@antaloala antaloala commented Aug 21, 2025

fixes #584

All proposed additions are placed in asciidoc/product/atip-requirements.adoc

This is the result of the scan-port command (mainly ss -tlnup and nmap -sS -p0-65535 -A -T4 -v -r <target-server-ip-address> commands) run against SUSE Telco Cloud mgmt and downstream servers (3.3 release).
Note: For downstream nodes, the nmap command was triggered at different intervals to get the port-scan result during the provisioning/inspection Metal3/Ironic phases (i.e., opened ports from IPA images).
Some nmap scans (with -sS, -sU, -sY and -sZ) were also run on a spec.type: NodePort service API object (protocols TCP, UDP and SCTP) created for NodePort scan range testing purposes.

Obtained results have been compared (and complemented) against (from) the following sources:

Primary/default CNI plugins tested:

  • cilium (mgmt and edge clusters)
  • calico (edge clusters)

Copied/pasted below are some of the obtained ss -tlnup and nmap scan reports:


Mgmt cluster (single-server, CNI: cilium)

ss -tunlp | grep -v "127.0.0.1" | grep -v "\[::1\]"


    Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:PortProcess
    --------------------------------------------------------------------------
    udp   UNCONN 0      0             0.0.0.0:8472       0.0.0.0:*     # aalarcon: 8472/udp is the Cilium(VXLAN) port                                                                  
    udp   UNCONN 0      0                [::]:8472          [::]:*    

    tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=1491,fd=3))   
    tcp   LISTEN 0      128              [::]:22            [::]:*    users:(("sshd",pid=1491,fd=4)) 
    tcp   LISTEN 0      4096   192.168.220.81:2379       0.0.0.0:*    users:(("etcd",pid=2391,fd=9))
    tcp   LISTEN 0      4096   192.168.220.81:2380       0.0.0.0:*    users:(("etcd",pid=2391,fd=7))        
    tcp   LISTEN 0      4096   192.168.220.81:4240       0.0.0.0:*    users:(("cilium-agent",pid=20505,fd=338)) 
    tcp   LISTEN 0      4096                *:6180             *:*    users:(("httpd",pid=50458,fd=4),("httpd",pid=41990,fd=4),("httpd",pid=41989,fd=4),("httpd",pid=41903,fd=4),("httpd",pid=41087,fd=4),("httpd",pid=41086,fd=4),("httpd",pid=41085,fd=4),("httpd",pid=41084,fd=4),("httpd",pid=41082,fd=4),("httpd",pid=40841,fd=4))

    tcp   LISTEN 0      4096                *:6385             *:*    users:(("httpd",pid=50458,fd=6),("httpd",pid=41990,fd=6),("httpd",pid=41989,fd=6),("httpd",pid=41903,fd=6),("httpd",pid=41087,fd=6),("httpd",pid=41086,fd=6),("httpd",pid=41085,fd=6),("httpd",pid=41084,fd=6),("httpd",pid=41082,fd=6),("httpd",pid=40841,fd=6))

