Provide information and instructions on default ports and firewall rules

Bug #1261617 reported by Tom Fifield
This bug affects 3 people
Affects: openstack-manuals
Status: Fix Released
Importance: Medium
Assigned to: Don Domingo
Milestone: (not shown)

Bug Description

As noted in https://bugs.launchpad.net/openstack-manuals/+bug/1243588

"If this documentation strives to be a complete walk through, it should ... also should discuss the iptables needs in a multi-host Openstack configuration, including allowing all of the management ports needed such as 5000, 8774, 9292, and 35357."

We should provide:
* a reference for default ports used by OpenStack services, denoting 'external' or 'internal' as appropriate
* steps for configuring necessary firewall rules for the architected cases

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Wishlist
tags: added: config-reference install-guide
Tom Fifield (fifieldt) wrote :

Keystone's default port as assigned by IANA is 35357. It is therefore possible that keystone will fail to start because some application has a socket open on port 35357, due to:

$ sysctl -a | grep ip_local_port_range
net.ipv4.ip_local_port_range = 32768 61000

on some systems

Changed in openstack-manuals:
importance: Wishlist → Medium
Matt Kassawara (ionosphere80) wrote :

This issue is particularly important on distributions implementing restrictive firewall rules by default... e.g., RHEL.

Tom Fifield (fifieldt) wrote :
Don Domingo (ddomingo)
Changed in openstack-manuals:
assignee: nobody → Don Domingo (ddomingo)
Don Domingo (ddomingo) wrote :

Hi Tom, Matt,

First-time contributor here.

Below is a list of ports that, as far as I can tell, are used by each OpenStack component (by default):

443 Dashboard
5000, 35357 Identity (keystone)
5900-5999 Compute (nova) ports for access to virtual machine consoles
6080 Compute VNC proxy for browsers (openstack-nova-novncproxy service)
6081 Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy service)
6082 Proxy port for HTML5 console used by Compute service
6000, 6001, 6002 Object Storage (swift)
8776 Block Storage (cinder)
9292 Image API (glance)
9696 Networking (neutron)

Next is a list of ports used by services related to or required by some OpenStack components:

80 HTTP (for when Dashboard is not configured to use secure access)
443 HTTPS (when enabling SSL for any service, particularly for secure-access Dashboard)
873 rsync (essential for Object Storage)
3260 iSCSI target (required for Block Storage)
3306 MySQL database service (default)
5666 Nagios
5672 Message Broker (AMQP traffic)

Sources: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/4/html-single/Installation_and_Configuration_Guide/index.html
https://ask.openstack.org/en/question/6433/openstack-services-and-port/

Just to confirm: on each component chapter, I'll add a short bit on what rules to add to /etc/sysconfig/iptables in order to open these ports in case they're closed via security policy. Let me know if there's anything else to add; I'll submit a patch soon.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/70035

Changed in openstack-manuals:
status: Confirmed → In Progress
Matt Kassawara (ionosphere80) wrote :

Hi Don,

Glad to see a new contributor... and one taking on a rather complicated bug! I found your patch in the review queue and realized I wasn't subscribed to this bug. Oops! Anyway, your list of ports looks mostly complete. However, I think you should consider the following additional ports:

Glance on 9191
Nova on 8773, 8774, and 8775
Ceilometer on 8777
Swift on 8080
Heat on 8000, 8003, 8004

Matt
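The two port lists above (Don's per-component list and Matt's additions) and Don's plan to open them in /etc/sysconfig/iptables can be turned into rules mechanically. The following is an added example, not code from the bug report or from openstack-manuals: it renders RHEL-style iptables-save lines from a small port table. The table itself is constructed from ports named in this thread; the internal/external role of each port and the MGMT_NET value are assumptions, and the script only prints rules, it does not apply them.

```shell
#!/bin/sh
# Added example (not from the bug report or openstack-manuals): turn a
# port table into /etc/sysconfig/iptables-style ACCEPT rules.

# Constructed sample table: "port-or-range role service".  Ranges use
# the iptables low:high syntax.  Roles are an assumption: 'external'
# ports are reachable by API clients, 'internal' ones only from the
# management network.
PORT_TABLE='5000 external Identity public API
35357 internal Identity admin API
8774 external Compute API
5900:5999 internal Compute VM console (VNC)
6080 external Compute noVNC proxy
9292 external Image API
9696 external Networking API
8776 external Block Storage API
3306 internal MySQL
5672 internal AMQP message broker'

MGMT_NET="${MGMT_NET:-10.0.0.0/24}"   # assumed management network

# rule_for PORT ROLE -> prints one rule line in the iptables-save format
# that /etc/sysconfig/iptables uses; internal ports get a -s restriction.
rule_for() {
    port=$1; role=$2
    case $role in
        external) src="" ;;
        internal) src=" -s $MGMT_NET" ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    printf '%s%s --dport %s -j ACCEPT\n' \
        '-A INPUT -m state --state NEW -m tcp -p tcp' "$src" "$port"
}

# render_rules -> the full rule set for PORT_TABLE, one rule per line,
# each preceded by a comment naming the service.
render_rules() {
    printf '%s\n' "$PORT_TABLE" | while read -r port role service; do
        [ -n "$port" ] || continue
        printf '# %s\n' "$service"
        rule_for "$port" "$role"
    done
}

# count_rules -> number of ACCEPT rules rendered (handy as a sanity check
# against the number of table entries).
count_rules() { render_rules | grep -c '^-A INPUT'; }

render_rules
```

The printed lines belong in the `*filter` section of /etc/sysconfig/iptables above the chain's final REJECT rule; restricting internal ports by source network is what makes the 'external'/'internal' distinction from the bug description actually enforceable.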

Don Domingo (ddomingo) wrote :

Thanks for the added info, Matt. I'll be adding the firewall config information over a series of follow-up patches once the first, proposed one gets merged. By the last patch each component/chapter in the Config Reference Guide should have a series of new "Firewall Config" sections.

Don Domingo (ddomingo) wrote :

Also added XML files for tables containing the default port information in a different patch (https://review.openstack.org/#/c/70655/), but have yet to add them to any specific book. Will likely add it as an amendment or follow-up patch once the upstream editors weigh in on where it should go.

The tables contain the added ports listed by Matt.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/70655
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=3b0b6dadd0e8d3b744a73361aa6e43070be7b724
Submitter: Jenkins
Branch: master

commit 3b0b6dadd0e8d3b744a73361aa6e43070be7b724
Author: Don Domingo <email address hidden>
Date: Mon Feb 3 16:49:33 2014 +1000

    Added XML files for default ports sect and tables

    This patch adds XML files for:
    - brief overview of firewall configuration
    - table listing ports used by main openstack components
    - table listing ports used by other services required by OpenStack

    The resulting section will be added as an appendix to the Config Ref
    Guide.

    Change-Id: Ib7edf8f827cd0c31c51a9cbdaff475384960c7ee
    Related-Bug: #1261617

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: In Progress → Fix Released
milestone: none → icehouse
Alan Pevec (apevec) wrote :

Note about Keystone's port in comment 1 was not included in docs?

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: Fix Released → New
Anne Gentle (annegentle) wrote :

Don, did you want to circle back on the note about when keystone service may fail to start?

Changed in openstack-manuals:
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-manuals (master)

Fix proposed to branch: master
Review: https://review.openstack.org/99240

Changed in openstack-manuals:
status: Confirmed → In Progress
Don Domingo (ddomingo) wrote :

The aforementioned patch adds information on how to check a host's local port range, and how to check if a port is already in use. I reckon we don't need to single out keystone as in Comment 1, since it could happen to any service depending on the configured local port range.
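The check Tom describes in comment 1 (keystone's 35357 sitting inside net.ipv4.ip_local_port_range) and the generalised check Don's patch documents (read the host's range, then see whether the port is already taken) can be scripted together. This is an added example, not code from the bug report or from openstack-manuals; the service/port pairs are the ones discussed in this thread, the fallback range 32768-61000 is the one quoted in comment 1, and the closing hint about net.ipv4.ip_local_reserved_ports is a kernel sysctl that the bug report does not mention.

```shell
#!/bin/sh
# Added example, not code from the bug report or from openstack-manuals.
# Checks whether a service's default port falls inside the host's
# ephemeral (local) port range and whether something already listens on it.

# in_range PORT LOW HIGH -> exit 0 if LOW <= PORT <= HIGH, else 1
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# local_port_range -> prints "LOW HIGH" from the kernel, or the range
# quoted in comment 1 when /proc is unavailable (non-Linux host).
local_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        tr '\t' ' ' < /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 61000"
    fi
}

# assess_port PORT [LOW HIGH] -> prints "ephemeral" when the port can be
# handed out to an outgoing connection (so a daemon may later fail to
# bind it), otherwise "fixed".  The range defaults to the running kernel's.
assess_port() {
    port=$1; shift
    [ $# -eq 2 ] || set -- $(local_port_range)
    if in_range "$port" "$1" "$2"; then echo ephemeral; else echo fixed; fi
}

# port_in_use PORT -> 0 if a TCP listener is bound to PORT, 1 if not,
# 2 if neither ss nor netstat is available to tell.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p="$1" \
            'NR>1 { n=split($4,a,":"); if (a[n]==p) f=1 } END { exit !f }'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk -v p="$1" \
            'NR>2 { n=split($4,a,":"); if (a[n]==p) f=1 } END { exit !f }'
    else
        return 2
    fi
}

# report -> one line per service.  A port that is "ephemeral" and free
# right now can still be grabbed by any outgoing connection later, which
# is exactly the start-up failure comment 1 describes.
report() {
    for entry in keystone-admin:35357 keystone-public:5000 nova-api:8774 glance-api:9292; do
        name=${entry%%:*}; port=${entry#*:}
        port_in_use "$port" && rc=0 || rc=$?
        case $rc in
            0) use="in use" ;;
            2) use="unknown (no ss/netstat)" ;;
            *) use="free" ;;
        esac
        printf '%-16s %5s  range: %-9s listener: %s\n' \
            "$name" "$port" "$(assess_port "$port")" "$use"
    done
    echo "Ports reported as ephemeral can be excluded from local allocation via the"
    echo "net.ipv4.ip_local_reserved_ports sysctl (kernel knob, not covered in this bug)."
}

report
```

Running it on a host before installing the services gives the operator the same two facts the patch asks them to check, plus which of the configured ports are at risk from the ephemeral range rather than from an existing listener.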

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-manuals (master)

Reviewed: https://review.openstack.org/99240
Committed: https://git.openstack.org/cgit/openstack/openstack-manuals/commit/?id=1e9c49e02be457a1544beb0eca08853c17ffbf8f
Submitter: Jenkins
Branch: master

commit 1e9c49e02be457a1544beb0eca08853c17ffbf8f
Author: Don Domingo <email address hidden>
Date: Wed Jun 11 11:00:46 2014 +1000

    Add note regarding local port range

    It is possible for the default port of a service (in particular,
    keystone's administrative endpoint) to fall within a host's local
    port range. This patch reminds users of this, and adds instructions
    on how to:

    - check a host's port range
    - check whether a port is already in use

    Change-Id: If57d186153b4ffb8367d685a09675880b4fdaa04
    Partial-Bug: #1261617

Tom Fifield (fifieldt)
Changed in openstack-manuals:
status: In Progress → Fix Released