Ports


Marcelo Freitas

May 22, 2015, 9:46:24 PM
to tsuru...@googlegroups.com
Hey guys,

Just checking if anybody knows which ports I should leave open on the servers. I couldn't find this information very clear. I gathered the information from what I could find in the docs, cloudformation templates, and some assumptions. Can someone give me a hand here? Don't worry about the Mongo / Redis nor SSH ports.

tsuru-cloudformation ***********************

Docker Node
4243/tcp (api -> docker?)
4545/tcp (api -> docker?)

API
443/tcp (what if I do not have TLS enabled?)

Gandalf
80/tcp
8080/tcp

Docs *************************

Gandalf
8000/tcp

Archive-Server
3232/tcp

API
8080/tcp

My guesses ******************

Docker Registry
5000/tcp

Docker API
2375/tcp

So, I'm OK with the external components I can look up and whatever I configured in the configs, but I got confused about the ports I found in the cloudformation templates. I appreciate any help.

Thanks,

Marcelo

Francisco Souza

May 22, 2015, 11:28:49 PM
to tsuru...@googlegroups.com
Hi Marcelo!

On Fri, May 22, 2015 at 10:46 PM, Marcelo Freitas <marce...@gmail.com> wrote:
> Hey guys,
>
> Just checking if anybody knows which ports I should leave open on the
> servers. I couldn't find this information very clear. I gathered the
> information from what I could find in the docs, cloudformation templates,
> and some assumptions. Can someone give me a hand here? Don't worry about the
> Mongo / Redis nor SSH ports
>
> tsuru-cloudformation ***********************
>
> Docker Node
> 4243/tcp (api -> docker?)
> 4545/tcp (api -> docker?)

4545 is not needed anymore, and you should use 2375 instead of 4243,
because it's the official Docker port.

> API
> 443/tcp (what if I do not have TLS enabled?)

That depends on where you want to bind your API, or if you want to use
an ELB. Then you can use the port 80 in the ELB and the port 8080 in
the instance, and do TLS termination in the load balancer.

> Gandalf
> 80/tcp
> 8080/tcp

You can also choose where to bind Gandalf, and only the tsuru API
needs to access the Gandalf API. Please notice that you need to open
the SSH port to the world (or to the network where developers will run
`git push`).

> Docs *************************
>
> Gandalf
> 8000/tcp
>
> Archive-Server
> 3232/tcp

archive-server needs two ports: one for creating archives (that needs
to be accessible by the Gandalf host), and another for serving the
archives (that needs to be accessible by all the hosts running Docker
containers).

But, if you're deploying on EC2, you should use the S3 pre-receive
hook (https://github.com/tsuru/tsuru/blob/master/misc/git-hooks/pre-receive.s3cmd).

> API
> 8080/tcp
>
> My guesses ******************
>
> Docker Registry
> 5000/tcp

Docker Registry is usually 5000, and it's accessed by the tsuru API
and the Docker nodes.

> Docker API
> 2375/tcp
>
> So, I'm OK with the external components I can look up and whatever I
> configured in the configs, but I got confused about the ports I found in the
> cloudformation templates. I appreciate any help.

So, to summarize: there are only two services with official ports,
Docker (2375) and SSH (22, running on the Gandalf host). All the other
ports are fine to be customized, but I understand that you're willing
to know more details about communication between components, so here
we go:

- tsuru API manages the cloud, so the machine running it should have
access to everything (except archive-server)
- Docker API is accessed only by the tsuru API
- hipache needs to access the ports that Docker allocates to
containers (default range is 49153~65535)
- Docker nodes also need to access the Registry API
- Gandalf needs to access archive-server in the write port (usually
3131. archive-server is usually in the same machine as Gandalf)
- Docker hosts need to access archive-server in the read port (usually 3232)

Maybe I took your question to a whole different perspective, so please
let me know if there's anything else we should clarify!

Thanks,
Francisco
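
Added example, not part of the thread and not tsuru's own code: the component flows listed in the reply above, written as a table from which a per-host inbound allow-list is derived and an existing rule set is audited. Role names, the `developers` and `anywhere` source labels, the Gandalf API port 8000 (taken from the "Docs" list in the question) and the sample rules are assumptions; Mongo, Redis and any flow not named explicitly in the reply are left out.

```python
# Flows named in the reply: (source role, destination role, first port, last port, purpose).
# "developers" stands for the network where developers run `git push`.
FLOWS = [
    ("tsuru-api", "docker-node", 2375, 2375, "Docker API"),
    ("tsuru-api", "gandalf", 8000, 8000, "Gandalf API (assumed port)"),
    ("tsuru-api", "registry", 5000, 5000, "Docker Registry"),
    ("docker-node", "registry", 5000, 5000, "Docker Registry"),
    ("hipache", "docker-node", 49153, 65535, "ports Docker allocates to containers"),
    ("gandalf", "archive-server", 3131, 3131, "archive write port"),
    ("docker-node", "archive-server", 3232, 3232, "archive read port"),
    ("developers", "gandalf", 22, 22, "git push over SSH"),
]


def inbound_rules(role):
    """Inbound allow-list for hosts of `role`: sorted (first, last, source) tuples."""
    return sorted((lo, hi, src) for src, dst, lo, hi, _ in FLOWS if dst == role)


def audit(role, open_rules):
    """Report rules open on a host of `role` that no flow in FLOWS justifies.

    A rule is justified only if its whole port range sits inside an allowed
    range for the same source, so a wider source or a legacy port is flagged.
    """
    allowed = inbound_rules(role)
    findings = []
    for lo, hi, src in open_rules:
        justified = any(
            a_lo <= lo and hi <= a_hi and a_src == src
            for a_lo, a_hi, a_src in allowed
        )
        if not justified:
            findings.append(f"{role}: {lo}-{hi}/tcp from {src} matches no listed flow")
    return findings


# Constructed sample: rules currently open on a Docker node.
SAMPLE_DOCKER_NODE_RULES = [
    (2375, 2375, "tsuru-api"),   # expected
    (2375, 2375, "anywhere"),    # Docker API reachable beyond the tsuru API
    (4243, 4243, "tsuru-api"),   # old port from the cloudformation template
    (49153, 65535, "hipache"),   # expected
]

if __name__ == "__main__":
    for role in ("docker-node", "gandalf", "registry", "archive-server"):
        print(role, inbound_rules(role))
    for finding in audit("docker-node", SAMPLE_DOCKER_NODE_RULES):
        print("FINDING", finding)
```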

Marcelo Freitas

May 23, 2015, 5:56:16 PM
to tsuru...@googlegroups.com
Hi Francisco,

That's exactly what I wanted to know. I wanted to know about the communication among components. Thanks again.

Can I ask another question? I saw the S3 pre-hook before. So, does that mean I dump the archive-server?

Regards,

Marcelo

Francisco Souza

May 25, 2015, 9:33:07 AM
to tsuru...@googlegroups.com
Hi Marcelo,
Exactly! Instead of sending the archives to the archive server, you'd
send them to S3.

The pre-receive hook would automatically generate an archive, upload
it as a public file to a bucket and send the URL to tsuru, so the
container can download the archive. After the application is deployed,
the hook will also delete the archive in S3.

Best,
Francisco

Marcelo Freitas

May 25, 2015, 10:51:20 AM
to tsuru...@googlegroups.com
Great Francisco,

Thank you man,

Marcelo