Applies To
- Zenoss Resource Manager 5.x
Tested On
- Zenoss Resource Manager 5.x
This article describes the network ports and protocols that must be enabled for a Zenoss 5.x instance with Control Center to function properly. The exact requirements for a specific Zenoss installation depend on how its components are distributed and/or replicated from the Zenoss master server, and what classes of devices are being monitored. In most cases, the port numbers used by Zenoss daemons are set by their configuration file(s) in $ZENHOME/etc, although some monitoring templates use a configuration property to specify the target port on monitored devices.
Note that the ports listed in this document do not include ports for additional services/daemons beyond the default set. When additional services or daemons are added to extend Resource Manager capabilities, administrators must identify any additional ports that may need to be opened.
Procedure
Docker and firewalld Start Order
Because Docker adds a set of netfilter NAT rules for the Docker subnet and port forwards for the isvcs containers, the startup order for firewalld and Docker is important. If the order is incorrect, Docker might not function correctly. Perform the following steps to set the correct startup order:
- On each delegate, edit the file:
/lib/systemd/system/docker.service
- Add the following two configuration parameters, each on its own line, to the systemd [Unit] section of the file:
After=firewalld.service
PartOf=firewalld.service
Note: Because serviced is dependent on firewalld, the second line is required to trigger Docker to restart if firewalld is restarted.
- Save and exit the file.
- Restart the delegate.
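The check below is an added example, not part of the original Zenoss article. It audits one or more unit files (the unit plus any drop-ins) for the two directives from the steps above, and catches the cases where they sit outside the [Unit] section or were pasted onto a single line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: offline audit of unit files for the ordering directives above.
# Function names are hypothetical; pass whichever unit files apply on the delegate.

# unit_lists KEY VALUE FILE...
# Succeeds if KEY= inside a [Unit] section of any FILE lists VALUE.
unit_lists() {
    ul_key=$1; ul_want=$2; shift 2
    awk -v key="$ul_key" -v want="$ul_want" '
        FNR == 1       { in_unit = 0 }            # each file starts outside any section
        /^[ \t]*[#;]/  { next }                   # comment lines
        /^[ \t]*\[/    {                          # section header; names are case-sensitive
            in_unit = ($0 ~ /^[ \t]*\[Unit\][ \t]*$/); next
        }
        in_unit {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            if (k != key) next
            n = split(v, units, /[ \t]+/)         # value is a space-separated unit list
            for (i = 1; i <= n; i++) if (units[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# check_docker_ordering FILE...
# Prints each missing directive; returns 0 only when both are present.
check_docker_ordering() {
    rc=0
    for directive in After PartOf; do
        if ! unit_lists "$directive" firewalld.service "$@"; then
            echo "missing in [Unit]: ${directive}=firewalld.service"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_docker_ordering /lib/systemd/system/docker.service
```

On a running delegate, `systemctl show docker -p After -p PartOf` reports the values systemd actually loaded.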
Verify firewalld and NAT Port Forwarding
Issue the following command to verify that firewalld is active:
systemctl status firewalld
Issue the following command to verify the containers have NAT port forwards:
curl http://127.0.0.1:4242
Note: serviced and docker may need to be restarted after each change in firewall configuration.
Docker Container Traffic
All traffic must be enabled between a host and the Control Center / Resource Manager Docker containers. The most expedient means of accomplishing this is to allow all traffic on the subnet used by Docker. For example, if the default subnet of 172.17.0.0/16 is in use and firewalld is employed as the firewall, the following command will allow all traffic between Docker containers and the host:
firewall-cmd --permanent --zone=[zone in use, for example 'internal'] --add-source=172.17.0.0/16
The following diagram illustrates traffic between Control Center and Resource Manager hosts: