Firewalls und Standardports

On some deployments, such as ones where restrictive firewalls are in place, you might need to manually configure a firewall to permit OpenStack service traffic.

To manually configure a firewall, you must permit traffic through the ports that each OpenStack service uses. This table lists the default ports that each OpenStack service uses:

Von OpenStack Komponenten verwendete Standard-Ports

OpenStack Dienst

Standard-Ports

Anwendungskatalog (murano)

8082

Backup Service (Freezer)

9090

Big Data Processing Framework (sahara)

8386

Block Storage (cinder)

8776

Clusterdienst (senlin)

8777

Compute (nova) Endpunkte

8774

Compute Ports für den Zugriff auf Konsolen der virtuellen Maschinen

5900-5999

Compute VNC proxy for browsers (openstack-nova-novncproxy)

6080

Compute VNC Proxy für traditionelle VNC Clients (openstack-nova-xvpvncproxy)

6081

Container Infrastructure Management (Magnum)

9511

Container Service (Zun)

9517

Data processing Dienst (sahara) Endpunkte

8386

Database service (Trove)

8779

DNS service (Designate)

9001

High Availability Service (Masakari)

15868

Identity service (keystone) endpoint

5000

Image-Dienst (glance) API

9292

Key Manager service (Barbican)

9311

Loadbalancer service (Octavia)

9876

Netzwerk (neutron)

9696

NFV Orchestration service (tacker)

9890

Objekt Storage (swift)

6000, 6001, 6002

Orchestrierung (heat) Endpunkt

8004

Orchestrierung AWS CloudFormation-kompatible API (openstack-heat-api-cfn)

8000

Orchestrierung AWS CloudWatch-kompatible API (openstack-heat-api-cloudwatch)

8778

Placement API (placement)

8003

Proxy Port für HTML5 Konsolen, vom Compute-Dienst verwendet

6082

Rating service (Cloudkitty)

8889

Registration service (Adjutant)

5050

Resource Reservation service (Blazar)

1234

Root Cause Analysedienst (Vitrage)

8999

Shared File Systems service (Manila)

8786

Telemetry alarming service (Aodh)

8042

Telemetry event service (Panko)

8977

Workflow Dienst (Mistral)

8989

To function properly, some OpenStack components depend on other, non-OpenStack services. For example, the OpenStack dashboard uses HTTP for non-secure communication. In this case, you must configure the firewall to allow traffic to and from HTTP.

This table lists the ports that other OpenStack components use:

Default ports that secondary services related to OpenStack components use

Dienst

Standard-Port

Verwenden von

HTTP

80

OpenStack dashboard (Horizon) when it is not configured to use secure access.

HTTP alternativ

8080

OpenStack Object Storage (swift) Dienst.

HTTPS

443

Jeder OpenStack Dienst, der für SSL eingerichtet ist, speziell sicherer Zugang zum Dashboard.

rsync

873

OpenStack Objekt Storage. Erforderlich.

iSCSI Target

3260

OpenStack Block Storage. Required when using LVM with iSCSI target (tgt, LIO, iSER)

NVMe-oF target

4420

OpenStack Block Storage. Required when using LVM with NVMe-oF target (nvmet).

MySQL Datenbankdienst

3306

Die meisten OpenStack Komponenten.

Message Broker (AMQP traffic)

5672

OpenStack Block Storage, Netzwerk, Orchestrierung und Compute.

On some deployments, the default port used by a service may fall within the defined local port range of a host. To check a host’s local port range:

$ sysctl net.ipv4.ip_local_port_range

If a service’s default port falls within this range, run the following program to check if the port has already been assigned to another application:

$ lsof -i :PORT

Konfigurieren Sie den Dienst für einen anderen Port, falls der Standardport bereits von einer anderen Applikation verwendet wird.