Firewalling

If you want to run your croit appliance behind a firewall, you need to make sure that communication with the dependent systems can take place.

#croit Management Node towards the User/Admin

All access is done over HTTP(S) from the storage administrator's browser. Keep in mind that as an administrator you may also want SSH access to the Management Node.

#Encrypted access (preferred)

  • Port 443/TCP (TLS, initial self-signed certificate)
  • Port 8443/TCP (TLS, initial self-signed certificate) for the Websocket

#Unencrypted access (deprecated)

  • Port 8080/TCP
  • Port 8088/TCP for the Websocket

#croit Management Node towards the Internet

The croit node bundles many services that make deploying Ceph clusters much easier. This, however, requires some outbound connections to be allowed so that croit can fetch all required data from external resources.

Note: targets can be reached over IPv4 or IPv6, whichever is available.

#Container Updates

To install the croit software or to install updates, the Docker service needs a connection to the image repository.

  • Host hub.docker.com on Port 443/TCP (HTTPS/TLS)

#Backend Service

  • Host api.croit.io on Port 443/TCP (HTTPS/TLS)

#APT Update Service

We run apt-cacher-ng as an apt proxy so that software updates can be installed on the fly.

  • Host ftp.de.debian.org on port 80/TCP (HTTP)
  • Host security.debian.org on port 80/TCP (HTTP)
  • Host mirror.croit.io on port 80/TCP (HTTP)

#NTP Time Service

To ensure that all nodes have the same time, our container ships with NTPd.

  • Host 0.debian.pool.ntp.org on port 123/UDP and 123/TCP
  • Host 1.debian.pool.ntp.org on port 123/UDP and 123/TCP
  • Host 2.debian.pool.ntp.org on port 123/UDP and 123/TCP
  • Host 3.debian.pool.ntp.org on port 123/UDP and 123/TCP

#LDAP Auth

Only if you use the integration of LDAP to manage user accounts in croit:

  • The IP address of your LDAP server, usually on port 389/TCP or 636/TCP, but this depends entirely on your LDAP/AD server setup
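The two port lists above (admin access and Internet targets) can be turned into a default-deny nftables ruleset for the Management Node's admin/uplink interface. The following script is an added example and not croit's own tooling; the interface name "eth0" and the resolver address 192.0.2.53 are constructed placeholders, and any other interface (such as the one towards the Ceph network) is left unfiltered.

```shell
#!/bin/sh
# Added example, not croit's own tooling: emit an nftables ruleset that
# enforces the Management Node port list on its admin/uplink interface only.
# Any other interface (e.g. towards the Ceph network) stays unfiltered.
# "eth0" and 192.0.2.53 are constructed placeholders.

# nft rejects a hostname that resolves to several addresses, so resolve the
# targets here (IPv4 only, to keep each set uniform) and reload the ruleset
# on a timer, because CDN-backed hosts change addresses.
resolve_v4() {
  getent ahostsv4 "$@" | awk '{ print $1 }' | sort -u | paste -s -d ' '
}

# Render the arguments "a b c" as the nft anonymous set "{ a, b, c }".
nft_set() {
  printf '{ %s }' "$(printf '%s\n' "$@" | paste -s -d ',' | sed 's/,/, /g')"
}

# Usage: gen_mgmt_ruleset IFACE RESOLVER "REGISTRY_IPS" "APT_IPS" "NTP_IPS"
gen_mgmt_ruleset() {
  iface=$1 resolver=$2
  reg=$(nft_set $3) apt=$(nft_set $4) ntp=$(nft_set $5)
  cat <<EOF
table inet croit_mgmt {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname != "$iface" accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request accept
    icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    # admin browser (TLS + websocket) and SSH; the deprecated plaintext ports stay closed
    tcp dport { 22, 443, 8443 } accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oifname != "$iface" accept
    ct state established,related accept
    ip daddr $resolver udp dport 53 accept
    ip daddr $resolver tcp dport 53 accept
    ip daddr $reg tcp dport 443 accept
    ip daddr $apt tcp dport 80 accept
    ip daddr $ntp udp dport 123 accept
    ip daddr $ntp tcp dport 123 accept
  }
}
EOF
}
```

To load it, pass the resolved address lists, e.g. `gen_mgmt_ruleset eth0 192.0.2.53 "$(resolve_v4 hub.docker.com api.croit.io)" "$(resolve_v4 ftp.de.debian.org security.debian.org mirror.croit.io)" "$(resolve_v4 0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org)" | nft -f -`. If LDAP authentication is in use, add an output rule for your LDAP server and port as well.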

#croit Management Node towards the Ceph Network

Please refrain from setting up a firewall on the network interface from the Management Node to the Ceph Cluster. Otherwise, disruptions and problems are to be expected.

#DHCP Service

Our container comes with a DHCP server for assigning IP addresses. It enables PXE boot and is therefore essential. Note that DHCP relies on broadcast traffic, so the protocol-specific broadcast requirements must be met.

  • IPv4 Port 67/UDP and 68/UDP
  • IPv6 Port 546/UDP and 547/UDP

#TFTP Service

To bootstrap the PXE stack, a small binary blob is transferred right at the beginning of the boot process. If this transfer fails, the croit PXE boot menu will not appear on the server.

  • Port 69/UDP

#Backend Service

The operating system image and some settings are transferred via HTTP and HTTPS.

  • Port 80/TCP
  • Port 443/UDP

#SSH Service

To change some settings or restart services, we connect to the servers via SSH.

  • Port 22/TCP

#Graphite Service

go-graphite is used as the time series database in which metrics are stored; this port is used for data ingestion.

  • Port 23648/UDP

#Log Upload Service

To provide a centralized log view, we use systemd-journald-remote and systemd-journald-upload.

  • Port 19531/TCP

#APT Update Service

The apt proxy configured in /etc/apt/apt.conf.d/01proxy uses

  • Port 3142/UDP

#Ceph Services

  • 443/TCP for RadosGW (RGW) services
  • 3300/TCP for the messenger v2 protocol
  • 6789/TCP for the messenger v1 protocol
  • 6800/TCP to 7300/TCP for OSD services

#iSCSI Services

  • 3260/TCP and 3260/UDP

#SMB Services

  • 137-139/TCP and UDP
  • 445/TCP

#From Ceph Storage Nodes to other services

#DNS Service

By default, the DNS servers are set to the Google Public DNS resolvers. We strongly recommend changing this in the container config file /config/config.yml and pointing the list at your own DNS resolvers.

  • Host 8.8.8.8 on port 53/UDP and 53/TCP
  • Host 8.8.4.4 on port 53/UDP and 53/TCP
  • Host 2001:4860:4860::8888 on port 53/UDP and 53/TCP
  • Host 2001:4860:4860::8844 on port 53/UDP and 53/TCP