public inbox for pve-devel@lists.proxmox.com
From: Sylvain Faivre <sylvain.faivre@fraudbuster.mobi>
To: pve-devel@lists.proxmox.com
Cc: Sylvain Faivre <sylvain.faivre@fraudbuster.mobi>
Subject: [pve-devel] [PATCH pve-docs 1/1] pvecm.adoc, pve-firewall.adoc: add info about ports used by corosync and others
Date: Tue, 28 Sep 2021 14:56:34 +0200
Message-ID: <20210928125634.169905-2-sylvain.faivre@fraudbuster.mobi>
In-Reply-To: <20210928125634.169905-1-sylvain.faivre@fraudbuster.mobi>

---
 pve-firewall.adoc | 9 ++++++---
 pvecm.adoc        | 6 +++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index f59c302..ca8acfe 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -426,7 +426,7 @@ following traffic is still allowed for all {pve} hosts in the cluster:
 * TCP traffic from management hosts to port 3128 for connections to the SPICE
   proxy
 * TCP traffic from management hosts to port 22 to allow ssh access
-* UDP traffic in the cluster network to port 5404 and 5405 for corosync
+* UDP traffic in the cluster network to ports 5405 and following ports for corosync. If you have setup redundant links, corosync port for each link is UDP/5405+linknumber [0-7]
 * UDP multicast traffic in the cluster network
 * ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
   (Time Exceeded)
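
Review bot: The corosync bullet sits in the list introduced by "following traffic is still allowed for all {pve} hosts in the cluster", so after this change the documentation states that the firewall itself permits UDP 5405 plus the per-link ports, and 5404 drops out of the list; nothing in this docs-only patch shows that the default ruleset matches. Please check the bullet against the rules the firewall actually generates before changing it, otherwise administrators will rely on openings that may not exist. On wording, "ports 5405 and following ports" has no visible upper bound until the reader decodes "[0-7]"; writing the range out as UDP 5405-5412 (link 0 to link 7) is easier to turn into a rule. "setup" should be "set up", and the line should be wrapped like its neighbours.
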
@@ -628,13 +628,16 @@ corresponding link local addresses.  (See the
 Ports used by {pve}
 -------------------
 
-* Web interface: 8006 (TCP, HTTP/1.1 over TLS)
+* Web interface: 8006 (TCP, HTTP/1.1 over TLS). Also needs to be open between nodes in a cluster, to allow operations in the web UI.
 * VNC Web console: 5900-5999 (TCP, WebSocket)
 * SPICE proxy: 3128 (TCP)
 * sshd (used for cluster actions): 22 (TCP)
+
+NOTE: You can run sshd on a non-standard port if you set this port in both the SSH client and server config, on all cluster nodes.
+
 * rpcbind: 111 (UDP)
 * sendmail: 25 (TCP, outgoing)
-* corosync cluster traffic: 5404, 5405 UDP
+* corosync cluster traffic: 5405 (UDP) and following ports. If you have setup redundant links, corosync port for each link is UDP/5405+linknumber [0-7]
 * live migration (VM memory and local-disk data): 60000-60050 (TCP)
 
 ifdef::manvolnum[]
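
Review bot: The NOTE about running sshd on a non-standard port is inserted as a stand-alone paragraph between the sshd and rpcbind bullets, which splits "Ports used by {pve}" into two lists. Move it below the last bullet (live migration), or attach it to the sshd item with a list continuation, so the section stays a single list. The sentence added to the 8006 bullet says the port "needs to be open between nodes" without naming which web UI operations depend on it; one concrete case would help readers who write inter-node rules. The corosync bullet repeats the wording from pve-firewall.adoc's earlier list, so the same remarks apply: give the range as 5405-5412 and use "set up".
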
diff --git a/pvecm.adoc b/pvecm.adoc
index 0b1857e..07a8a66 100644
--- a/pvecm.adoc
+++ b/pvecm.adoc
@@ -58,8 +58,7 @@ Grouping nodes into a cluster has the following advantages:
 Requirements
 ------------
 
-* All nodes must be able to connect to each other via UDP ports 5404 and 5405
- for corosync to work.
+* All nodes must be able to connect to each other via UDP ports 5405 and following ports for corosync to work. If you have setup redundant links, corosync port for each link is UDP/5405+linknumber [0-7].
 
 * Date and time must be synchronized.
 
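
Review bot: As a requirement, "UDP ports 5405 and following ports" reads as if every node must open the whole range even with a single link; per the second sentence only 5405 is needed for link 0 and each additional link adds one port, up to 5412 for link 7. Suggest wording the bullet that way, for example "UDP port 5405 for link 0, plus 5405+linknumber for each further link (0-7)". The removed text was wrapped over two lines while the replacement is one very long line, so please re-wrap it. This sentence now appears four times across the two files; stating the rule once and cross-referencing it would keep the copies from drifting.
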
@@ -524,7 +523,7 @@ be generated - no manual action is required.
 
 NOTE: Corosync used Multicast before version 3.0 (introduced in {pve} 6.0).
 Modern versions rely on https://kronosnet.org/[Kronosnet] for cluster
-communication, which, for now, only supports regular UDP unicast.
+communication, which, for now, only supports regular UDP unicast. More advanced information about Kronosnet can be found in http://people.redhat.com/ccaulfie/docs/KnetCorosync.pdf[KnetCorosync.pdf].
 
 CAUTION: You can still enable Multicast or legacy unicast by setting your
 transport to `udp` or `udpu` in your xref:pvecm_edit_corosync_conf[corosync.conf],
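
Review bot: The link added to the NOTE points at a PDF under a per-user path on people.redhat.com over plain http, which is a fragile reference for shipped documentation and gives readers no transport integrity for a document they are told to consult. Use an https URL if the host serves one, and prefer a project-hosted location for the same material if it exists. The link text is only the file name; a descriptive title would read better in the rendered page. The changed line also needs wrapping to match the rest of the paragraph.
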
@@ -885,6 +884,7 @@ pvecm status
 
 If you see a healthy cluster state, it means that your new link is being used.
 
+NOTE: If you experience communication problems, please check your firewall setup. With PVE 6.x+ and the introduction of Corosync3/Kronosnet, Corosync uses one port for each link, starting with port 5405. So the port number for each link is UDP/5405+linknumber [0-7].
 
 Role of SSH in {pve} Clusters
 -----------------------------
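
Review bot: The new NOTE writes "PVE 6.x+" and "Corosync3/Kronosnet", while the rest of this file uses the {pve} attribute and spells the version out ("Corosync used Multicast before version 3.0 (introduced in {pve} 6.0)"); please use the same forms here. "please check your firewall setup" would be more useful if it said what to check, namely that UDP 5405+linknumber is allowed between all nodes on the network used by the new link. The NOTE is a single long line and should be wrapped. It is also the fourth copy of the per-link port rule in this patch; a cross-reference to one canonical statement would avoid the repetition.
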
-- 
2.30.2



