9.10. Configuring Required Services on Node Hosts

Node hosts must run a number of services to provide application developers with the full range of features and functionality that the product offers.
The sshd daemon is required to provide access to Git repositories, and the node host must also allow HTTP and HTTPS connections to the applications running within gears on the node host. The openshift-node-web-proxy daemon is required for WebSockets usage, which also requires that ports 8000 and 8443 be opened.
Further configuration steps are described in the following sections.
Run the following commands to correctly configure the firewall and ensure the required services start when the node boots:
# lokkit --nostart --service=ssh
# lokkit --nostart --service=https
# lokkit --nostart --service=http
# lokkit --nostart --port=8000:tcp
# lokkit --nostart --port=8443:tcp
# chkconfig httpd on
# chkconfig network on
# chkconfig ntpd on
# chkconfig sshd on
# chkconfig oddjobd on
# chkconfig openshift-node-web-proxy on

Note

If you use the kickstart or bash script, the enable_services_on_node function performs these steps.

9.10.1. Configuring PAM

OpenShift Enterprise uses a custom PAM configuration to restrict users who connect to gears using SSH. Only gear login accounts are polyinstantiated; other local users are unaffected.
Run the following commands on the node host (Host 2) to configure PAM:
# sed -i -e 's|pam_selinux|pam_openshift|g' /etc/pam.d/sshd
# for f in "runuser" "runuser-l" "sshd" "su" "system-auth-ac"
do 
	t="/etc/pam.d/$f"
	if ! grep -q "pam_namespace.so" "$t"

	then 
		printf 'session\t\t[default=1 success=ignore]\tpam_succeed_if.so quiet shell = /usr/bin/oo-trap-user\n' >> "$t"
		printf 'session\t\trequired\tpam_namespace.so no_unmount_on_close\n' >> "$t"
	fi
done
Configure the polyinstantiation settings on the node host (Host 2):
# printf '/tmp $HOME/.tmp/ user:iscript=/usr/sbin/oo-namespace-init root,adm\n' > /etc/security/namespace.d/tmp.conf
 printf '/dev/shm tmpfs tmpfs:mntopts=size=5M:iscript=/usr/sbin/oo-namespace-init root,adm\n' > /etc/security/namespace.d/shm.conf
Ultimately, the content for these configuration files should look similar to the following:
# cat /etc/security/namespace.d/tmp.conf
/tmp	$HOME/.tmp/	user:iscript=/usr/sbin/oo-namespace-init root,adm

# cat /etc/security/namespace.d/shm.conf
/dev/shm tmpfs tmpfs:mntopts=size=5M:iscript=/usr/sbin/oo-namespace-init root,adm

Note

If you use the kickstart or bash script, the configure_pam_on_node function performs these steps.