이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 11. Allocating Ports
Abstract
In a fabric environment, Fuse uses TCP/IP ports for communication between containers. If you need to implement a firewall, you must consider these ports and how to handle communication between Fuse containers. You can use the port service to take care of allocating ports for your services, where the port service allocates ports in such a way as to avoid port clashes.
11.1. Ports used in a Fabric Environment
In a Fabric environment, Fuse uses a number of TCP/IP ports for inter-container communication, as listed in the following table.
You can change these ports in configuration files or fabric profiles.
The minimum set of ports needed for a working fabric is the HTTP port (8181) and Zookeeper server port (2181). However, with only these ports open you cannot configure ensemble operation, which relies on a full set of Zookeeper ports, nor can you use any kind of JMX administration.
TCP-IP Ports used in a Fabric environment
| Port | Default Value | Purpose |
|---|---|---|
| Standard SSH | 22 |
To provision containers by using container-create-ssh
|
| Karaf SSH | 8101 | For attaching remote administration clients |
| Zookeeper server | 2181 | For reading the configuration repository |
| ZooKeeper peer | 2888 | For synchronizing the configuration repository |
| ZooKeeper election | 3888 | For coordinating ZooKeeper ensemble roles |
| RMI server | 1099 | For JMX administration operations over RMI |
| RMI registry | 44444 | For JMX administration operations over RMI |
| Standard HTTP | 8181 | Used by the web-based administration console; the default for web services endpoints |
| Standard HTTPS | 8443 | Encrypted; used by the web-based administration console; the default for web services endpoints |
Elasticsearch ports
If you enable the Elasticsearch feature on the Fabric node, the Fabric environment uses two ports that are set by properties that belong to the
io.fabric8.elasticsearch-insight PID. These PID properties are set to corresponding Fabric environment variable values:
http.port = FABRIC8_ES_HTTP_PORT
Transport.tcp.port = FABRIC8_ES_TCP_PORT
To change the ports that Elasticsearch uses, you can customize these port settings for your Fabric profile. For example, if your profile name is
myprofile, you can run the following command to change the HTTP port that Elasticsearch uses from the default value to port 1234:
fabric:profile-edit --pid io.fabric8.elasticsearch-insight/http.port=1234 myprofile
For more information on Fabric profiles, see Section 6.2, “Working with Profiles”.
Managing ports when using a firewall
While Red Hat does not recommend placing firewall restrictions between container hosts in a fabric, sometimes it is unavoidable. To ensure that the fabric works correctly when you configure a firewall, address the following concerns:
- Fuse expects to have access to public Maven repositories using HTTP, in order to satisfy dependencies when applications are deployed. While there may be a need to block incoming connections to Fuse services, blocking outbound connections could be highly problematic, because Fuse will not be able to connect to the repositories it needs. If there is no alternative to blocking outbound connections, then you must either configure an HTTP proxy with Internet access or you must replicate all the artifacts required from the public repositories in a local shared file system.
- You might notice sockets in the LISTENING state other that are not listed in the "TCP-IP Ports used in a Fabric environment table. These sockets are used by services exposed by the JVM for debugging and diagnostic purposes. They typically have machine-generated port numbers. in production set-ups, you do not need to expose these ports in the firewall.
- If you're using a clustered JMS broker setup, then you should make provision for the routing of traffic between brokers, as well as between the brokers and their clients.
- The ZooKeeper ports can change at runtime,for example, when a ZooKeeper ensemble is resized. If you are implementing a firewall, you should make provision for this port change. For example, rather than opening port 2181 for ZooKeeper, you should open a range of ports starting with 2181, if the ensemble is likely to be re-sized before settling on a final configuration.
