Ports used by PowerVC
This topic lists ports used by PowerVC for inbound and outbound traffic. This topic also lists the local ports PowerVC uses on the management server.
The host must be reserved for PowerVC and the operating system on which it runs. No additional software may be installed on the management server.
No firewall configuration is done by default during PowerVC installation. The -c firewall install option can be used to do some rough automatic firewall configuration, disabling firewalld and enabling iptables with PowerVC-specific rules on the PowerVC management system. However, this is not generally recommended. Appropriate firewall configuration can be complex and specific to your environment, so the recommended approach is to configure your firewall manually based on the information given in the following table. Also, note that even with -c firewall, additional firewall configuration might be necessary on network firewalls or registered compute hosts, which PowerVC does not touch, or if PowerVC is upgraded to a newer version that introduces additional port requirements. For production environments, consult your system and firewall administrators.
- If you are having connectivity issues, the firewall is likely causing the problem. Only apply firewall rules to external-facing devices, like br-ex. Do not apply them against the internal devices such as br-tun, br-int, tap devices or others. To determine whether the firewall is the problem, disable the firewall for a short time; if connectivity is restored, the rules are incorrect.
- Restarting firewalld services resets the iptables settings configured by PowerVC. This happens when you have already run the ./install -c firewall option.
Ports used on the management server
Traffic direction | Port | Usage | Protocol |
---|---|---|---|
Inbound | 80 (1) | Apache HTTPD Web Server | TCP (HTTP) |
Inbound | 443 | Apache HTTPD Web Server | TCP (HTTPS) |
Inbound | 873 | swift | TCP (HTTPS) |
Inbound | 5000 | keystone | TCP (HTTPS) |
Inbound | 5470 | bumblebee | TCP (HTTPS) |
Inbound | 5671 | rabbitmq | TCP (AMQPS) |
Inbound | 8041 | gnocchi | TCP (HTTPS) |
Inbound | 8080 | swift | TCP (HTTPS) |
Inbound | 8428 | validator | TCP (HTTPS) |
Inbound | 8774 | nova | TCP (HTTPS) |
Inbound | 8778 | panko | TCP (HTTPS) |
Inbound | 8998 | clerk | TCP (HTTPS) |
Inbound | 9000 | cinder | TCP (HTTPS) |
Inbound | 9292 | glance | TCP (HTTPS) |
Inbound | 9696 | neutron | TCP (HTTPS) |
Inbound | 35357 | keystone | TCP (HTTPS) |
Outbound | Allow ICMP | ping | ICMP |
Outbound | 22 | Brocade and Cisco Fibre Channel switches, the IBM® Storwize® family, and PowerVM® NovaLink hosts | TCP (SSH) |
Outbound | 389 | LDAP client | TCP and UDP (LDAP) |
Outbound | 443 | HMC, Brocade HTTPS | TCP (SSH) |
Outbound | 636 | LDAP client | LDAPS |
Outbound | 5989 | EMC PowerMax | TCP (HTTPS) |
Outbound | 5901 | NovaLink console | TCP (RFB) |
Outbound | 8452 | IBM DS8000® | TCP (HTTPS) |
Outbound | 12443 | HMC | HTTPS |
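One way to turn the table above into a manually maintained ruleset, as an added example that is not from the PowerVC documentation or product: it parses rows written in the page's own table format and emits nftables rules that apply only to the external-facing bridge (assumed to be named br-ex, as the page suggests), so internal devices such as br-int, br-tun and tap interfaces are left untouched. The table excerpt embedded below is constructed and partial.

```python
import re
# Constructed excerpt of the page's management-server port table, in the page's
# own row format (not the full table; add the remaining rows before use).
MGMT_TABLE = """
Inbound | 80 (1) | Apache HTTPD Web Server | TCP (HTTP) |
Inbound | 443 | Apache HTTPD Web Server | TCP (HTTPS) |
Inbound | 5671 | rabbitmq | TCP (AMQPS) |
Outbound | Allow ICMP | ping | ICMP |
Outbound | 22 | PowerVM NovaLink hosts | TCP (SSH) |
Outbound | 389 | LDAP client | TCP and UDP (LDAP) |
Outbound | 12443 | HMC | HTTPS |
"""
ROW = re.compile(r"^\s*(Inbound|Outbound)\s*\|([^|]*)\|([^|]*)\|([^|]*)\|?\s*$")

def parse_rows(table):
    """Return (direction, port, protocols) per row; port is None for ICMP rows."""
    rows = []
    for m in filter(None, map(ROW.match, table.splitlines())):
        direction, port, _usage, proto = (s.strip() for s in m.groups())
        num = re.match(r"\d+(?:-\d+)?", port)  # "80 (1)" -> "80"; ranges kept as-is
        protos = {p for p in ("tcp", "udp", "icmp") if p.upper() in proto.upper()}
        if not protos:  # rows that only say HTTPS, LDAPS or SSH are TCP
            protos.add("tcp")
        rows.append((direction, num.group(0) if num else None, protos))
    return rows

def nft_rules(table, ext_if="br-ex"):
    """Build nftables input/output rules scoped to the external-facing bridge
    (assumed to be named br-ex); internal devices such as br-int, br-tun and
    tap interfaces are accepted untouched, as the page advises."""
    ports = {}
    for direction, port, protos in parse_rows(table):
        for p in protos:
            ports.setdefault((direction, p), set()).add(port)
    fmt = lambda s: ", ".join(sorted(s, key=lambda x: int(x.split("-")[0])))
    out = {}
    for direction, match in (("Inbound", "iifname"), ("Outbound", "oifname")):
        rules = [f'{match} != "{ext_if}" accept', "ct state established,related accept"]
        if (direction, "icmp") in ports:
            rules.append(f'{match} "{ext_if}" ip protocol icmp accept')
        for proto in ("tcp", "udp"):
            if (direction, proto) in ports:
                rules.append(f'{match} "{ext_if}" {proto} dport '
                             f'{{ {fmt(ports[(direction, proto)])} }} accept')
        out[direction] = rules
    # Inbound ends in an explicit drop; outbound does not, because the page's table
    # omits dependencies such as DNS and NTP that the server still needs to reach.
    out["Inbound"].append(f'iifname "{ext_if}" drop')
    return out
```

The returned lists are rule bodies only; placing them in an input and an output chain of an nftables table and loading that with nft is left to the operator.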
Ports used by PowerVC on the management server
The ports listed in the following table are used by PowerVC on the management server. These are used internally and are neither inbound nor outbound.
Port | Usage |
---|---|
1883 | MQTT clients without and with TLS |
2181 | zookeeper |
2224 | pacemaker |
2888 | zookeeper |
3888 | zookeeper |
3121 | pacemaker |
4369 | epmd |
4444 | galera |
4567 | galera |
4568 | galera |
5403 | pacemaker |
5405 | pacemaker and corosync |
6080 | nova-novncproxy |
6200 | swift-object-service |
6201 | swift-container-service |
6202 | swift-account-service |
7869 | lim |
7870 | vemkd |
7871 | pem |
7872 | egosc |
8002 | ui-server |
8081 | zookeeper |
8780 | placement |
8883 | MQTT clients without and with TLS |
9001 | haproxy |
9200, 9202-9214 | haproxy health check |
9191 | glance-registry |
9929 | pacemaker |
11211 | memcached |
15672 | rabbitmqadmin |
15674 | STOMP-over-WebSockets clients |
15675 | MQTT-over-WebSockets clients |
15692 | Prometheus metrics |
21064 | pacemaker |
25671 | rabbitmq-dist |
25672 | rabbitmq-dist |
27017 | mongodb |
35672-35682 | Used by CLI tools (Erlang distribution client ports) |
50110 | DB and galera |
61613-61614 | STOMP clients without and with TLS |
Ports used on NovaLink managed hosts
For PowerVC to successfully register a NovaLink host, the NovaLink host's firewall must allow inbound traffic for port 22. All other ports in the following table are also required for proper operation.
Traffic direction | Port | Usage | Protocol |
---|---|---|---|
Inbound | Allow ICMP | ping | ICMP |
Inbound | 22 | Secure shell | TCP (SSH) |
Inbound | 5901 | NovaLink console | TCP (RFB) |
Outbound | 5000 | keystone | TCP (HTTPS) |
Outbound | 5671 | rabbitmq | TCP (AMQPS) |
Outbound | 8080 | swift | TCP (HTTPS) |
Outbound | 8774 | nova | TCP (HTTPS) |
Outbound | 9000 | cinder | TCP (HTTPS) |
Outbound | 9292 | glance | TCP (HTTPS) |
Outbound | 9696 | neutron | TCP (HTTPS) |
Ports used by PowerVC monitoring services
PowerVC uses the following ports on the monitoring services. These ports are used for inter-service communication and must be open for both inbound and outbound traffic between all controller nodes of the PowerVC cluster. In addition, Kibana has an outbound client port that must be open to any web clients that need to connect to it.
Port | Usage | Protocol |
---|---|---|
5044 | logstash-filebeat connection | TCP (UDP) |
5601 | kibana client port (outbound only) | TCP (HTTPS) |
8443 | kibana application port | TCP (UDP) |
9201 | elasticsearch-logstash connection | TCP (HTTPS) |
9301 | elasticsearch application port | TCP (UDP) |
9601 | logstash application port | TCP (UDP) |
Ports used by PowerVC compute plane node
PowerVC uses the following ports on the compute plane node.
Port | Usage | Protocol |
---|---|---|
2224 | management nodes and compute plane (both inbound and outbound) | TCP |
2224 | pacemaker_pcsd communication | TCP |
3121 | pacemaker_remote | TCP |