Recommended ACL Ports and Protocols

The table below lists the TCP and UDP ports used by Lightbits storage nodes and the hosts that connect to them, so that firewall ACLs can be limited to exactly this set.

Each entry lists Source (Initiator), Destination (Listener), Interface, Purpose, Protocol and Port(s), followed by a detailed description with the encryption and authentication in use.
Source: Management Servers | Destination: Lightbits Storage | Interface: Management* or Data | Purpose: SSH Terminal | Protocol: TCP (SSH) | Port(s): 22

Lightbits servers are managed over SSH through a Linux shell (from management servers to Lightbits servers, and between Lightbits servers within the cluster).

Encryption: Per SSH configuration

Authentication: Yes (SSH password or SSH key)

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Management* or Data | Purpose: SSH Terminal | Protocol: TCP (SSH) | Port(s): 22

Lightbits servers are managed over SSH through a Linux shell (from management servers to Lightbits servers, and between Lightbits servers within the cluster).

Note: SSH between Lightbits servers is not required for a successful Ansible installation; the installation host only needs SSH access to each server.

Encryption: Per SSH configuration

Authentication: Yes (SSH password or SSH key)

Source: Management Servers | Destination: Lightbits Storage | Interface: Management* or Data | Purpose: API | Protocol: TCP (HTTPS) | Port(s): 443

Management API, used by the management CLI (from management servers to Lightbits servers).

Encryption: TLS

Authentication: Yes (JWT)

Source: Clients | Destination: Lightbits Storage | Interface: Management* or Data | Purpose: API | Protocol: TCP (HTTPS) | Port(s): 443

Management API, used by the management CLI (from clients to Lightbits servers).

Encryption: TLS

Authentication: Yes (JWT)

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Management* or Data | Purpose: API | Protocol: TCP (HTTPS) | Port(s): 443

Management API, used by the management CLI (between Lightbits servers).

Encryption: TLS

Authentication: Yes (JWT)

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Data | Purpose: etcd | Protocol: TCP (etcd) | Port(s): 2379

etcd client port (from Lightbits services to etcd).

Encryption: mTLS

Authentication: Yes (TLS client certificates)

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Data | Purpose: etcd | Protocol: TCP (etcd) | Port(s): 2380

etcd peer port (between Lightbits servers).

Encryption: mTLS

Authentication: Yes (TLS client certificates)

Source: Management Servers | Destination: Grafana, Prometheus | Interface: Management | Purpose: UI Access | Protocol: TCP (HTTP) | Port(s): 3000, 9090

Port 3000 serves the Grafana UI and port 9090 the Prometheus UI. Neither is encrypted or authenticated in this configuration, so limit both ports to the management hosts that need them.

Encryption: No

Authentication: No

Source: Prometheus Server | Destination: Lightbits Storage | Interface: Management | Purpose: Monitoring Metrics | Protocol: TCP (HTTP) | Port(s): 8090

Exporter port (from Prometheus servers to Lightbits servers), scraped via the /metrics endpoint.

Encryption: No

Authentication: No

Source: Prometheus Server | Destination: Lightbits Storage | Interface: Management | Purpose: Monitoring Metrics | Protocol: TCP (HTTPS) | Port(s): 443

Prometheus scraping via the /metrics endpoint on the TLS-protected API port. The endpoint itself is unauthenticated, so the metrics are readable by any host allowed to reach port 443.

Encryption: TLS

Authentication: No

Source: Prometheus Server | Destination: SMTP Server | Interface: Management | Purpose: Alerts | Protocol: SMTP or SMTPS | Port(s): 25 or 587 or 465

Used by Alertmanager on the Prometheus server to send alert e-mail over port 25 (SMTP, unencrypted), port 587 (message submission, upgraded to TLS with STARTTLS), or port 465 (SMTPS, implicit TLS from the first byte). STARTTLS protects the session only if the client refuses to continue without it, so keep Alertmanager's smtp_require_tls at its default of true rather than allowing a plaintext fallback.

Encryption: No for 25; TLS for 587 (STARTTLS) and 465 (implicit TLS)

Authentication: Yes

Source: Management Servers | Destination: Alertmanager | Interface: Management | Purpose: Alerts | Protocol: TCP (HTTP) | Port(s): 9093

Allows a management server to reach the Alertmanager UI.

Encryption: No

Authentication: No

Source: Clients (connect to Lightbits volumes) | Destination: Lightbits Storage | Interface: Data | Purpose: NVMe + Discovery Traffic | Protocol: TCP (NVMe/TCP + NVMe Discovery) | Port(s): 4420, 8009

Duroslight (NVMe/TCP target) port 4420 plus the discovery service on port 8009 (from clients to Lightbits servers); the client initiates both volume discovery and the volume connection. This path carries volume data without encryption or authentication, so restrict 4420 and 8009 to the client subnets on the data network.

Encryption: No

Authentication: No

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Data | Purpose: Lightbits Replica Traffic | Protocol: TCP (Lightbits Protocol) | Port(s): 22226

Replicator port (between Lightbits servers) for data replication. Replication traffic is unencrypted, so keep it on the isolated data network and open it only between Lightbits servers.

Encryption: No

Authentication: No

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Management* or Data | Purpose: cluster-manager debug | Protocol: TCP (HTTP) | Port(s): 4000

Cluster-Manager Go profiling endpoint on localhost, for debugging (not required).

Note: This debug port is bound to localhost only. To be future proof, open it between Lightbits servers, but no wider: the endpoint is unauthenticated.

Encryption: No

Authentication: No

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Management* or Data | Purpose: node-manager debug | Protocol: TCP (HTTP) | Port(s): 4001

Node-Manager Go profiling endpoint (between Lightbits servers), for debugging (not required).

Note: This debug port is not restricted to localhost and must be reachable between the Lightbits servers of the cluster.

Encryption: No

Authentication: No

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Management* or Data | Purpose: discovery-service debug | Protocol: TCP (HTTP) | Port(s): 6060

Discovery-Service Go profiling endpoint on localhost, for debugging (not required).

Note: This debug port is bound to localhost only. To be future proof, open it between Lightbits servers, but no wider: the endpoint is unauthenticated.

Encryption: No

Authentication: No

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Management* or Data | Purpose: duroslight debug | Protocol: TCP (HTTP) | Port(s): 9180

Introduced in 3.4.1: Duroslight debug information on localhost, exposed for Prometheus via the /metrics endpoint, for debugging (not required).

Notes: This debug port is bound to localhost only. To be future proof, open it between Lightbits servers.

In a dual-instance deployment, also open port 9181.

Encryption: No

Authentication: No

Source: Ansible Installation Host | Destination: Lightbits Storage | Interface: Management | Purpose: SSH for Ansible Installation | Protocol: TCP (SSH) | Port(s): 22

Ansible (from the installation host to the Lightbits servers) over SSH on port 22.

Encryption: Per SSH configuration

Authentication: Yes (SSH password or SSH key)

Source: Lightbits Storage | Destination: Repos | Interface: Management | Purpose: RPM Repo Access for Prerequisites | Protocol: TCP (HTTP[S]) | Port(s): 80, 443

Yum/DNF access for prerequisite packages (from Lightbits servers to online repositories).

Encryption: TLS for HTTPS repositories; depends on the repositories you connect to

Authentication: No. Package integrity therefore relies on RPM GPG signature verification (gpgcheck), not on the transport.

Source: Lightbits Storage | Destination: Repos | Interface: Management | Purpose: RPM Repo Access for Installation and Upgrade | Protocol: TCP (HTTP[S]) | Port(s): 80, 443

Yum/DNF access for installation and upgrade packages (from Lightbits servers to online repositories).

Encryption: TLS for HTTPS repositories; depends on the repositories you connect to

Authentication: No. Package integrity therefore relies on RPM GPG signature verification (gpgcheck), not on the transport.

Source: Lightbits Storage | Destination: Time Server | Interface: Management | Purpose: Time Sync | Protocol: UDP (NTP/chrony) | Port(s): 123, 323

NTP uses UDP 123 (from Lightbits servers to the time server).

chrony uses UDP 123 for NTP and UDP 323 for the chronyc command interface. chronyd binds the command port to localhost by default, so 323 only needs to be opened if chronyd is managed remotely.

Encryption: No

Authentication: No

Source: Lightbits Storage | Destination: DHCP Server | Interface: Management | Purpose: DHCP | Protocol: UDP (DHCP) | Port(s): 68

Open this port if the server's networking is configured via DHCP: the client sends from UDP 68 to the server's UDP 67 and receives replies on UDP 68.

Encryption: No

Authentication: No

Source: Lightbits Storage | Destination: Lightbits Storage | Interface: Management | Purpose: Node manager | Protocol: TCP (gRPC) | Port(s): 4007

gRPC port for communication from the node manager to the cluster manager.

Encryption: mTLS

Authentication: Yes (TLS client certificates)
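The table above, turned into a host firewall: the script below is an added example and is not part of the Lightbits documentation or product. It renders an nftables ruleset for a single Lightbits server in which every port group is reachable only from the source column of its row. The subnets (10.10.0.0/24 management, 10.20.0.0/24 cluster peers, 10.30.0.0/24 NVMe clients), the `lightbits` table name and the set names are hypothetical placeholders; DUAL_SINGLE_IP=1 adds the Dual Instance Single IP ports 4421, 22227 and 9181 from the notes that follow the table.

```shell
#!/bin/sh
# Added example (not Lightbits code): render an nftables ruleset for a
# Lightbits storage node from the port table. All subnets are placeholders.
#   CLUSTER_NET    CIDR(s) of the Lightbits servers (etcd, gRPC, replicator)
#   CLIENT_NET     CIDR(s) of the NVMe/TCP initiators
#   MGMT_NET       CIDR(s) of management, Ansible and Prometheus hosts
#   DUAL_SINGLE_IP set to 1 for Dual Instance Single IP (adds 4421/22227/9181)
set -eu

CLUSTER_NET="${CLUSTER_NET:-10.20.0.0/24}"
CLIENT_NET="${CLIENT_NET:-10.30.0.0/24}"
MGMT_NET="${MGMT_NET:-10.10.0.0/24}"
DUAL_SINGLE_IP="${DUAL_SINGLE_IP:-0}"

# Port groups from the table. The second-instance ports only exist in the
# Dual Instance Single IP layout; 9181 is also open in any dual-instance setup.
lb_data_ports() {
  if [ "$DUAL_SINGLE_IP" = "1" ]; then echo "4420, 4421, 8009"; else echo "4420, 8009"; fi
}
lb_peer_ports() {
  if [ "$DUAL_SINGLE_IP" = "1" ]; then echo "2379, 2380, 4007, 22226, 22227"; else echo "2379, 2380, 4007, 22226"; fi
}
lb_debug_ports() {
  if [ "$DUAL_SINGLE_IP" = "1" ]; then echo "4000, 4001, 6060, 9180, 9181"; else echo "4000, 4001, 6060, 9180"; fi
}

# Prints the ruleset. Input policy is drop; outbound (NTP, SMTP, repos, DNS)
# is left open and the replies return through the established-state rule.
build_ruleset() {
  cat <<EOF
table inet lightbits {
  set cluster_nodes { type ipv4_addr; flags interval; elements = { $CLUSTER_NET } }
  set nvme_clients  { type ipv4_addr; flags interval; elements = { $CLIENT_NET } }
  set mgmt_hosts    { type ipv4_addr; flags interval; elements = { $MGMT_NET } }

  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # Optional, for troubleshooting: echo requests only
    icmp type echo-request accept
    # Management and Ansible hosts: SSH, management API, Prometheus exporter
    ip saddr @mgmt_hosts tcp dport { 22, 443, 8090 } accept
    # NVMe clients: management API plus NVMe/TCP data path and discovery
    ip saddr @nvme_clients tcp dport 443 accept
    ip saddr @nvme_clients tcp dport { $(lb_data_ports) } accept
    # Cluster peers: SSH, API, etcd client/peer, node-manager gRPC, replicator
    ip saddr @cluster_nodes tcp dport { 22, 443 } accept
    ip saddr @cluster_nodes tcp dport { $(lb_peer_ports) } accept
    # Unauthenticated Go debug endpoints: cluster peers only, never wider
    ip saddr @cluster_nodes tcp dport { $(lb_debug_ports) } accept
    # DHCP replies (only needed if the node is configured via DHCP)
    udp dport 68 accept
  }
}
EOF
}

# Usage: sh lightbits-acl.sh --write /etc/nftables.d/lightbits.nft
if [ "${1:-}" = "--write" ]; then
  build_ruleset > "${2:-lightbits.nft}"
fi
```

Validate the generated file with `nft -c -f <file>` before loading it with `nft -f`. Because the input chain drops by default, any service the table does not list (a backup agent, a node exporter on another port) has to be added explicitly, which is the review the listener commands in the notes are meant to prompt.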

  • Bold text in the table marks optional ports/protocols.
  • The Interface column specifies which interface type the connection will work across. An asterisk marks the preferred or more common path or use case.
  • Management Servers refers to any host that connects to Lightbits as an SSH client (port 22); the same hosts may also use the API over port 443.
  • Client refers to any server where a Lightbits volume is connected (i.e., the volume appears in the output of nvme list).
  • A single server can act as a client, management server, and Prometheus/Grafana/monitoring server at the same time. Only the Lightbits servers should be dedicated machines.
  • All TCP traffic is bidirectional, but each connection has an initial direction. Source refers to the initiator; a stateful firewall only needs a rule for that direction, because the return packets match the established connection.
  • Check a server's open ports with the commands below, so that non-Lightbits services are also accounted for in the ACL:
  • sudo ss -ntlp (or the older sudo netstat -ntlp) - shows the TCP listeners on a server.
  • sudo ss -nulp (or the older sudo netstat -nulp) - shows the UDP listeners on a server.
  • With a typical Dual Instance deployment, the second instance gets its own IP but uses the same ports for all communication. The Duroslight debug port is additionally open on 9181.
  • With Dual Instance Single IP, the second instance shares the IP and uses a different set of ports. Add these ports for this configuration: Duroslight 4421, replicator 22227 and Duroslight debug 9181.
  • Yum/DNF uses port 80 or 443, depending on how the repositories are configured.
  • In the configuration above, the Lightbits Monitoring solution is used, which installs the Grafana and Prometheus containers on the same server.
  • Optionally, to help with troubleshooting, allow ICMP between the Lightbits servers, clients, and the other participating servers.
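To make the listener check in the notes actionable, the following added example (not from the Lightbits documentation) pipes `ss -Hltn` output through an audit that reports two things: TCP listeners whose port is not in the table at all, and debug ports the table describes as localhost-only that are nevertheless bound to a routable address. The lines in SAMPLE are constructed for the demonstration, not captured from a real node; the expected port list is the table's TCP set for a single-instance server and would gain 4421, 22227 and 9181 for Dual Instance Single IP.

```shell
#!/bin/sh
# Added example (not Lightbits code): audit the TCP listeners on a node
# against the port table. On a live server run:  ss -Hltn | audit_listeners
set -eu

# TCP listeners a single-instance Lightbits server is expected to have.
EXPECTED_TCP="22 443 2379 2380 4000 4001 4007 6060 8090 9180 22226 4420 8009"
# Debug ports the table says are bound to localhost only.
LOCAL_ONLY="4000 6060 9180"

# Reads 'ss -Hltn' lines on stdin (State Recv-Q Send-Q Local:Port Peer:Port)
# and prints "unexpected <port> <addr>" for ports outside EXPECTED_TCP and
# "not-loopback <port> <addr>" for LOCAL_ONLY ports on a non-loopback address.
audit_listeners() {
  awk -v expected="$EXPECTED_TCP" -v localonly="$LOCAL_ONLY" '
    BEGIN {
      n = split(expected, e, " ");  for (i = 1; i <= n; i++) ok[e[i]] = 1
      n = split(localonly, l, " "); for (i = 1; i <= n; i++) lo[l[i]] = 1
    }
    {
      addr = $4; p = addr; sub(/.*:/, "", p)   # port follows the last colon
      if (!(p in ok)) { print "unexpected", p, addr; next }
      if ((p in lo) && addr !~ /^(127\.|\[::1\])/) print "not-loopback", p, addr
    }
  '
}

# Constructed sample: the table ports plus rpcbind (111), LLMNR (5355) and a
# discovery-service debug port that escaped onto the data interface.
SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 10.20.0.11:2379 0.0.0.0:*
LISTEN 0 4096 10.20.0.11:2380 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:4000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:4001 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:4007 0.0.0.0:*
LISTEN 0 4096 10.20.0.11:6060 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:4420 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8009 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22226 0.0.0.0:*
LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
LISTEN 0 128 [::]:5355 [::]:*'

# Runs the audit over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE" | audit_listeners
}
```

Every "unexpected" line is a service that either needs its own ACL entry or should be disabled; a "not-loopback" line means a debug endpoint the table treats as local is reachable over the network and should be checked before the corresponding peer-only rule is relied on. The same approach works for UDP with `ss -Hlun` and an expected list of 123 and 68.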