---
 pve-firewall.adoc | 9 ++++++---
 pvecm.adoc        | 6 +++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index f59c302..ca8acfe 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -426,7 +426,7 @@ following traffic is still allowed for all {pve} hosts in 
the cluster:
 * TCP traffic from management hosts to port 3128 for connections to the SPICE
   proxy
 * TCP traffic from management hosts to port 22 to allow ssh access
-* UDP traffic in the cluster network to port 5404 and 5405 for corosync
+* UDP traffic in the cluster network to ports 5405 and following ports for 
corosync. If you have setup redundant links, corosync port for each link is 
UDP/5405+linknumber [0-7]
 * UDP multicast traffic in the cluster network
 * ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
   (Time Exceeded)
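Review bot: The corosync bullet sits in the list of traffic that "is still allowed for all {pve} hosts in the cluster", so it describes what the firewall's default rules accept, not only what corosync needs. Please confirm the default ruleset really accepts UDP 5405 through 5412 and no longer 5404, otherwise the documentation and the enforced rules diverge. If it does, state the range explicitly instead of "ports 5405 and following ports", write "set up" rather than "setup", and wrap the text with the same continuation indent the neighbouring bullets use.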
@@ -628,13 +628,16 @@ corresponding link local addresses.  (See the
 Ports used by {pve}
 -------------------
 
-* Web interface: 8006 (TCP, HTTP/1.1 over TLS)
+* Web interface: 8006 (TCP, HTTP/1.1 over TLS). Also needs to be open between 
nodes in a cluster, to allow operations in the web UI.
 * VNC Web console: 5900-5999 (TCP, WebSocket)
 * SPICE proxy: 3128 (TCP)
 * sshd (used for cluster actions): 22 (TCP)
+
+NOTE: You can run sshd on a non-standard port if you set this port in both the 
SSH client and server config, on all cluster nodes.
+
 * rpcbind: 111 (UDP)
 * sendmail: 25 (TCP, outgoing)
-* corosync cluster traffic: 5404, 5405 UDP
+* corosync cluster traffic: 5405 (UDP) and following ports. If you have setup 
redundant links, corosync port for each link is UDP/5405+linknumber [0-7]
 * live migration (VM memory and local-disk data): 60000-60050 (TCP)
 
 ifdef::manvolnum[]
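Review bot: The NOTE added after the sshd bullet has a blank line on each side, which ends the bullet list there and starts a second list at rpcbind. Attach it to the sshd item with a list continuation, or move it below the list. The note would also be more useful if it named the client and server settings it refers to. In the corosync bullet, "5405 (UDP) and following ports" is open-ended for a port reference: with link numbers 0-7 the range is 5405-5412, so give that range.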
diff --git a/pvecm.adoc b/pvecm.adoc
index 0b1857e..07a8a66 100644
--- a/pvecm.adoc
+++ b/pvecm.adoc
@@ -58,8 +58,7 @@ Grouping nodes into a cluster has the following advantages:
 Requirements
 ------------
 
-* All nodes must be able to connect to each other via UDP ports 5404 and 5405
- for corosync to work.
+* All nodes must be able to connect to each other via UDP ports 5405 and 
following ports for corosync to work. If you have setup redundant links, 
corosync port for each link is UDP/5405+linknumber [0-7].
 
 * Date and time must be synchronized.
 
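Review bot: The requirement now drops port 5404 unconditionally, yet the CAUTION further down in pvecm.adoc still tells readers they can set the transport to `udp` or `udpu`. If those legacy transports still need 5404, say so here or scope the sentence to the default Kronosnet transport. "ports 5405 and following ports" should also be written as the concrete range that link numbers 0-7 produce (5405-5412), and "setup" as a verb should be "set up".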
@@ -524,7 +523,7 @@ be generated - no manual action is required.
 
 NOTE: Corosync used Multicast before version 3.0 (introduced in {pve} 6.0).
 Modern versions rely on https://kronosnet.org/[Kronosnet] for cluster
-communication, which, for now, only supports regular UDP unicast.
+communication, which, for now, only supports regular UDP unicast. More 
advanced information about Kronosnet can be found in 
http://people.redhat.com/ccaulfie/docs/KnetCorosync.pdf[KnetCorosync.pdf].
 
 CAUTION: You can still enable Multicast or legacy unicast by setting your
 transport to `udp` or `udpu` in your 
xref:pvecm_edit_corosync_conf[corosync.conf],
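Review bot: The added KnetCorosync.pdf link uses plain `http://` while the Kronosnet link in the same NOTE uses `https://`. Please check whether the document is served over https and link that instead. The target is a PDF in a personal directory on people.redhat.com, so a more stable location, if one exists, would be preferable for long-lived documentation.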
@@ -885,6 +884,7 @@ pvecm status
 
 If you see a healthy cluster state, it means that your new link is being used.
 
+NOTE: If you experience communication problems, please check your firewall 
setup. With PVE 6.x+ and the introduction of Corosync3/Kronosnet, Corosync uses 
one port for each link, starting with port 5405. So the port number for each 
link is UDP/5405+linknumber [0-7].
 
 Role of SSH in {pve} Clusters
 -----------------------------
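Review bot: The new NOTE writes "PVE 6.x+" and "Corosync3/Kronosnet" where the rest of the file uses the `{pve}` attribute and spells out "Corosync ... version 3.0", so please align it with that wording. The sentence about UDP/5405+linknumber now appears in four places across the two files with slightly different phrasing. Consider stating it once in the ports list of pve-firewall.adoc and pointing to it from here with an xref, so a later change only has to be made in one place.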
-- 
2.30.2