    tcp   LISTEN 0      4096                *:6443             *:*    users:(("kube-apiserver",pid=2541,fd=3))                                                     
    tcp   LISTEN 0      4096                *:6545             *:*    users:(("hauler",pid=2094,fd=3))
    tcp   LISTEN 0      4096                *:9345             *:*    users:(("rke2",pid=1632,fd=9))                                                            
    tcp   LISTEN 0      4096                *:9963             *:*    users:(("cilium-operator",pid=15887,fd=7)) 
    tcp   LISTEN 0      4096                *:10250            *:*    users:(("kubelet",pid=2108,fd=14))   
    # sudo nmap -sS -p0-65535 -T4 -A -v -r 192.168.220.81
    #
    Starting Nmap 7.94 ( https://nmap.org ) at 2025-07-31 13:36 CEST
    NSE: Loaded 156 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 13:36
    Completed NSE at 13:36, 0.00s elapsed
    Initiating NSE at 13:36
    Completed NSE at 13:36, 0.00s elapsed
    Initiating NSE at 13:36
    Completed NSE at 13:36, 0.00s elapsed
    Initiating ARP Ping Scan at 13:36
    Scanning 192.168.220.81 [1 port]
    Completed ARP Ping Scan at 13:36, 0.04s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 13:36
    Completed Parallel DNS resolution of 1 host. at 13:36, 0.00s elapsed
    Initiating SYN Stealth Scan at 13:36
    Scanning 192.168.220.81 (192.168.220.81) [65536 ports]
    Discovered open port 22/tcp on 192.168.220.81
    Discovered open port 80/tcp on 192.168.220.81
    Discovered open port 443/tcp on 192.168.220.81
    Discovered open port 2379/tcp on 192.168.220.81
    Discovered open port 2380/tcp on 192.168.220.81
    Discovered open port 4240/tcp on 192.168.220.81
    Discovered open port 6180/tcp on 192.168.220.81
    Discovered open port 6385/tcp on 192.168.220.81
    Discovered open port 6443/tcp on 192.168.220.81
    Discovered open port 6545/tcp on 192.168.220.81
    Discovered open port 9345/tcp on 192.168.220.81
    Discovered open port 9963/tcp on 192.168.220.81
    Discovered open port 10250/tcp on 192.168.220.81
    Discovered open port 30485/tcp on 192.168.220.81
    Discovered open port 30514/tcp on 192.168.220.81
    Completed SYN Stealth Scan at 13:36, 0.95s elapsed (65536 total ports)
    Initiating Service scan at 13:36
    Scanning 15 services on 192.168.220.81 (192.168.220.81)
    Completed Service scan at 13:38, 92.12s elapsed (15 services on 1 host)
    Initiating OS detection (try #1) against 192.168.220.81 (192.168.220.81)
    NSE: Script scanning 192.168.220.81.
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.82s elapsed
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.07s elapsed
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.00s elapsed
    Nmap scan report for 192.168.220.81 (192.168.220.81)
    Host is up (0.00052s latency).
    Not shown: 65521 closed tcp ports (reset)
    PORT      STATE SERVICE           VERSION
    22/tcp    open  ssh               OpenSSH 9.6 (protocol 2.0)
    | ssh-hostkey: 
    |   256 db:a7:50:3c:27:29:75:91:b9:f9:9d:5d:86:90:fd:41 (ECDSA)
    |_  256 ae:bb:39:49:dc:8d:6a:f2:b7:8e:8a:da:92:94:d8:0a (ED25519)
    80/tcp    open  http              nginx (reverse proxy)
    |_http-title: 404 Not Found
    443/tcp   open  ssl/http          nginx (reverse proxy)
    |_http-title: 404 Not Found
    | ssl-cert: Subject: commonName=Kubernetes Ingress Controller Fake Certificate/organizationName=Acme Co
    | Subject Alternative Name: DNS:ingress.local
    | Issuer: commonName=Kubernetes Ingress Controller Fake Certificate/organizationName=Acme Co
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-31T08:09:25
    | Not valid after:  2026-07-31T08:09:25
    | MD5:   66ca:6372:51cc:b1aa:3ae5:c419:634e:c2bb
    |_SHA-1: 7238:14a1:5624:f31b:a7bd:0494:6878:6b6c:d47b:6dbc
    2379/tcp  open  ssl/etcd-client?
    | ssl-cert: Subject: commonName=etcd-server
    | Subject Alternative Name: DNS:kine.sock, DNS:localhost, DNS:mgmt-cluster-network, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.220.81, IP Address:10.43.0.1
    | Issuer: commonName=etcd-server-ca@1753900811
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: ecdsa-with-SHA256
    | Not valid before: 2025-07-30T18:40:11
    | Not valid after:  2026-07-30T18:40:11
    | MD5:   cd0c:ee26:93c6:d540:a49f:eece:50de:e824
    |_SHA-1: 0f9b:78d0:c583:e1ec:cfbf:ed10:d8ec:7c72:6174:3d45
    2380/tcp  open  ssl/etcd-server?
    | ssl-cert: Subject: commonName=etcd-peer
    | Subject Alternative Name: DNS:kine.sock, DNS:localhost, DNS:mgmt-cluster-network, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.220.81, IP Address:10.43.0.1
    | Issuer: commonName=etcd-peer-ca@1753900811
