Firewalls and default ports

On some deployments, such as ones where restrictive firewalls are in place, you might need to manually configure a firewall to permit OpenStack service traffic.

To manually configure a firewall, you must permit traffic through the ports that each OpenStack service uses. This table lists the default ports that each OpenStack service uses:

Default ports that OpenStack components use

| OpenStack service | Default port |
| --- | --- |
| Application Catalog (murano) | 8082 |
| Backup Service (Freezer) | 9090 |
| Big Data Processing Framework (sahara) | 8386 |
| Block Storage (cinder) | 8776 |
| Clustering (senlin) | 8777 |
| Compute (nova) endpoints | 8774 |
| Compute ports for access to virtual machine consoles | 5900-5999 |
| Compute VNC proxy for browsers (openstack-nova-novncproxy) | 6080 |
| Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy) | 6081 |
| Container Infrastructure Management (Magnum) | 9511 |
| Container Service (Zun) | 9517 |
| Data processing service (sahara) endpoint | 8386 |
| Database service (Trove) | 8779 |
| DNS service (Designate) | 9001 |
| High Availability Service (Masakari) | 15868 |
| Identity service (keystone) endpoint | 5000 |
| Image service (glance) API | 9292 |
| Key Manager service (Barbican) | 9311 |
| Loadbalancer service (Octavia) | 9876 |
| Networking (neutron) | 9696 |
| NFV Orchestration service (tacker) | 9890 |
| Object Storage (swift) | 6000, 6001, 6002 |
| Orchestration (heat) endpoint | 8004 |
| Orchestration AWS CloudFormation-compatible API (openstack-heat-api-cfn) | 8000 |
| Orchestration AWS CloudWatch-compatible API (openstack-heat-api-cloudwatch) | 8778 |
| Placement API (placement) | 8003 |
| Proxy port for HTML5 console used by Compute service | 6082 |
| Rating service (Cloudkitty) | 8889 |
| Registration service (Adjutant) | 5050 |
| Resource Reservation service (Blazar) | 1234 |
| Root Cause Analysis service (Vitrage) | 8999 |
| Shared File Systems service (Manila) | 8786 |
| Telemetry alarming service (Aodh) | 8042 |
| Telemetry event service (Panko) | 8977 |
| Workflow service (Mistral) | 8989 |

To function properly, some OpenStack components depend on other, non-OpenStack services. For example, the OpenStack dashboard uses HTTP for non-secure communication, so in that case you must configure the firewall to allow HTTP traffic to and from the dashboard host.

This table lists the ports that these secondary services use:

Default ports that secondary services related to OpenStack components use

| Service | Default port | Used by |
| --- | --- | --- |
| HTTP | 80 | OpenStack dashboard (Horizon) when it is not configured to use secure access. |
| HTTP alternate | 8080 | OpenStack Object Storage (swift) service. |
| HTTPS | 443 | Any OpenStack service that is enabled for SSL, especially secure-access dashboard. |
| rsync | 873 | OpenStack Object Storage. Required. |
| iSCSI target | 3260 | OpenStack Block Storage. Required when using LVM with iSCSI target (tgt, LIO, iSER). |
| NVMe-oF target | 4420 | OpenStack Block Storage. Required when using LVM with NVMe-oF target (nvmet). |
| MySQL database service | 3306 | Most OpenStack components. |
| Message Broker (AMQP traffic) | 5672 | OpenStack Block Storage, Networking, Orchestration, and Compute. |

On some deployments, the default port used by a service may fall within the defined local port range of a host. To check a host’s local port range:

$ sysctl net.ipv4.ip_local_port_range

If a service's default port falls within this range, run the following command to check whether the port has already been assigned to another application:

$ lsof -i :PORT

Configure the service to use a different port if the default port is already being used by another application.
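As an added example, not part of the OpenStack documentation, the following POSIX shell script applies the checks described above to a constructed subset of the default-port table, and also prints the firewall rules that the listed ports would need. It reads the local port range with sysctl (falling back to an assumed range of 32768-60999 when sysctl is unavailable), compares each service's port specification with that range (handling single ports, a range such as 5900-5999, and a list such as 6000, 6001, 6002), uses ss or lsof to see whether a single port is already bound, and emits one iptables INPUT rule per specification. The short service labels, the fallback range and the iptables rule shape are assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added example, not part of the OpenStack documentation.  Checks OpenStack
# default ports against the host's local (ephemeral) port range and prints
# the iptables rules that would admit them.

# Constructed subset of the default-port table above: "<service>|<port spec>".
# A spec is a single port, a range (5900-5999) or a comma list (6000,6001,6002).
SERVICE_PORTS='keystone|5000
nova-api|8774
nova-console|5900-5999
swift-object|6000,6001,6002
masakari|15868
blazar|1234'

# in_range LOW HIGH PORT: succeed when LOW <= PORT <= HIGH.
in_range() {
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# spec_overlaps_range LOW HIGH SPEC: succeed when any port in SPEC lies in
# [LOW, HIGH].  A range overlaps when its endpoints straddle the interval;
# a list is checked port by port.
spec_overlaps_range() {
    low=$1; high=$2; spec=$3
    case $spec in
        *-*)
            [ "${spec%-*}" -le "$high" ] && [ "${spec#*-}" -ge "$low" ]
            ;;
        *,*)
            for p in $(printf '%s' "$spec" | tr ',' ' '); do
                in_range "$low" "$high" "$p" && return 0
            done
            return 1
            ;;
        *)
            in_range "$low" "$high" "$spec"
            ;;
    esac
}

# collision_report LOW HIGH: print "<service> <spec>" for every entry whose
# default port(s) fall inside the local port range.
collision_report() {
    printf '%s\n' "$SERVICE_PORTS" | while IFS='|' read -r svc spec; do
        if spec_overlaps_range "$1" "$2" "$spec"; then
            printf '%s %s\n' "$svc" "$spec"
        fi
    done
}

# firewall_rule SPEC: print an iptables INPUT rule accepting TCP to SPEC.
# Ranges use the low:high port syntax, lists use the multiport match.
firewall_rule() {
    case $1 in
        *-*) printf 'iptables -A INPUT -p tcp --dport %s:%s -j ACCEPT\n' "${1%-*}" "${1#*-}" ;;
        *,*) printf 'iptables -A INPUT -p tcp -m multiport --dports %s -j ACCEPT\n' "$1" ;;
        *)   printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$1" ;;
    esac
}

# local_port_range: print "LOW HIGH" as the kernel reports it; when sysctl is
# unavailable or the key does not exist, fall back to an assumed 32768 60999.
local_port_range() {
    range=$(sysctl -n net.ipv4.ip_local_port_range 2>/dev/null) || range='32768 60999'
    echo "$range"
}

# port_in_use PORT: succeed when a TCP listener is already bound to PORT,
# using ss where present and otherwise lsof as in the text above.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -Hlnt "sport = :$1" 2>/dev/null | grep -q .
    else
        lsof -i :"$1" >/dev/null 2>&1
    fi
}

# Run the checks for this host, then print the rules the listed ports need.
set -- $(local_port_range)
echo "local port range: $1-$2"
collision_report "$1" "$2" | while read -r svc spec; do
    echo "warning: $svc ($spec) overlaps the local port range"
done
printf '%s\n' "$SERVICE_PORTS" | while IFS='|' read -r svc spec; do
    case $spec in *-*|*,*) continue ;; esac
    port_in_use "$spec" && echo "warning: $svc port $spec is already in use"
done
printf '%s\n' "$SERVICE_PORTS" | while IFS='|' read -r svc spec; do
    firewall_rule "$spec"
done
```

Run it as `sh firewall_ports.sh` on the host being configured; the rules are printed rather than applied so they can be reviewed and adapted to the deployment's firewall tooling before use.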