Security

Port information in this section applies only to Control Center. See the documentation for your application for additional port requirements.

During installation, Control Center has no knowledge of the port requirements of the applications it is to manage, so the installation procedure includes disabling the firewall. After both Control Center and an application are installed, you can re-enable the firewall and close the ports that neither of them uses.

Control Center includes a virtual multiplexer (mux) that performs the following functions:
  • Aggregates the UDP and TCP traffic among the services it manages. The aggregation is opaque to services, and mux traffic is encrypted when it travels among containers on remote hosts. (Traffic among containers on the same host is not encrypted.)
  • Along with the distributed file system, enables Control Center to quickly deploy services to any pool host.
  • Reduces the number of open ports required on a Control Center host to a predictable set.

The following figure identifies the ports that Control Center requires. All traffic is TCP. Except for port 4979, which is fixed, all port numbers are configurable.

Figure 1. Port requirements for Control Center hosts

Control Center relies on the system clock to synchronize its actions, and indirectly on NTP to synchronize clocks among multiple hosts. In the default configuration of ntpd, the firewalls of master and delegate hosts must allow inbound UDP traffic on port 123.
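The following is an added example, not part of the Control Center installer or its documentation. It shows how an operator can re-enable firewalld after installation and open only the ports the documentation requires, given as "port/proto" entries. It assumes a RHEL or CentOS host with firewalld and systemd; only 4979/tcp (the fixed Control Center port) and 123/udp (ntpd) come from this page, and every other entry must be taken from Figure 1 and from your application's own port requirements. The plan function prints the commands so that they can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example for re-enabling the firewall after Control Center installation.
# Assumes firewalld and systemd (RHEL/CentOS). Port list is supplied by the
# operator; 4979/tcp and 123/udp are the only values taken from the documentation.

# Print the commands needed to re-enable firewalld and open each
# "port/proto" argument in the permanent configuration. Rejects entries
# that are not of the form NUMBER/tcp or NUMBER/udp.
cc_firewall_plan() {
    printf '%s\n' "systemctl enable --now firewalld"
    for entry in "$@"; do
        case "$entry" in
            [0-9]*/tcp|[0-9]*/udp) ;;
            *) printf 'bad port spec: %s (want NUMBER/tcp or NUMBER/udp)\n' "$entry" >&2
               return 1 ;;
        esac
        printf '%s\n' "firewall-cmd --permanent --add-port=$entry"
    done
    printf '%s\n' "firewall-cmd --reload"
}

# Run the planned commands one by one, echoing each before it executes,
# and stop at the first failure.
cc_firewall_apply() {
    cc_firewall_plan "$@" | while IFS= read -r cmd; do
        printf '+ %s\n' "$cmd"
        sh -c "$cmd" || exit 1
    done
}

# Example invocation (guarded so that sourcing this file changes nothing):
#   CC_APPLY=1 sh this-script.sh
# Add the ports from Figure 1 and from your application's documentation
# after the two entries taken from this page.
if [ "${CC_APPLY:-0}" = 1 ]; then
    cc_firewall_apply 4979/tcp 123/udp
fi
```

Run the plan function first and compare its output with Figure 1 and the application's port list; once the list is complete, apply it. Ports that are not listed stay closed, which is the point of the post-installation lockdown.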

Additional requirements and considerations

  • To install Control Center, you must log in as root, or as a user with superuser privileges.
  • Access to the Control Center browser interface requires a login account on the Control Center master host. Pluggable Authentication Modules (PAM) is supported. By default, users must be members of the wheel group. The default group may be changed by setting the SERVICED_ADMIN_GROUP variable, and the replacement group does not need superuser privileges.
  • The serviced startup script sets the hard and soft open files limit to 1048576 for the serviced process. The script does not modify the /etc/sysconfig/limits.conf file, so this limit applies to serviced and its child processes, not to other processes or login sessions on the host.
  • Control Center supports Security-Enhanced Linux (SELinux).
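The following is an added example, not part of Control Center, that covers two of the items above: verifying the open files limit the serviced startup script is supposed to set, and changing the group that grants access to the browser interface. The limit check reads the "Max open files" line of /proc/PID/limits for the running serviced process. The group change assumes that serviced reads its variables from /etc/default/serviced (an assumption; check the file your installation uses) and that the replacement group, named cc-admins here as an example, already exists. The sample limits file written by cc_write_sample_limits is constructed for demonstration.

```shell
#!/bin/sh
# Added example: post-installation checks for the items listed above.
# Assumptions: serviced reads /etc/default/serviced; the admin group used
# here (cc-admins) is an example name and must exist before serviced is restarted.

CC_NOFILE_EXPECTED=1048576
CC_CONFIG_DEFAULT=/etc/default/serviced

# Print "SOFT HARD" for the Max open files line of a /proc/PID/limits file.
cc_nofile_limits() {
    awk '/^Max open files/ { print $4, $5 }' "$1"
}

# Succeed only when both the soft and the hard limit equal the documented value.
cc_nofile_ok() {
    set -- $(cc_nofile_limits "$1")
    [ "$1" = "$CC_NOFILE_EXPECTED" ] && [ "$2" = "$CC_NOFILE_EXPECTED" ]
}

# Check the running serviced process; exit status 2 means it is not running.
cc_check_serviced_nofile() {
    pid=$(pidof serviced) || { echo "serviced is not running" >&2; return 2; }
    cc_nofile_ok "/proc/${pid%% *}/limits"
}

# Write a constructed /proc/PID/limits sample (demonstration input only).
cc_write_sample_limits() {   # usage: cc_write_sample_limits FILE SOFT HARD
    printf 'Limit                     Soft Limit           Hard Limit           Units\n' > "$1"
    printf 'Max processes             4096                 63135                processes\n' >> "$1"
    printf 'Max open files            %s              %s              files\n' "$2" "$3" >> "$1"
}

# Set SERVICED_ADMIN_GROUP in the serviced configuration file, replacing an
# existing assignment or appending one. The file is rewritten via a temporary
# copy so a failure leaves the original untouched.
cc_set_admin_group() {   # usage: cc_set_admin_group GROUP [CONFIG_FILE]
    grp=$1; cfg=${2:-$CC_CONFIG_DEFAULT}
    if [ -f "$cfg" ] && grep -q '^SERVICED_ADMIN_GROUP=' "$cfg"; then
        sed "s|^SERVICED_ADMIN_GROUP=.*|SERVICED_ADMIN_GROUP=$grp|" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf 'SERVICED_ADMIN_GROUP=%s\n' "$grp" >> "$cfg"
    fi
}

# Print the group currently configured, or "wheel" (the documented default).
cc_get_admin_group() {   # usage: cc_get_admin_group [CONFIG_FILE]
    cfg=${1:-$CC_CONFIG_DEFAULT}
    val=$( [ -f "$cfg" ] && sed -n 's/^SERVICED_ADMIN_GROUP=//p' "$cfg" | tail -n 1 )
    printf '%s\n' "${val:-wheel}"
}

# Guarded live check so that sourcing this file has no side effects:
#   CC_RUN=1 sh this-script.sh
if [ "${CC_RUN:-0}" = 1 ]; then
    cc_check_serviced_nofile && echo "serviced open files limit OK"
    echo "browser-interface admin group: $(cc_get_admin_group)"
fi
```

Restart serviced after changing the group; the new group needs no superuser privileges, which is the reason to move browser-interface access off wheel.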