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: ecdsa-with-SHA256
    | Not valid before: 2025-07-30T18:40:11
    | Not valid after:  2026-07-30T18:40:11
    | MD5:   16f8:bce5:e744:b2ce:c442:19a5:a7b6:1731
    |_SHA-1: 208f:715d:9c7a:0bfb:e6fd:2fcc:99db:dcff:8d56:bdd1
    4240/tcp  open  daap              mt-daapd DAAP
    6180/tcp  open  http              Apache httpd
    |_http-server-header: Apache
    |_http-title: 404 Not Found
    | http-methods: 
    |_  Supported Methods: POST OPTIONS HEAD GET
    6385/tcp  open  http              Apache httpd
    |_http-server-header: Apache
    |_http-title: 400 Bad Request
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    6443/tcp  open  ssl/sun-sr-https?
    | ssl-cert: Subject: commonName=kube-apiserver
    | Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:mgmt-cluster-network, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.220.81, IP Address:10.43.0.1
    | Issuer: commonName=rke2-server-ca@1753900811
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: ecdsa-with-SHA256
    | Not valid before: 2025-07-30T18:40:11
    | Not valid after:  2026-07-30T18:40:11
    | MD5:   9dbe:2359:a149:64a3:1a4b:460d:7df3:65f1
    |_SHA-1: 9df7:fab1:1eef:ada2:642e:ada5:e9fb:5e79:8917:4745
    | fingerprint-strings: 
    |   FourOhFourRequest: 
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: c50e6edf-db19-44b8-9015-914543376e65
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Thu, 31 Jul 2025 11:37:10 GMT
    |     Content-Length: 129
    |     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    |   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
    |     HTTP/1.1 400 Bad Request
    |     Content-Type: text/plain; charset=utf-8
    |     Connection: close
    |     Request
    |   GetRequest: 
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: 2bae1ae7-93d4-447f-afd8-7a8903cf9e76
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Thu, 31 Jul 2025 11:36:45 GMT
    |     Content-Length: 129
    |     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    |   HTTPOptions: 
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: 3fa8c93a-903b-4b72-b772-00040e52d57e
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Thu, 31 Jul 2025 11:36:45 GMT
    |     Content-Length: 129
    |_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    6545/tcp  open  http              Docker Registry (API: 2.0)
    |_http-title: Site doesn't have a title.
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    9345/tcp  open  ssl/http          Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    | ssl-cert: Subject: commonName=rke2/organizationName=rke2
    | Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:mgmt-cluster-network, IP Address:10.43.0.1, IP Address:127.0.0.1, IP Address:192.168.220.81, IP Address:0:0:0:0:0:0:0:1
    | Issuer: commonName=rke2-server-ca@1753900811
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: ecdsa-with-SHA256
    | Not valid before: 2025-07-30T18:40:11
    | Not valid after:  2026-07-30T18:40:12
    | MD5:   82a8:060b:38ba:f6a7:7c18:919f:7828:fb9b
    |_SHA-1: 7838:5652:0938:a322:6cfb:4f7a:5b66:4de9:9429:9aa3
    9963/tcp  open  http              Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    10250/tcp open  ssl/http          Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    | ssl-cert: Subject: commonName=mgmt-cluster-network
    | Subject Alternative Name: DNS:mgmt-cluster-network, DNS:localhost, IP Address:127.0.0.1, IP Address:192.168.220.81
    | Issuer: commonName=rke2-server-ca@1753900811
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: ecdsa-with-SHA256
    | Not valid before: 2025-07-30T18:40:11
    | Not valid after:  2026-07-31T08:05:20
    | MD5:   a06d:2a55:4c30:68ba:f836:ee82:ec9b:0160
    |_SHA-1: 64b4:a563:d1c7:28b0:6763:d758:6f51:2cae:98b3:6e54
    30485/tcp open  http              Apache httpd
    | http-methods: 
    |_  Supported Methods: GET HEAD POST OPTIONS
    |_http-title: 400 Bad Request
    |_http-server-header: Apache
    30514/tcp open  http              Apache httpd
    | http-methods: 
    |_  Supported Methods: POST OPTIONS HEAD GET
    |_http-title: 404 Not Found
    |_http-server-header: Apache
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    MAC Address: 52:54:00:2E:1E:2B (QEMU virtual NIC)
    Device type: general purpose
    Running: Linux 4.X|5.X
    OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
    OS details: Linux 4.15 - 5.8
    Uptime guess: 16.818 days (since Mon Jul 14 17:59:51 2025)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=257 (Good luck!)
    IP ID Sequence Generation: All zeros

