Appendix: Open Network Ports

ClusterWare needs a number of network ports to be open so that critical services can be reached. Which ports are needed depends on the function of a given node. Head nodes serve out many of the cluster infrastructure services, like DNS and DHCP, and hence need a number of ports open. Login or management nodes need fewer ports open since, while admins can run ClusterWare commands on those nodes, they do not host any services themselves. Compute nodes also do not host any services and thus need few ports to be open.

Note

MPI and other communication libraries may have additional requirements on open network ports. These requirements will be highly application-specific; please refer to the vendor's documentation for more information.

It is often convenient to simply open up the internal cluster network to allow all traffic so that compute nodes and heads can easily "talk" to each other. One method is to create a "rich rule" for the cluster subnet that allows all traffic:

firewall-cmd --permanent --zone=public \
   --add-rich-rule='rule family=ipv4 source address=192.168.100.0/24 accept'

For clusters with multiple networks, multiple "rich rules" will need to be created.

In more secure environments, admins may want to lock down the network more tightly. The following table shows which ports need to be open on different "types" of nodes. "Open" indicates that the port is required to be open for proper functioning of the cluster. "Opt" indicates a port that may be open or blocked, but note that if it is blocked, then that service may not function fully. As an example, the Chrony tool uses port 123 to keep the system's time in sync, but port 323 is only needed if admins want further control of Chrony through the chronyc command-line tool.

Service

Port

HEAD

LOGIN

NODE

Apache (httpd)

80 [1]

open

443

open

Chrony

123

open

323 [2]

opt

opt

opt

DHCP

68

open

DNS

53

open

etcd

52380

open

Grafana

52391 [3]

local

InfluxDB

8086 [4]

local

opt

iSCSI

3260 [5]

opt

SSH

22

open

open

open

Telegraf

8094

open

TFTP

69

open

Slurm

3306 [6]

open

6817 [7]

open

open

open

6818 [8]

open

open

6819 [9]

open

Footnotes
  [1] Use of the insecure HTTP protocol on port 80 is deprecated;
      admins should switch to HTTPS on port 443.
  [2] Port 323 is used by the `chronyc` command-line tool and by
      the `chrony` status plugin; if those tools are not being used,
      then the port can be disabled. When used, the traffic should
      only be on localhost.
  [3] The Grafana port must be open for local traffic on the heads.
  [4] The InfluxDB port must be open for local traffic on the heads.
      On heads and login nodes, it can be opened for debugging or
      low-level access to InfluxDB.
  [5] iSCSI support is optional; if iSCSI booting is not being used,
      then the port can be disabled.
  [6] Slurm is an optional package; port 3306 is used
      by `slurmdbd` to talk to the SQL database which generally
      resides on the same host.
  [7] Slurm is an optional package; port 6817 is used
      by various tools to communicate with `slurmctld` on the
      Slurm controller node.
  [8] Slurm is an optional package; port 6818 is used
      by `slurmd` on the compute-nodes to receive job information
      from the `slurmctld` on the Slurm controller node.
  [9] Slurm is an optional package; port 6819 is used
      by `slurmdbd` to talk to `slurmctld` which generally
      resides on the same host.
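
When locking a node down as described above, it helps to compare what is actually listening against the table. The script below is an added example, not part of ClusterWare: it reads `ss -H -tuln` output and flags ports the table and footnotes [2] to [4] mark as local that are bound to a non-loopback address, plus listeners on ports the table does not list. The function names, output labels and sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Ports marked local in the table/footnotes: 323 (chronyc, [2]),
# 52391 (Grafana, [3]), 8086 (InfluxDB, [4]; may be opened on purpose
# on heads and login nodes for debugging, so treat a hit as "review").
LOCAL_ONLY="323 52391 8086"
# Every port that appears in the table, regardless of node type.
KNOWN="22 53 68 69 80 123 323 443 3260 3306 6817 6818 6819 8086 8094 52380 52391"

# audit_listeners: reads `ss -H -tuln` output on stdin, prints findings.
audit_listeners() {
    awk -v local_only="$LOCAL_ONLY" -v known="$KNOWN" '
    BEGIN {
        n = split(local_only, a, " "); for (i = 1; i <= n; i++) lo[a[i]] = 1
        n = split(known, b, " ");      for (i = 1; i <= n; i++) ok[b[i]] = 1
    }
    {
        addr = $5; port = $5           # field 5 is "Local Address:Port"
        sub(/:[0-9]+$/, "", addr)      # strip the trailing :port
        sub(/^.*:/, "", port)          # keep the text after the last colon
        loopback = (addr ~ /^127\./ || addr == "[::1]")
        if ((port in lo) && !loopback)
            print "NONLOCAL " $1 " " addr " " port
        else if (!(port in ok) && !loopback)
            print "UNLISTED " $1 " " addr " " port
    }'
}

# Constructed sample input (not captured from a real node).
sample_ss() {
    cat <<'EOF'
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:443 [::]:*
tcp LISTEN 0 128 *:52391 *:*
tcp LISTEN 0 128 127.0.0.1:8086 0.0.0.0:*
tcp LISTEN 0 128 192.168.100.1:9100 0.0.0.0:*
EOF
}

sample_ss | audit_listeners
# On a live node: ss -H -tuln | audit_listeners
```

A listening socket is not the same as a reachable one: the firewall may still block it, so read the findings alongside `firewall-cmd --list-all`.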