If you want to run your croit appliance behind a firewall, you need to make sure that communication with the dependent systems can take place.
CROIT MANAGEMENT NODE TOWARDS THE USER/ADMIN
All access is done over HTTP from the storage administrator's browser. Do not forget that, as an administrator, you may also want SSH access to the Management Node.
ENCRYPTED ACCESS (PREFERRED):
- Port 443/TCP (TLS, initial self-signed certificate)
- Port 8443/TCP (TLS, initial self-signed certificate) for the Websocket
UNENCRYPTED ACCESS (DEPRECATED):
- Port 8080/TCP
- Port 8088/TCP for the Websocket
CROIT MANAGEMENT NODE TOWARDS THE INTERNET
The croit Management Node bundles many services that make deploying Ceph clusters considerably easier. This, however, requires some outbound ports to be opened so that croit can fetch the data it needs from external resources.
Note: Targets may be reached over IPv4 or IPv6, whichever is available.
CONTAINER UPDATES
To install the croit software or to install updates, the Docker service needs a connection to the image repository.
- Host hub.docker.com on Port 443/TCP (HTTPS/TLS)
BACKEND SERVICE
- Host api.croit.io on Port 443/TCP (HTTPS/TLS)
APT UPDATE SERVICE
We run apt-cacher-ng as an apt proxy so that software updates can be installed on the fly.
- Host ftp.de.debian.org on port 80/TCP (HTTP)
- Host security.debian.org on port 80/TCP (HTTP)
- Host mirror.croit.io on port 80/TCP (HTTP)
NTP TIME SERVICE
To ensure that all nodes share the same time, our container ships with ntpd.
- Host 0.debian.pool.ntp.org on port 123/UDP and 123/TCP
- Host 1.debian.pool.ntp.org on port 123/UDP and 123/TCP
- Host 2.debian.pool.ntp.org on port 123/UDP and 123/TCP
- Host 3.debian.pool.ntp.org on port 123/UDP and 123/TCP
LDAP AUTH
Only if you use the LDAP integration to manage user accounts in croit:
- The IP of your LDAP server, usually on port 389/TCP or 636/TCP, but this depends heavily on your LDAP/AD server configuration
CROIT MANAGEMENT NODE TOWARDS THE CEPH NETWORK
Please refrain from setting up a firewall on the network interface from the Management Node to the Ceph Cluster. Otherwise, disruptions and problems are to be expected.
DHCP SERVICE
Our container comes with a DHCP server for assigning IP addresses. It enables PXE boot and is therefore essential. Note that DHCP depends on broadcast traffic, which the firewall must not block.
- IPv4 Port 67/UDP and 68/UDP
- IPv6 Port 546/UDP and 547/UDP
TFTP SERVICE
To bootstrap the PXE stack, a small binary blob is transferred via TFTP at the very beginning of the boot process. If this transfer fails, the croit PXE boot menu will not appear on the server.
- Port 69/UDP
BACKEND SERVICE
The operating system image and some settings are transferred via HTTP and HTTPS.
- Port 80/TCP
- Port 443/TCP
SSH SERVICE
To change settings or restart services, we connect to the servers using SSH.
- Port 22/TCP
GRAPHITE SERVICE
go-graphite is used as the time series database in which metrics are stored; this port receives the ingested metric data.
- Port 23648/UDP
LOG UPLOAD SERVICE
To provide a centralized log view, we use systemd-journal-remote and systemd-journal-upload.
- Port 19531/TCP
APT UPDATE SERVICE
We configured the apt proxy in /etc/apt/apt.conf.d/01proxy to use
- Port 3142/TCP
CEPH SERVICES
- 443/TCP for RadosGW (RGW) services
- 3300/TCP for the messenger v2 protocol
- 6789/TCP for the messenger v1 protocol
- 6800/TCP to 7300/TCP for OSD services
ISCSI SERVICES
- 3260/TCP and 3260/UDP
SMB SERVICES
- 137/TCP to 139/TCP and 137/UDP to 139/UDP
- 445/TCP
CEPH TO CEPH NETWORK
Please refrain from setting up a firewall on the network interface from the Management Node to the Ceph Cluster. Otherwise, disruptions and problems are to be expected.
CEPH SERVICES
- 3300/TCP for the messenger v2 protocol
- 6789/TCP for the messenger v1 protocol
- 6800/TCP to 7300/TCP for OSD services
FROM CEPH STORAGE NODES TO OTHER SERVICES
DNS SERVICE
By default, we configure the DNS servers to Google's public DNS resolvers. We strongly recommend changing this in the container config file /config/config.yml and pointing the list at your own DNS resolvers.
- Host 8.8.8.8 on port 53/UDP and 53/TCP
- Host 8.8.4.4 on port 53/UDP and 53/TCP
- Host 2001:4860:4860::8888 on port 53/UDP and 53/TCP
- Host 2001:4860:4860::8844 on port 53/UDP and 53/TCP
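The following is an added example, not croit's own code: it turns the Management Node port lists above (administrator-facing inbound and Internet-facing outbound) into an nftables ruleset with a default-drop policy, omits the deprecated plaintext ports 8080/8088, and leaves the Ceph-facing interface unfiltered as the page advises. The interface names eth0/eth1/eth2, the default-drop choice and the DNS egress rule are assumptions.

```python
"""Added example, not croit's own code: an nftables ruleset for the croit Management
Node built from the port lists on this page. Interface names, the default-drop
policy and the DNS rule are assumptions; the Ceph-facing interface is left
unfiltered as the page advises, and the deprecated plaintext ports are omitted."""

ADMIN_IF, INET_IF, CEPH_IF = "eth0", "eth1", "eth2"  # assumed interface names

# Inbound from administrators (description, protocol, port); 8080/8088 left out.
ADMIN_INBOUND = [("web UI over TLS", "tcp", 443),
                 ("websocket over TLS", "tcp", 8443),
                 ("admin SSH", "tcp", 22)]

# Outbound to the Internet (host, protocol, port), as documented above.
INTERNET_EGRESS = [("hub.docker.com", "tcp", 443), ("api.croit.io", "tcp", 443),
                   ("ftp.de.debian.org", "tcp", 80), ("security.debian.org", "tcp", 80),
                   ("mirror.croit.io", "tcp", 80)]
INTERNET_EGRESS += [(f"{i}.debian.pool.ntp.org", proto, 123)
                    for i in range(4) for proto in ("udp", "tcp")]

def egress_rules(entries=INTERNET_EGRESS):
    """One accept rule per (protocol, port). Hostnames go into the rule comment:
    nft resolves names only when the script loads and rejects names that resolve
    to several addresses, so IP pinning needs a separately maintained named set."""
    by_port = {}
    for host, proto, port in entries:
        by_port.setdefault((proto, port), []).append(host)
    return [f'oifname "{INET_IF}" {proto} dport {port} accept comment "{", ".join(hosts)}"'
            for (proto, port), hosts in sorted(by_port.items())]

def ruleset():
    """Return the complete nft script as a list of lines."""
    lines = ["table inet croit_mgmt {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    ct state established,related accept", "    iifname lo accept",
             f'    iifname "{CEPH_IF}" accept comment "Ceph network: unfiltered as documented"']
    lines += [f'    iifname "{ADMIN_IF}" {proto} dport {port} accept comment "{desc}"'
              for desc, proto, port in ADMIN_INBOUND]
    lines += ["  }", "  chain output {",
              "    type filter hook output priority 0; policy drop;",
              "    ct state established,related accept", "    oifname lo accept",
              f'    oifname "{CEPH_IF}" accept']
    lines += [f'    oifname "{INET_IF}" {p} dport 53 accept comment "DNS (assumed)"' for p in ("udp", "tcp")]
    lines += ["    " + rule for rule in egress_rules()] + ["  }", "}"]
    return lines

if __name__ == "__main__":  # save the output as croit-mgmt.nft and load it with: nft -f croit-mgmt.nft
    print("\n".join(ruleset()))
```

The LDAP egress (389/636 to your own directory server) is site-specific and is deliberately not included; add it to the output chain for your server's address if you use that integration.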
Contact us!
croit GmbH
Freseniusstrasse 31h
81247 Munich
Germany
croit North America Inc
150 North Michigan Avenue
35th Floor
Chicago
IL 60601