이 콘텐츠는 선택한 언어로 제공되지 않습니다.
1.3. Configuring the iptables Firewall to Allow Cluster Components
Note
The ideal firewall configuration for cluster components depends on the local environment, where you may need to take into account such considerations as whether the nodes have multiple network interfaces or whether off-host firewalling is present. The example here, which opens the ports that are generally required by a Pacemaker cluster, should be modified to suit local conditions.
Table 1.1, “Ports to Enable for High Availability Add-On” shows the ports to enable for the Red Hat High Availability Add-On and provides an explanation for what the port is used for. You can enable all of these ports by means of the
firewalld
daemon by executing the following commands.
#firewall-cmd --permanent --add-service=high-availability
#firewall-cmd --add-service=high-availability
Port | When Required |
---|---|
TCP 2224
|
Required on all nodes (needed by the
pcsd Web UI and required for node-to-node communication)
It is crucial to open port 2224 in such a way that
pcs from any node can talk to all nodes in the cluster, including itself. When using the Booth cluster ticket manager or a quorum device you must open port 2224 on all related hosts, such as Booth arbiters or the quorum device host.
|
TCP 3121
|
Required on all nodes if the cluster has any Pacemaker Remote nodes
Pacemaker's
crmd daemon on the full cluster nodes will contact the pacemaker_remoted daemon on Pacemaker Remote nodes at port 3121. If a separate interface is used for cluster communication, the port only needs to be open on that interface. At a minimum, the port should open on Pacemaker Remote nodes to full cluster nodes. Because users may convert a host between a full node and a remote node, or run a remote node inside a container using the host's network, it can be useful to open the port to all nodes. It is not necessary to open the port to any hosts other than nodes.
|
TCP 5403
|
Required on the quorum device host when using a quorum device with
corosync-qnetd . The default value can be changed with the -p option of the corosync-qnetd command.
|
UDP 5404
|
Required on corosync nodes if
corosync is configured for multicast UDP
|
UDP 5405
|
Required on all corosync nodes (needed by
corosync )
|
TCP 21064
|
Required on all nodes if the cluster contains any resources requiring DLM (such as
clvm or GFS2 )
|
TCP 9929, UDP 9929
|
Required to be open on all cluster nodes and booth arbitrator nodes to connections from any of those same nodes when the Booth ticket manager is used to establish a multi-site cluster.
|