Bug 1373873 - [RFE] Update documentation Configure firewall and network flows for Openstack 8
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 8.0 (Liberty)
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ga
Target Release: 8.0 (Liberty)
Assignee: Martin Lopes
QA Contact: RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks: 1350510
Reported: 2016-09-07 10:44 UTC by Edu Alcaniz
Modified: 2020-02-14 17:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-19 04:37:53 UTC
Target Upstream Version:



Description Edu Alcaniz 2016-09-07 10:44:48 UTC
Description of problem:

Customers were looking for documentation on how to configure firewall and network flow for OpenStack 8.

A document exists for OSP 9

https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/paged/configure-firewall-rules-for-red-hat-openstack-platform-director/

and some for OSP 7

https://access.redhat.com/solutions/2192561


but nothing for OSP8. Could you write it down and publish it officially?

Comment 2 Edu Alcaniz 2016-09-29 08:36:56 UTC
I found this link, https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/paged/configuration-reference/appendix-b-firewalls-and-default-ports

Let me attach it to the case if it is enough.

Comment 3 Dan Sneddon 2016-09-29 18:32:22 UTC
The full list of ports used by the OpenStack services will change slightly as services are refactored, or new services are added. The canonical list of ports that are used for configuring iptables on the controllers is maintained in the TripleO Heat templates, in the file puppet/hieradata/controller.yaml.

Here is the relevant content from that file for OSP 9 GA, for instance:

# firewall
tripleo::firewall::firewall_rules:
  '101 mongodb_config':
    port: 27019
  '102 mongodb_sharding':
    port: 27018
  '103 mongod':
    port: 27017
  '104 mysql galera':
    port:
      - 873
      - 3306
      - 4444
      - 4567
      - 4568
      - 9200
  '105 ntp':
    port: 123
    proto: udp
  '106 vrrp':
    proto: vrrp
  '107 haproxy stats':
    port: 1993
  '108 redis':
    port:
      - 6379
      - 26379
  '109 rabbitmq':
    port:
      - 5672
      - 35672
  '110 ceph':
    port:
      - 6789
      - '6800-6810'
  '111 keystone':
    port:
      - 5000
      - 13000
      - 35357
      - 13357
  '112 glance':
    port:
      - 9292
      - 9191
      - 13292
  '113 nova':
    port:
      - 6080
      - 13080
      - 8773
      - 3773
      - 8774
      - 13774
      - 8775
  '114 neutron server':
    port:
      - 9696
      - 13696
  '115 neutron dhcp input':
    proto: 'udp'
    port: 67
  '116 neutron dhcp output':
    proto: 'udp'
    chain: 'OUTPUT'
    port: 68
  '118 neutron vxlan networks':
    proto: 'udp'
    port: 4789
  '119 cinder':
    port:
      - 8776
      - 13776
  '120 iscsi initiator':
    port: 3260
  '121 memcached':
    port: 11211
  '122 swift proxy':
    port:
      - 8080
      - 13808
  '123 swift storage':
    port:
      - 873
      - 6000
      - 6001
      - 6002
  '124 ceilometer':
    port:
      - 8777
      - 13777
  '125 heat':
    port:
      - 8000
      - 13800
      - 8003
      - 13003
      - 8004
      - 13004
  '126 horizon':
    port:
      - 80
      - 443
  '127 snmp':
    port: 161
    proto: 'udp'
  '128 aodh':
    port:
      - 8042
      - 13042
  '129 gnocchi-api':
    port:
      - 8041
      - 13041
  '130 pacemaker tcp':
    proto: 'tcp'
    dport:
      - 2224
      - 3121
      - 21064
  '131 pacemaker udp':
    proto: 'udp'
    dport: 5405
  '132 sahara':
    dport:
      - 8386
      - 13386

Comment 4 Martin Lopes 2016-10-05 04:41:56 UTC
I've updated the OSP9 guide with the output from comment 3: 

https://access.redhat.com/documentation/en/red-hat-openstack-platform/9/single/configure-firewall-rules-for-red-hat-openstack-platform-director

Working on equivalent for OSP8.

Comment 5 Martin Lopes 2016-10-05 04:53:21 UTC
Relevant section for OSP8 from puppet/hieradata/controller.yaml:

# firewall
tripleo::firewall::firewall_rules:
  '101 mongodb_config':
    port: 27019
  '102 mongodb_sharding':
    port: 27018
  '103 mongod':
    port: 27017
  '104 mysql galera':
    port:
      - 873
      - 3306
      - 4444
      - 4567
      - 4568
      - 9200
  '105 ntp':
    port: 123
    proto: udp
  '106 vrrp':
    proto: vrrp
  '107 haproxy stats':
    port: 1993
  '108 redis':
    port:
      - 6379
      - 26379
  '109 rabbitmq':
    port:
      - 5672
      - 35672
  '110 ceph':
    port:
      - 6789
      - '6800-6810'
  '111 keystone':
    port:
      - 5000
      - 13000
      - 35357
      - 13357
  '112 glance':
    port:
      - 9292
      - 9191
      - 13292
  '113 nova':
    port:
      - 6080
      - 13080
      - 8773
      - 3773
      - 8774
      - 13774
      - 8775
  '114 neutron server':
    port:
      - 9696
      - 13696
  '115 neutron dhcp input':
    proto: 'udp'
    port: 67
  '116 neutron dhcp output':
    proto: 'udp'
    chain: 'OUTPUT'
    port: 68
  '118 neutron vxlan networks':
    proto: 'udp'
    port: 4789
  '119 cinder':
    port:
      - 8776
      - 13776
  '120 iscsi initiator':
    port: 3260
  '121 memcached':
    port: 11211
  '122 swift proxy':
    port:
      - 8080
      - 13808
  '123 swift storage':
    port:
      - 873
      - 6000
      - 6001
      - 6002
  '124 ceilometer':
    port:
      - 8777
      - 13777
  '125 heat':
    port:
      - 8000
      - 13800
      - 8003
      - 13003
      - 8004
      - 13004
  '126 horizon':
    port:
      - 80
      - 443
  '127 snmp':
    port: 161
    proto: 'udp'
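
An added Python example, not part of the bug thread or of TripleO: it flattens the hieradata layout quoted in comments 3 and 5 into (chain, proto, port) tuples and reports the flows one release opens that the other does not. The embedded YAML is a shortened excerpt of the rules quoted above; the defaults of chain INPUT and proto tcp for rules that omit them are assumptions, and the parser handles only this restricted layout.

```python
import re

# Shortened excerpts of the rules quoted in comment 5 (OSP 8) and comment 3 (OSP 9).
OSP8 = """\
tripleo::firewall::firewall_rules:
  '105 ntp':
    port: 123
    proto: udp
  '110 ceph':
    port:
      - 6789
      - '6800-6810'
  '116 neutron dhcp output':
    proto: 'udp'
    chain: 'OUTPUT'
    port: 68
"""
OSP9 = OSP8 + """\
  '130 pacemaker tcp':
    proto: 'tcp'
    dport:
      - 2224
      - 3121
  '132 sahara':
    dport:
      - 8386
"""

def parse_rules(text):
    """Parse the restricted hieradata shape above into {rule name: {key: [values]}}."""
    rules, rule, key = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"  '(.+)':\s*$", line):          # rule header, e.g. '105 ntp':
            rule = rules.setdefault(m.group(1), {})
        elif m := re.match(r"    (\w+):\s*(.*)$", line):    # key with a scalar, or a list start
            key = m.group(1)
            rule[key] = [m.group(2).strip("'")] if m.group(2) else []
        elif m := re.match(r"      - (.+)$", line):         # list item under the last key
            rule[key].append(m.group(1).strip("'"))
    return rules

def flows(text):
    """Flatten rules to (chain, proto, port) tuples; port is None for port-less rules (vrrp)."""
    out = set()
    for r in parse_rules(text).values():
        chain = r.get("chain", ["INPUT"])[0]             # assumed default when omitted
        proto = r.get("proto", ["tcp"])[0]               # assumed default when omitted
        ports = r.get("port", []) + r.get("dport", [])   # both key spellings appear on the page
        out |= {(chain, proto, p) for p in ports or [None]}
    return out

def added(old, new):
    """Flows present in `new` but not in `old`, sorted for a stable report."""
    return sorted(flows(new) - flows(old), key=str)
```

Running `added(OSP8, OSP9)` over the full quoted lists instead of the excerpts gives the set of ports a perimeter or host firewall review has to account for when moving between the two releases.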

Comment 9 Matias R. Cuenca del Rey 2016-10-25 15:56:05 UTC
Based on OSP7 KCS article (https://access.redhat.com/solutions/2204341) I created a new one for OSP8:

Could someone check this new article?

https://access.redhat.com/solutions/2718021

Comment 14 Martin Lopes 2016-11-04 01:20:42 UTC
Hi Edu, 

The osp8 version of the guide has been published here: 
https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/single/configure-firewall-rules-for-red-hat-openstack-platform-director/

It should also soon be visible on the docs landing page: https://access.redhat.com/documentation/en/red-hat-openstack-platform/?version=8

Comment 15 Edu Alcaniz 2016-11-04 11:14:49 UTC
(In reply to Martin Lopes from comment #14)
> Hi Edu, 
> 
> The osp8 version of the guide has been published here: 
> https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/single/configure-firewall-rules-for-red-hat-openstack-platform-director/
> 
> It should also soon be visible on the docs landing page:
> https://access.redhat.com/documentation/en/red-hat-openstack-platform/?version=8

Thanks so much, Martin. Let's wait for Matias's check.

Comment 16 Matias R. Cuenca del Rey 2016-11-04 15:43:32 UTC
Thank you Martin and Edu!

I'll compare the document with the network flow analysis I did and I'll get back to you as soon as possible.

Regards,

Matias

Comment 17 Matias R. Cuenca del Rey 2016-11-07 13:47:13 UTC
Martin,
Thank you so much for the article. Customers also are asking for the "network flow" between components. That's why I did the following draft: 

https://access.redhat.com/solutions/2718021

Could you or Dan check this article?