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.52 ms 192.168.220.81 (192.168.220.81)

    NSE: Script Post-scanning.
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.00s elapsed
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.00s elapsed
    Initiating NSE at 13:38
    Completed NSE at 13:38, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 95.66 seconds
            Raw packets sent: 65559 (2.885MB) | Rcvd: 65564 (2.624MB)

Edge cluster - provisioned (single-server, CNI: calico)

ss -tunlp | grep -v "127.0.0.1" | grep -v "\[::1\]"

    Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:PortProcess    

    udp   UNCONN 0      0             0.0.0.0:4789       0.0.0.0:*  

    tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=1099,fd=3)) 
    tcp   LISTEN 0      128              [::]:22            [::]:*    users:(("sshd",pid=1099,fd=4))           
    tcp   LISTEN 0      4096   192.168.220.91:2379       0.0.0.0:*    users:(("etcd",pid=1899,fd=10))          
    tcp   LISTEN 0      4096   192.168.220.91:2380       0.0.0.0:*    users:(("etcd",pid=1899,fd=7))  
    tcp   LISTEN 0      4096                *:5473             *:*    users:(("calico-typha",pid=2889,fd=6))   
    tcp   LISTEN 0      4096                *:6443             *:*    users:(("kube-apiserver",pid=2091,fd=3))  
    tcp   LISTEN 0      4096                *:9345             *:*    users:(("rke2",pid=1370,fd=7))         
    tcp   LISTEN 0      4096                *:10250            *:*    users:(("kubelet",pid=1637,fd=14))       
    tcp   LISTEN 0      4096                *:10255            *:*    users:(("kubelet",pid=1637,fd=8))  
    # sudo nmap -sS -p0-65535 -T4 -A -v -r 192.168.220.91
    #
    Starting Nmap 7.94 ( https://nmap.org ) at 2025-07-31 13:40 CEST
    NSE: Loaded 156 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 13:40
    Completed NSE at 13:40, 0.00s elapsed
    Initiating NSE at 13:40
    Completed NSE at 13:40, 0.00s elapsed
    Initiating NSE at 13:40
    Completed NSE at 13:40, 0.00s elapsed
    Initiating ARP Ping Scan at 13:40
    Scanning 192.168.220.91 [1 port]
    Completed ARP Ping Scan at 13:40, 0.05s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 13:40
    Completed Parallel DNS resolution of 1 host. at 13:40, 0.00s elapsed
    Initiating SYN Stealth Scan at 13:40
    Scanning 192.168.220.91 (192.168.220.91) [65536 ports]
    Discovered open port 22/tcp on 192.168.220.91
    Discovered open port 80/tcp on 192.168.220.91
    Discovered open port 443/tcp on 192.168.220.91
    Discovered open port 2379/tcp on 192.168.220.91
    Discovered open port 2380/tcp on 192.168.220.91
    Discovered open port 5473/tcp on 192.168.220.91
    Discovered open port 6443/tcp on 192.168.220.91
    Discovered open port 9345/tcp on 192.168.220.91
    Discovered open port 10250/tcp on 192.168.220.91
    Discovered open port 10255/tcp on 192.168.220.91
    Completed SYN Stealth Scan at 13:40, 1.08s elapsed (65536 total ports)
    Initiating Service scan at 13:40
    Scanning 10 services on 192.168.220.91 (192.168.220.91)
    Completed Service scan at 13:42, 102.28s elapsed (10 services on 1 host)
    Initiating OS detection (try #1) against 192.168.220.91 (192.168.220.91)
    adjust_timeouts2: packet supposedly had rtt of -79045 microseconds.  Ignoring time.
    adjust_timeouts2: packet supposedly had rtt of -104109 microseconds.  Ignoring time.
    adjust_timeouts2: packet supposedly had rtt of -104109 microseconds.  Ignoring time.
    adjust_timeouts2: packet supposedly had rtt of -129214 microseconds.  Ignoring time.
    adjust_timeouts2: packet supposedly had rtt of -129214 microseconds.  Ignoring time.
    NSE: Script scanning 192.168.220.91.
    Initiating NSE at 13:42
    Completed NSE at 13:42, 2.19s elapsed
    Initiating NSE at 13:42
    Completed NSE at 13:42, 0.06s elapsed
    Initiating NSE at 13:42
    Completed NSE at 13:42, 0.00s elapsed
    Nmap scan report for 192.168.220.91 (192.168.220.91)
    Host is up (0.00022s latency).
    Not shown: 65526 closed tcp ports (reset)
    PORT      STATE SERVICE           VERSION
    22/tcp    open  ssh               OpenSSH 9.6 (protocol 2.0)
    | ssh-hostkey: 
    |   256 5d:cb:d0:c0:4c:34:02:01:34:40:02:21:53:73:4b:18 (ECDSA)
    |_  256 0e:33:0a:c8:1e:a9:38:e6:5d:27:17:54:fc:43:05:ae (ED25519)
    80/tcp    open  http              nginx (reverse proxy)
    |_http-title: 404 Not Found
    443/tcp   open  ssl/http          nginx (reverse proxy)
    | ssl-cert: Subject: commonName=Kubernetes Ingress Controller Fake Certificate/organizationName=Acme Co
    | Subject Alternative Name: DNS:ingress.local
    | Issuer: commonName=Kubernetes Ingress Controller Fake Certificate/organizationName=Acme Co
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-31T07:57:25
