Added section for Compute node firewall config

Added a new section to the Config Reference on what ports to open on each compute node (and how). Upon consultation, it seems that adding a port config section in each component chapter is a better way to address bug#1261617. I'll submit follow-up patches adding a firewall configuration section to each Config Ref Guide chapter/component if this patch gets merged. Change-Id: Ie53e73b7cd2ec7af81f264338a4676952dd168e1 Partial-Bug: #1261617
2014-01-30 11:41:30 +10:00 · 2014-01-30 11:41:30 +10:00 · a4465257c1
commit a4465257c1
parent 2bfbfd3cc4
2 changed files with 57 additions and 0 deletions
--- a/doc/common/section_compute_config-firewalls.xml
+++ b/doc/common/section_compute_config-firewalls.xml
@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<section xmlns="http://docbook.org/ns/docbook"
+    xmlns:xi="http://www.w3.org/2001/XInclude"
+    xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
+    xml:id="default_ports">
+    <title>Compute service node firewall requirements</title>
+    <para>
+        Virtual machine console connections, whether direct or
+        through a proxy, are received on ports <literal>5900</literal>
+        to <literal>5999</literal>.
+    </para>
+    <para>
+        You must configure the firewall on the service node to enable
+        network traffic on these ports. On the server that hosts the
+        Compute service, log in as <systemitem>root</systemitem> and
+        complete the following procedure:
+    </para>
+    <procedure>
+        <step>
+            <para>
+                Edit the <filename>/etc/sysconfig/iptables</filename>
+                file.
+            </para>
+        </step>
+        <step>
+            <para>
+                Add an INPUT rule that allows TCP traffic on ports
+                that range from <literal>5900</literal> to
+                <literal>5999</literal>:
+            </para>
+            <programlisting language="ini">-A INPUT -p tcp -m multiport --dports 5900:5999 -j ACCEPT</programlisting>
+            <para>
+                The new rule must appear before any INPUT rules that
+                REJECT traffic.
+            </para>
+        </step>
+        <step>
+            <para>
+                Save the changes to the
+                <filename>/etc/sysconfig/iptables</filename> file.
+            </para>
+        </step>
+        <step>
+            <para>
+                Restart the <systemitem>iptables</systemitem> service
+                to ensure that the change takes effect.
+            </para>
+<screen><prompt>$</prompt> <userinput>service iptables restart</userinput></screen>
+        </step>
+    </procedure>
+    <para>
+        The <systemitem>iptables</systemitem> firewall
+        now enables incoming connections to the Compute
+        services. Repeat this process for each Compute node.
+    </para>
+    </section>
--- a/doc/config-reference/ch_computeconfigure.xml
+++ b/doc/config-reference/ch_computeconfigure.xml
@ -86,6 +86,7 @@
  </section>
  <!-- End of configuring resize -->
  <xi:include href="compute/section_compute-configure-db.xml"/>
+  <xi:include href="../common/section_compute_config-firewalls.xml"/>
  <!-- Oslo rpc mechanism (such as, Rabbit, Qpid, ZeroMQ) -->
  <xi:include href="../common/section_rpc.xml"/>
  <xi:include href="../common/section_compute_config-api.xml"/>