From 3b0b6dadd0e8d3b744a73361aa6e43070be7b724 Mon Sep 17 00:00:00 2001
From: Don Domingo <ddomingo@redhat.com>
Date: Mon, 3 Feb 2014 16:49:33 +1000
Subject: [PATCH] Added XML files for default ports sect and tables

This patch adds XML files for:
- brief overview of firewall configuration
- table listing ports used by main openstack components
- table listing ports used by other services required by OpenStack

The resulting section will be added as an appendix to the Config Ref
Guide.

Change-Id: Ib7edf8f827cd0c31c51a9cbdaff475384960c7ee
Related-Bug: #1261617
---
 doc/config-reference/app_firewalls-ports.xml  |  23 ++++
 doc/config-reference/bk-config-ref.xml        |  33 +++---
 ...able_default-ports-peripheral-services.xml |  61 ++++++++++
 .../table_default-ports-primary-services.xml  | 112 ++++++++++++++++++
 4 files changed, 215 insertions(+), 14 deletions(-)
 create mode 100644 doc/config-reference/app_firewalls-ports.xml
 create mode 100644 doc/config-reference/table_default-ports-peripheral-services.xml
 create mode 100644 doc/config-reference/table_default-ports-primary-services.xml

diff --git a/doc/config-reference/app_firewalls-ports.xml b/doc/config-reference/app_firewalls-ports.xml
new file mode 100644
index 0000000000..495ccf49a9
--- /dev/null
+++ b/doc/config-reference/app_firewalls-ports.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<appendix xmlns="http://docbook.org/ns/docbook"
+    xmlns:xi="http://www.w3.org/2001/XInclude"
+    xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+    xml:id="firewalls-default-ports">
+    <title>Firewalls and default ports</title>
+    <para>On some deployments, such as ones where restrictive
+        firewalls are in place, you might need to manually configure a
+        firewall to permit OpenStack service traffic.</para>
+    <para>To manually configure a firewall, you must permit traffic
+        through the ports that each OpenStack service uses. This table
+        lists the default ports that each OpenStack service
+        uses:</para>
+    <xi:include href="table_default-ports-primary-services.xml"/>
+    <para>To function properly, some OpenStack components depend on
+        other, non-OpenStack services. For example, the OpenStack
+        dashboard uses HTTP for non-secure communication. In this
+        case, you must configure the firewall to allow traffic to and
+        from HTTP.</para>
+    <para>This table lists the ports that other OpenStack components
+        use:</para>
+    <xi:include href="table_default-ports-peripheral-services.xml"/>
+</appendix>
diff --git a/doc/config-reference/bk-config-ref.xml b/doc/config-reference/bk-config-ref.xml
index faf44516f5..f6313189f9 100644
--- a/doc/config-reference/bk-config-ref.xml
+++ b/doc/config-reference/bk-config-ref.xml
@@ -46,7 +46,8 @@
                         <listitem>
                             <para>Removes content addressed in
                                 installation, merges duplicated
-                                content, and revises legacy references.</para>
+                                content, and revises legacy
+                                references.</para>
                         </listitem>
                     </itemizedlist>
                 </revdescription>
@@ -66,9 +67,11 @@
                 <revdescription>
                     <itemizedlist>
                         <listitem>
-                            <para>Moves Block Storage driver configuration information
-                                from the <citetitle>Block Storage Administration Guide</citetitle>
-                                to this reference.</para>
+                            <para>Moves Block Storage driver
+                                configuration information from the
+                                   <citetitle>Block Storage
+                                   Administration Guide</citetitle> to
+                                this reference.</para>
                         </listitem>
                     </itemizedlist>
                 </revdescription>
@@ -78,7 +81,8 @@
                 <revdescription>
                     <itemizedlist>
                         <listitem>
-                            <para>Initial creation of Configuration Reference.</para>
+                            <para>Initial creation of Configuration
+                                Reference.</para>
                         </listitem>
                     </itemizedlist>
                 </revdescription>
@@ -86,21 +90,22 @@
         </revhistory>
     </info>
     <xi:include href="ch_config-overview.xml"/>
-<!-- Identity -->
+    <!-- Identity -->
     <xi:include href="ch_identityconfigure.xml"/>
-<!-- Compute -->
+    <!-- Compute -->
     <xi:include href="ch_computeconfigure.xml"/>
-<!-- Image -->
+    <!-- Image -->
     <xi:include href="ch_imageservice.xml"/>
-<!-- Networking -->
+    <!-- Networking -->
     <xi:include href="ch_networkingconfigure.xml"/>
-<!-- Dashboard -->
+    <!-- Dashboard -->
     <xi:include href="ch_dashboardconfigure.xml"/>
-<!-- Object Storage -->
+    <!-- Object Storage -->
     <xi:include href="ch_objectstorageconfigure.xml"/>
-<!-- Block Storage -->
+    <!-- Block Storage -->
     <xi:include href="ch_blockstorageconfigure.xml"/>
-<!-- Support -->
+    <!-- Appendices -->
+    <xi:include href="app_firewalls-ports.xml"/>
+    <!-- Support -->
     <xi:include href="../common/app_support.xml"/>
-
 </book>
diff --git a/doc/config-reference/table_default-ports-peripheral-services.xml b/doc/config-reference/table_default-ports-peripheral-services.xml
new file mode 100644
index 0000000000..9d1a3f0148
--- /dev/null
+++ b/doc/config-reference/table_default-ports-peripheral-services.xml
@@ -0,0 +1,61 @@
+<?xml version="1.0" encoding="UTF-8"?>
+    <!-- This table was not automatically generated in any way.
+    You can edit it as needed. -->
+<para xmlns="http://docbook.org/ns/docbook" version="5.0">
+    <table rules="all">
+        <caption>Default ports that secondary services related to