    | Not valid after:  2026-07-31T07:57:25
    | MD5:   3bcb:bfc1:e100:0c16:e4ee:526e:33cc:06a7
    |_SHA-1: d56f:5f30:eff0:9faf:fb27:0d1e:31de:2c8a:6348:15e4
    |_http-title: 404 Not Found
    2379/tcp  open  ssl/etcd-client?
    | ssl-cert: Subject: commonName=etcd-server
    | Subject Alternative Name: DNS:kine.sock, DNS:localhost, DNS:rke2controlplane-snc-telco-01-wqgx8, IP Address:192.168.220.91, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.220.91, IP Address:10.96.0.1
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:48:07
    | Not valid after:  2026-07-30T19:57:27
    | MD5:   dd8b:cead:7961:b0bd:4b3a:b325:a453:205c
    |_SHA-1: 5f60:721a:014e:579a:90d4:0586:b2ea:e3a9:1dfe:3713
    2380/tcp  open  ssl/etcd-server?
    | ssl-cert: Subject: commonName=etcd-peer
    | Subject Alternative Name: DNS:kine.sock, DNS:localhost, DNS:rke2controlplane-snc-telco-01-wqgx8, IP Address:192.168.220.91, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.220.91, IP Address:10.96.0.1
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:48:07
    | Not valid after:  2026-07-30T19:57:27
    | MD5:   1440:5bc5:d272:3dde:ba6f:321d:89fc:db04
    |_SHA-1: 47b5:67c8:84fa:bfdd:d13d:89dd:e19c:fbf8:34d2:357a
    5473/tcp  open  ssl/apsolab-tags?
    | ssl-cert: Subject: commonName=typha-server
    | Subject Alternative Name: DNS:typha-server
    | Issuer: commonName=tigera-operator-signer
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:59:28
    | Not valid after:  2027-11-02T19:59:29
    | MD5:   0a61:d045:12d3:bdf3:3aa0:aefe:2c2a:6442
    |_SHA-1: e5b3:4ede:cd87:733d:120b:f613:9813:a038:b47a:20b9
    6443/tcp  open  ssl/sun-sr-https?
    | ssl-cert: Subject: commonName=kube-apiserver
    | Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:rke2controlplane-snc-telco-01-wqgx8, IP Address:192.168.220.91, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.220.91, IP Address:10.96.0.1
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:48:06
    | Not valid after:  2026-07-30T19:57:27
    | MD5:   d06e:bf18:a542:ecf0:d415:940f:2464:1d42
    |_SHA-1: 8e3f:e96a:af87:90a5:b7ce:e7a7:0f9f:ed8f:2f20:0ab1
    | fingerprint-strings: 
    |   FourOhFourRequest: 
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: 2d14f72c-fe7a-4401-8f57-ea3f92f99fdb
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Thu, 31 Jul 2025 11:41:11 GMT
    |     Content-Length: 129
    |     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    |   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
    |     HTTP/1.1 400 Bad Request
    |     Content-Type: text/plain; charset=utf-8
    |     Connection: close
    |     Request
    |   GetRequest: 
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: 3a19e486-0dac-4073-a4ac-bf5b3ebcbc23
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Thu, 31 Jul 2025 11:40:45 GMT
    |     Content-Length: 129
    |     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    |   HTTPOptions: 
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: 1139af17-87dd-453a-9f5e-b1e3a3a4a732
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Thu, 31 Jul 2025 11:40:45 GMT
    |     Content-Length: 129
    |_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    9345/tcp  open  ssl/http          Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    | ssl-cert: Subject: commonName=rke2/organizationName=rke2
    | Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:rke2controlplane-snc-telco-01-wqgx8, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:192.168.220.91, IP Address:0:0:0:0:0:0:0:1
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:48:06
    | Not valid after:  2026-07-30T19:57:27
    | MD5:   2915:f5cd:cbcc:5a30:2000:9fff:15c7:e027
    |_SHA-1: 4912:8c7e:62c2:336f:a133:5826:e064:8fd7:8eb5:4c5c
    10250/tcp open  ssl/http          Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    | ssl-cert: Subject: commonName=rke2controlplane-snc-telco-01-wqgx8
    | Subject Alternative Name: DNS:rke2controlplane-snc-telco-01-wqgx8, DNS:localhost, IP Address:127.0.0.1, IP Address:192.168.220.91
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:48:06
    | Not valid after:  2026-07-31T07:55:02
    | MD5:   4392:e6ca:39fe:fcca:05a7:b822:cc42:d725
    |_SHA-1: 4518:fdf0:d14e:eed1:8fae:1474:dbaf:3ab0:db33:790e
    10255/tcp open  http              Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    MAC Address: 52:54:00:D2:C3:14 (QEMU virtual NIC)
    Device type: general purpose
    Running: Linux 4.X|5.X
    OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
    OS details: Linux 4.15 - 5.8, Linux 5.4
    Uptime guess: 0.000 days (since Thu Jul 31 13:42:12 2025)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=261 (Good luck!)
    IP ID Sequence Generation: All zeros

