat -nap | grep 80

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5268/httpd

However while I tried telnetting in local host itself, I can see two different printouts:

[root@localhost ~]# telnet localhost 80 --refusing here

Trying ::1...

telnet: connect to address ::1: Connection refused

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

q

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>403 Forbidden</title>

</head><body>

<h1>Forbidden</h1>

<p>You don't have permission to access /

on this server.<br />

</p>

</body></html>

Connection closed by foreign host.

[root@localhost ~]# telnet 10.14.34.91 80   --Connecting here

Trying 10.14.34.91...

Connected to 10.14.34.91.

Escape character is '^]'.

Nmap from the localhost looks like:

[root@localhost ~]# nmap localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-14 21:45 IST

Nmap scan report for localhost (127.0.0.1)

Host is up (0.0000050s latency).

Other addresses for localhost (not scanned): 127.0.0.1

Not shown: 997 closed ports

PORT   STATE SERVICE

22/tcp open  ssh

25/tcp open  smtp

80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

[root@localhost ~]#

 

Whereas from the neighboring server in same subnet it looks like (No port 80)

[root@TEST_ZABBIX_1 ~]# nmap 10.xx.xx.xx

Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-14 21:50 IST

Nmap scan report for 10.xx.xx.xx

Host is up (0.00079s latency).

Not shown: 999 filtered ports

PORT   STATE SERVICE

22/tcp open  ssh

MAC Address: E6:D8:88:3D:C9:F1 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds

[root@TEST_ZABBIX_1 ~]#

NC print shows like this:

[root@localhost ~]# nc -vv localhost 80

Ncat: Version 6.40 ( http://nmap.org/ncat )

libnsock nsi_new2(): nsi_new (IOD #1)

libnsock nsock_connect_tcp(): TCP connection requested to ::1:80 (IOD #1) EID 8

libnsock nsock_trace_handler_callback(): Callback: CONNECT ERROR [Connection refused (111)] for EID 8 [::1:80]

Ncat: Connection to ::1 failed: Connection refused.

Ncat: Trying next address...

libnsock nsock_connect_tcp(): TCP connection requested to 127.0.0.1:80 (IOD #1) EID 16

libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 16 [127.0.0.1:80]

Ncat: Connected to 127.0.0.1:80.

libnsock nsi_new2(): nsi_new (IOD #2)

libnsock nsock_read(): Read request from IOD #1 [127.0.0.1:80] (timeout: -1ms) EID 26

libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 34

^Z

[1]+  Stopped                 nc -vv localhost 80

[root@localhost ~]# nc -vv 10.xx.xx.xx 80

Ncat: Version 6.40 ( http://nmap.org/ncat )

libnsock nsi_new2(): nsi_new (IOD #1)

libnsock nsock_connect_tcp(): TCP connection requested to 10.14.34.91:80 (IOD #1) EID 8

libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [10.14.34.91:80]

Ncat: Connected to 10.14.34.91:80.

libnsock nsi_new2(): nsi_new (IOD #2)

libnsock nsock_read(): Read request from IOD #1 [10.14.34.91:80] (timeout: -1ms) EID 18

libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26

My OS is CentOS 7.0

Below are the other details (staus of other services and version)

[root@localhost bin]# ./scalr-server-manage

crond                            RUNNING   pid 17836, uptime 6:11:57

httpd                            RUNNING   pid 5268, uptime 3:43:27

memcached                        RUNNING   pid 17835, uptime 6:11:57

mysql                            RUNNING   pid 17833, uptime 6:11:57

rrd                              RUNNING   pid 17827, uptime 6:11:57

service-analytics_poller         RUNNING   pid 17829, uptime 6:11:57

service-analytics_processor      RUNNING   pid 17834, uptime 6:11:57

service-dbqueue                  RUNNING   pid 17826, uptime 6:11:57

service-msgsender                RUNNING   pid 17828, uptime 6:11:57

service-plotter                  RUNNING   pid 17832, uptime 6:11:57

service-poller                   RUNNING   pid 17831, uptime 6:11:57

service-szrupdater               RUNNING   pid 17830, uptime 6:11:57

zmq_service                      RUNNING   pid 17837, uptime 6:11:57

supervisor> help

default commands (type help <topic>):

=====================================

add    clear  fg        open  quit    remove  restart   start   stop  update

avail  exit   maintail  pid   reload  reread  shutdown  status  tail  version

supervisor> version

3.1.3

supervisor>

I did follow the instruction as provided on the site.

Thanks & Regards,

Himanshu Jain

[Jay Farschman]

Himanshu,

I'm not a CentOS 7 user, I use Ubuntu, but you may want to let Chef have another try at the configuration.

scalr-server-wizard

scalr-server-ctl reconfigure

I think some where, if you scroll back far enough you'll see me struggling with a similar issue that I solved letting Chef run again. It's funny, I try all kinds of things, then it's resolved with a couple of simple commands.

[hj jain]

Hi Jay,

I did that already, however i will give try with https schema and update you if any change.

Thanks & Regards,
Himanshu Jain

---

From: Jay Farschman
Sent: ‎14-‎09-‎2016 22:13
To: scalr-discuss
Subject: Re: Issue with Scalr UI Access from different server

--
You received this message because you are subscribed to a topic in the Google Groups "scalr-discuss" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/scalr-discuss/AYYDMy5lE2E/unsubscribe.
To unsubscribe from this group and all its topics, send an email to scalr-discus...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[himanshu jain]

On Wednesday, September 14, 2016 at 4:21:43 PM UTC+5:30, himanshu jain wrote:

[himanshu jain]

I think I found the issue,

While I was rerunning the chef recipes I could see service iptables to be enabled which acts as firewall in the linux server. I stopped it and I was able to access the UI. 

Recipe: iptables-ng::manage

  * ruby_block[restart_iptables] action create

  Recipe: <Dynamically Defined Resource>

    * service[iptables] action enable

      - enable service service[iptables]

    * service[iptables] action restart

      - restart service service[iptables]

    * service[ip6tables] action enable

      - enable service service[ip6tables]

    * service[ip6tables] action restart

      - restart service service[ip6tables]

    - execute the ruby block restart_iptables

Running handlers:

Running handlers complete

Chef Client finished, 57/103 resources updated in 348.309935093 seconds

Thanks & Regards,

Himanshu Jain

On Wednesday, September 14, 2016 at 4:21:43 PM UTC+5:30, himanshu jain wrote:

[Marc O'Brien]

Hi Himanshu,

Yes, you will need to configure the iptables software firewall to allow traffic on the appropriate service ports.  Something like the following will add the accept rule for HTTP traffic over port 80:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Be sure to save the firewall rules after applying changes so that they persist after reboot.  This is assumed to be part of your initial firewall security configuration. 

Typically you will not want to leave the server operating without iptables enabled due to potential security concerns.  Be sure to repeat this process for port 443 if you will be using HTTPS.

Many thanks,
Wm. Marc O'Brien
Scalr Technical Support

[hj jain]

Thanks Marc,

Thats true!! Will set that up.

---

From: Marc O'Brien
Sent: ‎15-‎09-‎2016 20:47

To: scalr-discuss
Subject: Re: Issue with Scalr UI Access from different server