Port Usage
The following table lists the ports that must be open between the xCAT management node and the nodes it manages, unless otherwise noted. The xCAT service nodes use the same ports as the management node. A service (or protocol) applies to both AIX and Linux unless stated otherwise. Service names are the typical strings that appear in the /etc/services file or in firewall/IP filtering logs. Local customization of the /etc/services file, daemon configuration options such as overriding the default port number, and differences between software implementations may yield different service names or port numbers.
Whether a port is required or optional is hard to state in general: depending on which xCAT functions you use, something listed here as optional may actually be required for your configuration. The Trusted side is behind the firewall; the Non-trusted side is in front of the firewall.
xCAT Port Usage Table
| Service Name | Port number | Protocol | Range | Required or optional |
|---|---|---|---|---|
| xcatdport | 3001 | tcp | | required |
| xcatdport | 3001 | udp | | required |
| xcatiport | 3002 | tcp | | required |
| xcatiport | 3002 | udp | | required |
| xcatlport | 3003 (default) | tcp | | optional |
| echo-udp | 7 | udp | | required |
| ssh-tcp | 22 | tcp | | required |
| ssh-udp | 22 | udp | | required |
| rsync | 873 | tcp | | required |
| rsync | 873 | udp | | required |
| domain-tcp | 53 | tcp | | optional |
| domain-udp | 53 | udp | | optional |
| bootps | 67 | udp | | required on AIX and p-linux |
| dhcp | 67 | tcp | | required on Linux, optional on AIX |
| dhcpc | 68 | tcp | | required on Linux, optional on AIX |
| bootpc | 68 | udp | | required on AIX |
| tftp-tcp | 69 | tcp | | required |
| tftp-udp | 69 | udp | | required |
| www-tcp | 80 | tcp | | required |
| www-udp | 80 | udp | | required |
| kerberos | 88 | tcp | | not supported/used by xCAT anymore |
| kerberos | 88 | udp | | not supported/used by xCAT anymore |
| sunrpc-udp | 111 | udp | | required on Linux statelite and AIX |
| shell | 514 | tcp | 1-1023 | optional |
| rsyslogd | 514 | tcp | | required on Linux |
| rsyslogd | 514 | udp | | required on Linux |
| kshell | 544 | tcp | 1-1023 | required on AIX |
| rmc-tcp | 657 | tcp | 1-1023 | required for RMC monitoring |
| rmc-udp | 657 | udp | 1-1023 | required for RMC monitoring |
| conserver | 782 | tcp | | required on the mgmt and service nodes |
| nim | 1058 | tcp | 1-1023 | required on AIX |
| nfsd-tcp | 2049 | tcp | 1-1023 | required on Linux statelite and AIX |
| nfsd-udp | 2049 | udp | 1-1023 | required on Linux statelite and AIX |
| pxe | 4011 | tcp | | required for Linux |
| rpc-mount | 100005 | see Note 2 | | required on Linux statelite and AIX |
| mount-tcp | see Note 1 | tcp | | required on Linux statelite and AIX |
| mount-udp | see Note 1 | udp | | required on Linux statelite and AIX |
| awk | 300 | tcp | | optional |
| ipmi | 623 | tcp | | required on x86_64 and p8 |
| ipmi | 623 | udp | | required on x86_64 and p8 |
| snmp | 161 | tcp | | required on Flex |
| snmp | 161 | udp | | required on Flex |
| snmptrap | 162 | tcp | | required for snmp monitoring |
| snmptrap | 162 | udp | | required for snmp monitoring |
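As an added example (editorial, not part of the xCAT documentation or the xCAT project), the following POSIX shell script audits what a management node is actually listening on against the rows of the table above that are marked plainly "required" (the platform-conditional rows are left out so the list is not wrong on any one platform). The socket listing is constructed sample data in the shape of `ss -Hlntu` output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not xCAT project code: audit a management node's listening
# sockets against the plain "required" rows of the xCAT port table.

# Rows of the table marked simply "required", one "proto port service" per
# line. Platform-conditional rows (dhcp, nfsd, ipmi, ...) are deliberately
# omitted; add the ones that apply to your platform.
xcat_required_ports() {
    cat <<'EOF'
tcp 3001 xcatdport
udp 3001 xcatdport
tcp 3002 xcatiport
udp 3002 xcatiport
udp 7 echo-udp
tcp 22 ssh-tcp
udp 22 ssh-udp
tcp 873 rsync
udp 873 rsync
tcp 69 tftp-tcp
udp 69 tftp-udp
tcp 80 www-tcp
udp 80 www-udp
EOF
}

# Constructed sample in the shape of `ss -Hlntu` (netid, state, recv-q,
# send-q, local address:port, peer address:port). On a live management node
# replace this function's output with the real listing: ss -Hlntu
sample_listeners() {
    cat <<'EOF'
tcp   LISTEN 0      128          0.0.0.0:3001       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:3001       0.0.0.0:*
tcp   LISTEN 0      128             [::]:3002          [::]:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5            0.0.0.0:873        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:69         0.0.0.0:*
tcp   LISTEN 0      511                *:80               *:*
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*
EOF
}

# Reduce an ss listing to "proto/port" tokens. The port is whatever follows
# the last ':' of the local address, which also copes with [::]:port and *:port.
listener_pairs() {
    awk 'NF >= 5 { n = split($5, a, ":"); print $1 "/" a[n] }'
}

# missing_required_ports <required rows> <ss listing>
# Prints one "proto/port service" line for every required row that has no
# listener. Exit status is 1 if anything is missing, 0 otherwise.
missing_required_ports() {
    have=$(printf '%s\n' "$2" | listener_pairs | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v have="$have" '
        BEGIN { n = split(have, h); for (i = 1; i <= n; i++) seen[h[i]] = 1 }
        NF == 3 && !(($1 "/" $2) in seen) { missing++; print $1 "/" $2, $3 }
        END { exit (missing > 0) }'
}

# Stand-alone run: report what the sample node is not listening on.
if missing_required_ports "$(xcat_required_ports)" "$(sample_listeners)"; then
    echo "all required ports have a listener"
else
    echo "(review the gaps listed above before opening firewall rules)"
fi
```

Expect the audit to report the UDP counterparts the table lists for ssh, rsync and www: the standard sshd, rsync and httpd daemons bind TCP only, so those rows are a per-site decision about firewall rules rather than listeners to fix. The non-xCAT listener on 3306 in the sample is ignored on purpose; the audit answers "what is required but absent", not "what is present but unexpected".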
xcatdport
The port used by the xcatd daemon for client/server communication.
xcatiport
The port used by xcatd to receive install status updates from nodes.
xcatlport
The port used by xcatd to record the command log. You can customize it by editing the site table; if it is not configured, 3003 is used by default.
echo-udp
Needed by RSCT Topology Services.
ssh-udp
Needed to use ssh. This service defines the protocol for udp. This is required when installing or when running updatenode, xdsh, xdcp, psh or pcp through the firewall.
rsync
Needed when updatenode or xdcp rsync files to the nodes or service nodes.
domain-tcp
Used when Domain Name Services (DNS) traffic from the Non-trusted nodes and the firewall node to a DNS server is explicitly handled by the firewall. Some firewall applications can be configured to explicitly handle all DNS traffic. This is for tcp DNS traffic.
domain-udp
Used when Domain Name Services (DNS) traffic from the Non-trusted nodes and the firewall node to a DNS server is explicitly handled by the firewall. Some firewall applications can be configured to explicitly handle all DNS traffic. This is for udp DNS traffic.
bootps
Bootp server port needed when installing a Non-trusted AIX or System p node through the firewall. This service is issued by the client to the Management Node for an install request. It is not required to install the Non-trusted nodes through the firewall or to apply maintenance, which is why the service is considered optional.
dhcp
Needed to install Linux nodes through the firewall. This is the port for the dhcp server. This service defines the protocol for tcp.
dhcpc
Needed to install Linux nodes through the firewall. This is the port for the dhcp client. This service defines the protocol for tcp.
bootpc
Bootp client port needed when installing a Non-trusted AIX or System p node through the firewall. This service is issued by the Management Node back to the client, in response to an install request from the client. It is not required to install the Non-trusted nodes through the firewall or to apply maintenance, which is why the service is considered optional.
tftp-tcp
Needed to install Linux nodes. This service defines the protocol for tcp.
tftp-udp
Needed to install Linux nodes. This service defines the protocol for udp.
www-tcp
Needed to use World Wide Web http. This service defines the protocol for tcp.
www-udp
Needed to use World Wide Web http. This service defines the protocol for udp.
kerberos
Kerberos Version 5 KDC. Needed if running Kerberos Version 5 remote command authentication. This service defines the protocol for tcp.
kerberos
Kerberos Version 5 KDC. Needed if running Kerberos Version 5 remote command authentication. This service defines the protocol for udp.
sunrpc-udp
The portmapper service. Needed when installing a Non-trusted node through the firewall, specifically for the mount request that takes place during node install.
shell
Used when rsh/rcp is enabled for the Standard (std) authentication protocol. Needed for xdsh operations when using rsh for remote commands.
rsyslogd
Used for system log monitoring. This is for tcp protocol.
rsyslogd
Used for system log monitoring. This is for udp protocol.
kshell
Used when rsh/rcp is enabled for Kerberos authentication. Not currently supported in xCAT.
nim
Network Installation Management client traffic generated by a Non-trusted node during node boot/shutdown. Required if using NIM. AIX only.
rmc-tcp
Resource Monitoring and Control (RMC) used for hardware monitoring, key exchange. This is for tcp protocol.
rmc-udp
Resource Monitoring and Control (RMC) used for hardware monitoring, key exchange. This is for udp protocol.
conserver
Required on the xCAT management node and service nodes. This service defines the protocol for tcp.
nfsd-tcp
Needed to use the AIX mount command. This service defines the protocol for tcp. Required when installing a Non-trusted node through the firewall. Needed when an installp is issued on a Non-trusted node and the resource exists on the Trusted side.
nfsd-udp
Needed to use the AIX mount command. This service defines the protocol for udp. Required when installing a Non-trusted node through the firewall.
pxe
Needed to install System x nodes through the firewall. This is the port for the PXE boot server. This service defines the protocol for tcp.
rpc-mount
Remote Procedure Call (RPC) used in conjunction with the NFS mount request. See Note 2.
ssh-tcp
Needed to use ssh. This service defines the protocol for tcp. This is required when installing or running updatenode through the firewall.
mount-tcp
Needed to use the AIX mount command. This service defines the protocol for tcp. Required when installing a Non-trusted node through the firewall. Needed when installp is issued on a Non-trusted node and the resource exists on the Trusted side. Needed to run the updatenode command. See Note 1.
mount-udp
Needed to use the AIX mount command. This service defines the protocol for udp. Needed when installp is issued on a Non-trusted node and the resource exists on the Trusted side. Needed to run the updatenode command. See Note 1.
awk
For awk communication during node discovery.
ipmi
For ipmi traffic.
snmp
For SNMP communication to blade chassis.
snmptrap
For SNMP communication to blade chassis.
Note 1 - AIX mount
On AIX, the mountd port is usually determined at the time of the mount request. Part of the communication flow within a mount command is to query the remote mountd server and find out which ports it is using. The mountd ports are selected dynamically each time the mountd server is initialized, so the port numbers vary from one boot to another, or whenever mountd is stopped and restarted.
Unfortunately, this causes a problem when used through a firewall, as no rule can be defined to handle traffic with a variable primary port. To create a service for mountd (server) traffic that has a fixed port, and one that can be matched by a rule, you need to update the /etc/services file on the host that is the target of the mount with new mountd entries for TCP and UDP, using port numbers that are known to be unused (free). The mountd TCP and UDP ports must be different. Any free port number is valid, but prefer values outside the ephemeral range the host hands out to outgoing connections, or the chosen port may already be in use when mountd restarts. rpc.mountd must be stopped and started to pick up the new port values.
For example, issuing a mount request on Non-trusted node X, whose target is the Management Server, that is,
mount ms2112:/images /images
would require that the /etc/services file on ms2112 be updated with something similar to the following:
mountd 33333/tcp
mountd 33334/udp
For mountd to detect its new port values you must stop and start rpc.mountd on the same host where the /etc/services mountd entries were changed. In the above example, ms2112's mountd is stopped and started. You can verify that mountd is using the new port definitions with the rpcinfo command.
This procedure shows how to change the ports used by mountd:
lssrc -s rpc.mountd
Produces output similar to:
Subsystem         Group            PID          Status
rpc.mountd        nfs              12404        active
Then
rpcinfo -p ms2112 | grep mount
Produces output similar to:
100005    1   udp  37395  mountd
100005    2   udp  37395  mountd
100005    3   udp  37395  mountd
100005    1   tcp  34095  mountd
100005    2   tcp  34095  mountd
100005    3   tcp  34095  mountd
Then
stopsrc -s rpc.mountd
Produces output similar to:
0513-044 The rpc.mountd Subsystem was requested to stop.
Update /etc/services with the new mountd entries.
Note: Make a backup copy of /etc/services before making changes.
grep mountd /etc/services
Produces output similar to:
mountd 33333/tcp
mountd 33334/udp
Then
startsrc -s rpc.mountd
Produces output similar to:
0513-059 The rpc.mountd Subsystem has been started. Subsystem PID is 19536.
Then
rpcinfo -p ms2112 | grep mount
Produces output similar to:
100005    1   udp  33334  mountd
100005    2   udp  33334  mountd
100005    3   udp  33334  mountd
100005    1   tcp  33333  mountd
100005    2   tcp  33333  mountd
100005    3   tcp  33333  mountd
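The final rpcinfo step above is where the procedure is most often done by eye. As an added example (editorial, not from the xCAT documentation), the following POSIX shell script makes that verification mechanical: it parses the output of `rpcinfo -p <host> | grep mount` and fails unless every mountd registration (RPC program 100005) sits on the fixed TCP and UDP ports, both protocols are registered, and the two ports differ. The two listings embedded below are constructed to match the before/after output shown in Note 1; the host name ms2112 and the ports 33333/33334 are the ones used there, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the xCAT documentation: confirm that rpc.mountd has
# registered the fixed ports set in /etc/services by parsing
# `rpcinfo -p <host> | grep mount` output.

# Before the /etc/services change: dynamic ports chosen at mountd start.
# (Constructed to match the Note 1 "before" listing.)
rpcinfo_before() {
    cat <<'EOF'
    100005    1   udp  37395  mountd
    100005    2   udp  37395  mountd
    100005    3   udp  37395  mountd
    100005    1   tcp  34095  mountd
    100005    2   tcp  34095  mountd
    100005    3   tcp  34095  mountd
EOF
}

# After the change and a stopsrc/startsrc of rpc.mountd.
# (Constructed to match the Note 1 "after" listing.)
rpcinfo_after() {
    cat <<'EOF'
    100005    1   udp  33334  mountd
    100005    2   udp  33334  mountd
    100005    3   udp  33334  mountd
    100005    1   tcp  33333  mountd
    100005    2   tcp  33333  mountd
    100005    3   tcp  33333  mountd
EOF
}

# check_mountd_ports <tcp port> <udp port> <rpcinfo -p output>
# Returns 0 when every mountd registration (RPC program 100005) for tcp is on
# <tcp port>, every udp registration is on <udp port>, both protocols are
# registered, and the two ports differ. Otherwise prints what is wrong and
# returns 1, so the check can gate a firewall rule reload.
check_mountd_ports() {
    tcp=$1
    udp=$2
    listing=$3
    if [ "$tcp" -eq "$udp" ]; then
        echo "mountd tcp and udp ports must differ (both $tcp)"
        return 1
    fi
    printf '%s\n' "$listing" | awk -v tcp="$tcp" -v udp="$udp" '
        $1 != "100005" { next }          # ignore other RPC programs
        $3 == "tcp" && $4 != tcp { bad++; print "tcp v" $2 " registered on " $4 ", expected " tcp }
        $3 == "udp" && $4 != udp { bad++; print "udp v" $2 " registered on " $4 ", expected " udp }
        { seen[$3] = 1 }
        END {
            if (!("tcp" in seen) || !("udp" in seen)) {
                bad++; print "mountd is not registered for both tcp and udp"
            }
            exit (bad > 0)
        }'
}

# Stand-alone run against the two constructed listings. Against a live AIX
# host the call would be:
#   check_mountd_ports 33333 33334 "$(rpcinfo -p ms2112 | grep mount)"
for state in before after; do
    if check_mountd_ports 33333 33334 "$(rpcinfo_$state)"; then
        echo "$state: mountd is on the fixed ports 33333/tcp and 33334/udp"
    else
        echo "$state: mountd ports are not as expected"
    fi
done
```

Run the check after every startsrc of rpc.mountd, and before re-enabling the firewall rule that depends on the fixed ports; a stale registration on a dynamic port is exactly the case the rule cannot match.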
Note 2
The rpc-mount entry differs from the other service definitions: 100005 is the RPC program number of mountd (as the rpcinfo output in Note 1 shows), not a TCP/UDP port. There is no associated protocol, because the request to the portmapper is by definition UDP based, and there is no source port.