Port Usage

The following table lists the ports that must be open between the xCAT management node and the nodes it manages, unless otherwise noted. The xCAT service nodes use the same ports as the management node. A service (or protocol) applies to both AIX and Linux, unless stated otherwise. Service names are typical strings that appear in the /etc/services file, or in firewall/IP filtering logs. Local customization of the /etc/services files, daemon configuration options, like overriding the default port number, and differences in software source implementations, may yield other service information results.

Whether a service is required or optional is difficult to state in general: depending on which functions you are running, a service listed here as optional may actually be required. The Trusted side is behind the firewall; the Non-trusted side is in front of the firewall.

xCAT Port Usage Table

Service Name  Port number     Protocol    Range    Required or optional
xcatdport     3001            tcp                  required
xcatdport     3001            udp                  required
xcatiport     3002            tcp                  required
xcatiport     3002            udp                  required
xcatlport     3003 (default)  tcp                  optional
echo-udp      7               udp                  required
ssh-tcp       22              tcp                  required
ssh-udp       22              udp                  required
rsync         873             tcp                  required
rsync         873             udp                  required
domain-tcp    53              tcp                  optional
domain-udp    53              udp                  optional
bootps        67              udp                  required on AIX and p-linux
dhcp          67              tcp                  required on linux, optional on AIX
dhcpc         68              tcp                  required on linux, optional on AIX
bootpc        68              udp                  required on AIX
tftp-tcp      69              tcp                  required
tftp-udp      69              udp                  required
www-tcp       80              tcp                  required
www-udp       80              udp                  required
kerberos      88              tcp                  not supported/used by xCAT anymore
kerberos      88              udp                  not supported/used by xCAT anymore
sunrpc-udp    111             udp                  required on linux statelite and AIX
shell         514             tcp         1-1023   optional
rsyslogd      514             tcp                  required on linux
rsyslogd      514             udp                  required on linux
kshell        544             tcp         1-1023   required on AIX
rmc-tcp       657             tcp         1-1023   required for RMC monitoring
rmc-udp       657             udp         1-1023   required for RMC monitoring
conserver     782             tcp                  required on the mgmt and service nodes
nim           1058            tcp         1-1023   required on AIX
nfsd-tcp      2049            tcp         1-1023   required on linux statelite and AIX
nfsd-udp      2049            udp         1-1023   required on linux statelite and AIX
pxe           4011            tcp                  required for linux
rpc-mount     100005          see Note 2           required on linux statelite and AIX
mount-tcp     see Note 1      tcp                  required on linux statelite and AIX
mount-udp     see Note 1      udp                  required on linux statelite and AIX
awk           300             tcp                  optional
ipmi          623             tcp                  required on x86_64 and p8
ipmi          623             udp                  required on x86_64 and p8
snmp          161             tcp                  required on Flex
snmp          161             udp                  required on Flex
snmptrap      162             tcp                  required for snmp monitoring
snmptrap      162             udp                  required for snmp monitoring

  • xcatdport

    The port used by the xcatd daemon for client/server communication.

  • xcatiport

    The port used by xcatd to receive install status updates from nodes.

  • xcatlport

    The port used by xcatd to record the command log. You can customize it by editing the site table; if you do not configure it, 3003 is used by default.

  • echo-udp

    Needed by RSCT Topology Services.

  • ssh-udp

    Needed to use ssh. This service defines the protocol for udp. This is required when installing or running updatenode, xdsh, xdcp, psh, pcp through the firewall.

  • rsync

    Needed to use updatenode or xdcp to rsync files to the nodes or service nodes.

  • domain-tcp

    Used when Domain Name Services (DNS) traffic from the Non-trusted nodes and the firewall node to a DNS server is explicitly handled by the firewall. Some firewall applications can be configured to explicitly handle all DNS traffic. This is for tcp DNS traffic.

  • domain-udp

    Used when Domain Name Services (DNS) traffic from the Non-trusted nodes and the firewall node to a DNS server is explicitly handled by the firewall. Some firewall applications can be configured to explicitly handle all DNS traffic. This is for udp DNS traffic.

  • bootps

    Bootp server port needed when installing a Non-trusted AIX or System p node through the firewall. This service is issued by the client to the Management Node for an install request. It is not required to install the Non-trusted nodes through the firewall or to apply maintenance. This is the reason why the service is considered optional.

  • dhcp

    Needed to install Linux nodes through the firewall. This is the port for the dhcp server. This service defines the protocol for tcp.

  • dhcpc

    Needed to install Linux through the firewall. This is the port for the dhcp client. This service defines the protocol for tcp.

  • bootpc

    Bootp client port needed when installing a Non-trusted AIX or System p node through the firewall. This service is issued by the Management Node back to the client, in response to an install request from the client. It is not required to install the Non-trusted nodes through the firewall or to apply maintenance. This is the reason why the service is considered optional.

  • tftp-tcp

    Needed to install Linux nodes. This service defines the protocol for tcp.

  • tftp-udp

    Needed to install Linux nodes. This service defines the protocol for udp.

  • www-tcp

    Needed to use World Wide Web http. This service defines the protocol for tcp.

  • www-udp

    Needed to use World Wide Web http. This service defines the protocol for udp.

  • kerberos

    Kerberos Version 5 KDC. Needed if running Kerberos Version 5 remote command authentication. This service defines the protocol for tcp.

  • kerberos

    Kerberos Version 5 KDC. Needed if running Kerberos Version 5 remote command authentication. This service defines the protocol for udp.

  • sunrpc-udp

    The portmapper service. Needed when installing a Non-trusted node through the firewall. Specifically required for the mount request that takes place during node install.

  • shell

    Used when rsh/rcp is enabled for Standard (std) authentication protocol. Needed for xdsh operations when using rsh for remote commands.

  • rsyslogd

    Used for system log monitoring. This is for tcp protocol.

  • rsyslogd

    Used for system log monitoring. This is for udp protocol.

  • kshell

    Used when rsh/rcp is enabled for Kerberos authentication. Not currently supported in xCAT.

  • nim

    Network Installation Management client traffic generated by a Non-trusted node during node boot/shutdown. Required if using NIM. AIX only.

  • rmc-tcp

    Resource Monitoring and Control (RMC) used for hardware monitoring, key exchange. This is for tcp protocol.

  • rmc-udp

    Resource Monitoring and Control (RMC) used for hardware monitoring, key exchange. This is for udp protocol.

  • conserver

    Required on the xCAT management node and service nodes. This service defines the protocol for tcp.

  • nfsd-tcp

    Needed to use the AIX mount command. This service defines the protocol for tcp. Required when installing a Non-trusted node through the firewall. Needed when an installp is issued on a Non-trusted node and the resource exists on the Trusted side.

  • nfsd-udp

    Needed to use the AIX mount command. This service defines the protocol for udp. Required when installing a Non-trusted node through the firewall.

  • pxe

    Needed to install System x nodes through the firewall. This is the port for the PXE boot server. This service defines the protocol for tcp.

  • rpc-mount

    Remote Procedure Call (RPC) used in conjunction with NFS mount request. See note 2.

  • ssh-tcp

    Needed to use ssh. This service defines the protocol for tcp. This is required when installing or running updatenode through the firewall.

  • mount-tcp

    Needed to use the AIX mount command. This service defines the protocol for tcp. Required when installing a Non-trusted node through the firewall. Needed when installp is issued on a Non-trusted node and the resource exists on the Trusted side. Needed to run updatenode command. See note 1.

  • mount-udp

    Needed to use the AIX mount command. This service defines the protocol for udp. Needed when installp is issued on a Non-trusted node and the resource exists on the Trusted side. Needed to run updatenode command. See note 1.

  • awk

    For awk communication during node discovery.

  • ipmi

    For ipmi traffic.

  • snmp

    For SNMP communication to blade chassis.

  • snmptrap

    For SNMP communication to blade chassis.

Note 1 - AIX mount

On AIX, the mountd port range is usually determined at the time of the mount request. Part of the communication flow within a mount command is to query the remote mountd server and find out what ports it is using. The mountd ports are selected dynamically each time the mountd server is initialized. Therefore, the port numbers will vary from one boot to another, or when mountd is stopped and restarted.

Unfortunately, this causes a problem when used through a firewall, as no rule can be defined to handle traffic with a variable primary port. To create a service for mountd (server) traffic that has a fixed port, and one that can be trapped by a rule, you will need to update the /etc/services file on the host that is the target of the mount with new mountd entries for TCP and UDP, where the port numbers are known to be unused (free). The mountd TCP and UDP ports must be different. Any free port number is valid. The mountd must be stopped and started to pick up the new port values.

For example, issuing a mount request on Non-trusted node X, whose target is the Management Server, that is,

mount ms2112:/images /images

would require that the /etc/services file on ms2112 be updated with something similar to the following:

mountd 33333/tcp
mountd 33334/udp

For mountd to detect its new port values you must stop and start rpc.mountd. The stopping and starting of mountd takes place on the same host where the /etc/services file mountd updates were made. In the above example, ms2112’s mountd is stopped and started. You can verify that mountd is using the new port definitions by issuing the rpcinfo command.

This procedure shows how to change ports used by mountd:

lssrc -s rpc.mountd

Produces output similar to:

Subsystem         Group            PID          Status
rpc.mountd        nfs              12404        active

Then

rpcinfo -p ms2112 | grep mount

Produces output similar to:

100005 1 udp 37395 mountd
100005 2 udp 37395 mountd
100005 3 udp 37395 mountd
100005 1 tcp 34095 mountd
100005 2 tcp 34095 mountd
100005 3 tcp 34095 mountd

Then

stopsrc -s rpc.mountd

Produces output similar to:

0513-044 The rpc.mountd Subsystem was requested to stop.

Update /etc/services with new mountd entries.

Note: Make a backup copy of /etc/services before making changes.

grep mountd /etc/services

Produces output similar to:

mountd 33333/tcp
mountd 33334/udp

Then

startsrc -s rpc.mountd

Produces output similar to:

0513-059 The rpc.mountd Subsystem has been started. Subsystem PID is 19536.

Then

rpcinfo -p ms2112 | grep mount

Produces output similar to:

100005 1 udp 33334 mountd
100005 2 udp 33334 mountd
100005 3 udp 33334 mountd
100005 1 tcp 33333 mountd
100005 2 tcp 33333 mountd
100005 3 tcp 33333 mountd
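
The final verification step of this procedure can be scripted so that a mountd restart that falls back to dynamic ports is caught before the firewall starts dropping mount traffic. The following is an added example, not part of the xCAT documentation; the function names pinned_port and check_mountd are hypothetical, and the sample data is abbreviated from the outputs shown above.

```shell
#!/bin/sh
# Added example: confirm that rpc.mountd is registered only on the ports
# pinned in /etc/services, so the mount-tcp/mount-udp firewall rules stay valid.

# pinned_port PROTO: read services-format text on stdin and print the mountd
# port for PROTO (tcp or udp).
pinned_port() {
    awk -v proto="$1" '$1 == "mountd" {
        split($2, a, "/")
        if (a[2] == proto) { print a[1]; exit }
    }'
}

# check_mountd SERVICES_TEXT RPCINFO_TEXT
# Returns 0 if every mountd registration (RPC program 100005) uses the pinned
# port for its protocol, 1 on a mismatch or missing registration, and 2 if
# the services entries are missing or share one port.
check_mountd() {
    tcp=$(printf '%s\n' "$1" | pinned_port tcp)
    udp=$(printf '%s\n' "$1" | pinned_port udp)
    if [ -z "$tcp" ] || [ -z "$udp" ] || [ "$tcp" = "$udp" ]; then
        echo "mountd needs distinct tcp and udp entries in /etc/services"
        return 2
    fi
    printf '%s\n' "$2" | awk -v tcp="$tcp" -v udp="$udp" '
        $1 == 100005 {
            seen = 1
            want = ($3 == "tcp") ? tcp : udp
            if ($4 != want) {
                printf "mountd v%s %s is on port %s, expected %s\n", $2, $3, $4, want
                bad = 1
            }
        }
        END {
            if (!seen) { print "mountd is not registered with the portmapper"; exit 1 }
            exit (bad + 0)
        }'
}

# Sample data abbreviated from the outputs shown in Note 1 (not live output).
SERVICES='mountd 33333/tcp
mountd 33334/udp'
RPC_BEFORE='100005 1 udp 37395 mountd
100005 1 tcp 34095 mountd'
RPC_AFTER='100005 1 udp 33334 mountd
100005 1 tcp 33333 mountd'

check_mountd "$SERVICES" "$RPC_AFTER" && echo "mountd ports match /etc/services"
# Live use on the NFS server: check_mountd "$(grep mountd /etc/services)" "$(rpcinfo -p ms2112)"
```
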

Note 2

The rpc-mount service differs from the other service definitions in the following way. There is no associated protocol, because by definition it is UDP based. There is no source port.