Appendix: Open Network PortsΒΆ
ClusterWare needs a number of network ports to be open so that critical services can be reached. Which ports are needed depends on the function of a given node. Head nodes serve out many of the cluster infrastructure services, like DNS and DHCP, and hence need a number of ports open. Login or management nodes need fewer ports open since, while admins can run ClusterWare commands on those nodes, they do not host any services themselves. Compute nodes also do not host any services and thus need few ports to be open.
Note
MPI and other communication libraries may have additional requirements on open network ports; these requirements will be highly application-specific, please refer to the vendor's documentation for more information.
It is often convenient to simply open up the internal cluster network to allow all traffic so that compute nodes and heads can easily "talk" to each other. One method is to create a "rich rule" for the cluster subnet that allows all traffic:
firewall-cmd --permanent --zone=public \
--add-rich-rule='rule family=ipv4 source address=192.168.100.0/24 accept'
For clusters with multiple networks, multiple "rich rules" will need to be created.
In more secure environments, admins may want to lock down the network more tightly. The following table shows what ports need to be open on different "types" of nodes. "Open" indicates that the port is required to be open for proper functioning of the cluster. "Opt" indicates a port that may be open or blocked, but note that if it is blocked, then that service may not function fully. As an example, the Chrony tool uses port 123 to keep the system's time in sync; but port 323 is only needed if admins want to do further control of Chrony through the chronyc command-line tool.
Service |
Port |
HEAD |
LOGIN |
NODE |
|---|---|---|---|---|
Apache (httpd) |
801 |
open |
||
443 |
open |
|||
Chrony |
123 |
open |
||
3232 |
opt |
opt |
opt |
|
DHCP |
68 |
open |
||
DNS |
53 |
open |
||
etcd |
52380 |
open |
||
Grafana |
523913 |
local |
||
InfluxDB |
80864 |
local |
opt |
|
iSCSI |
32605 |
opt |
||
SSH |
22 |
open |
open |
open |
Telegraf |
8094 |
open |
||
TFTP |
69 |
open |
||
Slurm |
33066 |
open |
||
68177 |
open |
open |
open |
|
68188 |
open |
open |
||
68199 |
open |
Footnotes
[1] Use of the insecure HTTP protocol on port 80 is deprecated;
admins should switch to HTTPS on port 443.
[2] Port 323 is used by the `chronyc` command-line tool and by
the `chrony` status plugin; if those tools are not being used,
then the port can be disabled. When used, the traffic should
only be on localhost.
[3] The Grafana port must be open for local traffic on the heads.
[4] The InfluxDB port must be open for local traffic on the heads.
On heads and login nodes, it can be opened for debugging or
low-level access to InfluxDB.
[5] iSCSI support is optional; if iSCSI booting is not being used,
then the port can be disabled.
[6] Slurm is an optional package; port 3306 is used
by `slurmdbd` to talk to the SQL database which generally
resides on the same host.
[7] Slurm is an optional package; port 6817 is used
by various tools to communicate with `slurmctld` on the
Slurm controller node.
[8] Slurm is an optional package; port 6818 is used
by `slurmd` on the compute-nodes to receive job information
from the `slurmctld` on the Slurm controller node.
[9] Slurm is an optional package; port 6819 is used
by `slurmdbd` to talk to `slurmctld` which generally
resides on the same host.