Securing ClusterControl
This guide provides ways to secure your ClusterControl installation.
Firewall and security group
Depending on the deployment options, ClusterControl might disable firewalls to minimize the possibility of failure during cluster deployment. Once the deployment is complete, it is important to secure the ClusterControl node and the database cluster. We recommend isolating the database infrastructure from the public Internet and whitelisting only the known hosts or networks that need to connect to the database cluster.
ClusterControl requires the ports used by the following services to be open:
- ICMP (echo reply/request)
- SSH (default is 22)
- HTTPS (default is 443)
- MySQL (default is 3306)
- CMON RPC (default is 9500)
- CMON RPC-TLS (default is 9501)
- CMON Events (default is 9510)
- CMON SSH (default is 9511)
- CMON Cloud (default is 9518)
- Streaming port for database backup through netcat/socat (default is 9999)
- ClusterControl Proxy (default is 19501) - For ClusterControl Ops-C
SSH
SSH is critical for ClusterControl. The ClusterControl server must be able to SSH to the other nodes in the cluster without a password, so the database nodes must accept connections on the SSH port configured in the CMON configuration file. The following best practices are recommended:
- Permit very few people in the organization to access the servers. The fewer the better.
- Lock down SSH access so it is not possible to SSH into the nodes from any server other than the ClusterControl server.
- Lock down the ClusterControl server so that it is not possible to SSH into it directly from the outside world.
File permission
CMON configuration and log files contain sensitive information, e.g. mysql_password or sudo, where the user’s password is stored. Ensure that the CMON configuration files, e.g. /etc/cmon.cnf and /etc/cmon.d/cmon_{clusterid}.cnf (if it exists), have permission 700, that the CMON log files, e.g. /var/log/cmon.log and /var/log/cmon_{clusterid}.log, have permission 740, and that both are owned by root.
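The following audit script is an added example, not part of ClusterControl. It checks the files named above against the 700 and 740 modes and root ownership. The helper names check_file and audit_cmon_files are hypothetical, GNU stat is assumed, and a mode stricter than the stated one (for example 600) is treated as passing.

```shell
#!/bin/sh
# Added example: audit CMON config and log file permissions.
# Assumes GNU stat (Linux). Function names are hypothetical helpers.

# check_file PATH MAX_MODE OWNER
# Returns 0 if PATH is absent, or is owned by OWNER and carries no
# permission bits beyond MAX_MODE. Prints one FAIL line per finding.
check_file() {
    path=$1 max=$2 owner=$3
    [ -e "$path" ] || return 0            # per-cluster files are optional
    set -- $(stat -c '%a %U' "$path")     # e.g. "644 root"
    mode=$1 actual_owner=$2
    status=0
    # Octal arithmetic: any bit set in mode but not in max is excess access.
    if [ $(( 0$mode & ~0$max & 07777 )) -ne 0 ]; then
        echo "FAIL $path: mode $mode is more permissive than $max"
        status=1
    fi
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL $path: owner is $actual_owner, expected $owner"
        status=1
    fi
    return $status
}

# audit_cmon_files [ROOT_PREFIX] [OWNER]
# ROOT_PREFIX lets the audit run against a mounted image or a test tree;
# it defaults to the live filesystem. OWNER defaults to root.
audit_cmon_files() {
    root=${1:-} want_owner=${2:-root} rc=0
    for f in "$root"/etc/cmon.cnf "$root"/etc/cmon.d/cmon_*.cnf; do
        check_file "$f" 700 "$want_owner" || rc=1
    done
    for f in "$root"/var/log/cmon.log "$root"/var/log/cmon_*.log; do
        check_file "$f" 740 "$want_owner" || rc=1
    done
    return $rc
}
```

Source the file and run `audit_cmon_files` as root on the ClusterControl node; a non-zero return means at least one file needs chmod or chown.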
HTTPS
By default, the installation script installs and configures a self-signed certificate for the ClusterControl GUI. You can access it by pointing your browser to https://{ClusterControl_host}/. If you would like to use a properly signed SSL certificate, replace the tls_cert and tls_key paths inside /usr/share/ccmgr/ccmgr.yaml and restart the ClusterControl Proxy service. For details, see ClusterControl Proxy → Configure Custom SSL Certificates.