This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Configure the network

This group of steps involve configuring the network.

1: Reserved ports
2: Firewall considerations

This group of steps involve configuring the network. These steps differ depending on your installation scenario. A single node installation requires little network configuration, because the single instance of the Vertica server does not need to communication with other nodes in a cluster. For cluster install scenarios, you must make several decisions regarding your configuration.

Vertica supports server configuration with multiple network interfaces. For example, you might want to use one as a private network interface for internal communication among cluster hosts (the ones supplied via the --hosts option to install_vertica) and a separate one for client connections.

Important

Vertica performs best when all nodes are on the same subnet and have the same broadcast address for one or more interfaces. A cluster that has nodes on more than one subnet can experience lower performance due to the network latency associated with a multi-subnet system at high network utilization levels.

Important notes

Network configuration is exactly the same for single nodes as for multi-node clusters, with one special exception. If you install Vertica on a single host machine that is to remain a permanent single-node configuration (such as for development or Proof of Concept), you can install Vertica using localhost or the loopback IP (typically 127.0.0.1) as the value for --hosts. Do not use the hostname localhost in a node definition if you are likely to add nodes to the configuration later.
If you are using a host with multiple network interfaces, configure Vertica to use the address which is assigned to the NIC that is connected to the other cluster hosts.
Use a dedicated gigabit switch. If you do not performance could be severely affected.
Do not use DHCP dynamically-assigned IP addresses for the private network. Use only static addresses or permanently-leased DHCP addresses.

Choose IPv4 or IPv6 addresses for host identification and communications

Vertica supports using either IPv4 or IPv6 IP addresses for identifying the hosts in a database cluster. Vertica uses a single address to identify a host in the database cluster. All the IP addresses used to identify hosts in the cluster must use the same IP family.

The hosts in your database cluster can have both IPv4 and IPv6 network addresses assigned to them. Only one of these addresses is used to identify the node within the cluster. You can use the other addresses to handle client connections or connections to other systems.

You tell Vertica which address family to use when you install it. By default, Vertica uses IPv4 addresses for hosts. If you want the nodes in your database to use IPv6 addresses, add the --ipv6 option to the arguments you pass to the install_vertica script.

Note

You cannot change the address family a database cluster uses after you create it. For example, suppose you created a Vertica database using IPv4 addresses to identify the hosts in your cluster. Then you cannot later change the hosts to use an IPv6 address for internal communications.

In most cases, the address family you select does not impact how your database functions. However, there are a few exceptions:

Use IPv4 addresses to identify the nodes in your cluster if you want to use the Management Console to manage your database. Currently, the MC does not support databases that use IPv6 addresses.
If you select IPv6 addressing for your cluster, it automatically uses point-to-point networking mode.
Currently, AWS is the only cloud platform on which Vertica supports IPv6 addressing. To use IPv6 on AWS, you must identify cluster hosts using IP addresses instead of host names. The AWS DNS does not support resolving host names to IPv6.
If you only assign IPv6 addresses to the hosts in your database cluster, you may have problems interfacing to other systems that do not support IPv6.

Part of the information you pass to the install script is the list of hosts it will use to form the Vertica cluster. If you use host names in this list instead of IP addresses, ensure that the host names resolve to the IP address family you want to use for your cluster. For example, if you want your cluster to use IPv6 addresses, ensure your DNS or /etc/hosts file resolves the host names to IPv6 addresses.

You can configure DNS to return both IPv4 and IPv6 addresses for a host name. In this case, the installer uses the IPv4 address unless you supply the --ipv6 argument. If you use /etc/hosts for host name resolution (which is the best practice), host names cannot resolve to both IPv4 and IPv6 addresses.

Optionally run spread on a separate control network

If your query workloads are network intensive, you can use the --control-network parameter with the install_vertica script (see Install Vertica with the installation script) to allow spread communications to be configured on a subnet that is different from other Vertica data communications.

The --control-network parameter accepts either the default value or a broadcast network IP address (for example, 192.168.10.255 ).

