openstack-manuals/doc/common/section_compute_config-firewalls.xml
Don Domingo a4465257c1 Added section for Compute node firewall config
Added a new section to the Config Reference on what ports to open on
each compute node (and how). Upon consultation, it seems that adding
a port config section in each component chapter is a better way to
address bug#1261617.

I'll submit follow-up patches adding a firewall configuration section
to each Config Ref Guide chapter/component if this patch gets merged.

Change-Id: Ie53e73b7cd2ec7af81f264338a4676952dd168e1
Partial-Bug: #1261617
2014-02-04 09:47:40 +10:00


<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="default_ports">
<title>Compute service node firewall requirements</title>
<para>
Virtual machine console connections, whether direct or
through a proxy, are received on ports <literal>5900</literal>
to <literal>5999</literal>.
</para>
<para>
You must configure the firewall on the service node to allow
network traffic on these ports. On the server that hosts the
Compute service, log in as <systemitem>root</systemitem> and
complete the following procedure:
</para>
<procedure>
<step>
<para>
Edit the <filename>/etc/sysconfig/iptables</filename>
file.
</para>
</step>
<step>
<para>
Add an INPUT rule that allows TCP traffic on ports
that range from <literal>5900</literal> to
<literal>5999</literal>:
</para>
<programlisting language="ini">-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT</programlisting>
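<para>
The new rule must appear before any INPUT rules that
REJECT traffic, because <systemitem>iptables</systemitem>
evaluates the rules in a chain in order and stops at the
first rule that accepts or rejects the packet.
</para>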
</step>
<step>
<para>
Save the changes to the
<filename>/etc/sysconfig/iptables</filename> file.
</para>
</step>
<step>
<para>
Restart the <systemitem>iptables</systemitem> service
to ensure that the change takes effect.
</para>
<screen><prompt>#</prompt> <userinput>service iptables restart</userinput></screen>
</step>
</procedure>
<para>
The <systemitem>iptables</systemitem> firewall
now allows incoming connections to the Compute
services. Repeat this process for each Compute node.
</para>
</section>
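
The ordering requirement in the procedure above can be checked mechanically. The following is an added example, not part of the original file or commit: the function name `check_console_rule` and both sample rule sets are constructed for illustration, and the check treats DROP rules like REJECT rules, which goes slightly beyond the wording of the section.

```shell
#!/bin/sh
# Added example: verify rule order in iptables-save format input.
# Status: 0 = console ACCEPT rule precedes every INPUT REJECT/DROP rule,
#         1 = a REJECT/DROP rule comes first, 2 = console rule not found.
check_console_rule() {
    awk '
        # Only rules appended to the INPUT chain are relevant.
        $1 != "-A" || $2 != "INPUT" { next }
        {
            target = ""
            for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
        }
        target == "ACCEPT" && /-p tcp/ && /--dports? 5900:5999/ { found = 1; exit }
        target == "REJECT" || target == "DROP" { blocked = 1 }
        END {
            if (!found) exit 2
            exit (blocked ? 1 : 0)
        }
    ' "$@"
}

# Constructed sample: console rule placed before the catch-all REJECT.
sample_good() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Constructed sample: same rules, but the console rule was appended last.
sample_bad() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT
COMMIT
EOF
}

for s in sample_good sample_bad; do
    rc=0; $s | check_console_rule || rc=$?
    echo "$s: status $rc"
done
```

On a Compute node, pass the rules file as an argument, for example `check_console_rule /etc/sysconfig/iptables`, before restarting the service.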