Hi Marcelo!
On Fri, May 22, 2015 at 10:46 PM, Marcelo Freitas <
marce...@gmail.com> wrote:
> Hey guys,
>
> Just checking if anybody knows which ports I should leave open on the
> servers. I couldn't find this information very clear. I gathered the
> information from what I could find in the docs, cloudformation templates,
> and some assumptions. Can someone give me a hand here? Don't worry about the
> Mongo / Redis or SSH ports
>
> tsuru-cloudformation ***********************
>
> Docker Node
> 4243/tcp (api -> docker?)
> 4545/tcp (api -> docker?)
4545 is not needed anymore, and you should use 2375 instead of 4243,
because it's the official Docker port.
> API
> 443/tcp (what if I do not TLS enabled?)
That depends on where you want to bind your API, or if you want to use
an ELB. Then you can use the port 80 in the ELB and the port 8080 in
the instance, and do TLS termination in the load balancer.
> Gandalf
> 80/tcp
> 8080/tcp
You can also choose where to bind Gandalf, and only the tsuru API
needs to access the Gandalf API. Please notice that you need to open
the SSH port to the world (or to the network where developers will run
`git push`).
> Docs *************************
>
> Gandalf
> 8000/tcp
>
> Archive-Server
> 3232/tcp
archive-server needs two ports: one for creating archives (that needs
to be accessible by the Gandalf host), and other for serving the
archives (that need to be accessible by all the hosts running Docker
containers).
But, if you're deploying on EC2, you should use the S3 pre-receive
hook (https://github.com/tsuru/tsuru/blob/master/misc/git-hooks/pre-receive.s3cmd).
> API
> 8080/tcp
>
> My guesses ******************
>
> Docker Registry
> 5000/tcp
Docker Registry is usually 5000, and it's accessed by the tsuru API
and the Docker nodes.
> Docker API
> 2375/tcp
>
> So, I'm OK with the external components I can look up and whatever I
> configured in the configs, but I got confused about the ports I found in the
> cloudformation templates. I appreciate any help.
So, to summarize: there are only two services with official ports,
Docker (2375) and SSH (22, running on the Gandalf host). All the other
ports are fine to be customized, but I understand that you're willing
to know more details about communication between components, so here
we go:
- tsuru API manages the cloud, so the machine running it should have
access to everything (except archive-server)
- Docker API is accessed only by the tsuru API
- hipache needs to access the ports that Docker allocates to
containers (default range is 49153~65535)
- Docker nodes also need to access the Registry API
- Gandalf needs to access archive-server on the write port (usually
3131; archive-server is usually on the same machine as Gandalf)
- Docker hosts need to access archive-server on the read port (usually 3232)
Maybe I took your question from a whole different perspective, so please
let me know if there's anything else we should clarify!
Thanks,
Francisco
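The communication matrix in Francisco's summary, written out as security-group style ingress rules with an audit that flags entries broader than the flows he lists (for example the Docker API reachable from 0.0.0.0/0) and a check for flows a proposed rule set forgets. This is an added illustration, not code from the thread or the tsuru project: component names follow the summary, the non-fixed ports use the defaults quoted in the thread, the ELB/8080 arrangement is the one Francisco suggests, and the developer CIDR is a constructed placeholder.

```python
"""Ingress rules for the tsuru component topology described in the thread.

Added example, not tsuru project code. Component names and flows follow
Francisco's summary; configurable ports use the thread's defaults; the
developer CIDR is a constructed placeholder (TEST-NET-3).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DEV_CIDR = "203.0.113.0/24"   # constructed: where developers run `git push`
ANYWHERE = "0.0.0.0/0"

# Component names, used both as rule destinations and as source group names.
API, DOCKER, HIPACHE, GANDALF, ARCHIVE, REGISTRY, ELB = (
    "tsuru-api", "docker-node", "hipache", "gandalf",
    "archive-server", "docker-registry", "elb")


@dataclass(frozen=True)
class Rule:
    dest: str                # component that accepts the connection
    ports: Tuple[int, int]   # inclusive TCP port range
    source: str              # security-group name or CIDR allowed to connect


# One rule per flow in the summary. Only 2375 (Docker) and 22 (SSH) are
# fixed ports; the rest are the defaults quoted in the thread.
REQUIRED: List[Rule] = [
    Rule(ELB, (80, 80), ANYWHERE),           # clients reach the API via the ELB
    Rule(API, (8080, 8080), ELB),            # ELB -> API, TLS terminated at ELB
    Rule(DOCKER, (2375, 2375), API),         # Docker API only from the tsuru API
    Rule(DOCKER, (49153, 65535), HIPACHE),   # container ports, from the router
    Rule(REGISTRY, (5000, 5000), API),
    Rule(REGISTRY, (5000, 5000), DOCKER),
    Rule(GANDALF, (8000, 8000), API),        # Gandalf API only from the tsuru API
    Rule(GANDALF, (22, 22), DEV_CIDR),       # git push; the thread allows the
                                             # world, narrowed here to developers
    Rule(ARCHIVE, (3131, 3131), GANDALF),    # archive-server write port
    Rule(ARCHIVE, (3232, 3232), DOCKER),     # archive-server read port
]


def _covers(outer: Tuple[int, int], inner: Tuple[int, int]) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def audit(proposed: List[Rule]) -> List[str]:
    """Flag proposed rules broader than the required flows: a port with no
    required flow at all, or a source (the world included) that the summary
    does not list for that destination port."""
    findings = []
    for r in proposed:
        matches = [q for q in REQUIRED if q.dest == r.dest and _covers(q.ports, r.ports)]
        if not matches:
            findings.append(f"{r.dest} {r.ports}: no required flow on this port")
            continue
        allowed = {q.source for q in matches}
        if r.source not in allowed and ANYWHERE not in allowed:
            why = ("open to the world" if r.source == ANYWHERE
                   else f"unexpected source {r.source}")
            findings.append(f"{r.dest} {r.ports}: {why}, expected {sorted(allowed)}")
    return findings


def missing(proposed: List[Rule]) -> List[Rule]:
    """Required flows that no proposed rule satisfies (deploys would break there)."""
    def satisfied(q: Rule) -> bool:
        return any(r.dest == q.dest and _covers(r.ports, q.ports)
                   and r.source in (q.source, ANYWHERE) for r in proposed)
    return [q for q in REQUIRED if not satisfied(q)]


def to_ip_permission(rule: Rule) -> Dict:
    """Render a rule in the IpPermissions shape accepted by the EC2
    AuthorizeSecurityGroupIngress API (CIDR source vs. group source)."""
    perm: Dict = {"IpProtocol": "tcp", "FromPort": rule.ports[0], "ToPort": rule.ports[1]}
    if "/" in rule.source:
        perm["IpRanges"] = [{"CidrIp": rule.source}]
    else:
        perm["UserIdGroupPairs"] = [{"GroupName": rule.source}]
    return perm


if __name__ == "__main__":
    # Constructed mistake: Docker API exposed to the world, Gandalf rules absent.
    candidate = ([r for r in REQUIRED if r.dest != GANDALF]
                 + [Rule(DOCKER, (2375, 2375), ANYWHERE)])
    for f in audit(candidate):
        print("FINDING:", f)
    for q in missing(candidate):
        print("MISSING:", q, "->", to_ip_permission(q))
```

Running the script prints one finding (the world-open Docker API) and two missing flows (Gandalf API from the tsuru API, SSH from the developer network). The check is deliberately destination-centric: each component's inbound rules are compared against the sources Francisco names for it, which is the same view an EC2 security group gives you.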