Configuring Elastifile FW Rules Manually

Introduction

Follow this page if the service account that deploys the Elastifile system does not have the roles/compute.securityAdmin role.

If this is the case, you will see the following warning message as part of the validation phase: 

checking prerequisites

 

Elastifile requires 4 different FW rules, which are restricted to cluster operation only:

  1. elastifile-storage-management-<cluster_hash>
  2. elastifile-storage-service-<cluster_hash>
  3. elastifile-ra-service-<cluster_hash>
  4. elastifile-storage-client-<cluster_hash>

Solution

In this scenario, you need to configure the FW rules manually.

Please follow the 'Prerequisites' and 'Configuration' sections below.

 

Prerequisites

  1. The user who runs the commands must have the roles/compute.securityAdmin role in the required project.
  2. Note the cluster hash label by clicking the Elastifile management server instance in the GCP console.

VM instance label cluster-hash

 

 

Configuration

# The following are examples only. Please modify per your own environment.
$ HASH="8b77e1d1"
$ PROJECT="support-team-a"
$ VPC_NETWORK="snir-network"
$ VPC_SUBNET_RANGE="10.164.0.0/20"


$ gcloud compute --project=$PROJECT firewall-rules create elastifile-storage-management-$HASH --description="Elastifile Storage Management firewall rules" --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW --rules=tcp:22,tcp:53,tcp:80,tcp:443,tcp:10014-10017,udp:53,udp:123,udp:6667,icmp --source-ranges=$VPC_SUBNET_RANGE --source-tags=elastifile-storage-node-$HASH,elastifile-replication-node-$HASH,elastifile-management-node-$HASH --target-tags=elastifile-management-node-$HASH

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-storage-service-$HASH --description="Elastifile Storage Service firewall rules" --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW --rules=tcp:22,tcp:12121,tcp:10015-10018,tcp:1112-1132,tcp:2221-2241,tcp:8000-9224,tcp:10028,tcp:32768-60999,udp:6667,udp:8000-9224,udp:32768-60999,icmp --source-ranges=$VPC_SUBNET_RANGE --source-tags=elastifile-management-node-$HASH,elastifile-storage-node-$HASH,elastifile-replication-node-$HASH --target-tags=elastifile-storage-node-$HASH

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-ra-service-$HASH --description="Elastifile Replication Agent Service firewall rules" --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW --rules=tcp:22,tcp:80,tcp:443,tcp:10018,tcp:10015,tcp:10028,tcp:12121,icmp --source-ranges=$VPC_SUBNET_RANGE --source-tags=elastifile-storage-node-$HASH,elastifile-management-node-$HASH --target-tags=elastifile-replication-node-$HASH

$ gcloud compute --project=$PROJECT firewall-rules create elastifile-storage-client-$HASH --description="Elastifile Client firewall rules" --direction=INGRESS --priority=1000 --network=$VPC_NETWORK --action=ALLOW --rules=tcp:111,tcp:644,tcp:2049,tcp:4040,tcp:4045,udp:111,udp:644,udp:2049,udp:4040,udp:4045,icmp --source-ranges=$VPC_SUBNET_RANGE --source-tags=elastifile-clients-$HASH,elastifile-replication-node-$HASH --target-tags=elastifile-storage-node-$HASH

 

* Note that each Elastifile system requires its own set of FW rules, named with its own hash.
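To confirm the four rules exist with the intended scope after running the commands above, the following check can be used. It is an added example, not part of the original article or of Elastifile's tooling; the function name audit_elastifile_fw and its output keywords are hypothetical, and the expected target tags are taken from the commands on this page.

```shell
# Added example. Feed the function the output of this listing (standard gcloud
# filter/format options; substitute your own values):
#   gcloud compute --project=$PROJECT firewall-rules list \
#     --filter="name~$HASH" \
#     --format="value(name,sourceRanges.list(),targetTags.list())"
# Each input line: rule name <TAB> source ranges <TAB> target tags.
#
# Usage: ... | audit_elastifile_fw "$HASH" "$VPC_SUBNET_RANGE"
# Prints one line per finding; returns non-zero if any finding exists.
audit_elastifile_fw() {
  awk -F'\t' -v h="$1" -v subnet="$2" '
    BEGIN {
      # Rule name infix -> target tag used by the create commands on this page.
      want["storage-management"] = "elastifile-management-node-" h
      want["storage-service"]    = "elastifile-storage-node-" h
      want["ra-service"]         = "elastifile-replication-node-" h
      want["storage-client"]     = "elastifile-storage-node-" h
    }
    {
      for (k in want) if ($1 == "elastifile-" k "-" h) {
        seen[k] = 1
        # A source range other than the cluster subnet widens the rule.
        if ($2 != subnet)  { print "WRONG_SOURCE " $1 " " $2; bad++ }
        # A different target tag applies the ports to the wrong instances.
        if ($3 != want[k]) { print "WRONG_TARGET " $1 " " $3; bad++ }
      }
    }
    END {
      for (k in want) if (!(k in seen)) {
        print "MISSING elastifile-" k "-" h; bad++
      }
      exit (bad > 0)
    }'
}
```

GCP treats --source-ranges and --source-tags on the same rule as a union, so the source range is the widest part of each rule; that is why the check flags any value other than the subnet you passed in.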