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.22 ms 192.168.220.91 (192.168.220.91)

    NSE: Script Post-scanning.
    Initiating NSE at 13:42
    Completed NSE at 13:42, 0.00s elapsed
    Initiating NSE at 13:42
    Completed NSE at 13:42, 0.00s elapsed
    Initiating NSE at 13:42
    Completed NSE at 13:42, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 109.42 seconds
            Raw packets sent: 65605 (2.889MB) | Rcvd: 65594 (2.626MB)

Edge cluster - provisioned (single-server, CNI: cilium)

ss -tunlp | grep -v "127.0.0.1" | grep -v "\[::1\]"

    Netid State  Recv-Q Send-Q   Local Address:Port  Peer Address:PortProcess

    udp   UNCONN 0      0              0.0.0.0:8472       0.0.0.0:*                                             
    udp   UNCONN 0      0                 [::]:8472          [::]:*  

    tcp   LISTEN 0      128            0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=1056,fd=3)) 
    tcp   LISTEN 0      128               [::]:22            [::]:*    users:(("sshd",pid=1056,fd=4))                    
    tcp   LISTEN 0      4096   192.168.220.101:2379       0.0.0.0:*    users:(("etcd",pid=2388,fd=9))    
    tcp   LISTEN 0      4096   192.168.220.101:2380       0.0.0.0:*    users:(("etcd",pid=2388,fd=7))                   
    tcp   LISTEN 0      4096   192.168.220.101:4240       0.0.0.0:*    users:(("cilium-agent",pid=4287,fd=189))          
    tcp   LISTEN 0      4096                 *:6443             *:*    users:(("kube-apiserver",pid=1776,fd=3)) 
    tcp   LISTEN 0      4096                 *:9345             *:*    users:(("rke2",pid=1238,fd=7)) 
    tcp   LISTEN 0      4096                 *:9963             *:*    users:(("cilium-operator",pid=3447,fd=7))
    tcp   LISTEN 0      4096                 *:10250            *:*    users:(("kubelet",pid=1347,fd=15))       
    tcp   LISTEN 0      4096                 *:10255            *:*    users:(("kubelet",pid=1347,fd=8))

