Please fill in the protocol (http/https/ws... to determine whether it can pass through the ingress port) and the reason for the port being open (hybrid deployment needs access? external access client (kibana/gui...)?) in the table below, in preparation for removing some NodePorts in the run-up to using an Ingress controller.
Sync with Casablanca Unprotected Interfaces
TODO: add protocol to each port - to determine suitability for HTTP/HTTPS or multi-protocol proxy for ingress
NodePorts are used to allow client applications, that run outside of Kubernetes, access to ONAP components deployed by OOM.
A NodePort maps an externally reachable port to an internal port of an ONAP microservice.
It should be noted that the use of NodePorts is temporary. An alternative solution is currently being scoped for the Dublin Release.
But for now, this page is used to track NodePort assignments.
All ONAP project teams that have microservices that need to provide external access for clients must update this wiki page to reserve NodePorts and prevent ONAP deployment failures due to NodePort conflicts.
If a service is only accessed by other services within the same Kubernetes deployment (i.e. databases, backend services with no external northbound APIs) then please DO NOT reserve a NodePort, as they are a very limited resource. The service name and its internal port (<service name>.port) should be used instead (i.e. vid.8443).
To reserve a NodePort search the table below for the text "FREE_PORT".
If it is determined that an existing reservation is no longer required, please add the text "FREE_PORT" to indicate its availability.
Developer Checklist
Verify unused nodeports
Before using a particular nodeport - verify there is no conflict by deploying the entire system and checking services or the tables below.
Get the nodeport of a particular service
```shell
# human readable list
kubectl get services --all-namespaces | grep robot
# machine readable number
kubectl get --namespace onap -o jsonpath="{.spec.ports[0].nodePort}" services robot
```
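As an added example (not code from this wiki page or the OOM project), the conflict check from the checklist above applied to a service listing: it reports every NodePort claimed by more than one service and tells you whether a candidate port is free and inside the default NodePort range. The listing here is a constructed sample in the shape produced by the `kubectl ... -o jsonpath` command named in the comments; in a real cluster, pipe that command's output in instead.

```shell
# Added example, not code from the OOM wiki or the ONAP project.
# Each input line is "<namespace> <service> <nodePort>...", the shape produced by
#   kubectl get services --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.ports[*].nodePort}{"\n"}{end}'
# Services without a NodePort (ClusterIP only) yield no ports and are skipped.

# Constructed sample listing (not real cluster output); 30221 is claimed twice.
SAMPLE_SERVICES='onap robot 30209
onap vid 30200
onap aai 30232 30233
onap sdnc 30267 30246
onap policy-drools 30221
onap clamp 30221
onap so-mariadb'

# Print "port: ns/svc ns/svc ..." for every NodePort used by more than one service.
# A non-empty result means the deployment would fail with a NodePort conflict.
nodeport_conflicts() {
  printf '%s\n' "$1" | awk '
    NF > 2 { for (i = 3; i <= NF; i++) { users[$i] = users[$i] " " $1 "/" $2; count[$i]++ } }
    END { for (p in count) if (count[p] > 1) print p ":" users[p] }' | sort
}

# Succeed only if the candidate port is numeric, inside the default Kubernetes
# NodePort range (30000-32767) and not used by any service in the listing.
nodeport_is_free() {
  port="$1"
  case "$port" in
    *[!0-9]*|'') return 1 ;;
  esac
  [ "$port" -ge 30000 ] && [ "$port" -le 32767 ] || return 1
  printf '%s\n' "$2" | awk -v p="$port" '
    NF > 2 { for (i = 3; i <= NF; i++) if ($i == p) found = 1 }
    END { exit found ? 1 : 0 }'
}

# Stand-alone run: report the conflicts present in the sample listing.
nodeport_conflicts "$SAMPLE_SERVICES"
```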
Node Port Reservations 302 prefix
Component (sortable) | Pod | Service name | Protocol http/https/ws... | Node Port | Internal Port | Reason for exposure outside of the internal DNS service name access |
---|---|---|---|---|---|---|
vid | vid | 30200 | 8443 | |||
FREE_PORT | 30201 | 8843 | ||||
sdnc / ccsdk | ccsdk/oran/a1-policy-management-service | http https | 30093 30094 | 9080 9081 | Used to access the A1 Policy Management service API - used in different ONAP & OSC deployments - including external rApp/client/portal access. See ONAP/3GPP & ORAN Alignment: A1 Adapter extensions (Guilin) | |
sdnc | sdnc | 8282 | http port, removed in El Alto. Instead, users should use https node port 30267 | |||
sdnc | sdnc-dgbuilder | 30203 | 3000 | |||
sdc | sdc-be | 30204 | 8443 | |||
sdc | sdc-be | 30205 | 8080 | |||
sdc | sdc-fe | 30206 | 8181 | |||
sdc | sdc-fe | 30207 | 9443 | |||
appc | appc | 8282 | removed in Frankfurt | |||
robot | robot | 30209 | 88 | u:p test:test | ||
aai | aai-modelloader | 30210 | 8080 | |||
appc | appc | 30211 | 9090 | |||
portal | portal-sdk | 30212 | 8443 | |||
portal | portal-app | 30225 | 8443 | |||
policy | policy brmsgw | 30216 | 9989 | |||
policy | drools (dup?) | 30217 | 6969 | |||
policy | pap | 30218 | 9091 | |||
policy | pap | 30219 | 8443 | |||
aai | aai-sparky-be | 30220 | 9517 | |||
policy | drools (dup?) | 30221 | 9696 | |||
dcae | DCAEGEN2 | hv-ves xdcae-hv-ves-collector | 30222 | 6061 | ||
dcae | DCAEGEN2 | 30223 | Reserved for future DCAEapp (12/30 - dcae-datafile-collector usage on this port is removed since El-Alto) | |||
so | so-monitor | 30224 | 9091 | |||
portal | portal-app (ssl) | 30225 | 8443 | |||
dmaap | message-router | 30226 | 3905 | |||
dmaap | message-router | 30227 | 3904 | |||
appc | appc-dgbuilder | 30228 | 3000 | CAUTION2: There might be blanks in following data. | ||
aai | aai-modelloader | 30229 | 8443 | CAUTION2: There might be blanks in following data. | ||
appc | appc | 30230 | 8443 | |||
appc | appc | 30231 | 1830 | |||
aai | aai | 30232 | 8080 | |||
aai | aai | 30233 | 8443 | |||
pomba | pomba-kibana | https | 30234 | 5601 | ||
dcae | xdcae-ves-collector | 30235 | 8080 | |||
policy | nexus | 30236 | 8081 | |||
policy | policy-apex-pdp | 30237 | 12345 | |||
aai | aai-graphgraph | 30238 | 8453 | |||
aai | aai-spike | 30239 | 9518 | |||
pomba | pomba-context-builder | 30240 | 9530 | |||
dmaap | dmaap-bc | 30241 | 8080 | |||
dmaap | dmaap-bc | 30242 | 8443 | |||
aaf | aaf-sms | 30243 | 10443 | |||
aaf | aaf-sms-db | 30244 | 8200 | CAUTION2: There might be blanks in following data. | ||
sdnc | sdnc | 30246 | 8280 | Appears to be no longer needed - investigating | ||
dcae | dcae datafile collector | 30245 | 8100 | |||
aaf | aaf-service | 30247 | 8100 | |||
oof | oof-osdf | 30248 | 8698 | |||
pomba | pomba-data-router | 30249 | 9502 | |||
appc | appc-cds | 30250 | 80 | |||
aaf | aaf-gui | 30251 | 8200 | |||
so | so-mariadb | 30252 | 3306 | |||
log | log-kibana | http | 30253 | 5601 | external access from client application | |
log | log-es | http | 30254 | 9200 | external ELK stack for hybrid deployment | |
log | log-ls | http | 30255 | 5044 | external ELK stack for hybrid deployment | |
sdc | sdc-wfd-fe | 30256 | 8080 | |||
sdc | sdc-wfd-be | 30257 | 8080 | |||
policy | clamp | 30258 | 2443 | |||
dmaap | dmaap-dr-prov | http | 30259 | 8080 | external access for multi-site/cluster comms | |
cli | cli | 30260 | 8080 | |||
multicloud | multicloud-azure | 30261 | 9008 | https://gerrit.onap.org/r/#/c/68647/ | ||
dcae | dcae datafile collector | 30262 | 8433 | |||
sdc | sdc-dcae-fe | 30263 | 8183 | |||
sdc | sdc-dcae-fe | 30264 | 9444 | |||
sdc | sdc-dcae-dt | 30265 | 8186 | |||
sdc | sdc-dcae-dt | 30266 | 9446 | |||
sdnc | sdnc | 30267 | 8443 | https port, used for access to OpenDaylight REST interface | ||
aai | aai-crud-service (gizmo) | 30268 | 9520 | |||
dmaap | dmaap-dr-prov | https | 30269 | 8443 | external access for multi-site/cluster comms | |
consul | consul-server-ui | 30270 | 8500 | |||
cli | cli | 30271 | 9090 | |||
sdnc | SDNC GEO (mysql) | 30272 | ||||
sdnc | SDNC GEO (mysql) | 30273 | ||||
nbi | nbi | 30274 | 8443 | |||
oof | oof-has-api | 30275 | 8091 | |||
oof | oof-has-music | 30276 | 8080 | |||
so | so | 30277 | 8080 | see also https://gerrit.onap.org/r/#/c/72433/2 | ||
aai | aai-champ | 30278 | 9522 | |||
aai | aai-babel | 30279 | 9516 | |||
msb | msb-iag | 30280 | 80 | |||
msb | msb-discovery | 30281 | 10081 | |||
msb | msb-eag | 30282 | 80 | |||
msb | msb-iag | 30283 | 443 | |||
msb | msb-eag | 30284 | 443 | |||
msb | msb-consul | 30285 | 8500 | |||
dcae | dcae-redis | 30286 | 6379 | |||
dcae | dcae-redis | 30287 | 16379 | |||
sniro | sniro-emulator | 30288 | 80 | |||
appc | appc-cdt | 30289 | 18080 | |||
clamp | cdash-kibana | 30290 | 5601 | |||
multicloud | multicloud | 30291 | 9001 | No more such nodePort for multicloud | ||
holmes | holmes-rule-mgmt | 30292 | ||||
holmes | holmes-rule-mgmt | 30293 | ||||
multicloud | multicloud-windriver | 30294 | 9005 | No more such nodePort for multicloud | ||
clamp | clamp | 30295 | 8080 | |||
multicloud | multicloud-pike | 30296 | 9007 | No more such nodePort for multicloud | ||
vnfsdk | refrepo | 30297 | 8702 | |||
log | LOG demo target | 30298 | 8080 | |||
pomba | pomba-networkdiscovery | REST | 30299 | 8080 | ||
vvp | vvp | ? | ? | |||
uui | uui | 30398 | 8080 | may be a typo with 30298 - currently using 398 as of 20181125 | ||
uui | uui-server | 30399 | 8082 | |||
Note: there is ROOM above 31100 | | | | | | |
modeling | modeling-etsicatalog | 30301 | 8806 | |||
music | music-api | 30304 | 8443 | music-api | ||
Note: IF POSSIBLE leave 31104-31109 open | | | | | | |
aaf | aaf-service | https/REST(json|xml) | 31110 | 8100 | AAF Main Service | |
aaf | aaf-locator | https/REST(json|xml) | 31111 | 8095 | AAF Locator | |
aaf | aaf-oauth | https/REST(json|xml) | 31112 | 8140 | AAF OAuth2 access | |
aaf | aaf-gui | https/REST(json|xml) | 31113 | 8200 | AAF GUI | |
aaf | aaf-cm | https/REST(json|xml) | 31114 | 8150 | AAF Certificate Manager | |
aaf | aaf-fs | http (Note: Fileserver for CRLs, etc) | 31115 | 8096 | AAF File Server | |
aaf | aaf | HOLD for Future | 31116 31117 31118 | Future AAF Services | ||
aaf | aaf-hello | https/REST(json|xml) | 31119 | 8130 | AAF Hello Sample | |
appc | appc | HOLD for Future | 31200 31201 31202 31203 | |||
oof | optf-model-api | https/REST(json) | 31204 | 8698 | optf model, execution engine. | |
cps | cps | https/REST(json) | 31205 | 8080 | CPS RESTService | Only from Honolulu Release | |
cps-xNf | cps-xNf | https/REST(json) | 31206 | 8080 | CPS xNF RESTService | Only from Honolulu Release |
Node Port Reservations (304 node port prefix range)
This table is for documenting node ports that are reserved outside of a typical ONAP deployment.
Even though the ports listed below may appear in ONAP Helm Charts, they are not used at runtime unless enabled through configuration.
For example, there may be a need to reserve node ports (even temporarily) for use in POC or for demo code, that currently exists in the ONAP codebase.
Component (sortable) | POD | Service name | Protocol (rest/multi-protocol) | Node Port | Internal Port | ||
---|---|---|---|---|---|---|---|
dcae | dcae-pnda-mirror (note: the bootstrap pod NodePort is named mirror) | 30400 | 80 | ||||
vfc | vfc-nslcm | 30403 | 8403 | vfc-nslcm-port | |||
vfc | vfc-vnflcm | 30411 | 8801 | vfc-vnflcm-port | |||
vfc | vfc-generic-vnfm-driver | 30480 | 8484 | vfc-generic-vnfm-driver | |||
vfc | vfc-redis | 30481 | 8804 | vfc-redis-http-port1 | |||
vfc | vfc-redis | 30482 | 6379 | vfc-redis-http-port2 | |||
vfc | vfc-db | 30483 | 3306 | vfc-db-port | |||
so | so-bpmn-infra | 30404 | 8081 | so-bpmn-port | |||
so | so-bpmn-infra | 30405 | 5005 | so-bpmn-debug | |||
so | so-vnfm-adapter | 30406 | 9092 | ||||
dcae | DCAEGEN2 | xdcae-tca-analytics | 30410 | 11011 | |||
dcae | DCAEGEN2 | 30413 | 8100 | DCAE BBE-ep | |||
dcae | DCAEGEN2 | 30414 | 10443 | DCAE Config Binding Service (https) | |||
dcae | DCAEGEN2 | 30415 | 10000 | DCAE Config Binding Service (http) | |||
dcae | DCAEGEN2 | 30416 | 8080/8687 | DCAE RESTConf collector Service | |||
dcae | DCAEGEN2 | 30417 | 8443 | DCAE VESCollector - Https | |||
dcae | DCAEGEN2 | 30418 | 8080 | DCAE Dashboard (http) | |||
dcae | DCAEGEN2 | 30419 | 8443 | DCAE Dashboard (https) | |||
? | Netbox UI | 30420 | 8080 | ||||
sdc | sdc-wfd-fe | 30431 | 8443 | https://gerrit.onap.org/r/#/c/87116/ | |||
policy | policy-api | 30440 | 6969 | https://gerrit.onap.org/r/#/c/79318/ | |||
policy | policy-xacml-pdp | 30441 | 6969 | https://gerrit.onap.org/r/#/c/81977/ | |||
policy | policy-pap | 30442 | 6969 | ||||
log | log-demonode0 | 30453 | 8080 | ||||
log | log-demonode1 | 30454 | 8080 | ||||
log | log-demonode2 | 30455 | 8080 | ||||
log | log-es SSL | 30456 | |||||
log | log-kb SSL | 30457 | |||||
log | log-ls SSL | 30458 | |||||
sdnc | SDNC GEO | 30461 | |||||
sdnc | SDNC GEO | 30462 | |||||
sdnc | SDNC GEO | 30463 | |||||
sdnc | SDNC GEO | 30464 | |||||
sdnc | SDNC GEO | 30465 | |||||
sdnc | SDNC GEO | 30466 | |||||
dcae | DCAEGEN2 | 30470 | 162 | Snmptrap (test purpose) | |||
dcae | DCAEGEN2 | 30471 | Reserved | ||||
dcae | DCAEGEN2 | 30472 | Reserved | ||||
dcae | DCAEGEN2 | 30473 | 8080 | DCAE MOD UI (HTTP) for Frankfurt release | |||
dcae | DCAEGEN2 | 30474 | 8443 | Reserved for DCAE MOD UI (HTTPs) post Frankfurt release | |||
dcae | MUSIC | 30475 | |||||
dcae | MUSIC | 30476 | 8080 | ||||
dcae | MUSIC | 30477 | |||||
dcae | Datalake-admin-ui | 30479 | 80 | Datalake configuration portal. | |||
dcae | Datalake-feeder | 30408 | 1680 | Datalake control and exposure APIs. | |||
multicloud | multicloud-starlingx | 30485 | 9009 | ||||
multicloud | multicloud-thinkcloud | 30486 | 9010 | ||||
multicloud | multicloud-fcaps | 30487 | 9011 | ||||
multicloud | multicloud-artifactbroker | 30488 | 9014 | ||||
multicloud | multicloud-tentative | 30489 | |||||
multicloud | multicloud-k8s | 30498 | 9015 | ||||
dmaap | DMaap tentative | 30490 | https://lists.onap.org/g/onap-discuss/topic/new_nodeports_for_the_dmaap/29582628?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,29582628 | ||||
dmaap | DMaap tentative | 30491 | |||||
dmaap | DMaap tentative | 30492 | |||||
dmaap | dmaap-dr-node | http | 30493 | 8080 | external access for multi-site/cluster comms | ||
dmaap | dmaap-dr-node | https | 30494 | 8443 | external access for multi-site/cluster comms | ||
multicloud | multicloud-service-assurance | 30495 | 9009 | Only from Dublin Release | |||
multicloud | multicloud-service-assurance (tentative) | 30496 | 9010 | Only from Dublin Release | |||
cds | cds-ui | 30497 | 3000 | Dublin onwards. | |||
cds | blueprint-processor | 30499 | 8080 | Dublin onwards. | |||
awx | awx-web | 30478 | 80 | Dublin onwards. |
This port does not seem to be configurable from a Helm Chart.
Mike Elliott will raise issue to see if it can be made configurable within either the 302 or 304 ranges.
25 Comments
Hao Kuang
Hi, what's the process of adding a new TargetPort under SDNC? Do we just pick 30300 after 30299 (AFF) directly?
Beili Zhou
Hao Kuang there are unused ports in 302xx, such as 30246 - 30249, 30259 - 30259, etc. We shall just pick one of those 302 prefix numbers. As they are available, it would be easier for the sdnc deployment yaml file.
Hao Kuang
Yeap, I understand this and I am not sure of the reason that some of the numbers are not used between 30200 - 30299. And also, do we have to apply to someone for a number or just pick an unused one and then update this page?
Mandeep Khinda
The range thing is sort of an artificial requirement to separate "instances" of OOM on the same physical box. I would just go through the range and find the first unused port. I think 30221 was available.
K8s can auto-pick nodeports for you if you leave it out but the first crack at this used pre-determined ports so that operators could control firewall rules for security reasons. There are probably better ways of handling external access into the K8s cluster that need to be explored!
Hao Kuang
Yeap, you are right.
Thanks for the info. So we are going to use 30221 temporarily
Alexis de Talhouët
No, please don't use 30221, I have a patch outstanding using it, see https://gerrit.onap.org/r/#/c/25547/3/kubernetes/policy/templates/all-services.yaml
Hao Kuang
Sure. You may need to update this wiki like 30221 (Code is being reviewed=> https://gerrit.onap.org/r/#/c/25547/3/kubernetes/policy/templates/all-services.yaml). I will choose 30246.
Rahul G
AAI UI does not seem to have an external port?
http://aai.api.simpledemo.onap.org:9517/services/aai/webapp/index.html#/viewInspect
Is there a way to configure it in an ONAP installation? We want to access the ONAP portal outside of VNC.
Michael O'Brien
as of 20180910
onap aai-sparky-be NodePort 10.43.52.5 <none> 9517:30220/TCP
Michael O'Brien
reserved the 3rd last nodeport remaining on 302nn - https://lists.onap.org/g/onap-discuss/topic/oom_nodeport_30258_unused/23746671?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,23746671
30258 for the log demo RI service
Michael O'Brien
gave 30258 to clamp - see https://lists.onap.org/g/onap-discuss/topic/oom_helm_install_local_onap/25193376?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,25193376 and OOM-1364
Priyanshu Agarwal
How to reserve ports in range of 304nn and make it work in ONAP environment?
I tried reserving ports here, but in the ONAP deployment the default ONAP prefix of 302nn replaced my custom prefix and the pod failed on startup.
Michael Arrastia
We are trying to create a Helm Chart for the new AAI Spike microservice. We need to allocate a nodePort in the range 302 but this is now exhausted. By chance we have come across an unused port 77 reserved for OOF-HAS-2. Please could we use port 77 if it is not needed for OOF? Thank you.
Michael O'Brien
That 77 port is reserved for OOF - you will likely need to get the next one in 304xx
OOM-1366
Michael O'Brien
Mike, 302 ports are free now - see https://lists.onap.org/g/onap-discuss/topic/spike_nodeportprefix/25502174?p=,,,20,0,0,0::recentpostdate%2Fsticky,,,20,2,0,25502174
Michael O'Brien
Ports are OK after clamp fix
1 hour (both sets of DCAEGEN2 secondary orchestration went through) - on a 256G single AWS VM (with override - Cloud Native Deployment#Changemax-podsfromdefault110podlimit)
Michael O'Brien
20180906:1200 port status - with 58 to 77 fix for SO-984
Michael O'Brien
USECASEUI-149
Michael O'Brien
Jonathan,
Noticed your 311xx nodeports – do you really want all of these? You already have allocations for some of your ports in the 302 port range – at least gui and service; db usually is not exposed externally – this would leave just locator, oauth and cm needing ports.
Unless you would like to free up the older 302 ports under aaf and use the new 311 prefix exclusively.
Also could you post the jira or patch when it comes up for the ports so we can cross-reference – thank you
/michael
Service name | Node Port | Internal Port | Reason
---|---|---|---
aaf-sms | 30243 | 10443 |
aaf-sms-db | 30244 | 8200 |
aaf-service | 30247 | 8100 |
aaf-gui | 30251 | 8200 |
Note: there is ROOM above 31100 | | |
aaf-locator | 31100 | 8095 | AAF Locator
aaf-service | 31101 | 8100 | AAF Main Service
aaf-oauth | 31101 | 8130 | AAF OAuth2 access
aaf-gui | 31102 | 8200 | AAF GUI
aaf-cm | 31103 | 8150 | AAF Certificate Manager
Note: IF POSSIBLE leave 31104-31109 open | | |
Jack Lucas
I'm looking to reserve a single port for the DCAEGEN2 config binding service, which needs to be externalized for multi-site operation. The instructions say to search for "FREE_PORT", but there aren't any ports marked as "FREE_PORT". The first table is "Node Port Reservations 302 prefix", but it also has ports in the 303 and 311 ranges. I'm confused. What is the available port range, and how should I reserve a port? I'm guessing that maybe 30302 is available or 31110, but I'm not sure.
Vijay Venkatesh Kumar
30415-30417 looked open; assigned for DCAE. CBS could use one of them in Dublin (pls update the corresponding row)
Priyanshu Agarwal
Hi Michael O'Brien, Borislav Glozman,
We would need to reserve 2 more ports for HTTPS connections on the sdc-wfd-be and sdc-wfd-fe pods. All the existing nodeports for sdc are from the 302 prefix, but now I see none of the ports in the 302 range seem available. Is it ok to reserve some ports from the 304 range and some from the 302 range for such a use case?
Eric Debeau
I believe that we should reduce the number of NodePorts and accept NodePort only when some criteria are respected.
Alignment with Security committee is also important.
Michael O'Brien
conflict resolution required for 30286 in https://jira.onap.org/browse/MULTICLOUD-594
Ilana Paktor
Borislav Glozman and Michael O'Brien
I am adding the updates to support https for the wfd-be and wfd-fe and need ports for https. See https://gerrit.onap.org/r/c/oom/+/98535
Please let me know what I can use and whether it should go into a different range?