
[IDDBrasil #FOI-513125]: Fwd: INPE access authorization



Hi Waldenio,

re:
> Here at CPTEC/INPE we have 2 machines working as "top-relays":
> idd.cptec.inpe.br and tigge-ldm.cptec.inpe.br
> These machines receive data from US and redistribute them to
> South-American users.
> 
> For simplicity, it seems that the entire domain "cptec.inpe.br" has been
> authorized on idd.unidata LDM server.

Correct.

re:
> This always worked well, but now it started to cause some issues...
> 
> As the number of LDM/GEMPAK users increases in CPTEC, now we have
> "random" LDM servers being installed in CPTEC that are requesting data
> directly from idd.unidata. This is an unwanted and unneeded thing,
> because these "internal users" should get LDM data directly in our
> internal LDM cluster.

We agree completely.

re:
> This overloads our external network and may be causing issues on the IDD
> statistics reporting.
> 
> Please, could the "cptec.inpe.br" authorization be removed, keeping
> authorization only for a limited number of servers?
> The first 2 are the "official ones", and the others are failover options,
> just in case.
> 
> idd.cptec.inpe.br
> tigge-ldm.cptec.inpe.br
> clusterpre.cptec.inpe.br
> mopora.cptec.inpe.br
> teju5.cptec.inpe.br

We can do this, but the real solution is an implementation of a policy
in CPTEC that requires LDM configurations to request from your toplevel
relays.  I say this because someone at CPTEC must be adding the REQUEST(s)
to the ~ldm/etc/ldmd.conf file for new installations there -- new LDM
installations have _no_ REQUEST(s) included by default.

The change you are requesting will not take place immediately.  I
will modify the ldmd.conf file that is used by all idd.unidata.ucar.edu
cluster nodes today.  The ALLOWs that they contain will take effect
the next time the LDM is restarted on each cluster node.  We do not
like to do this often since there are hundreds of active connections
that are broken on a restart, and, the cluster has to re-balance
the load among active nodes that are acting as real servers.  If restarts
of the cluster nodes are not timed correctly, an imbalance can occur
which, in turn, could result in poorer service to sites REQUESTing
data.  Again, the "real" solution is for CPTEC to implement a policy
that new LDM installations only REQUEST from the CPTEC toplevel relay
machines.

Cheers,

Tom
--
****************************************************************************
Unidata User Support                                    UCAR Unidata Program
(303) 497-8642                                                 P.O. Box 3000
address@hidden                                   Boulder, CO 80307
----------------------------------------------------------------------------
Unidata HomePage                       http://www.unidata.ucar.edu
****************************************************************************


Ticket Details
===================
Ticket ID: FOI-513125
Department: Support IDD Brasil
Priority: Normal
Status: Closed
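
The policy discussed in the message above (internal LDM installations should REQUEST only from the site's own top-level relays) can be checked on each machine by auditing its ldmd.conf. The following is an added example, not part of the original thread or of any Unidata code: it assumes the two "official" relays named in the message are the approved upstreams, and the configuration text is a constructed sample.

```python
import re

# Approved upstreams: the two "official" relays named in the thread (assumed policy).
APPROVED_RELAYS = {"idd.cptec.inpe.br", "tigge-ldm.cptec.inpe.br"}

# Constructed sample of an internal machine's ~ldm/etc/ldmd.conf (not from the thread).
SAMPLE_LDMD_CONF = '''\
# LDM configuration
EXEC    "pqact"
REQUEST IDS|DDPLUS ".*" idd.cptec.inpe.br
REQUEST NEXRAD3 "/p(N0R|N0Q)" IDD.Unidata.UCAR.edu:388
#REQUEST ANY ".*" idd.unidata.ucar.edu
REQUEST CONDUIT "gfs.*[05]$" tigge-ldm.cptec.inpe.br.
'''

# REQUEST <feedtype> <pattern> <host[:port]>; the pattern may be quoted.
# Matching the keyword case-insensitively is a conservative choice made here
# so that a differently-cased entry is not silently skipped by the audit.
REQUEST_RE = re.compile(
    r'^\s*REQUEST\s+(?P<feed>\S+)\s+(?P<pat>"[^"]*"|\S+)\s+(?P<host>\S+)',
    re.IGNORECASE,
)


def upstream_host(field):
    """Drop an optional :port and a trailing dot, and lowercase for comparison."""
    return field.split(":", 1)[0].rstrip(".").lower()


def audit_requests(conf_text, approved=APPROVED_RELAYS):
    """Return (line_no, feedtype, host) for each active REQUEST to a non-approved upstream."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out entries are not active
        m = REQUEST_RE.match(line)
        if m and upstream_host(m["host"]) not in approved:
            findings.append((line_no, m["feed"], upstream_host(m["host"])))
    return findings


if __name__ == "__main__":
    for line_no, feed, host in audit_requests(SAMPLE_LDMD_CONF):
        print(f"line {line_no}: REQUEST {feed} goes to {host}, not an approved relay")
```
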