Nifi Site To Site Input port not seen by RPG

New Contributor

Hello,

  I've looked everywhere and can't seem to find any posts about resolving this issue. I set this same type of config in Google Cloud and it works fine. However, something is wrong with our configuration in our environment and I can't seem to figure it out but I think it's some type of bug.
Any suggestions are appreciated.
 
Here's the scenario:
Overview: 
  We have a nifi cluster (2 nodes), we have enabled all of the Site-to-Site settings on both nifi nodes.
 
# Site to Site properties
nifi.remote.input.host=abcd
nifi.remote.input.secure=false
nifi.remote.input.socket.port=1234
nifi.remote.input.http.enabled=true
nifi.remote.input.http.transaction.ttl=30 sec
nifi.remote.contents.cache.expiration=30 secs
 
However, the minifi-app.log keeps getting the following errors when we try to start the flow.
2020-12-14 19:19:19,595 INFO [main] o.apache.nifi.controller.FlowController Not enabling RAW Socket Site-to-Site functionality because nifi.remote.input.socket.port is not set
2020-12-14 19:19:19,595 INFO [main] o.apache.nifi.controller.FlowController Not enabling HTTP(S) Site-to-Site functionality because the 'nifi.remote.input.http.enabled' property is not true
 
However, if I look at the RPG in Nifi, it doesn't show any error saying that the site "is not configured for site to site communication". If I change the nifi.remote.input.socket.port to 'ABC', then the RPG in the Nifi UI shows the error message "not configured for site to site". Therefore, it seems as though Nifi knows it is configured for site to site but minifi doesn't believe so. I am seeing some communication between Minifi and Nifi via the nifi-api but nothing for site to site.
Therefore, the main question is what would make minifi not recognize that the nifi RPG is configured for RAW site to site communication?
 
Another odd issue on the Nifi side is that when I create an RPG and an Input port and then I try to connect a GenerateFlowFile processor to the RPG, I get an error stating that "no input ports are available". We have 2 other environments plus my GCP environment that does not get that error when I do the exact same thing.
We have gone over the Nifi node settings to try to ensure that clustering is setup properly and we think it looks good and other process groups are working fine (that don't use RPG's).
We've restarted the nifi services multiple times.
Another note is that we have the Java Minifi 0.5.0 running on Windows and the Nifi nodes are Linux.
 
Please let me know if I can provide any other information.
2 ACCEPTED SOLUTIONS

Master Mentor

@Lyoung 

 

The NiFi client (NiFi or MiNiFi instance running the Remote Process Group (RPG)) has no control over the connection with the server (NiFi configured with Remote Input or Output ports).

The RPG is provided with an http or https address of one or more target NiFi nodes in a NiFi cluster.
A background thread connects to that target NiFi to fetch Site-To-Site (S2S) details. If the target is https enabled, a mutual TLS handshake will happen. This means the client must have a keystore and truststore configured in the nifi.properties (NiFi) or config.yaml (MiNiFi) that can successfully be used to mutually authenticate with the target NiFi server.

The server side NiFi must have the properties you listed configured:
nifi.remote.input.host=<must be set to hostname of NiFi on which you are configuring this property. This is the hostname returned to client in the S2S details. Be careful that whatever you set here does not resolve to localhost.>
nifi.remote.input.secure=false (this tells client if connection is secure or unsecure. If false, the "nifi.web.http.port" property must be set and the URL used in the RPG must be "http://<target nifi>:<http port>/nifii". If set to true, the "nifi.web.https.port" property must be set and the URL used in the RPG must be "https://<target nifi>:<https port>/nifii")
nifi.remote.input.socket.port=<This is the RAW port that will be used to actually send or receive the FlowFiles from remote Input or Output ports on target NiFi node(s). If this property is not set on the target NiFi node(s), RAW transport protocol will not be supported. (S2S details are always fetched over HTTP)>
nifi.remote.input.http.enabled=true <This property states whether the "http" transport protocol can be used for sending the FlowFiles.>
nifi.remote.input.http.transaction.ttl=30 sec
nifi.remote.contents.cache.expiration=30 secs

 

Based on the log output shared it sounds like above properties were not set on the Target NiFi node(s). Did you set them on client NiFi (NiFi actually running the RPG)?

In addition to the Target NiFi S2S details above for each target NiFi node being returned to client, the details will also include the FlowFile load on each node, Remote input ports that client has been authorized to use, and Remote Output ports that the client has been authorized to use.  If the target server side NiFi node(s) are unsecured then there will be no authorization set for ports, all clients would have access to all remote input/output ports.

Also keep in mind that any changes to NiFi's/MiNiFi's configuration files would require a restart of the service before they would be applied.

Aside from above, I would need to see screenshots and nifi.properties/config.yaml configs of both your  client and server side of this S2S connection to help further.

Hope this helps,

Matt

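The server-side rules listed in the answer above can be checked mechanically before restarting a node. The following is an added example, not part of the original thread and not NiFi project code: it parses a nifi.properties text and reports findings using only the rules as stated in the answer. The sample values, the function names and the severity labels are assumptions made for illustration, and a hostname is only checked for literal loopback values (no DNS lookup).

```python
import ipaddress

# Constructed sample for illustration, not taken from a real deployment.
SAMPLE = """# Site to Site properties
nifi.web.http.port=8080
nifi.remote.input.host=localhost
nifi.remote.input.secure=false
nifi.remote.input.socket.port=ABC
nifi.remote.input.http.enabled=true
"""

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def is_loopback(host):
    """True for 'localhost' or a loopback IP literal; hostnames are not resolved."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def check_s2s(props):
    """Return (severity, message) findings for the target node's S2S settings."""
    findings = []
    host = props.get("nifi.remote.input.host", "")
    if not host:
        findings.append(("error", "nifi.remote.input.host is not set"))
    elif is_loopback(host):
        findings.append(("error", "nifi.remote.input.host points at localhost"))
    port = props.get("nifi.remote.input.socket.port", "")
    raw_ok = port.isdigit() and 0 < int(port) < 65536
    if not raw_ok:
        findings.append(("warn", "RAW transport unavailable: socket port unset or invalid"))
    http_ok = props.get("nifi.remote.input.http.enabled", "").lower() == "true"
    if not raw_ok and not http_ok:
        findings.append(("error", "no S2S transport protocol is enabled"))
    secure = props.get("nifi.remote.input.secure", "").lower() == "true"
    web_key = "nifi.web.https.port" if secure else "nifi.web.http.port"
    if not props.get(web_key):
        findings.append(("error", web_key + " must be set for this secure setting"))
    if not secure:
        findings.append(("warn", "unsecured S2S: all clients can use all remote ports"))
    return findings

if __name__ == "__main__":
    for severity, message in check_s2s(parse_properties(SAMPLE)):
        print(severity.upper(), message)
```

Run it against the nifi.properties of each target node, since the settings are per node and a change only takes effect after a restart.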

New Contributor

Hi Matt,

  Thank you for the details. Let me go over your reply and the settings one more time and get back to you. Thanks again.

 

Lee