Configure SSH

Verify that root can use Secure Shell (SSH) to log in (ssh) to all hosts that are included in the cluster. SSH (SSH client) is a program for logging into a remote machine and for running commands on a remote machine.
If you do not already have SSH installed on all hosts, log in as root on each host and install it before installing Vertica. You can download a free version of the SSH connectivity tools from OpenSSH.
Make sure that /dev/pts is mounted. Installing Vertica on a host that is missing the mount point /dev/pts could result in the following error when you create a database:

TIMEOUT ERROR: Could not login with SSH. Here is what SSH said:Last login: Sat Dec 15 18:05:35 2007 from v_vmart_node0001

Allow passwordless SSH access for the dbadmin user

The dbadmin user must be authorized for passwordless ssh. In typical installs, you won't need to change anything; however, if you set up your system to disallow passwordless login, you'll need to enable it for the dbadmin user. See Enable secure shell (SSH) logins.

1 - Reserved ports

The install_vertica script checks that required ports are open and available to Vertica. The installer reports any issues with identifier N0020.

You can also verify that ports required by Vertica are not in use by running the following command as the root user and comparing it with the ports required, as shown below:

$ ss -atupn

Firewall requirements

Vertica requires several ports to be open on the local network. Vertica does not recommend placing a firewall between nodes (all nodes should be behind a firewall), but if you must use a firewall between nodes, ensure the following ports are available:

Port	Protocol	Service	Notes
22	TCP	sshd	Required by Administration tools and the Management Console Cluster Installation wizard.
4803	TCP	Spread	Client connections
4803	UDP	Spread	Daemon-to-daemon connections
4804	UDP	Spread	Daemon-to-daemon connections
5433	TCP	Vertica	Vertica clients (vsql, ODBC, JDBC, etc)
5433	UDP	Vertica	Vertica Spread monitoring and MC cluster import
5434	TCP	Vertica	Intra- and inter-cluster communication. Vertica opens the Vertica client port +1 (5434 by default) for intra-cluster communication, such as during a plan. If the port +1 from the default client port is not available, then Vertica opens a random port for intra-cluster communication.
5444	TCP	Vertica Management Console	MC-to-node and node-to-node (agent) communications port. See Changing MC or agent ports.
5450	TCP	Vertica Management Console	Port used to connect to MC from a web browser and allows communication from nodes to the MC application/web server. See Connecting to Management Console.
5554	TCP	Node Management Agent	Node Management Agent
6543	UDP	Spread	Monitor-to-daemon connection
8443	TCP	HTTPS	HTTPS service. To change the port, use HTTPServerPortOffset.

2 - Firewall considerations

Vertica requires multiple ports be open between nodes.

Vertica requires multiple ports be open between nodes. You may use a firewall (IP Tables) on Redhat/CentOS and Ubuntu/Debian based systems. Note that firewall use is not supported on SuSE systems and that SuSE systems must disable the firewall. The installer reports issues found with your IP tables configuration with the identifiers N0010 for (systems that use IP Tables) and N011 (for SuSE systems).

The installer checks the IP tables configuration and issues a warning if there are any configured rules or chains. The installer does not detect if the configuration may conflict with Vertica. It is your responsibility to verify that your firewall allows traffic for Vertica as described in Reserved ports.

Note

The installer does not check NAT entries in iptables.

You can modify your firewall to allow for Vertica network traffic, or you can disable the firewall if your network is secure. Note that firewalls are not supported for Vertica systems running on SuSE.

Important

You may encounter the N0010 issue even when the firewall is disabled. If this occurs, you can workaround this issue and install Vertica by ignoring installer WARN messages. To do this, install (or update) with a failure threshold of FAIL. For example, /opt/vertica/sbin/install_vertica --failure-threshold FAIL <other install options...>.

Red Hat and CentOS systems:

To disable the system firewall, run the following command as root or sudo:

# systemctl mask firewalld
# systemctl disable firewalld
# systemctl stop firewalld

Ubuntu and Debian systems

For details on how to configure iptables and allow specific ports to be open, see the platform-specific documentation for your platform:

Debian: https://wiki.debian.org/iptables
Ubuntu: https://help.ubuntu.com/12.04/serverguide/firewall.html.

Note

Ubuntu uses the ufw program to manage iptables.

To disable iptables on Debian, run the following command as root or sudo:


$ /etc/init.d/iptables stop

$ update-rc.d -f iptables remove

To disable iptables on Ubuntu, run the following command:

$ sudo ufw disable

SuSE systems

The firewall must be disabled on SUSE systems. To disable the firewall on SuSE systems, run the following command:

# /sbin/SuSEfirewall2 off