In some environments network security restrictions are strict, and you may need to configure the firewall by hand to let the OpenStack services through.
To do so, the port used by each OpenStack service must be permitted through the firewall. The table below lists the default port of each OpenStack service:
OpenStack service | Default ports | Port type |
---|---|---|
Block Storage (cinder) | 8776 | publicurl and adminurl |
Compute (nova) endpoints | 8774 | publicurl and adminurl |
Compute API (nova-api) | 8773, 8775 | |
Compute ports for access to virtual machine consoles | 5900-5999 | |
Compute VNC proxy for browsers (openstack-nova-novncproxy) | 6080 | |
Compute VNC proxy for traditional VNC clients (openstack-nova-xvpvncproxy) | 6081 | |
Proxy port for HTML5 console used by Compute service | 6082 | |
Data processing service (sahara) endpoint | 8386 | publicurl and adminurl |
Identity service (keystone) administrative endpoint | 35357 | adminurl |
Identity service public endpoint | 5000 | publicurl |
Image service (glance) API | 9292 | publicurl and adminurl |
Image service registry | 9191 | |
Networking (neutron) | 9696 | publicurl and adminurl |
Object Storage (swift) | 6000, 6001, 6002 | |
Orchestration (heat) endpoint | 8004 | publicurl and adminurl |
Orchestration AWS CloudFormation-compatible API (openstack-heat-api-cfn) | 8000 | |
Orchestration AWS CloudWatch-compatible API (openstack-heat-api-cloudwatch) | 8003 | |
Telemetry (ceilometer) | 8777 | publicurl and adminurl |
On CentOS/Red Hat 7 the default firewall is firewalld; configure it as follows:
firewall-cmd --permanent --add-port=5900-5999/tcp
firewall-cmd --permanent --add-port=8773-8777/tcp
firewall-cmd --permanent --add-port=6080-6082/tcp
firewall-cmd --permanent --add-port=8386/tcp
firewall-cmd --permanent --add-port=35357/tcp
firewall-cmd --permanent --add-port=9292/tcp
firewall-cmd --permanent --add-port=9191/tcp
firewall-cmd --permanent --add-port=9696/tcp
firewall-cmd --permanent --add-port=6000-6002/tcp
firewall-cmd --permanent --add-port=8000-8004/tcp
firewall-cmd --reload
Some OpenStack components also use other ports, such as HTTP, iSCSI and MySQL. The following table lists the ports used by these related services:
Service | Default port | Used by |
---|---|---|
HTTP | 80 | OpenStack dashboard (Horizon) when it is not configured to use secure access. |
HTTP alternate | 8080 | OpenStack Object Storage (swift) service. |
HTTPS | 443 | Any OpenStack service that is enabled for SSL, especially secure-access dashboard. |
rsync | 873 | OpenStack Object Storage. Required. |
iSCSI target | 3260 | OpenStack Block Storage. Required. |
MySQL database service | 3306 | Most OpenStack components. |
Message Broker (AMQP traffic) | 5672 | OpenStack Block Storage, Networking, Orchestration, and Compute. |
Configure firewalld as follows (on the controller node):
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --permanent --add-port=873/tcp
firewall-cmd --permanent --add-port=3260/tcp
firewall-cmd --permanent --add-port=5672/tcp
firewall-cmd --permanent --add-service=dhcp
firewall-cmd --reload
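The commands above open every port in the default zone, so each one is reachable from any source the host can see. An added example (not from the original post, and not the OpenStack project's own tooling) that emits the same firewall-cmd rules but splits them: publicurl endpoints and the dashboard stay in the default zone, while node-to-node ports (adminurl, MySQL, AMQP, iSCSI, rsync, the swift backend servers and the raw VNC console range) are opened only in a dedicated zone bound to the management network. The zone name, the management CIDR and the public/internal split are assumptions made for this example; adjust them to the deployment.

```shell
#!/bin/sh
# Added example, not from the original post: emit firewalld commands for the
# ports in the tables above, split into publicly reachable API ports (default
# zone) and node-to-node ports that only the management network should reach
# (a dedicated zone bound to that network's CIDR). Zone name, CIDR and the
# public/internal split are assumptions; adjust them to the deployment.

ZONE=${ZONE:-openstack-mgmt}
MGMT_CIDR=${MGMT_CIDR:-10.0.0.0/24}   # constructed management network

# publicurl endpoints, the dashboard and the browser VNC proxy: clients reach
# these from outside, so they stay in the default zone.
PUBLIC_PORTS="80 443 5000 8774 8776 8777 8386 9292 9696 8004 6080"

# adminurl, database, message broker, image registry, rsync, iSCSI, swift
# object/container/account servers, the 8080 alternate, the remaining
# nova/heat APIs and the raw VNC console range: only other OpenStack nodes
# need these, so they are opened solely to MGMT_CIDR.
INTERNAL_PORTS="35357 3306 5672 9191 873 3260 6000-6002 8080 8773 8775 8000 8003 6081 6082 5900-5999"

# One --add-port command per public port, in the default zone.
public_rules() {
    for p in $PUBLIC_PORTS; do
        echo "firewall-cmd --permanent --add-port=$p/tcp"
    done
}

# Create the management zone if it is missing, bind it to MGMT_CIDR, then open
# the internal ports in that zone only. Packets from any other source fall
# back to the default zone, where these ports are not opened.
internal_rules() {
    echo "firewall-cmd --permanent --get-zones | grep -qw $ZONE || firewall-cmd --permanent --new-zone=$ZONE"
    echo "firewall-cmd --permanent --zone=$ZONE --add-source=$MGMT_CIDR"
    for p in $INTERNAL_PORTS; do
        echo "firewall-cmd --permanent --zone=$ZONE --add-port=$p/tcp"
    done
}

# Full command list, ending with the reload that makes permanent rules live.
all_rules() {
    public_rules
    internal_rules
    echo "firewall-cmd --reload"
}

# Print the commands by default; pass --apply to run them (needs root).
if [ "${1:-}" = "--apply" ]; then
    all_rules | sh -e
else
    all_rules
fi
```

Run it without arguments to review the generated commands, then with `--apply` on the controller. Because the internal ports exist only in the management zone, a request for MySQL or AMQP from an address outside MGMT_CIDR is evaluated against the default zone and dropped, which is the least-privilege property the flat list above does not give you.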
On some deployments, the default port used by a service may fall within the host's local (ephemeral) port range, in which case the kernel can hand that port to an outgoing connection before the service binds it. Check the host's local port range first.
If a service's default port falls within this range, check whether the port has already been assigned to another application.
Configure the service to use a different port if the default port is already being used by another application.
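The two checks just described, as an added example script that is not part of the original post. On Linux the local port range is read from /proc/sys/net/ipv4/ip_local_port_range and current listeners from `ss -ltn`; the script's check functions take those values as arguments or on stdin so they can be exercised against the constructed `ss` listing embedded below, and `check_host` feeds them the live values. The port list is taken from the tables above.

```shell
#!/bin/sh
# Added example, not from the original post: detect two port problems before
# opening the firewall. (1) A default OpenStack port inside the kernel's
# ephemeral range (/proc/sys/net/ipv4/ip_local_port_range) can be grabbed by
# an outgoing connection before the service binds it. (2) A port may already
# have a listener. The checks take their inputs as arguments or stdin so they
# run against constructed data; check_host feeds them the live values from
# /proc and `ss -ltn` (both standard on Linux).

# Single-port OpenStack defaults from the tables above (the 5900-5999 VNC
# range is handled separately in check_host).
OPENSTACK_PORTS="8776 8774 8773 8775 6080 6081 6082 8386 35357 5000 9292 9191 9696 6000 6001 6002 8004 8000 8003 8777"

# Print each PORT that lies inside [LOW, HIGH].
# Usage: ports_in_range LOW HIGH PORT...
ports_in_range() {
    low=$1; high=$2; shift 2
    for p in "$@"; do
        if [ "$p" -ge "$low" ] && [ "$p" -le "$high" ]; then
            echo "$p"
        fi
    done
}

# Read `ss -ltn` output from stdin and print the local address:port of every
# listener bound to PORT on any address; prints nothing if the port is free.
# Usage: ss -ltn | listener_on PORT
listener_on() {
    awk -v port="$1" '
        NR > 1 {
            n = split($4, a, ":")   # 0.0.0.0:3306, [::]:5000 and *:80 all end in the port
            if (a[n] == port) print $4
        }'
}

# Run both checks against the live host.
check_host() {
    read -r low high < /proc/sys/net/ipv4/ip_local_port_range
    echo "ephemeral port range: $low-$high"
    for p in $(ports_in_range "$low" "$high" $OPENSTACK_PORTS); do
        echo "WARNING: default port $p lies inside the ephemeral range"
    done
    if [ "$low" -le 5999 ] && [ "$high" -ge 5900 ]; then
        echo "WARNING: VNC console range 5900-5999 overlaps the ephemeral range"
    fi
    listing=$(ss -ltn)
    for p in $OPENSTACK_PORTS; do
        for l in $(printf '%s\n' "$listing" | listener_on "$p"); do
            echo "WARNING: port $p already has a listener on $l"
        done
    done
}

# Constructed `ss -ltn` sample (not captured from a real host), used by --demo.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    [::]:5000           [::]:*
LISTEN 0      4096   127.0.0.1:6082      0.0.0.0:*'

case ${1:-} in
    --host) check_host ;;
    --demo) printf '%s\n' "$SAMPLE_SS" | listener_on 5000 ;;
esac
```

Run with `--host` on the node being configured; any WARNING line means a service should be moved to a different port (and the firewall rule updated to match) before it is started. Against the constructed sample, `listener_on 3306` reports the MySQL listener while `listener_on 8776` reports nothing, and with a typical 32768-60999 range only 35357 (the keystone admin endpoint) falls inside it.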