This document describes ports to be used by components of FineOps-deployed FineBI projects and server ports to be opened.
An O&M project includes many components, and some of them require port mapping to the server, occupying server ports for operation.
Before deployment, ensure ports to be mapped automatically (default port) are not in use. If they are already in use, use free ports.
1. Ensure the port configuration of all servers is consistent and meets the requirements, since the components are randomly assigned during installation.
2. This section explains the port requirements for deploying the FineBI project.
Note that container ports for some components are not mapped to the host machine and do not require reservation of the corresponding server ports. These ports are not listed in the following table.
Engine - Calculation Node
(If multiple Engine - Calculation Node components need to be installed on a single server, the default port number of these three ports for each additional Engine - Calculation Node component will be incremented sequentially.)
9008
9009
A port for the component service
9000
9006
If using a non-root user for installation, do not use ports below 1024.
In a Linux environment, non-root users can only use ports 1024 and above.
Google Chrome identifies the following ports as insecure ports with potential security threats.
Do not use the following ports, as doing so will prevent Google Chrome from accessing FineOps.
1, 7, 9, 11, 13, 15, 17, 19, 20, 21, 22, 23, 25, 37, 42, 43, 53, 69, 77, 79, 87, 95, 101, 102, 103, 104, 109, 110, 111, 113, 115, 117, 119, 123, 135, 137, 139, 143, 161, 179, 389, 465, 512, 513, 514, 515, 526, 530, 531, 532, 540, 548, 554, 556, 563, 587, 601, 636, 989, 990, 993, 995, 1719, 1720, 1723, 2049, 3659, 4045, 5061, 6000, 6566, 6665, 6666, 6667, 6668, 6669, 6697, and 10080
To ensure normal access to O&M projects and smooth deployment and monitoring of O&M projects via FineOps, certain server ports must be opened for use.
Relation
O&M personnel
(unlimited IP address)
Nginx of the O&M project
Without SSL: 80
With SSL: 443
The OceanBase allowlist may check the container IP address instead of the host IP address.
Therefore, to use the OceanBase (Oracle) data connection, you must additionally ensure that the container IP address of the FanRuan application component (FineReport/FineBI - Application Node/FineDataLink) is allowed to access the OceanBase database port.
Registry: 5000
Ensure that all the mentioned ports are open for communication between the components.
Nginx of FineOps
Root user deployment: 80
Non-root user deployment: 8090
Each FineBI - Application Node component of the project: 8080
Each Engine - Calculation Node component of the project: 9001
If multiple Engine - Calculation Node components need to be installed on a single server, the default port number for each additional Engine - Calculation Node component will be incremented sequentially.
The Engine - Metadata Node component of the project: 8000
The OPS Agent component on every server of this project (including project nodes and cluster component nodes): 9070
SkyWalking OAP of FineOps: 11800 and 12800
Pulling components from the image repository of FineOps for project deployment
The project nodes and the cluster component nodes (on any server)
Elasticsearch (if installed) of the O&M project: 9200
Therefore, if FineOps and FineOps-deployed projects use the same server, you must ensure that port 22 on the host machine of the ops container of FineOps is reachable from the IP address of ops.
Network isolation and security: In the Bridge mode, container networks are isolated, preventing port conflicts. In the Host mode, containers share the host's network stack, exposing container ports, which increases security risks.
O&M complexity: Docker uses the Bridge mode by default, enabling unified management of port mappings. Using the Host mode requires manual configuration of ports for each component, making maintenance difficult.
Firewall compatibility: In the Bridge mode, Docker automatically operates firewall rules (for example, managing the docker zone in firewalld), whereas using the Host mode requires manual port configuration, which is error-prone.
Production suitability: The Host mode is not suitable for production environments due to resource contention (caused by random port usage, for example) and uncontrolled network exposure. The Bridge mode offers greater stability and better aligns with the principles of containerization design.