From 1e9c49e02be457a1544beb0eca08853c17ffbf8f Mon Sep 17 00:00:00 2001
From: Don Domingo <ddomingo@redhat.com>
Date: Wed, 11 Jun 2014 11:00:46 +1000
Subject: [PATCH] Add note regarding local port range

It is possible for the default port of a service (in particular,
keystone's administrative endpoint) to fall within a host's local
port range. This patch reminds users of this, and adds instructions
on how to:

- check a host's' port range
- check whether a port is already in use

Change-Id: If57d186153b4ffb8367d685a09675880b4fdaa04
Partial-Bug: #1261617
---
 doc/config-reference/app_firewalls-ports.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/doc/config-reference/app_firewalls-ports.xml b/doc/config-reference/app_firewalls-ports.xml
index 495ccf49a9..8271448798 100644
--- a/doc/config-reference/app_firewalls-ports.xml
+++ b/doc/config-reference/app_firewalls-ports.xml
@@ -20,4 +20,14 @@
     <para>This table lists the ports that other OpenStack components
         use:</para>
     <xi:include href="table_default-ports-peripheral-services.xml"/>
+    <para>On some deployments, the default port used by a service
+        may fall within the defined local port range of a host. To
+        check a host's local port range:</para>
+        <screen><prompt>$</prompt> <userinput>sysctl -a | grep ip_local_port_range</userinput></screen>
+        <para>If a service's default port falls within this range, run
+        the following program to check if the port has already been
+        assigned to another application:</para>
+        <screen><prompt>$</prompt> <userinput>lsof -i :<replaceable>PORT</replaceable></userinput></screen>
+        <para>Configure the service to use a different port if the
+        default port is already being used by another application.</para>
 </appendix>