Saturday, June 4, 2016

Openstack - List of ports which must be opened in the firewall

I must confess that when testing new Openstack releases on a variety of different Linux distros (RHEL, Fedora, Ubuntu) I often disable the firewall in the interests of expediency. While this might be OK for internal testing in a lab environment or while preparing a Proof of Concept (PoC) for a client, this is definitely a bad habit that is unacceptable for a production environment.

I recently did a Devstack install on Ubuntu 15.10 to test upstream Openstack compatibility with the Sheepdog distributed storage backend. This time I left the firewall running (ufw, Ubuntu's Uncomplicated Firewall) and opened only the ports that Openstack needs.

Before I present the list of ports which must be opened, note that you can find all these port numbers in the conf files for Glance, Cinder, Nova, Keystone, etc. in /etc/glance/glance-api.conf, /etc/nova/nova.conf, /etc/cinder/cinder.conf, and so on. Each port only needs to be opened on the node that actually runs the service listening on it (the Cinder API port on the controller, the iSCSI target port on the storage node, the VXLAN port on every node that carries tenant traffic), so check where a service runs before adding a rule everywhere.

In the conf files, many ports are commented out, which means the default is in effect and the feature may not even be enabled. For example, nova.conf has an ec2_port option (8773 by default) for Nova's EC2-compatible API, which lets EC2-style client tools talk to Nova as if it were AWS. The option is commented out by default, so you only have to open TCP port 8773 on the node running that API if you actually enable it.

Here is the list of ports I have compiled. All ports are TCP unless specified otherwise:

AMQP/RabbitMQ: 5672 (5671 if RabbitMQ is configured for AMQP over SSL/TLS)
Ceilometer API: 8777
Ceilometer UDP collector: udp_port=4952
Cinder/Glance Sheepdog backend: sheepdog_store_port=7000
Cinder API: 8776
Glance API: 9292
Glance registry (glance-api.conf): registry_port=9191
Neutron API: 9696
Nova novncproxy: 6080
Nova ec2_port: 8773 (commented out by default)
Nova metadata: 8775 (commented out by default)
iSCSI target for Cinder volumes attached to Nova instances: 3260 (commented out by default)
Nova nova.virt.xenapi.image.bittorrent: 6881~6891 (commented out by default)
Nova redis host: 6379 (commented out by default)
Neutron ovs_neutron_plugin.ini: vxlan_udp_port=4789 (UDP)
Nova s3_port=3333 (commented out by default)
...
(there are more, but those ports are optional)

Two caveats. First, this list covers the service ports I needed for this Devstack setup; it does not include Keystone (5000 public and 35357 admin by default), Horizon (80/443), the VNC ports the noVNC proxy connects to on compute nodes, the database, or SSH, so do not apply it blindly to a multi-node deployment. Second, the message queue and the database should never be reachable from outside the management network: an AMQP listener open to the world lets anyone who guesses or sniffs the RabbitMQ credentials inject RPC messages into every Openstack service.

I have written a simple bash script that can be used to open the necessary ports in ufw. Note that "ufw allow PORT/tcp" opens the port to every source address; on a production node you would normally restrict each rule to the management network with "ufw allow from NETWORK to any port PORT proto tcp" and keep the world-open form only for the public API endpoints. You can find the script at the following URL:

https://gitlab.com/gojun077/openstack-conf/blob/master/ufw_openstack.sh

#!/bin/bash
# ufw_openstack.sh
# Created by Jun Go gojun077@gmail.com
# Last Updated 2016-05-25

# Script that will open ports needed by Openstack in
# UFW Firewall

# This script must be run as root (ufw refuses to change rules otherwise)
set -eu
if [ "$(id -u)" -ne 0 ]; then
  echo "ufw_openstack.sh: must be run as root" >&2
  exit 1
fi

#################
#   TCP PORTS
#################
AMQP=5672
CEILOM=8777
CINDER=8776
GLANCE=9292
GLANCEREG=9191
NEUTRON=9696
NOVNCPROX=6080
#NOVAEC2=8773
#NOVAMETA=8775
#NOVAISCSI=3260
#NOVAREDIS=6379
#NOVAS3=3333
SHEEPDOG=7000

#################
#   UDP PORTS
#################
CEILUDP=4952
OVSNEUTRONVXLAN=4789

TCPPORTS=("$AMQP"
   "$CEILOM"
   "$CINDER"
   "$GLANCE"
   "$GLANCEREG"
   "$NEUTRON"
   "$NOVNCPROX"
   "$SHEEPDOG"
  )

UDPPORTS=("$CEILUDP"
   "$OVSNEUTRONVXLAN"
   )

# Quote the array expansion so each port is passed as its own argument
for i in "${TCPPORTS[@]}"; do
  ufw allow "$i/tcp"
done

for j in "${UDPPORTS[@]}"; do
  ufw allow "$j/udp"
done

# List Open Ports
ufw status
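The script above opens every port to all sources. As an added example (it is not part of the author's ufw_openstack.sh), the shell functions below build source-restricted ufw rules for the same port list and then audit a snapshot of listening sockets for anything the allow-list does not cover. The 10.0.0.0/24 management network and the "ss -Hlntu"-style sample output are constructed for illustration; the Keystone and SSH listeners in the sample are there precisely because the post's list does not mention them.

```shell
#!/bin/sh
# Added example, not the author's script. Generate source-restricted ufw
# rules for the post's port list and flag unlisted listening sockets.
set -eu

MGMT_NET=10.0.0.0/24   # assumed management subnet (illustration only)

# The non-commented ports from the post, as port/proto pairs.
OPENSTACK_PORTS="5672/tcp 8777/tcp 8776/tcp 9292/tcp 9191/tcp 9696/tcp 6080/tcp 7000/tcp 4952/udp 4789/udp"

# ufw_rule PORT PROTO [SOURCE]: print the ufw command for one port.
# With SOURCE, only that network may reach the port; without it the rule
# is world-open, which is what "ufw allow PORT/PROTO" does.
ufw_rule() {
  port=$1; proto=$2; src=${3:-}
  if [ -n "$src" ]; then
    printf 'ufw allow from %s to any port %s proto %s\n' "$src" "$port" "$proto"
  else
    printf 'ufw allow %s/%s\n' "$port" "$proto"
  fi
}

# emit_rules SOURCE: one restricted rule per entry in OPENSTACK_PORTS.
emit_rules() {
  for entry in $OPENSTACK_PORTS; do
    ufw_rule "${entry%/*}" "${entry#*/}" "$1"
  done
}

# unlisted_listeners: read "ss -Hlntu"-style lines on stdin (Netid, State,
# Recv-Q, Send-Q, Local Address:Port, Peer) and print every port/proto
# bound on all interfaces that is missing from OPENSTACK_PORTS. Sockets
# bound only to loopback are ignored because the firewall never sees them.
unlisted_listeners() {
  while read -r proto _ _ _ local_addr _; do
    port=${local_addr##*:}
    case " $OPENSTACK_PORTS " in
      *" $port/$proto "*) ;;               # covered by the allow-list
      *) case "$local_addr" in
           0.0.0.0:*|'*:'*|\[::\]:*) echo "$port/$proto" ;;
         esac ;;
    esac
  done
}

# Constructed sample of "ss -Hlntu" output: SSH, RabbitMQ, MySQL on
# loopback, Keystone public API, VXLAN and the Ceilometer UDP collector.
SAMPLE_SS='tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5672    0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306  0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5000    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:4789    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:4952    0.0.0.0:*'

echo "# rules restricted to $MGMT_NET"
emit_rules "$MGMT_NET"
echo "# listeners not covered by the allow-list (check before ufw enable)"
printf '%s\n' "$SAMPLE_SS" | unlisted_listeners
```

On a real node replace the constructed sample with "ss -Hlntu" and pipe the generated rules to sh once you have reviewed them. The audit step is the one to run before enabling the firewall: in the sample it reports 22/tcp and 5000/tcp, i.e. the SSH session you are typing into and the Keystone endpoint every other service authenticates against, both of which the post's list would leave closed.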