How to set JGroups ports for protocols in EAP 7.1 ?

Solution Verified - Updated -

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.1+

Issue

  • I need to configure IPTABLES or a Firewall for an EAP cluster, what are the required JGroups ports ?
  • I see a WARN message if a ha profile is started in EAP 7.1, if the JGroups subsystem is configured like we have in EAP6 as below :
WFLYCTL0028: Attribute 'socket-binding' in the resource at address '/subsystem=jgroups/stack=udp/protocol=FD_SOCK' is deprecated, and may be removed in future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
  • Legacy versions configure the FD_SOCK protocol ports by a socket-binding like followed, but this is not working with EAP 7.1
  <protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
  ...
   <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
       ...
        <socket-binding name="jgroups-udp-fd" interface="private" port="54200"/>

Resolution

  • All protocols will bind to the same interface as the transport. Ports are selected randomly.
  • To have fixed ports properties can be set to use a specific range as below :
<protocol type="FD_SOCK">
  <property name="client_bind_port">50100</property>
  <property name="start_port">50000</property>
  <property name="port_range">0</property>
</protocol>
  • That means the above config uses 50100 to listen to socket connections from remote nodes and 50000 to establish connections to remote nodes.
  • If you have multiple instances at the same machine you need to have a port_range > 0 to allow it, the range is 0 by default.
  • Note that client_bind_port is rarely configured. It is only needed if a firewall filters based on client IP, which is not a widely used firewall configuration.

Root Cause

  • There are no longer socket-bindings needed for the FD_SOCK protocol. The ports are selected randomly and the former socket-binding was only used to choose the interface.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments