IP ACL Configuration
In addition to the existing ACL parameter available for use with the lbcli create volume or update volume command, there is also the IP ACL parameter.
IP ACL allows restricted or unrestricted access to a cluster. In restricted mode (ipacl_explicit_allow), the Lightbits cluster maintains an allowed list of IPs per volume; only clients at those IPs can access that volume. In unrestricted mode, any IP address can be used. This configuration can only be set up during installation.
- Refer to the Configuring Global Variables in Ansible section of the Lightbits Installation Guide for additional information on the enable ipacl_explicit_allow flag.
- All server-level firewalls except for iptables should be disabled in this mode.
When ipacl_explicit_allow mode is enabled, the following rules are applied:
- During installation, Lightbits will block all data-related traffic (nvme/tcp and discovery service ports).
- Traffic to the above ports will only be allowed to IPs that are on the allowed list (IPACL).
- IO client servers can only connect to access volumes for which their IP is on the allowed list (IPACL).
- IO client servers can access all the servers in the cluster if their IP is on at least one volume's allowed list (IPACL).
- ipacl_explicit_allow replaces the former enable_iptables configuration.
- Upgrading from enable_iptables to ipacl_explicit_allow is not supported.
It is your responsibility to manage the access to the rest of the ports required for the correct operation of the cluster. See the Lightbits Installation Guide for a list of all required ports.
There are two APIs that can cause additional ports to be opened:
- Create an admin endpoint. This adds an allow rule in iptables based on the given origin IP address and destination port in the API. For example, it can be used to add rules for other servers to have access to admin ports (REST, gRPC, Exporter).
- Create (or update) a volume with the IP ACL flag. The allowed IPs will have access to the NVMe/TCP ports (default: 4420/4421) on the nodes on which the volume data is stored (but not to other cluster nodes), and discovery service port (8009) on all servers in the cluster.
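The rules above can be checked against a concrete cluster layout before a client is expected to connect. The Python model below is an added illustration, not Lightbits code: it takes a volume record in the shape that lbcli get volume -o json prints (only name, nodeList, IPAcl and ETag are used) and the admin endpoints created with lbcli create admin-endpoint, and answers "may client IP X reach TCP port P on node N?" using only the rules stated on this page. The node UUID, volume and IPs come from the examples below; the two extra node names and the client IP 10.0.0.9 are constructed so that "but not to other cluster nodes" can be observed.

```python
"""Reachability model for ipacl_explicit_allow mode (added illustration, not Lightbits code).

Rules implemented, as stated in the text:
  * NVMe/TCP ports (default 4420/4421) on the nodes holding a volume's data:
    only IPs on that volume's IP ACL.
  * Discovery service port (8009) on every server: any IP that is on at
    least one volume's IP ACL.
  * Admin endpoints: the given origin IPs on the given port, on every server.
  * Any other data-related access is blocked.
"""
import json

NVME_TCP_PORTS = {4420, 4421}   # default NVMe/TCP ports named in the text
DISCOVERY_PORT = 8009           # discovery service port named in the text

# The node UUID from the page's sample output plus two constructed nodes.
CLUSTER_NODES = [
    "69399d2a-3896-5b37-978a-775f3322279b",
    "node-b-constructed",
    "node-c-constructed",
]

# Trimmed copy of the page's `lbcli get volume -o json` output after create.
VOLUME_JSON = """
{
  "name": "acl3",
  "UUID": "5f69c7d3-e303-4179-8400-59fa073c1229",
  "nodeList": ["69399d2a-3896-5b37-978a-775f3322279b"],
  "IPAcl": {"values": ["172.16.123.18"]},
  "ETag": "1"
}
"""


class IpAclPolicy:
    """Holds volumes and admin endpoints and evaluates the allow rules."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.volumes = {}          # volume name -> volume dict
        self.admin_endpoints = {}  # port -> set of allowed origin IPs

    def add_volume(self, volume_json):
        vol = json.loads(volume_json)
        vol.setdefault("IPAcl", {"values": []})
        self.volumes[vol["name"]] = vol

    def update_ip_acl(self, name, ips):
        """Mirror `lbcli update volume --ip-acl=a,b`: the whole list is replaced."""
        vol = self.volumes[name]
        vol["IPAcl"] = {"values": [ip.strip() for ip in ips.split(",")]}
        vol["ETag"] = str(int(vol["ETag"]) + 1)

    def set_admin_endpoint(self, port, ips):
        """Mirror `lbcli create/update admin-endpoint --port=P --ips=a,b`."""
        self.admin_endpoints[int(port)] = {ip.strip() for ip in ips.split(",")}

    def is_allowed(self, client_ip, node, port):
        """Apply the rules; anything data-related that matches none is blocked."""
        # Admin endpoint rule: origin IP + destination port, on every server.
        if client_ip in self.admin_endpoints.get(port, set()):
            return True
        on_some_acl = False
        for vol in self.volumes.values():
            if client_ip not in set(vol["IPAcl"].get("values", [])):
                continue
            on_some_acl = True
            # NVMe/TCP ports only on the nodes that hold this volume's data.
            if port in NVME_TCP_PORTS and node in vol["nodeList"]:
                return True
        # Discovery port on all servers if the IP is on at least one volume's list.
        if port == DISCOVERY_PORT and on_some_acl:
            return True
        return False

    def reachable_from(self, client_ip):
        """Audit view: every (node, port) pair this IP may reach, sorted."""
        ports = NVME_TCP_PORTS | {DISCOVERY_PORT} | set(self.admin_endpoints)
        return sorted((n, p) for n in self.nodes for p in ports
                      if self.is_allowed(client_ip, n, p))


def demo():
    """Replay the page's sequence: create volume, admin endpoint, update the IP ACL."""
    policy = IpAclPolicy(CLUSTER_NODES)
    policy.add_volume(VOLUME_JSON)
    policy.set_admin_endpoint(22, "172.16.123.18")
    before = policy.reachable_from("172.16.123.45")
    policy.update_ip_acl("acl3", "172.16.123.18,172.16.123.45")
    after = policy.reachable_from("172.16.123.45")
    return policy, before, after


if __name__ == "__main__":
    pol, before, after = demo()
    print("172.16.123.45 before update:", before)
    print("172.16.123.45 after update: ", after)
    print("acl3 ETag:", pol.volumes["acl3"]["ETag"])
```

Running demo() shows 172.16.123.45 reaching nothing until it is added to the volume's IP ACL, after which it reaches 4420/4421 only on the node that holds acl3 and 8009 on every node; 172.16.123.18 additionally reaches port 22 everywhere because of the admin endpoint. Feeding the model the real output of lbcli get volume -o json for each volume gives the same audit for a live cluster.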
Examples
Create Endpoint
$ lbcli create admin-endpoint --port=22 --ips=172.16.123.18
Port IPs
22 [172.16.123.18]
$ lbcli get admin-endpoint --port=22
Port IPs
22 [172.16.123.18]
Update Endpoint
$ lbcli update admin-endpoint --port=22 --ips=172.16.123.18,172.16.123.45
Port IPs
22 [172.16.123.18 172.16.123.45]
$ lbcli get admin-endpoint --port=22
Port IPs
22 [172.16.123.18 172.16.123.45]
Create Volume
$ lbcli create volume --name=acl3 --acl=vol --size=10gib --replica-count=1 --ip-acl=172.16.123.18
# In case of multi-tenancy:
$ lbcli -J $JWT create volume --size="10 Gib" --name=vol --acl="acl3" --replica-count=1 --project-name=<Project Name> --ip-acl=172.16.123.18
Name UUID State Protection State NSID Size Replicas Compression ACL Rebuild Progress
acl3 5f69c7d3-e303-4179-8400-59fa073c1229 Creating Unknown 0 10 GiB 1 false values:"vol"
$ lbcli get volume --uuid=5f69c7d3-e303-4179-8400-59fa073c1229 -o json
{
"state": "Available",
"protectionState": "FullyProtected",
"replicaCount": 1,
"nodeList": [
"69399d2a-3896-5b37-978a-775f3322279b"
],
"UUID": "5f69c7d3-e303-4179-8400-59fa073c1229",
"nsid": 11,
"acl": {
"values": [
"vol"
]
},
"compression": "false",
"size": "10737418240",
"name": "acl3",
"rebuildProgress": "None",
"statistics": {
"logicalUsedStorage": "0",
"physicalUsedStorage": "0",
"compressionRatio": 0
},
"IPAcl": {
"values": [
"172.16.123.18" ← List of IPs allowed to connect to the volume
]
},
"ETag": "1",
"connectedHosts": [
"vol: 172.16.123.18"
],
"sectorSize": 4096,
"sourceSnapshotUUID": "",
"sourceSnapshotName": ""
}
A -J flag after lbcli indicates that the JWT is not stored in the lbcli configuration file.
Update Volume
$ lbcli update volume --name=acl3 --ip-acl=172.16.123.18,172.16.123.45
# In this command, the JWT is not stored in the lbcli configuration file:
$ lbcli -J $JWT update volume --project-name=<Project Name> --name acl3 --ip-acl=172.16.123.18,172.16.123.45
Name UUID State Protection State NSID Size Replicas Compression ACL Rebuild Progress
acl3 5f69c7d3-e303-4179-8400-59fa073c1229 Available FullyProtected 11 10 GiB 1 false values:"vol" None
$ lbcli get volume --uuid=5f69c7d3-e303-4179-8400-59fa073c1229 -o json
# In this command, the JWT is not stored in the lbcli configuration file:
$ lbcli -J $JWT get volume --uuid=5f69c7d3-e303-4179-8400-59fa073c1229 --project-name <Project Name> -o json
{
"state": "Available",
"protectionState": "FullyProtected",
"replicaCount": 1,
"nodeList": [
"69399d2a-3896-5b37-978a-775f3322279b"
],
"UUID": "5f69c7d3-e303-4179-8400-59fa073c1229",
"nsid": 11,
"acl": {
"values": [
"vol"
]
},
"compression": "false",
"size": "10737418240",
"name": "acl3",
"rebuildProgress": "None",
"statistics": {
"logicalUsedStorage": "0",
"physicalUsedStorage": "0",
"compressionRatio": 0
},
"IPAcl": {
"values": [
"172.16.123.18",
"172.16.123.45" ← New IP was added
]
},
"ETag": "2",
"connectedHosts": [
"vol: 172.16.123.18",
"vol: 172.16.123.45"
],
"sectorSize": 4096,
"sourceSnapshotUUID": "",
"sourceSnapshotName": ""
}
A -J flag after lbcli indicates that the JWT is not stored in the lbcli configuration file.