    # sudo nmap -sS -p0-65535 -T4 -A -v -r 192.168.220.101
    #
    Starting Nmap 7.94 ( https://nmap.org ) at 2025-07-31 13:51 CEST
    NSE: Loaded 156 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 13:51
    Completed NSE at 13:51, 0.00s elapsed
    Initiating NSE at 13:51
    Completed NSE at 13:51, 0.00s elapsed
    Initiating NSE at 13:51
    Completed NSE at 13:51, 0.00s elapsed
    Initiating ARP Ping Scan at 13:51
    Scanning 192.168.220.101 [1 port]
    Completed ARP Ping Scan at 13:51, 0.06s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 13:51
    Completed Parallel DNS resolution of 1 host. at 13:51, 0.00s elapsed
    Initiating SYN Stealth Scan at 13:51
    Scanning 192.168.220.101 (192.168.220.101) [65536 ports]
    Discovered open port 22/tcp on 192.168.220.101
    Discovered open port 80/tcp on 192.168.220.101
    Discovered open port 443/tcp on 192.168.220.101
    Discovered open port 2379/tcp on 192.168.220.101
    Discovered open port 2380/tcp on 192.168.220.101
    Discovered open port 4240/tcp on 192.168.220.101
    Discovered open port 6443/tcp on 192.168.220.101
    Discovered open port 9345/tcp on 192.168.220.101
    Discovered open port 9963/tcp on 192.168.220.101
    Discovered open port 10250/tcp on 192.168.220.101
    Discovered open port 10255/tcp on 192.168.220.101
    Completed SYN Stealth Scan at 13:51, 0.92s elapsed (65536 total ports)
    Initiating Service scan at 13:51
    Scanning 11 services on 192.168.220.101 (192.168.220.101)
    Completed Service scan at 13:52, 92.13s elapsed (11 services on 1 host)
    Initiating OS detection (try #1) against 192.168.220.101 (192.168.220.101)
    NSE: Script scanning 192.168.220.101.
    Initiating NSE at 13:52
    Completed NSE at 13:52, 0.44s elapsed
    Initiating NSE at 13:52
    Completed NSE at 13:52, 0.06s elapsed
    Initiating NSE at 13:52
    Completed NSE at 13:52, 0.00s elapsed
    Nmap scan report for 192.168.220.101 (192.168.220.101)
    Host is up (0.00020s latency).
    Not shown: 65525 closed tcp ports (reset)
    PORT      STATE SERVICE           VERSION
    22/tcp    open  ssh               OpenSSH 9.6 (protocol 2.0)
    | ssh-hostkey: 
    |   256 ef:00:ee:71:41:3f:31:46:b4:08:07:4a:0e:a5:7a:18 (ECDSA)
    |_  256 e9:a0:bc:14:93:27:c5:de:2e:37:82:e3:e2:47:e8:d9 (ED25519)
    80/tcp    open  http              nginx (reverse proxy)
    |_http-title: 404 Not Found
    443/tcp   open  ssl/http          nginx (reverse proxy)
    | ssl-cert: Subject: commonName=Kubernetes Ingress Controller Fake Certificate/organizationName=Acme Co
    | Subject Alternative Name: DNS:ingress.local
    | Issuer: commonName=Kubernetes Ingress Controller Fake Certificate/organizationName=Acme Co
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-31T07:57:41
    | Not valid after:  2026-07-31T07:57:41
    | MD5:   c382:7692:3188:781d:5751:ce62:39c3:b7f1
