| Summary: | [RFE] Update documentation Configure firewall and network flows for Openstack 8 | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Edu Alcaniz <ealcaniz> |
| Component: | documentation | Assignee: | Martin Lopes <mlopes> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | RHOS Documentation Team <rhos-docs> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 8.0 (Liberty) | CC: | ccharron, dsneddon, ealcaniz, gchenuet, jcoufal, jschluet, mlopes, rcernin, rhos-docs, srevivo |
| Target Milestone: | ga | Keywords: | Documentation, FutureFeature, ZStream |
| Target Release: | 8.0 (Liberty) | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-06-19 04:37:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | |||
| Bug Blocks: | 1350510 | ||
Description
Edu Alcaniz
2016-09-07 10:44:48 UTC
I found this link, https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/paged/configuration-reference/appendix-b-firewalls-and-default-ports Let me attach to the case if it is enough.

The full list of ports used by the OpenStack services will change slightly as services are refactored, or new services are added. The canonical list of ports that are used for configuring iptables on the controllers is maintained in the TripleO Heat templates, in the file puppet/hieradata/controller.yaml.

Here is the relevant content from that file for OSP 9 GA, for instance:
```yaml
# firewall
tripleo::firewall::firewall_rules:
  '101 mongodb_config':
    port: 27019
  '102 mongodb_sharding':
    port: 27018
  '103 mongod':
    port: 27017
  '104 mysql galera':
    port:
      - 873
      - 3306
      - 4444
      - 4567
      - 4568
      - 9200
  '105 ntp':
    port: 123
    proto: udp
  '106 vrrp':
    proto: vrrp
  '107 haproxy stats':
    port: 1993
  '108 redis':
    port:
      - 6379
      - 26379
  '109 rabbitmq':
    port:
      - 5672
      - 35672
  '110 ceph':
    port:
      - 6789
      - '6800-6810'
  '111 keystone':
    port:
      - 5000
      - 13000
      - 35357
      - 13357
  '112 glance':
    port:
      - 9292
      - 9191
      - 13292
  '113 nova':
    port:
      - 6080
      - 13080
      - 8773
      - 3773
      - 8774
      - 13774
      - 8775
  '114 neutron server':
    port:
      - 9696
      - 13696
  '115 neutron dhcp input':
    proto: 'udp'
    port: 67
  '116 neutron dhcp output':
    proto: 'udp'
    chain: 'OUTPUT'
    port: 68
  '118 neutron vxlan networks':
    proto: 'udp'
    port: 4789
  '119 cinder':
    port:
      - 8776
      - 13776
  '120 iscsi initiator':
    port: 3260
  '121 memcached':
    port: 11211
  '122 swift proxy':
    port:
      - 8080
      - 13808
  '123 swift storage':
    port:
      - 873
      - 6000
      - 6001
      - 6002
  '124 ceilometer':
    port:
      - 8777
      - 13777
  '125 heat':
    port:
      - 8000
      - 13800
      - 8003
      - 13003
      - 8004
      - 13004
  '126 horizon':
    port:
      - 80
      - 443
  '127 snmp':
    port: 161
    proto: 'udp'
  '128 aodh':
    port:
      - 8042
      - 13042
  '129 gnocchi-api':
    port:
      - 8041
      - 13041
  '130 pacemaker tcp':
    proto: 'tcp'
    dport:
      - 2224
      - 3121
      - 21064
  '131 pacemaker udp':
    proto: 'udp'
    dport: 5405
  '132 sahara':
    dport:
      - 8386
      - 13386
```

I've updated the OSP9 guide with the output from comment 3: https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/configure-firewall-rules-for-red-hat-openstack-platform-director

Working on equivalent for OSP8.

Relevant section for OSP8 from puppet/hieradata/controller.yaml:

```yaml
# firewall
tripleo::firewall::firewall_rules:
  '101 mongodb_config':
    port: 27019
  '102 mongodb_sharding':
    port: 27018
  '103 mongod':
    port: 27017
  '104 mysql galera':
    port:
      - 873
      - 3306
      - 4444
      - 4567
      - 4568
      - 9200
  '105 ntp':
    port: 123
    proto: udp
  '106 vrrp':
    proto: vrrp
  '107 haproxy stats':
    port: 1993
  '108 redis':
    port:
      - 6379
      - 26379
  '109 rabbitmq':
    port:
      - 5672
      - 35672
  '110 ceph':
    port:
      - 6789
      - '6800-6810'
  '111 keystone':
    port:
      - 5000
      - 13000
      - 35357
      - 13357
  '112 glance':
    port:
      - 9292
      - 9191
      - 13292
  '113 nova':
    port:
      - 6080
      - 13080
      - 8773
      - 3773
      - 8774
      - 13774
      - 8775
  '114 neutron server':
    port:
      - 9696
      - 13696
  '115 neutron dhcp input':
    proto: 'udp'
    port: 67
  '116 neutron dhcp output':
    proto: 'udp'
    chain: 'OUTPUT'
    port: 68
  '118 neutron vxlan networks':
    proto: 'udp'
    port: 4789
  '119 cinder':
    port:
      - 8776
      - 13776
  '120 iscsi initiator':
    port: 3260
  '121 memcached':
    port: 11211
  '122 swift proxy':
    port:
      - 8080
      - 13808
  '123 swift storage':
    port:
      - 873
      - 6000
      - 6001
      - 6002
  '124 ceilometer':
    port:
      - 8777
      - 13777
  '125 heat':
    port:
      - 8000
      - 13800
      - 8003
      - 13003
      - 8004
      - 13004
  '126 horizon':
    port:
      - 80
      - 443
  '127 snmp':
    port: 161
    proto: 'udp'
```

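
The thread notes that the port list shifts between releases. The following added example (not part of the bug report or of the TripleO templates) parses two `firewall_rules` listings and reports the flows present only in the newer one, which is the delta a firewall change review needs. The sample strings are constructed excerpts of the listings above, the function names are hypothetical, the parser handles only the YAML subset seen in those listings, and treating a missing `proto` as tcp is an assumption.

```python
# Constructed excerpts of the OSP8 and OSP9 listings quoted in this thread.
OSP8 = """\
tripleo::firewall::firewall_rules:
  '106 vrrp':
    proto: vrrp
  '110 ceph':
    port:
      - 6789
      - '6800-6810'
"""
OSP9 = OSP8 + """\
  '131 pacemaker udp':
    proto: 'udp'
    dport: 5405
  '132 sahara':
    dport:
      - 8386
      - 13386
"""

def parse_rules(text):
    """Parse the rule-name / key / list-item subset of YAML used in the listings."""
    rules, rule, key = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("'") and line.endswith("':"):
            rule = rules.setdefault(line[1:-2], {})
        elif line.startswith("- "):
            rule[key].append(line[2:].strip("'"))
        elif rule is not None:  # ignores the top-level hiera key before the first rule
            key, _, value = line.partition(":")
            rule[key] = value.strip().strip("'") or []
    return rules

def flows(rules):
    """Map each rule name to a set of 'proto/port' strings (or just proto if port-less)."""
    out = {}
    for name, r in rules.items():
        ports = r.get("dport", r.get("port", []))
        ports = ports if isinstance(ports, list) else [ports]
        proto = r.get("proto", "tcp")  # assumption: tcp when proto is omitted
        out[name] = {f"{proto}/{p}" for p in ports} or {proto}
    return out

def added_flows(old_text, new_text):
    """Flows present in the new listing but not the old, keyed by rule name."""
    old, new = flows(parse_rules(old_text)), flows(parse_rules(new_text))
    return {n: f - old.get(n, set()) for n, f in new.items() if f - old.get(n, set())}
```

Calling `added_flows(OSP8, OSP9)` on the full listings instead of the excerpts gives the complete set of flows to open when moving from one release's rule set to the other.
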
Based on OSP7 KCS article (https://access.redhat.com/solutions/2204341) I created a new one for OSP8: Could someone check this new article? https://access.redhat.com/solutions/2718021

Dan Sneddon has approved draft. Published guide here: https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/single/configure-firewall-rules-for-red-hat-openstack-platform-director/

Hi Edu,

The osp8 version of the guide has been published here: https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/single/configure-firewall-rules-for-red-hat-openstack-platform-director/

It should also soon be visible on the docs landing page: https://access.redhat.com/documentation/en/red-hat-openstack-platform/?version=8

(In reply to Martin Lopes from comment #14)
> Hi Edu,
>
> The osp8 version of the guide has been published here:
> https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/single/configure-firewall-rules-for-red-hat-openstack-platform-director/
>
> It should also soon be visible on the docs landing page:
> https://access.redhat.com/documentation/en/red-hat-openstack-platform/?version=8

Thanks so much, Martin. Let's wait for Matias' check.

Thank you Martin and Edu! I'll compare the document with the network flow analysis I did and I'll get back to you as soon as possible.

Regards,
Matias

Martin,

Thank you so much for the article. Customers also are asking for the "network flow" between components. That's why I did the following draft: https://access.redhat.com/solutions/2718021

Could you or Dan check this article?

To summarise the changes:

1. Published fw guide: https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/single/configure-firewall-rules-for-red-hat-openstack-platform-director/
2. Robin created https://access.redhat.com/solutions/2718021