b4a76b229c
Table has not been maintained for a while and needed adjustments in terms of the available services along with used ports. Table was made on best effort basis, which means that only most known services were filled in and some might be still missing. Closes-Bug: #1915979 Change-Id: Icca93386f7c52c22472892f6e82fb82744c54832
4.2 KiB
Firewalls and default ports
On some deployments, such as ones where restrictive firewalls are in place, you might need to manually configure a firewall to permit OpenStack service traffic.
To manually configure a firewall, you must permit traffic through the ports that each OpenStack service uses. This table lists the default ports that each OpenStack service uses:
| OpenStack service | Default ports |
|---|---|
Application Catalog (murano) |
8082 |
Backup Service (Freezer) |
9090 |
Big Data Processing Framework (sahara) |
8386 |
Block Storage (cinder) |
8776 |
Clustering (senlin) |
8777 |
Compute (nova) endpoints |
8774 |
| Compute ports for access to virtual machine consoles | 5900-5999 |
| Compute VNC proxy for browsers (openstack-nova-novncproxy) | 6080 |
| Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy) | 6081 |
Container Infrastructure Management (Magnum) |
9511 |
Container Service (Zun) |
9517 |
Data processing service (sahara) endpoint |
8386 |
Database service (Trove) |
8779 |
DNS service (Designate) |
9001 |
High Availability Service (Masakari) |
15868 |
Identity service (keystone) endpoint |
5000 |
Image service (glance) API |
9292 |
Key Manager service (Barbican) |
9311 |
Loadbalancer service (Octavia) |
9876 |
Networking (neutron) |
9696 |
NFV Orchestration service (tacker) |
9890 |
Object Storage (swift) |
6000, 6001, 6002 |
Orchestration (heat) endpoint |
8004 |
Orchestration AWS CloudFormation-compatible API
(openstack-heat-api-cfn) |
8000 |
Orchestration AWS CloudWatch-compatible API
(openstack-heat-api-cloudwatch) |
8778 |
Placement API (placement) |
8003 |
| Proxy port for HTML5 console used by Compute service | 6082 |
Rating service (Cloudkitty) |
8889 |
Registration service (Adjutant) |
5050 |
Resource Reservation service (Blazar) |
1234 |
Root Cause Analysis service (Vitrage) |
8999 |
Shared File Systems service (Manila) |
8786 |
Telemetry alarming service (Aodh) |
8042 |
Telemetry event service (Panko) |
8977 |
Workflow service (Mistral) |
8989 |
To function properly, some OpenStack components depend on other, non-OpenStack services. For example, the OpenStack dashboard uses HTTP for non-secure communication. In this case, you must configure the firewall to allow traffic to and from HTTP.
This table lists the ports that other OpenStack components use:
| Service | Default port | Used by |
|---|---|---|
| HTTP | 80 | OpenStack dashboard (Horizon) when it is not configured
to use secure access. |
| HTTP alternate | 8080 | OpenStack Object Storage (swift) service. |
| HTTPS | 443 | Any OpenStack service that is enabled for SSL, especially secure-access dashboard. |
| rsync | 873 | OpenStack Object Storage. Required. |
| iSCSI target | 3260 | OpenStack Block Storage. Required. |
| MySQL database service | 3306 | Most OpenStack components. |
| Message Broker (AMQP traffic) | 5672 | OpenStack Block Storage, Networking, Orchestration, and Compute. |
On some deployments, the default port used by a service may fall within the defined local port range of a host. To check a host's local port range:
$ sysctl net.ipv4.ip_local_port_rangeIf a service's default port falls within this range, run the following program to check if the port has already been assigned to another application:
$ lsof -i :PORTConfigure the service to use a different port if the default port is already being used by another application.