Merge "[install-guide] Moves firewall doc to install-guide"
This commit is contained in:
commit
8eb706f0af
138
doc/install-guide/source/firewalls-default-ports.rst
Normal file
138
doc/install-guide/source/firewalls-default-ports.rst
Normal file
@ -0,0 +1,138 @@
|
|||||||
|
===========================
|
||||||
|
Firewalls and default ports
|
||||||
|
===========================
|
||||||
|
|
||||||
|
On some deployments, such as ones where restrictive firewalls are in
|
||||||
|
place, you might need to manually configure a firewall to permit
|
||||||
|
OpenStack service traffic.
|
||||||
|
|
||||||
|
To manually configure a firewall, you must permit traffic through the
|
||||||
|
ports that each OpenStack service uses. This table lists the default
|
||||||
|
ports that each OpenStack service uses:
|
||||||
|
|
||||||
|
.. list-table:: Default ports that OpenStack components use
|
||||||
|
:header-rows: 1
|
||||||
|
|
||||||
|
* - OpenStack service
|
||||||
|
- Default ports
|
||||||
|
- Port type
|
||||||
|
* - Application Catalog (``murano``)
|
||||||
|
- 8082
|
||||||
|
-
|
||||||
|
* - Block Storage (``cinder``)
|
||||||
|
- 8776
|
||||||
|
- publicurl and adminurl
|
||||||
|
* - Clustering (``senlin``)
|
||||||
|
- 8778
|
||||||
|
- publicurl and adminurl
|
||||||
|
* - Compute (``nova``) endpoints
|
||||||
|
- 8774
|
||||||
|
- publicurl and adminurl
|
||||||
|
* - Compute API (``nova-api``)
|
||||||
|
- 8773, 8775
|
||||||
|
-
|
||||||
|
* - Compute ports for access to virtual machine consoles
|
||||||
|
- 5900-5999
|
||||||
|
-
|
||||||
|
* - Compute VNC proxy for browsers ( openstack-nova-novncproxy)
|
||||||
|
- 6080
|
||||||
|
-
|
||||||
|
* - Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy)
|
||||||
|
- 6081
|
||||||
|
-
|
||||||
|
* - Proxy port for HTML5 console used by Compute service
|
||||||
|
- 6082
|
||||||
|
-
|
||||||
|
* - Data processing service (``sahara``) endpoint
|
||||||
|
- 8386
|
||||||
|
- publicurl and adminurl
|
||||||
|
* - Identity service (``keystone``) administrative endpoint
|
||||||
|
- 35357
|
||||||
|
- adminurl
|
||||||
|
* - Identity service public endpoint
|
||||||
|
- 5000
|
||||||
|
- publicurl
|
||||||
|
* - Image service (``glance``) API
|
||||||
|
- 9292
|
||||||
|
- publicurl and adminurl
|
||||||
|
* - Image service registry
|
||||||
|
- 9191
|
||||||
|
-
|
||||||
|
* - Networking (``neutron``)
|
||||||
|
- 9696
|
||||||
|
- publicurl and adminurl
|
||||||
|
* - Object Storage (``swift``)
|
||||||
|
- 6000, 6001, 6002
|
||||||
|
-
|
||||||
|
* - Orchestration (``heat``) endpoint
|
||||||
|
- 8004
|
||||||
|
- publicurl and adminurl
|
||||||
|
* - Orchestration AWS CloudFormation-compatible API (``openstack-heat-api-cfn``)
|
||||||
|
- 8000
|
||||||
|
-
|
||||||
|
* - Orchestration AWS CloudWatch-compatible API (``openstack-heat-api-cloudwatch``)
|
||||||
|
- 8003
|
||||||
|
-
|
||||||
|
* - Root Cause Analysis service (``Vitrage``)
|
||||||
|
- 8999
|
||||||
|
-
|
||||||
|
* - Telemetry (``ceilometer``)
|
||||||
|
- 8777
|
||||||
|
- publicurl and adminurl
|
||||||
|
* - Workflow service (``Mistral``)
|
||||||
|
- 8989
|
||||||
|
-
|
||||||
|
|
||||||
|
To function properly, some OpenStack components depend on other,
|
||||||
|
non-OpenStack services. For example, the OpenStack dashboard uses HTTP
|
||||||
|
for non-secure communication. In this case, you must configure the
|
||||||
|
firewall to allow traffic to and from HTTP.
|
||||||
|
|
||||||
|
This table lists the ports that other OpenStack components use:
|
||||||
|
|
||||||
|
.. list-table:: Default ports that secondary services related to OpenStack components use
|
||||||
|
:header-rows: 1
|
||||||
|
|
||||||
|
* - Service
|
||||||
|
- Default port
|
||||||
|
- Used by
|
||||||
|
* - HTTP
|
||||||
|
- 80
|
||||||
|
- OpenStack dashboard (``Horizon``) when it is not configured to use secure access.
|
||||||
|
* - HTTP alternate
|
||||||
|
- 8080
|
||||||
|
- OpenStack Object Storage (``swift``) service.
|
||||||
|
* - HTTPS
|
||||||
|
- 443
|
||||||
|
- Any OpenStack service that is enabled for SSL, especially secure-access dashboard.
|
||||||
|
* - rsync
|
||||||
|
- 873
|
||||||
|
- OpenStack Object Storage. Required.
|
||||||
|
* - iSCSI target
|
||||||
|
- 3260
|
||||||
|
- OpenStack Block Storage. Required.
|
||||||
|
* - MySQL database service
|
||||||
|
- 3306
|
||||||
|
- Most OpenStack components.
|
||||||
|
* - Message Broker (AMQP traffic)
|
||||||
|
- 5672
|
||||||
|
- OpenStack Block Storage, Networking, Orchestration, and Compute.
|
||||||
|
|
||||||
|
On some deployments, the default port used by a service may fall within
|
||||||
|
the defined local port range of a host. To check a host's local port
|
||||||
|
range:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ sysctl net.ipv4.ip_local_port_range
|
||||||
|
|
||||||
|
If a service's default port falls within this range, run the following
|
||||||
|
program to check if the port has already been assigned to another
|
||||||
|
application:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ lsof -i :PORT
|
||||||
|
|
||||||
|
Configure the service to use a different port if the default port is
|
||||||
|
already being used by another application.
|
@ -11,4 +11,5 @@
|
|||||||
overview.rst
|
overview.rst
|
||||||
environment.rst
|
environment.rst
|
||||||
launch-instance.rst
|
launch-instance.rst
|
||||||
|
firewalls-default-ports.rst
|
||||||
common/appendix.rst
|
common/appendix.rst
|
||||||
|
Loading…
Reference in New Issue
Block a user