- Work-in-progress doc for an Amazon Web Services (AWS) based Gluster deployment secured using a VPC and security groups.
- SERVER
- ======
- - Gluster server nodes can only talk to nodes in the AWS GLUSTER-SERVER and GLUSTER-CLIENT security groups, and only on the ports explicitly listed in the respective GLUSTER-SERVER and GLUSTER-CLIENT security groups.
- - Gluster server nodes must be able to communicate with each other and must accept incoming connections from gluster clients
- - Servers do NOT act as gluster clients
- - Servers must be able to handle an AWS availability zone failure with no disruption
- - Ubuntu 14.04 in AWS VPC, nonroutable private subnet
- CLIENT
- ======
- - Gluster client nodes can only talk to nodes in the GLUSTER-SERVER security group, and only on the incoming ports explicitly listed in the GLUSTER-SERVER security group
- - Clients must be able to read/write data to gluster nodes
- - Clients must be able to seamlessly handle gluster server node failures
- - Clients do NOT act as gluster server nodes
- - Clients do not need to interact with other clients
- - Ubuntu 14.04 in AWS VPC, in a different nonroutable private subnet from the gluster servers
- Security group "GLUSTER-SERVER"
- ===============================
- - Defines incoming ports allowed for gluster server nodes. All gluster server nodes are members of this security group.
- - glusterd management
- - ALLOW INCOMING on port 24007/tcp for all nodes in GLUSTER-SERVER security group
- - ALLOW INCOMING on port 24007/tcp for all nodes in GLUSTER-CLIENT security group
- - ALLOW INCOMING on port 24008/tcp for all nodes in $SECURITY_GROUP (GLUSTER-SERVER and GLUSTER-CLIENT) only if the RDMA transport is used
- - * Do I need this? How does one know if they're using RDMA?
- - * Does Gluster server use RDMA by default?
- - * Does Gluster client use RDMA by default?
- - * Within AWS, should I use RDMA vs default?
- - glusterfsd bricks (since Gluster 3.4 the numbering starts at 49152 and increments +1 for each brick created on that server; each server numbers its own bricks, so size the range for the server with the most bricks) - below assumes up to 4 bricks per server (3 bricks need only 49152-49154)
- - ALLOW INCOMING on port 49152-49155/tcp for all nodes in GLUSTER-SERVER security group
- - ALLOW INCOMING on port 49152-49155/tcp for all nodes in GLUSTER-CLIENT security group
- - NFS (* is this needed for gluster servers?)
- - ALLOW INCOMING on port 111/tcp and port 2049/tcp for all nodes in GLUSTER-SERVER security group
- - ALLOW INCOMING on port 111/tcp and port 2049/tcp for all nodes in GLUSTER-CLIENT security group
- - ALLOW INCOMING on port 38468/tcp for all nodes in GLUSTER-SERVER security group for NLM
- - ALLOW INCOMING on port 38468/tcp for all nodes in GLUSTER-CLIENT security group for NLM
- - * Does gluster server use NFS by default?
- - * Does gluster client use NFS by default?
- - * Is NLM required regardless of whether NFS is used?
- - ALLOW OUTBOUND traffic on any port to any host
- Security group "GLUSTER-CLIENT"
- ===============================
- - Defines the group of clients that are allowed to access gluster server nodes in the GLUSTER-SERVER security group on the ports defined in the GLUSTER-SERVER security group
- - * Is there ANY incoming traffic from gluster server nodes in GLUSTER-SERVER security group?
- - ALLOW OUTBOUND traffic on any port to any host
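The two rule sets above, as an added Python example that is not part of the original paste: it builds the intended GLUSTER-SERVER ingress list in the IpPermissions shape that boto3's ec2.authorize_security_group_ingress() accepts and ec2.describe_security_groups() returns, then audits a live rule set against it so an accidental 0.0.0.0/0 source or a forgotten client rule is caught. The security-group IDs and the sample live rule set are constructed placeholders; brick count, RDMA and NFS are parameters so the open questions above can be answered per deployment. Because AWS security groups are stateful, replies to connections the clients open need no inbound rule on GLUSTER-CLIENT, which the example encodes as an empty list.

```python
"""Generate and audit AWS security-group ingress rules for a Gluster deployment
where servers are in GLUSTER-SERVER and clients in GLUSTER-CLIENT.
All group IDs and the sample live rules below are constructed placeholders."""

GLUSTERD_PORT = 24007        # glusterd management
RDMA_PORT = 24008            # only when the rdma transport is used
BRICK_BASE_PORT = 49152      # first glusterfsd brick port (Gluster >= 3.4)
NFS_PORTS = (111, 2049)      # portmapper and NFS, only when Gluster NFS is used
NLM_PORT = 38468             # NFS lock manager


def brick_port_range(bricks_per_server):
    """Ports used by N bricks on one server: 49152 .. 49152+N-1.
    glusterd numbers bricks per host, so size this for the busiest server."""
    if bricks_per_server < 1:
        raise ValueError("need at least one brick per server")
    return BRICK_BASE_PORT, BRICK_BASE_PORT + bricks_per_server - 1


def tcp_from_groups(from_port, to_port, group_ids):
    """One IpPermissions entry: a tcp port range sourced only from security groups."""
    return {
        "IpProtocol": "tcp",
        "FromPort": from_port,
        "ToPort": to_port,
        "UserIdGroupPairs": [{"GroupId": g} for g in group_ids],
    }


def server_ingress(server_sg, client_sg, bricks_per_server, rdma=False, nfs=False):
    """Intended inbound rules for GLUSTER-SERVER: sources are the two groups
    and nothing is opened to a CIDR."""
    sources = [server_sg, client_sg]
    perms = [tcp_from_groups(GLUSTERD_PORT, GLUSTERD_PORT, sources)]
    if rdma:
        perms.append(tcp_from_groups(RDMA_PORT, RDMA_PORT, sources))
    lo, hi = brick_port_range(bricks_per_server)
    perms.append(tcp_from_groups(lo, hi, sources))
    if nfs:
        for port in NFS_PORTS:
            perms.append(tcp_from_groups(port, port, sources))
        perms.append(tcp_from_groups(NLM_PORT, NLM_PORT, sources))
    return perms


def client_ingress():
    """GLUSTER-CLIENT needs no inbound rules: clients initiate every connection
    and security groups are stateful, so the replies are allowed automatically."""
    return []


def flatten(perms):
    """Expand IpPermissions into (proto, from, to, source) tuples so that a
    group-sourced rule and a CIDR-sourced rule on the same port stay distinct."""
    rules = set()
    for p in perms:
        proto = p["IpProtocol"]
        lo, hi = p.get("FromPort", 0), p.get("ToPort", 0)
        for pair in p.get("UserIdGroupPairs", []):
            rules.add((proto, lo, hi, "sg:" + pair["GroupId"]))
        for r in p.get("IpRanges", []):
            rules.add((proto, lo, hi, "cidr:" + r["CidrIp"]))
    return rules


def audit(actual_perms, expected_perms):
    """Compare a group's live IpPermissions (as describe_security_groups returns
    them) with the intended rules. Returns (missing, extra); a stray 0.0.0.0/0
    or a third group shows up in extra."""
    actual, expected = flatten(actual_perms), flatten(expected_perms)
    return sorted(expected - actual), sorted(actual - expected)


# Constructed sample: a hand-built GLUSTER-SERVER group with two mistakes,
# glusterd open to the world and brick ports not reachable from clients.
SERVER_SG, CLIENT_SG = "sg-server0000", "sg-client0000"  # placeholder IDs
LIVE_SERVER_PERMS = [
    {"IpProtocol": "tcp", "FromPort": 24007, "ToPort": 24007,
     "UserIdGroupPairs": [{"GroupId": SERVER_SG}, {"GroupId": CLIENT_SG}],
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 49152, "ToPort": 49154,
     "UserIdGroupPairs": [{"GroupId": SERVER_SG}]},
]

if __name__ == "__main__":
    intended = server_ingress(SERVER_SG, CLIENT_SG, bricks_per_server=3)
    missing, extra = audit(LIVE_SERVER_PERMS, intended)
    print("missing:", missing)
    print("extra:  ", extra)
    # To apply the intended rules with boto3 (not run here):
    # boto3.client("ec2").authorize_security_group_ingress(
    #     GroupId=SERVER_SG, IpPermissions=intended)
```

Run it as-is to see the audit flag the world-open 24007 rule as extra and the client-sourced brick rule as missing; pass the real IpPermissions list from describe_security_groups() in place of LIVE_SERVER_PERMS to audit a deployed group.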