Skip to main content

Firewalls and Ports

[edit on GitHub]

All of the ports used by the Chef Infra Server are TCP ports. Refer to the operating system’s manual or site systems administrators for instructions on how to enable changes to ports, if necessary.

All services must be listening on the appropriate ports. Most monitoring systems provide a means of testing whether a given port is accepting connections and service-specific tools may also be available. In addition, the generic system tool Telnet can also be used to initiate the connection:

telnet HOST_NAME PORT

Note

An “external” port is external from the perspective of a workstation (such as knife), a machine (Chef Infra Client), or any other user that accesses the Chef Infra Server via the Chef Infra Server API.

Standalone

The following sections describe the ports that are required by the Chef Infra Server in a standalone configuration:

image

A single loopback interface should be configured using the 127.0.0.1 address. This ensures that all of the services are available to the Chef Infra Server, in the event that the Chef Infra Server attempts to contact itself from within a front or back end machine. All ports should be accessible through the loopback interface of their respective hosts.

For a standalone installation, ensure that ports marked as external (marked as yes in the External column) are open and accessible via any firewalls that are in use:

PortService Name, DescriptionExternal

4321

bookshelf

The bookshelf service is an Amazon Simple Storage Service (S3)-compatible service that is used to store cookbooks, including all of the files—recipes, templates, and so on—that are associated with each cookbook.

no

80, 443, 9683

nginx

The nginx service is used to manage traffic to the Chef Infra Server, including virtual hosts for internal and external API request/response routing, external add-on request routing, and routing between front- and back-end components.

Note

Port 9683 is used to internally load balance the oc_bifrost service.

yes

9463

oc_bifrost

The oc_bifrost service ensures that every request to view or manage objects stored on the Chef Infra Server is authorized.

9090

oc-id

The oc-id service enables OAuth 2.0 authentication to the Chef Infra Server by external applications, including Chef Supermarket. OAuth 2.0 uses token-based authentication, where external applications use tokens that are issued by the oc-id provider. No special credentials—webui_priv.pem or privileged keys—are stored on the external application.

8000

opscode-erchef

The opscode-erchef service is an Erlang-based service that is used to handle Chef Infra Server API requests to the following areas within the Chef Infra Server:

  • Cookbooks
  • Data bags
  • Environments
  • Nodes
  • Roles
  • Sandboxes
  • Search

5432

postgresql

The postgresql service is used to store node, object, and user data.

9200

elasticsearch

The elasticsearch service is used to create the search indexes used for searching objects like nodes, data bags, and cookbooks. (This service ensures timely search results via the Chef Infra Server API; data that is used by the Chef platform is stored in PostgreSQL.)

16379

redis_lb

Key-value store used in conjunction with Nginx to route requests and populate request data used by the Chef Infra Server.

Tiered

The following sections describe the ports that are required by the Chef Infra Server in a tiered configuration:

image

A single loopback interface should be configured using the 127.0.0.1 address. This ensures that all of the services are available to the Chef Infra Server, in the event that the Chef Infra Server attempts to contact itself from within a front or back end machine. All ports should be accessible through the loopback interface of their respective hosts.

Front End

For front-end servers, ensure that ports marked as external (marked as yes in the External column) are open and accessible via any firewalls that are in use:

PortService Name, DescriptionExternal

80, 443, 9683

nginx

The nginx service is used to manage traffic to the Chef Infra Server, including virtual hosts for internal and external API request/response routing, external add-on request routing, and routing between front- and back-end components.

Note

Port 9683 is used to internally load balance the oc_bifrost service.

yes

9463

oc_bifrost

The oc_bifrost service ensures that every request to view or manage objects stored on the Chef Infra Server is authorized.

9090

oc-id

The oc-id service enables OAuth 2.0 authentication to the Chef Infra Server by external applications, including Chef Supermarket. OAuth 2.0 uses token-based authentication, where external applications use tokens that are issued by the oc-id provider. No special credentials—webui_priv.pem or privileged keys—are stored on the external application.

8000

opscode-erchef

The opscode-erchef service is an Erlang-based service that is used to handle Chef Infra Server API requests to the following areas within the Chef Infra Server:

  • Cookbooks
  • Data bags
  • Environments
  • Nodes
  • Roles
  • Sandboxes
  • Search

Back End

For back-end servers in a tiered Chef Infra Server installation, ensure that ports marked as external (marked as yes in the External column) are open and accessible via any firewalls that are in use:

PortService Name, DescriptionExternal

80, 443, 9683

nginx

The nginx service is used to manage traffic to the Chef Infra Server, including virtual hosts for internal and external API request/response routing, external add-on request routing, and routing between front- and back-end components.

Note

Port 9683 is used to internally load balance the oc_bifrost service.

yes

9463

oc_bifrost

The oc_bifrost service ensures that every request to view or manage objects stored on the Chef Infra Server is authorized.

9200

elasticsearch

The elasticsearch service is used to create the search indexes used for searching objects like nodes, data bags, and cookbooks. (This service ensures timely search results via the Chef Infra Server API; data that is used by the Chef platform is stored in PostgreSQL.)

5432

postgresql

The postgresql service is used to store node, object, and user data.

16379

redis_lb

Key-value store used in conjunction with Nginx to route requests and populate request data used by the Chef Infra Server.

4321

bookshelf

The bookshelf service is an Amazon Simple Storage Service (S3)-compatible service that is used to store cookbooks, including all of the files—recipes, templates, and so on—that are associated with each cookbook.

8000

opscode-erchef

The opscode-erchef service is an Erlang-based service that is used to handle Chef Infra Server API requests to the following areas within the Chef Infra Server:

  • Cookbooks
  • Data bags
  • Environments
  • Nodes
  • Roles
  • Sandboxes
  • Search

Chef Push Jobs

TCP protocol ports 10000, 10002 and 10003. 10000 is the default heartbeat port, 10002 is the default command port, 10003 is the default API port. These may be configured in the Chef Push Jobs configuration file. The command port allows Chef Push Jobs clients to communicate with the Chef Push Jobs server and also allows chef server components to communicate with the push-jobs server. In a configuration with both front and back ends, this port only needs to be open on the back end servers. The Chef Push Jobs server waits for connections from the Chef Push Jobs client, and never initiates a connection to a Chef Push Jobs client. In situations where the chef server has a non-locally-assigned public address (like a cloud deployment / or behind NAT ) the api port should be added to the network security configuration for the chef server to connect to itself on the public IP, if that is what the chef server hostname points to.