From ca3c0dc2011b514a21a3828c801e5d15af955e66 Mon Sep 17 00:00:00 2001 From: Gauvain Pocentek Date: Sat, 14 Nov 2015 12:45:44 +0100 Subject: [PATCH] [config-ref] convert app_firewalls-ports.xml to RST Change-Id: I25cd86213397b3d73d1f2c0badf57db41d019779 Implements: blueprint config-ref-rst --- .../source/firewalls-default-ports.rst | 126 ++++++++++++++++++ 1 file changed, 126 insertions(+) diff --git a/doc/config-ref-rst/source/firewalls-default-ports.rst b/doc/config-ref-rst/source/firewalls-default-ports.rst index 69589515c6..b9bcf0a5c5 100644 --- a/doc/config-ref-rst/source/firewalls-default-ports.rst +++ b/doc/config-ref-rst/source/firewalls-default-ports.rst 
@@ -1,3 +1,129 @@ =========================== Firewalls and default ports =========================== + +On some deployments, such as ones where restrictive firewalls are in +place, you might need to manually configure a firewall to permit +OpenStack service traffic. + +To manually configure a firewall, you must permit traffic through the +ports that each OpenStack service uses. This table lists the default +ports that each OpenStack service uses: + +.. list-table:: Default ports that OpenStack components use + :header-rows: 1 + + * - OpenStack service + - Default ports + - Port type + * - Application Catalog (``murano``) + - 8082 + - + * - Block Storage (``cinder``) + - 8776 + - publicurl and adminurl + * - Compute (``nova``) endpoints + - 8774 + - publicurl and adminurl + * - Compute API (``nova-api``) + - 8773, 8775 + - + * - Compute ports for access to virtual machine consoles + - 5900-5999 + - + * - Compute VNC proxy for browsers ( openstack-nova-novncproxy) + - 6080 + - + * - Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy) + - 6081 + - + * - Proxy port for HTML5 console used by Compute service + - 6082 + - + * - Data processing service (``sahara``) endpoint + - 8386 + - publicurl and adminurl + * - Identity service (``keystone``) administrative endpoint + - 35357 + - adminurl + * - Identity service public endpoint + - 5000 + - publicurl + * - Image service (``glance``) API + - 9292 + - publicurl and adminurl + * - Image service registry + - 9191 + - + * - Networking (``neutron``) + - 9696 + - publicurl and adminurl + * - Object Storage (``swift``) + - 6000, 6001, 6002 + - + * - Orchestration (``heat``) endpoint + - 8004 + - publicurl and adminurl + * - Orchestration AWS CloudFormation-compatible API (``openstack-heat-api-cfn``) + - 8000 + - + * - Orchestration AWS CloudWatch-compatible API (``openstack-heat-api-cloudwatch``) + - 8003 + - + * - Telemetry (``ceilometer``) + - 8777 + - publicurl and adminurl + +To function properly, 
some OpenStack components depend on other, +non-OpenStack services. For example, the OpenStack dashboard uses HTTP +for non-secure communication. In this case, you must configure the +firewall to allow traffic to and from HTTP. + +This table lists the ports that other OpenStack components use: + +.. list-table:: Default ports that secondary services related to OpenStack components use + :header-rows: 1 + + * - Service + - Default port + - Used by + * - HTTP + - 80 + - OpenStack dashboard (``Horizon``) when it is not configured to use secure access. + * - HTTP alternate + - 8080 + - OpenStack Object Storage (``swift``) service. + * - HTTPS + - 443 + - Any OpenStack service that is enabled for SSL, especially secure-access dashboard. + * - rsync + - 873 + - OpenStack Object Storage. Required. + * - iSCSI target + - 3260 + - OpenStack Block Storage. Required. + * - MySQL database service + - 3306 + - Most OpenStack components. + * - Message Broker (AMQP traffic) + - 5672 + - OpenStack Block Storage, Networking, Orchestration, and Compute. + +On some deployments, the default port used by a service may fall within +the defined local port range of a host. To check a host's local port +range: + +:: + + $ sysctl net.ipv4.ip_local_port_range + +If a service's default port falls within this range, run the following +program to check if the port has already been assigned to another +application: + +:: + + $ lsof -i :PORT + +Configure the service to use a different port if the default port is +already being used by another application.
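Review bot: the "Port type" column of the first table is left empty for ten rows (Application Catalog 8082, Compute API 8773/8775, console ports 5900-5999, the three console proxies on 6080, 6081 and 6082, Image service registry 9191, Object Storage 6000-6002, and the Orchestration AWS-compatible APIs on 8000 and 8003), so a reader following "you must permit traffic through the ports that each OpenStack service uses" cannot tell which of these must be reachable from outside the deployment and which are only consumed by other nodes; either fill in the cell (publicurl, adminurl, or a short word such as "internal") or add a sentence before the table stating what an empty cell means. The second table has the same gap: its "Used by" column shows that MySQL 3306, the message broker 5672, rsync 873 and iSCSI 3260 are consumed by OpenStack components rather than by end users, and one sentence saying that these ports do not need to be opened on an externally facing firewall would make the "permit traffic" guidance safer to apply. Minor style point in the first table: "Compute VNC proxy for browsers ( openstack-nova-novncproxy)" has a stray space after the opening parenthesis, and neither it nor "Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy)" wraps the daemon name in double backticks the way "Orchestration AWS CloudFormation-compatible API (``openstack-heat-api-cfn``)" does; suggest "(``openstack-nova-novncproxy``)" and "(``openstack-nova-xvpvncproxy``)" for consistency.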