Companies in securities, finance or with otherwise strict network requirements, where every port opened on the network has to pass a security audit, are a real pain. Still, from a security standpoint it is very much necessary.
Deploying CS (CloudStack) in a complex network means debugging network connectivity so that the components can actually talk to each other.
Below are the commonly used CS ports as given in the official documentation:
Management server:
8080: main UI / authenticated API port
8096: user/client to CS management server, unauthenticated
8787: CloudStack (Tomcat) debug socket
9090: CloudStack cluster management service interface
45219: JMX console
System VM agent communication - must be open on the management server:
3922: secure communication port for the system VMs
8250: unencrypted communication port between system VMs and the management server
MySQL server:
3306: MySQL service
Hypervisors:
22/443: XenServer, XAPI
22: KVM
443: vCenter
External ports:
53: DNS
111/2049: NFS communication with the SSVM
860/3260: iSCSI software initiator communication ports
7080: AWS API server
In addition, here are the ports listened on and the services exposed by the management server and the system VMs:
Management server:

| # | Interface | Port | Process | Config File | Note |
|---|---|---|---|---|---|
| 1 | * | 3306 | mysqld | /etc/my.cnf | MySQL database, the port should be protected. |
| 2 | * | 8080 | tomcat | | Default Web Console HTTP Port |
| 3 | * | 8250 | tomcat | simulator.properties | MS-Agent Communication |
| 4 | * | 7080 | tomcat | server.xml | AWSAPI |
| 5 | * | 9090 | tomcat | db.properties | MS-MS Communication |
| 6 | * | 20400 | tomcat | server.xml | AJP Connector |
| 7 | * | 45219 | tomcat | tomcat6.conf | JMX Port (no authentication) |
| 8 | * | other high ports | tomcat | | |
Virtual router: the virtual router has 3 interfaces, connected respectively to the public network, the guest network and the cloud link local network.

| # | Interface | Port | Process | Note |
|---|---|---|---|---|
| 1 | Guest | 53 | dnsmasq | |
| 2 | Guest | 80 | apache2 | |
| 3 | Guest | 443 | apache2 | |
| 4 | Guest | 8080 | socat | password server: /opt/cloud/bin/serve_password.sh |
| 5 | Link Local | 3922 | sshd | |
| 6 | * | 35999 | haproxy | does haproxy need to listen on all interfaces? |
CPVM: the console proxy VM has 3 interfaces, connected to the public network, the management network and the cloud link local network.

| # | Interface | Port | Process | Config File | Note |
|---|---|---|---|---|---|
| 1 | * | 443 | java | | Console Proxy Listening Port |
| 2 | * | 8001 | java | /usr/local/cloud/systemvm/conf/consoleproxy.properties | Deprecated. Console proxy internal port for the management server to get the current load status of a running proxy (this will be obsolete since load reporting is done via the secure agent/management server channel) |
| 3 | Link Local | 3922 | sshd | | |
SSVM: the secondary storage VM has 4 interfaces, connected to the public network, the management network, the storage network and the cloud link local network.

| # | Interface | Port | Process | Note |
|---|---|---|---|---|
| 1 | * | 111 | rpc.portmap | Should be closed if not needed or limited to internal interfaces |
| 2 | * | high port | rpc.statd | Should be closed if not needed or limited to internal interfaces |
| 3 | public | 80 | apache2 | zone-to-zone copy over http |
| 4 | public | 443 | apache2 | zone-to-zone copy over https |
| 5 | Link Local | 3922 | sshd | |
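To turn the management-server table above into something an auditor can actually run, here is an added example (my own script, not from the original post or from the CloudStack project) that compares a host's listening sockets against that table. It reads `ss -ltn` output, flags a restricted port (3306, the unauthenticated 8096 API, the 8787 debug socket, 20400 AJP, the unauthenticated 45219 JMX port) that is bound on a wildcard address as EXPOSED, and flags any listener not in the table as UNEXPECTED. The port sets `MS_EXPECTED` and `MS_RESTRICTED` are my own grouping of the page's list, and the `ss` sample is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a CloudStack
# management server's listening sockets against the port table above.

# Ports the management-server table says should be listening.
MS_EXPECTED="3306 8080 8250 7080 9090 20400 45219"
# Ports that must never be bound on a public-facing / wildcard address:
# database, unauthenticated 8096 API, Tomcat debug socket, AJP, JMX (no auth).
MS_RESTRICTED="3306 8096 8787 20400 45219"

# audit_listen "<output of ss -ltn>"  ->  one "<port> <verdict>" line per socket
#   EXPOSED     restricted port bound on a wildcard address
#   UNEXPECTED  port that is neither in the table nor in the restricted set
#   ok          everything else (expected port, or restricted port bound locally)
audit_listen() {
  printf '%s\n' "$1" | awk -v expv="$MS_EXPECTED" -v resv="$MS_RESTRICTED" '
    BEGIN {
      n = split(expv, e, " "); for (i = 1; i <= n; i++) expected[e[i]] = 1
      n = split(resv, r, " "); for (i = 1; i <= n; i++) restricted[r[i]] = 1
    }
    NR > 1 && $1 == "LISTEN" {
      # Local address is field 4, e.g. 0.0.0.0:3306, *:8080 or [::]:8096;
      # the port is the text after the last colon, the bind address the rest.
      n = split($4, a, ":"); port = a[n]
      bind = substr($4, 1, length($4) - length(port) - 1)
      wildcard = (bind == "*" || bind == "0.0.0.0" || bind == "[::]" || bind == "::")
      if ((port in restricted) && wildcard)                   print port " EXPOSED"
      else if (!(port in expected) && !(port in restricted))  print port " UNEXPECTED"
      else                                                    print port " ok"
    }'
}

# Constructed sample of `ss -ltn` output (not from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    *:8080             *:*
LISTEN 0      128    127.0.0.1:45219    0.0.0.0:*
LISTEN 0      128    [::]:8096          [::]:*
LISTEN 0      128    0.0.0.0:6379       0.0.0.0:*'

# On a real management server run:  audit_listen "$(ss -ltn)"
audit_listen "$SAMPLE_SS"
```

With the sample input the script reports 3306 and 8096 as EXPOSED, 45219 as ok because it is only bound to loopback, and 6379 as UNEXPECTED; anything marked EXPOSED is a candidate for a firewall rule limiting it to the management network, and anything UNEXPECTED is a listener the audit should be able to explain.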