If you want to run your croit appliance behind a firewall, you need to make sure that communication with the dependent systems can take place.
#croit Management Node towards the User/Admin
All access is done via the HTTP protocol from the storage administrator's browser. Please do not forget that as an administrator you may also want SSH access to the Management Node.
#Encrypted access (preferred):
- Port 443/TCP (TLS, initial self-signed certificate)
- Port 8443/TCP (TLS, initial self-signed certificate) for the Websocket
#Unencrypted access (deprecated):
- Port 8080/TCP
- Port 8088/TCP for the Websocket
#croit Management Node towards the Internet
Our croit node brings a lot of services to make the deployment of Ceph clusters much easier than any other way. This however requires some ports to be opened so that croit can receive all required data from external resources.
Note: Targets can use IPv4 or IPv6 whatever is available.
To install the croit software or to install updates, a connection from the docker service to the repository is required.
- Host hub.docker.com on Port 443/TCP (HTTPS/TLS)
- Host api.croit.io on Port 443/TCP (HTTPS/TLS)
#APT Update Service
We run apt-cacher-ng as an apt proxy service to run software updates on the fly.
- Host ftp.de.debian.org on port 80/TCP (HTTP)
- Host security.debian.org on port 80/TCP (HTTP)
- Host mirror.croit.io on port 80/TCP (HTTP)
#NTP Time Service
To ensure that all nodes have the same time set, our container brings NTPd with it.
- Host 0.debian.pool.ntp.org on port 123/UDP and 123/TCP
- Host 1.debian.pool.ntp.org on port 123/UDP and 123/TCP
- Host 2.debian.pool.ntp.org on port 123/UDP and 123/TCP
- Host 3.debian.pool.ntp.org on port 123/UDP and 123/TCP
Only if you use the integration of LDAP to manage user accounts in croit:
- IP of your LDAP Server usually with port 389/TCP or 636/TCP but strongly depending on your LDAP/AD Server
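As an added example that is not part of the croit documentation or product, the following script emits an nftables egress allowlist for the Management Node built from the hosts and ports listed in this section. The interface names (eth0 towards the internet, eth1 towards the Ceph network) and the LDAP server address 192.0.2.10 are assumptions; adjust them before loading with `nft -f`.

```shell
#!/bin/sh
# Added example: print an nftables ruleset that only allows the outbound
# traffic the croit Management Node needs towards the internet, and logs
# and drops everything else on that interface. Not croit's own code.
WAN_IF="${WAN_IF:-eth0}"          # assumption: interface towards the internet
CEPH_IF="${CEPH_IF:-eth1}"        # assumption: interface towards the Ceph network
LDAP_SERVER="${LDAP_SERVER:-192.0.2.10}"   # placeholder, replace with your LDAP/AD server

croit_mgmt_egress_rules() {
  cat <<EOF
table inet croit_egress {
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    # The docs ask for no firewall between the Management Node and the
    # Ceph cluster, so that interface is left fully open here.
    oif $CEPH_IF accept
    # DNS to the resolvers configured in /config/config.yml
    oif $WAN_IF udp dport 53 accept
    oif $WAN_IF tcp dport 53 accept
    # Container registry (hub.docker.com) and api.croit.io over HTTPS
    oif $WAN_IF tcp dport 443 accept
    # apt-cacher-ng upstream mirrors (ftp.de.debian.org, security.debian.org, mirror.croit.io)
    oif $WAN_IF tcp dport 80 accept
    # NTPd towards the Debian NTP pool
    oif $WAN_IF udp dport 123 accept
    oif $WAN_IF tcp dport 123 accept
    # Optional LDAP/LDAPS integration, pinned to one server
    oif $WAN_IF ip daddr $LDAP_SERVER tcp dport { 389, 636 } accept
    # Everything else leaving the internet interface is logged, then dropped
    oif $WAN_IF log prefix "croit-egress-drop: " counter drop
  }
}
EOF
}

if [ "${1:-}" = "--print" ]; then
  croit_mgmt_egress_rules
fi
```

Run `sh egress.sh --print | nft -c -f -` first to syntax-check the ruleset, then watch the kernel log for `croit-egress-drop:` entries to spot any dependency this page does not list before tightening further.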
#croit Management Node towards the Ceph Network
Please refrain from setting up a firewall on the network interface from the Management Node to the Ceph Cluster. Otherwise, disruptions and problems are to be expected.
Our container comes with a DHCP server for assigning IP addresses. This enables the PXE boot and is therefore of integral importance. Please note that DHCP relies on broadcast traffic, which the firewall must allow.
- IPv4 Port 67/UDP and 68/UDP
- IPv6 Port 546/UDP and 547/UDP
To transfer the first intelligence into the PXE stack, we transfer a small binary blob right at the beginning of the boot process. If this process fails, the croit PXE boot menu will not appear on the server.
- Port 69/UDP
The operating system image and some settings are transferred via HTTP and HTTPS.
- Port 80/TCP
- Port 443/UDP
To change some settings or restart services, we connect to the servers using SSH:
- Port 22/TCP
go-graphite is used as the time series database in which metrics are stored. This port is used for data ingestion:
- Port 23648/UDP
#Log Upload Service
- Port 19531/TCP
#APT Update Service
We configured the apt proxy in /etc/apt/apt.conf.d/01proxy to use:
- Port 3142/UDP
- 443/TCP for RadosGW (RGW) services
- 3300/TCP for the messenger v2 protocol
- 6789/TCP for the messenger v1 protocol
- 6800/TCP to 7300/TCP for OSD services
- 3260/TCP and 3260/UDP
- 137-139/TCP and UDP
#From Ceph Storage Nodes to other services
By default we configure the DNS servers to Google's public DNS resolvers. We strongly recommend changing that in our container config file /config/config.yml and updating the list to point at your own DNS resolver.
- Host 126.96.36.199 on port 53/UDP and 53/TCP
- Host 188.8.131.52 on port 53/UDP and 53/TCP
- Host 2001:4860:4860::8888 on port 53/UDP and 53/TCP
- Host 2001:4860:4860::8844 on port 53/UDP and 53/TCP