+            OpenStack components use</caption>
+        <col width="25%"/>
+        <col width="25%"/>
+        <col width="50%"/>
+        <thead>
+            <tr>
+                <th>Service</th>
+                <th>Default port</th>
+                <th>Used by</th>
+            </tr>
+        </thead>
+        <tbody>
+            <tr>
+                <td>HTTP</td>
+                <td>80</td>
+                <td>OpenStack dashboard (<literal>Horizon</literal>)
+                    when it is not configured to use secure
+                    access.</td>
+            </tr>
+            <tr>
+                <td>HTTP alternate</td>
+                <td>8080</td>
+                <td>OpenStack Object Storage
+                    (<literal>swift</literal>) service.</td>
+            </tr>
+            <tr>
+                <td>HTTPS</td>
+                <td>443</td>
+                <td>Any OpenStack service that is enabled for SSL,
+                    especially secure-access dashboard.</td>
+            </tr>
+            <tr>
+                <td>rsync</td>
+                <td>873</td>
+                <td>OpenStack Object Storage. Required.</td>
+            </tr>
+            <tr>
+                <td>iSCSI target</td>
+                <td>3260</td>
+                <td>OpenStack Block Storage. Required.</td>
+            </tr>
+            <tr>
+                <td>MySQL database service</td>
+                <td>3306</td>
+                <td>Most OpenStack components.</td>
+            </tr>
+            <tr>
+                <td>Message Broker (AMQP traffic)</td>
+                <td>5672</td>
+                <td>OpenStack Block Storage, Networking,
+                    Orchestration, and Compute.</td>
+            </tr>
+        </tbody>
+    </table>
+</para>
diff --git a/doc/config-reference/table_default-ports-primary-services.xml b/doc/config-reference/table_default-ports-primary-services.xml
new file mode 100644
index 0000000000..40794fd39e
--- /dev/null
+++ b/doc/config-reference/table_default-ports-primary-services.xml
@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8"?>
+     <!-- This table was not automatically generated in any way.
+     You can edit it as needed. -->
+<para xmlns="http://docbook.org/ns/docbook" version="5.0">
+    <table rules="all">
+        <caption>Default ports that OpenStack components use</caption>
+        <col width="50%"/>
+        <col width="25%"/>
+        <col width="25%"/>
+        <thead>
+            <tr>
+                <th>OpenStack service</th>
+                <th>Default ports</th>
+                <th>Port type</th>
+            </tr>
+        </thead>
+        <tbody>
+            <tr>
+                <td>Block Storage (<literal>cinder</literal>)</td>
+                <td>8776</td>
+                <td>publicurl and adminurl</td>
+            </tr>
+            <tr>
+                <td>Compute (<literal>nova</literal>) endpoints</td>
+                <td>8774</td>
+                <td>publicurl and adminurl</td>
+            </tr>
+            <tr>
+                <td>Compute API (<literal>nova-api</literal>)</td>
+                <td>8773, 8775</td>
+                <td/>
+            </tr>
+            <tr>
+                <td>Compute ports for access to virtual machine
+                    consoles</td>
+                <td>5900-5999</td>
+                <td/>
+            </tr>
+            <tr>
+                <td>Compute VNC proxy for browsers (
+                        <systemitem>openstack-nova-novncproxy</systemitem>)</td>
+                <td>6080</td>
+            </tr>
+            <tr>
+                <td>Compute VNC proxy for traditional VNC clients
+                        (<systemitem>openstack-nova-xvpvncproxy</systemitem>)</td>
+                <td>6081</td>
+                <td/>
+            </tr>
+            <tr>
+                <td>Proxy port for HTML5 console used by Compute
+                    service</td>
+                <td>6082</td>
+                <td/>
+            </tr>
+            <tr>
+                <td>Identity Service (<literal>keystone</literal>)
+                    administrative endpoint</td>
+                <td>35357</td>
+                <td>adminurl</td>
+            </tr>
+            <tr>
+                <td>Identity Service public endpoint</td>
+                <td>5000</td>
+                <td>publicurl</td>
+            </tr>
+            <tr>
+                <td>Image Service (<literal>glance</literal>) API</td>
+                <td>9292</td>
+                <td>publicurl and adminurl</td>
+            </tr>
+            <tr>
+                <td>Image Service registry</td>
+                <td>9191</td>
+                <td/>
+            </tr>
+            <tr>
+                <td>Networking (<literal>neutron</literal>)</td>
+                <td>9696</td>
+                <td>publicurl and adminurl</td>
+            </tr>
+            <tr>
+                <td>Object Storage (<literal>swift</literal>)</td>
+                <td>6000, 6001, 6002</td>
+                <td/>
+            </tr>
+            <tr>
+                <td>Orchestration (<literal>heat</literal>)
+                    endpoint</td>
+                <td>8004</td>
+                <td>publicurl and adminurl</td>
+            </tr>
+            <tr>
+                <td>Orchestration AWS CloudFormation-compatible API
+                        (<literal>openstack-heat-api-cfn</literal>)</td>
+                <td>8000</td>
+                <td/>
+            </tr>
+            <tr>
+                <td>Orchestration AWS CloudWatch-compatible API
+                        (<literal>openstack-heat-api-cloudwatch</literal>)</td>
+                <td>8003</td>
+                <td/>
+            </tr>
+            <tr>
+                <td>Telemetry (<literal>ceilometer</literal>)</td>
+                <td>8777</td>
+                <td>publicurl and adminurl</td>
+            </tr>
+        </tbody>
+    </table>
+</para>