fa7f5e0e15
Similar to the iSCSI port, which requires a firewall rule when using the Cinder LVM driver with an iSCSI target, we also require port 4420 to be allowed when using LVM with the NVMe-oF target. This patch adds the 4420 port to the list of required ports and clarifies a bit the iSCSI one, since it's only required when using LVM with iSCSI, not always. Change-Id: I499f1916eadc0f99558e529be6cc49576224c8f5
145 lines
4.3 KiB
ReStructuredText
===========================
Firewalls and default ports
===========================

On some deployments, such as ones where restrictive firewalls are in
place, you might need to manually configure a firewall to permit
OpenStack service traffic.

To manually configure a firewall, you must permit traffic through the
ports that each OpenStack service uses. This table lists the default
ports that each OpenStack service uses:

.. list-table:: Default ports that OpenStack components use
   :header-rows: 1

   * - OpenStack service
     - Default ports
   * - Application Catalog (``murano``)
     - 8082
   * - Backup Service (``Freezer``)
     - 9090
   * - Big Data Processing Framework (``sahara``) endpoint
     - 8386
   * - Block Storage (``cinder``)
     - 8776
   * - Clustering (``senlin``)
     - 8777
   * - Compute (``nova``) endpoints
     - 8774
   * - Compute ports for access to virtual machine consoles
     - 5900-5999
   * - Compute VNC proxy for browsers (openstack-nova-novncproxy)
     - 6080
   * - Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy)
     - 6081
   * - Compute SPICE HTML5 console proxy (openstack-nova-spicehtml5proxy)
     - 6082
   * - Container Infrastructure Management (``Magnum``)
     - 9511
   * - Container Service (``Zun``)
     - 9517
   * - Database service (``Trove``)
     - 8779
   * - DNS service (``Designate``)
     - 9001
   * - High Availability Service (``Masakari``)
     - 15868
   * - Identity service (``keystone``) endpoint
     - 5000
   * - Image service (``glance``) API
     - 9292
   * - Key Manager service (``Barbican``)
     - 9311
   * - Loadbalancer service (``Octavia``)
     - 9876
   * - Networking (``neutron``)
     - 9696
   * - NFV Orchestration service (``tacker``)
     - 9890
   * - Object Storage (``swift``)
     - 6000, 6001, 6002
   * - Orchestration (``heat``) endpoint
     - 8004
   * - Orchestration AWS CloudFormation-compatible API (``openstack-heat-api-cfn``)
     - 8000
   * - Orchestration AWS CloudWatch-compatible API (``openstack-heat-api-cloudwatch``)
     - 8003
   * - Placement API (``placement``)
     - 8778
   * - Rating service (``Cloudkitty``)
     - 8889
   * - Registration service (``Adjutant``)
     - 5050
   * - Resource Reservation service (``Blazar``)
     - 1234
   * - Root Cause Analysis service (``Vitrage``)
     - 8999
   * - Shared File Systems service (``Manila``)
     - 8786
   * - Telemetry alarming service (``Aodh``)
     - 8042
   * - Telemetry event service (``Panko``)
     - 8977
   * - Workflow service (``Mistral``)
     - 8989

To function properly, some OpenStack components depend on other,
non-OpenStack services. For example, the OpenStack dashboard uses HTTP
for non-secure communication. In this case, you must also configure the
firewall to allow traffic on the HTTP port.

This table lists the default ports of the secondary services that
OpenStack components use:

.. list-table:: Default ports that secondary services related to OpenStack components use
   :header-rows: 1

   * - Service
     - Default port
     - Used by
   * - HTTP
     - 80
     - OpenStack dashboard (``Horizon``) when it is not configured to use secure access.
   * - HTTP alternate
     - 8080
     - OpenStack Object Storage (``swift``) proxy service.
   * - HTTPS
     - 443
     - Any OpenStack service that is enabled for TLS, especially the secure-access dashboard.
   * - rsync
     - 873
     - OpenStack Object Storage. Required.
   * - iSCSI target
     - 3260
     - OpenStack Block Storage. Required when using LVM with an iSCSI target (tgt, LIO, iSER).
   * - NVMe-oF target
     - 4420
     - OpenStack Block Storage. Required when using LVM with the NVMe-oF target (nvmet).
   * - MySQL database service
     - 3306
     - Most OpenStack components.
   * - Message Broker (AMQP traffic)
     - 5672
     - OpenStack Block Storage, Networking, Orchestration, and Compute.

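
The tables above say which ports must be open, but a firewall rule set also has to decide who may reach them: the API endpoints are meant for clients, while the database, message broker and storage targets should never be reachable from outside the management network. The following script is an added example and is not part of the OpenStack documentation or of any OpenStack project. It turns the two tables into iptables commands for a controller node (printed, not applied, so they can be reviewed first). The network values MGMT_NET, API_NET and PROXY_NET, the SSH rule and the selection of services are hypothetical and must be adjusted to the deployment.

```shell
#!/bin/sh
# Added example, not part of the OpenStack documentation: build an iptables
# rule set for an OpenStack controller node from the two port tables above.
# Rules are printed for review; run the output as root to apply it.
#
# Assumptions (hypothetical values, change them for your deployment):
#   MGMT_NET  - management network that may reach backend services
#   API_NET   - network that may reach the public API endpoints
#   PROXY_NET - host(s) running nova-novncproxy, which must reach the
#               per-instance VNC ports 5900-5999 on compute nodes
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"
API_NET="${API_NET:-192.168.100.0/24}"
PROXY_NET="${PROXY_NET:-10.0.0.11/32}"

# "name port" pairs from the first table: API endpoints exposed to API_NET.
api_ports() {
cat <<'EOF'
keystone 5000
glance 9292
placement 8778
nova-api 8774
nova-novncproxy 6080
neutron 9696
cinder 8776
heat-api 8004
heat-api-cfn 8000
horizon-https 443
EOF
}

# Pairs from the second table: backend services, management network only.
backend_ports() {
cat <<'EOF'
mysql 3306
amqp 5672
rsync 873
iscsi 3260
nvme-of 4420
EOF
}

# Emit one ACCEPT rule per "name port" line on stdin, limited to source $1.
# A "low-high" range is rewritten as low:high, the form --dport expects.
rules_for() {
  src=$1
  while read -r name port; do
    [ -n "$name" ] || continue
    case $port in
      *-*) port="${port%-*}:${port#*-}" ;;
    esac
    printf 'iptables -A INPUT -p tcp -s %s --dport %s -m conntrack --ctstate NEW -m comment --comment %s -j ACCEPT\n' \
      "$src" "$port" "$name"
  done
}

# Controller policy: loopback and established traffic first, then the two
# service groups, and the default-deny policy last so an administrator
# applying this over SSH is not cut off halfway through.
controller_ruleset() {
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Assumed: administrators reach the node over SSH from the management network.
  echo "iptables -A INPUT -p tcp -s $MGMT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  api_ports | rules_for "$API_NET"
  backend_ports | rules_for "$MGMT_NET"
  echo "iptables -P INPUT DROP"
}

# Compute nodes need the instance console ports, and only from the VNC proxy.
compute_ruleset() {
  printf 'vnc 5900-5999\n' | rules_for "$PROXY_NET"
}

controller_ruleset
compute_ruleset
```

Nothing in the tables requires a service to be reachable from every network, so each rule carries a source restriction; widening API_NET to 0.0.0.0/0 is a deliberate decision, not the default. The VNC range 5900-5999 is opened on compute nodes for the proxy host only, because the consoles are not authenticated at that layer.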
On some deployments, the default port used by a service may fall within
the defined local (ephemeral) port range of a host, in which case the
kernel may hand that port to an outgoing connection before the service
binds it. To check a host's local port range:

.. code-block:: console

   $ sysctl net.ipv4.ip_local_port_range

If a service's default port falls within this range, run the following
command to check whether the port has already been taken by another
application:

.. code-block:: console

   $ lsof -i :PORT

Configure the service to use a different port if the default port is
already being used by another application.
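
As an added example that is not part of the OpenStack documentation, the following script automates the two checks above for a list of default ports and distinguishes a port that is merely inside the ephemeral range from one that is actually bound. It reads the real range from /proc when available; the fallback values 32768 and 60999 are the Linux defaults, the port list is an assumed sample taken from the first table, and ss is tried before lsof because it is installed on more hosts.

```shell
#!/bin/sh
# Added example, not part of the OpenStack documentation: check OpenStack
# default ports against the host's ephemeral port range and current listeners.

# Print "low high" for the ephemeral range; the fallback is the Linux
# default and is only used when /proc is unavailable (portability assumption).
ephemeral_range() {
  if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
    cat /proc/sys/net/ipv4/ip_local_port_range
  else
    echo "32768 60999"
  fi
}

# Succeed when PORT ($1) lies inside the range LOW ($2) .. HIGH ($3).
port_in_range() {
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Exit 0 when a TCP listener is bound to PORT, 1 when not, 2 when neither
# ss nor lsof is available to tell.
port_in_use() {
  if command -v ss >/dev/null 2>&1; then
    ss -Hltn "sport = :$1" | grep -q .
  elif command -v lsof >/dev/null 2>&1; then
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
  else
    return 2
  fi
}

# Print one of: free, in-use, unknown, each prefixed with "ephemeral-" when
# the port sits inside the range, which is the case the text above warns about.
check_port() {
  port=$1; low=$2; high=$3
  prefix=""
  if port_in_range "$port" "$low" "$high"; then
    prefix="ephemeral-"
  fi
  if port_in_use "$port"; then
    echo "${prefix}in-use"
  elif [ $? -eq 1 ]; then
    echo "${prefix}free"
  else
    echo "${prefix}unknown"
  fi
}

# Sample of default ports from the first table (assumed selection).
set -- $(ephemeral_range)
low=$1; high=$2
echo "ephemeral range: $low-$high"
for entry in keystone:5000 glance:9292 nova:8774 placement:8778 \
             neutron:9696 cinder:8776 masakari:15868; do
  name=${entry%%:*}; port=${entry##*:}
  printf '%-10s %-6s %s\n' "$name" "$port" "$(check_port "$port" "$low" "$high")"
done
```

With the default range none of the listed ports is ephemeral, so an "ephemeral-" result normally means the host's range was widened (for example to 1024-65535). If a port inside the range cannot be moved, add it to ``net.ipv4.ip_local_reserved_ports`` (for example ``sysctl -w net.ipv4.ip_local_reserved_ports=15868``) so the kernel never allocates it as a source port for outgoing connections, which is the failure the range check is guarding against; ``ss -ltnp`` shows the owning process where lsof is not installed.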