Update ports list (r8, r7, dsR7)

Update FW ports list. This list is based off of master. Per conversation with Andre K.,
he will review to indicate which entries should be deleted.

- Remove port 8326
- Add port 443 as additional comment.

Change-Id: Idd7716b73400593f759a39bc3801f34ad88e69fb
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
(cherry picked from commit 21d79d87f609bfbd0cec3bf50859ad5b0aeb715e)
This commit is contained in:
Ron Stone 2025-01-08 15:36:45 +00:00
parent e5444eb316
commit 675e478162
2 changed files with 59 additions and 240 deletions

@ -11,245 +11,11 @@ function correctly.
.. _distributed-cloud-ports-reference-table-mxl-qhh-blb:
.. table:: Table 1. |prod-dc| port requirements
:widths: auto
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| Protocol | Port | Network | Description | System Controller| Subcloud | Initiator | Destination | Notes |
+==========+=======+=========+==================+==================+==================+==================================================+=====================================+=========================================+
| tcp | 22 | oam | ssh | allowed | allowed | System Controller | Subclouds | For admin login |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 22 | oam | ssh | allowed | allowed | Subclouds | System Controller | For admin login |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 22 | mgmt | ssh | allowed | allowed | System Controller | Subclouds | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 22 | mgmt | ssh | allowed | allowed | Subclouds | System Controller | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 123 | oam | ntp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 123 | mgmt | ntp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 161 | oam | snmp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 161 | mgmt | snmp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 162 | oam | snmp trap | allowed | allowed | System Controller | Subclouds | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 162 | oam | snmp trap | allowed | allowed | Subclouds | System Controller | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 162 | mgmt | snmp trap | allowed | allowed | System Controller | Subclouds | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 162 | mgmt | snmp trap | allowed | allowed | Subclouds | System Controller | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 162 | oam | snmp trap | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 162 | mgmt | snmp trap | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 389 | oam | openLDAP | blocked(by gnp) | NA | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 389 | mgmt | openLDAP | allowed | NA | System Controller | Subclouds | LDAP service |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 389 | mgmt | openLDAP | allowed | NA | Subclouds | System Controller | LDAP service |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 873 | oam | rsyncd | blocked(by gnp) | blocked(by gnp) | Not used between System Controller and Subclouds | | Used for synchronizing patches among |
| | | | | | | | | nodes |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 873 | mgmt | rsyncd | allowed | allowed | Not used between System Controller and Subclouds | | Used for synchronizing patches among |
| | | | | | | | | nodes |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp/udp | 2049 | oam | nfs | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | Used for sharing data among nodes |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp/udp | 2049 | mgmt | nfs | allowed | allowed | Not used between System Controller and Subclouds | | Used for sharing data among nodes |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 2222 | oam | sm | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 2222 | mgmt | sm | allowed | NA | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| udp | 2223 | oam | sm | allowed | NA | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 3300 | mgmt | ceph-mon | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 4545 | oam | stx-nfv | allowed(service public endpoint) | Not used between System Controller and Subclouds | | vim-restapi public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 4545 | mgmt | stx-nfv | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | vim-restapi public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 4546 | mgmt | stx-nfv | allowed(service admin endpoint) | System Controller | Subclouds |vim-restapi admin endpoint, https enabled|
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 4546 | mgmt | stx-nfv | allowed(service admin endpoint) | Subclouds | System Controller |vim-restapi admin endpoint, https enabled|
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5000 | oam | keystone-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5000 | mgmt | keystone-api | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5001 | mgmt | keystone-api | allowed(service admin endpoint) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5001 | mgmt | keystone-api | allowed(service admin endpoint) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5432 | oam | postgres | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | postgres db serving port |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5432 | mgmt | postgres | allowed(serving port) | Not used between System Controller and Subclouds | | postgres db serving port |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5491 | oam | patching-api | blocked (by gnp) | blocked (by gnp) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5491 | mgmt | patching-api | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | patching-api internal endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5492 | mgmt | patching-api | allowed(service admin endpoint) | System Controller | Subclouds |patching-api admin endpoint,https enabled|
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 5492 | mgmt | patching-api | allowed(service admin endpoint) | Subclouds | System Controller |patching-api admin endpoint,https enabled|
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 15491 | oam | patching-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | patching-api public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6385 | oam | sysinv-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6385 | mgmt | sysinv-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6386 | mgmt | sysinv-api | allowed(service public endpoint) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6386 | mgmt | sysinv-api | allowed(service public endpoint) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6443 | oam | K8s API server | allowed | allowed | Not used between System Controller and Subclouds | | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6443 | mgmt | K8s API server | allowed | allowed | Not used between System Controller and Subclouds | | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6789 | mgmt | ceph-mon | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6800 | mgmt | ceph-mgr | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6801 | mgmt | ceph-mgr | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6802 | mgmt | ceph-mds | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 6803 | mgmt | ceph-mds | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6804 | mgmt | ceph-mds | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 6805 | mgmt | ceph-mds | allowed | allowed | Not used between SystemController and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 7777 | oam | stx-ha (sm) | allowed(service public endpoint) | Not used between System Controller and Subclouds | | sm-api public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 7777 | mgmt | stx-ha (sm) | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | sm-api public endpoint |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 7778 | mgmt | stx-ha (sm) | allowed(service admin endpoint) | Not used between System Controller and Subclouds | | sm-api admin endpoint, https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp6 | 7999 | mgmt | ceph-mgr | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8080 | oam | horizon http | allowed | blocked(by gnp) | Not used between System Controller and Subclouds | | Not required if using https |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8080 | mgmt | horizon http | allowed | allowed | System Controller | Subclouds | Not required if using https |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8080 | mgmt | horizon http | allowed | allowed | Subclouds | System Controller | Not required if using https |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8119 | oam | stx-distcloud | allowed(service | NA | Not used between System Controller and Subclouds | | dcmanager-api |
| | | | | public endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8119 | mgmt | stx-distcloud | allowed(service | NA | Not used between System Controller and Subclouds | | dcmanager-api |
| | | | | public endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8120 | mgmt | stx-distcloud | allowed(service | NA | Not used between System Controller and Subclouds | | dcmanager-api, https enabled |
| | | | | public endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8219 | mgmt | dcdbsync-api | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8220 | mgmt | dcdbsync-api | allowed(service admin endpoint) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8220 | mgmt | dcdbsync-api | allowed(service admin endpoint) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8443 | oam | horizon https | allowed | blocked(by gnp) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8443 | mgmt | horizon https | allowed | allowed | System Controller | Subclouds | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 8443 | mgmt | horizon https | allowed | allowed | Subclouds | System Controller | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9001 | oam | Docker registry | allowed(serving port) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9001 | oam | Docker registry | allowed(serving port) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9001 | mgmt | Docker registry | allowed(serving port) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9001 | mgmt | Docker registry | allowed(serving port) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9002 | oam | Registry token | allowed(serving port) | System Controller | Subclouds | https enabled |
| | | | server | | | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9002 | oam | Registry token | allowed(serving port) | Subclouds | System Controller | https enabled |
| | | | server | | | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9002 | mgmt | Registry token | allowed(serving port) | System Controller | Subclouds | https enabled |
| | | | server | | | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9002 | mgmt | Registry token | allowed(serving port) | Subclouds | System Controller | https enabled |
| | | | server | | | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9311 | oam | barbican-api | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9311 | mgmt | barbican-api | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9312 | mgmt | barbican-api | allowed(service admin endpoint) | System Controller |Subclouds | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 9312 | mgmt | barbican-api | allowed(service admin endpoint) | Subclouds |System Controller | https enabled |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 11211 | mgmt | memcached | allowed(keystone cache backend) | Not used between System Controller and Subclouds | | keystone cache backend |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 18002 | oam | stx-fault | allowed(service public endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 18002 | mgmt | stx-fault | allowed(service internal endpoint) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 18003 | mgmt | stx-fault | allowed(service admin endpoint) | System Controller | Subclouds | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 18003 | mgmt | stx-fault | allowed(service admin endpoint) | Subclouds | System Controller | https enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| icmp | NA | oam | icmp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| icmp | NA | mgmt | icmp | allowed | allowed | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 25491 | oam | dcorch-patch | allowed (service | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy public endpoint |
| | | | -api-proxy | public endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 25491 | mgmt | dcorch-patch |allowed(service | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy internal endpoint|
| | | | -api-proxy |internal endpoint)| | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 25492 | mgmt | dcorch-patch | allowed(service | NA | Not used between System Controller and Subclouds | | dcorch-patch-api-proxy admin endpoint |
| | | | -api-proxy | admin endpoint) | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30001-| mgmt | VIM | allowed | allowed | Not used between System Controller and Subclouds | | |
| | 30004 | | | | | | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30555 | oam | OIDC Client | blocked(by gnp) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30555 | mgmt | OIDC Client | allowed(serving port) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30556 | oam | DEX OIDC Provider| blocked(by gnp) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
+----------+-------+---------+------------------+-------------------------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 30556 | mgmt | DEX OIDC Provider| allowed(serving port) | Not used between System Controller and Subclouds | | Only when OIDC app is applied |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31001 | oam | Elastic Dashboard| allowed(NodePort)| NA | System Controller | Subclouds | Only when Analytics is applied, https |
| | | | and API | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31001 | oam | Elastic Dashboard| allowed(NodePort)| NA | Subclouds | System Controller | Only when Analytics is applied, https |
| | | | and API | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31001 | mgmt | Elastic Dashboard| allowed(NodePort)| NA | System Controller | Subclouds | Only when Analytics is applied, https |
| | | | and API | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31001 | mgmt | Elastic Dashboard| allowed(NodePort)| NA | Subclouds | System Controller | Only when Analytics is applied, https |
| | | | and API | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31090-| oam | Kafka Brokers | allowed(NodePort)| NA | Not used between System Controller and Subclouds | | Only when Analytics is applied, https |
| | 31099 | | (NodePort) | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 31090-| mgmt | Kafka Brokers | allowed(NodePort)| NA | Subclouds | System Controller | Only when Analytics is applied, https |
| | 31099 | | (NodePort) | | | | | enabled |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 32000 | oam | Kubernetes | allowed(NodePort)| allowed | Not used between System Controller and Subclouds | | Only when Kubernetes Dashboard |
| | | | dashboard | | | | | is installed |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 32000 | mgmt | Kubernetes | allowed(NodePort)| allowed | Not used between System Controller and Subclouds | | Only when Kubernetes Dashboard |
| | | | dashboard | | | | | is installed |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
| tcp | 32323 | oam | vim-webserver | blocked(by gnp) | blocked(by gnp) | Not used between System Controller and Subclouds | | |
+----------+-------+---------+------------------+------------------+------------------+--------------------------------------------------+-------------------------------------+-----------------------------------------+
.. begin-dc-ports-table
.. csv-table:: Table 1. |prod-dc| port requirements
:file: /shared/FW_PORTS.csv
:header-rows: 1
In addition to these ports, the iDRAC process uses port 443 on subcloud hosts
for HTTPS communications. This port must be available.
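Review bot: the grid table removed in this hunk recorded, per row, the allowed/blocked state on the System Controller and on the Subcloud plus the Initiator and Destination, and the `csv-table` that replaces it points at a file whose columns are only Source, Port, Protocol, Network, Desc, HTTPS and Note. Anyone writing firewall rules from the new page can no longer tell the direction of a flow or that a port such as 30555/30556 or 32323 on oam is "blocked(by gnp)". Consider adding direction and state columns to the CSV, or stating in the text how Source maps to them. The removed rows for icmp, 30001-30004, 30555, 30556, 31001, 31090-31099, 32000 and 32323 also have no counterpart in the CSV, which ends at 26385; please confirm each is an intended deletion rather than a side effect of regenerating from master. Two smaller points: `.. begin-dc-ports-table` has no matching end marker in the visible lines, and the "In addition to these ports" paragraph follows `:header-rows: 1` with no blank line, so check that it is not parsed as part of the directive. Port 443 is mentioned only in that prose, so it will not appear for readers who consume FW_PORTS.csv directly.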

View File

@ -0,0 +1,53 @@
Source,Port,Protocol,Network,Desc,HTTPS,Note
OAM_COMMON,22,TCP,oam,SSH,,For admin login.
SYSTEMCONTROLLER,22,TCP,mgmt, ssh,,Patching API
SUBCLOUD,22,TCP,mgmt or admin, ssh,,For admin login.
OAM_COMMON,123,UDP,oam,NTP,,
SYSTEMCONTROLLER,162,UDP,mgmt, snmp trap,,
SUBCLOUD,162,UDP,mgmt or admin, snmp trap,,
OAM_COMMON,319,UDP,oam,PTP,,precision time protocol (PTP) port
OAM_COMMON,320,UDP,oam,PTP,,precision time protocol (PTP) port
SYSTEMCONTROLLER,389,TCP,mgmt, openLDAP,,LDAP service
SYSTEMCONTROLLER,636,TCP,mgmt, openLDAP,,
OAM_COMMON,2222,UDP,oam,SM,,
OAM_COMMON,2223,UDP,oam,SM,,
OAM_COMMON,4545,TCP,oam,NFV,,vim-restapi public endpoint.
SUBCLOUD,4546,TCP,mgmt or admin, stx-nfv,,
SYSTEMCONTROLLER,4546,TCP,mgmt, stx-nfv,Yes,vim-restapi admin endpoint.
OAM_COMMON,5000,TCP,oam,Keystone,,
SYSTEMCONTROLLER,5001,TCP,mgmt, keystone-api,Yes,
SUBCLOUD,5001,TCP,mgmt or admin, keystone-api,,
SUBCLOUD,5492,TCP,mgmt or admin, patching-api,Yes,Patching API admin endpoint.
SYSTEMCONTROLLER,5492,TCP,mgmt, patching-api,Yes,Patching API admin endpoint.
SYSTEMCONTROLLER,5498,TCP,mgmt, usm-api,Yes,Unified Sofware Management API endpoint
SUBCLOUD,5498,TCP,mgmt or admin, usm-api,Yes,Unified Software Management API endpoint
OAM_COMMON,6385,TCP,oam,Sys Inv,,
SYSTEMCONTROLLER,6386,TCP,mgmt, sysinv-api,Yes,
SUBCLOUD,6386,TCP,mgmt or admin, sysinv-api,Yes,
OAM_COMMON,6443,TCP,oam,Kube API server,Yes,
SYSTEMCONTROLLER,6443,TCP,mgmt, K8s API server,Yes,
OAM_COMMON,7480,TCP,oam,CEPH parameters,,
SYSTEM_CONFIG,7480,,,CEPH parameters,,
OAM_COMMON,7777,TCP,oam,SM API,,sm-api public endpoint.
OAM_COMMON,8080,TCP,oam,Web access,,
OAM_DC,8119,TCP,oam,DC Manager Params API,,
SYSTEMCONTROLLER,8220,TCP,mgmt, dcdbsync-api,Yes,
SUBCLOUD,8220,TCP,mgmt or admin, dcdbsync-api,Yes,
OAM_COMMON,9001,TCP,oam,Docker,Yes,
SUBCLOUD,9001,TCP,mgmt or admin, Docker registry,Yes,
SYSTEMCONTROLLER,9001,TCP,mgmt, Docker registry,Yes,
SUBCLOUD,9002,TCP,mgmt or admin, Registry token server,Yes,
SYSTEMCONTROLLER,9002,TCP,mgmt, Registry token server,Yes,
OAM_COMMON,9002,TCP,oam,Docker,Yes,
OAM_COMMON,9311,TCP,oam,Barbican,,
SUBCLOUD,9312,TCP,mgmt or admin, barbican-api,Yes,
SYSTEMCONTROLLER,9312,TCP,mgmt, barbican-api,Yes,
OAM_COMMON,15491,TCP,oam,Patching,,patching-api public endpoint
OAM_COMMON,15497,TCP,oam,USM,Yes,Unified Software Management API
OAM_COMMON,18002,TCP,oam,Fault Management,,
SYSTEMCONTROLLER,18003,TCP,mgmt, stx-fault,Yes,
SUBCLOUD,18003,TCP,mgmt or admin, stx-fault,Yes,
OAM_DC,25000,TCP,oam,DC Orchestration Identity params API,,DC Orchestration Identity params API
OAM_DC,25491,TCP,oam,DC Orchestration params patch API,,corch-patch-api-proxy public endpoint.
OAM_DC,25497,TCP,oam,DC Orchestration USM params API,,DC Orchestration USM params API
OAM_DC,26385,TCP,oam,DC Orchestration sys-inv params API,,DC Orchestration params patch API
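Review bot: several Note values in the new CSV look copied from the wrong row or mistyped and should be corrected before this becomes the single source for the table. `SYSTEMCONTROLLER,22,TCP,mgmt, ssh,,Patching API` labels ssh as the Patching API, the 26385 sys-inv row carries the note "DC Orchestration params patch API" that belongs to 25491, and the 25491 note reads "corch-patch-api-proxy" where the removed table had "dcorch-patch-api-proxy". The SYSTEMCONTROLLER 5498 row has "Unified Sofware Management". `SYSTEM_CONFIG,7480,,,CEPH parameters,,` leaves Protocol and Network empty, which gives an unusable row in a firewall reference. The HTTPS column is also ambiguous: a blank could mean "no" or "not stated", and pairs such as 4546 and 5001 are "Yes" for SYSTEMCONTROLLER but blank for SUBCLOUD on the same service; please use an explicit Yes/No. Finally, the Desc values for the mgmt rows carry a leading space (", ssh", ", stx-nfv") while the oam rows do not; normalizing them avoids surprises for any consumer other than the csv-table directive.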