    |_SHA-1: c4b1:95f3:6483:78fa:9828:234a:1315:0df3:b925:495a
    |_http-title: 404 Not Found
    2379/tcp  open  ssl/etcd-client?
    | ssl-cert: Subject: commonName=etcd-server
    | Subject Alternative Name: DNS:kine.sock, DNS:localhost, DNS:rke2controlplane-snc-no-telco-ccddm, IP Address:192.168.220.101, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.220.101, IP Address:10.96.0.1
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:29:29
    | Not valid after:  2026-07-30T19:38:08
    | MD5:   9063:5a64:7927:cbe5:1b22:0391:1613:0cdc
    |_SHA-1: cb6b:cd37:06ea:88f2:aa4c:6d8c:c978:a3c6:7d03:8d10
    2380/tcp  open  ssl/etcd-server?
    | ssl-cert: Subject: commonName=etcd-peer
    | Subject Alternative Name: DNS:kine.sock, DNS:localhost, DNS:rke2controlplane-snc-no-telco-ccddm, IP Address:192.168.220.101, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.220.101, IP Address:10.96.0.1
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:29:29
    | Not valid after:  2026-07-30T19:38:08
    | MD5:   8318:323a:edd7:296a:5d20:529e:6e1b:d318
    |_SHA-1: 700e:2a48:71d0:7ceb:54a4:294d:cea3:ba4d:8dd7:e221
    4240/tcp  open  daap              mt-daapd DAAP
    6443/tcp  open  ssl/sun-sr-https?
    | ssl-cert: Subject: commonName=kube-apiserver
    | Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:rke2controlplane-snc-no-telco-ccddm, IP Address:192.168.220.101, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:192.168.220.101, IP Address:10.96.0.1
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:29:29
    | Not valid after:  2026-07-30T19:38:08
    | MD5:   5120:5afd:e518:0dd5:bca9:2457:187d:8ec3
    |_SHA-1: 8014:7e6f:0abd:4059:ac1d:cf6b:6d26:b029:c675:01f5
    | fingerprint-strings: 
    |   FourOhFourRequest: 
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: 5a5479ab-96e5-4b8f-89fa-b77cdb1e8b86
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Thu, 31 Jul 2025 11:51:51 GMT
    |     Content-Length: 129
    |     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    |   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
    |     HTTP/1.1 400 Bad Request
    |     Content-Type: text/plain; charset=utf-8
    |     Connection: close
    |     Request
    |   GetRequest: 
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: abbdb9a1-11b2-495e-ab69-cb147fe3aa34
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Thu, 31 Jul 2025 11:51:26 GMT
    |     Content-Length: 129
    |     {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    |   HTTPOptions: 
    |     HTTP/1.0 401 Unauthorized
    |     Audit-Id: bea41ff3-098a-4e0e-bcfd-270a74f65b66
    |     Cache-Control: no-cache, private
    |     Content-Type: application/json
    |     Date: Thu, 31 Jul 2025 11:51:26 GMT
    |     Content-Length: 129
    |_    {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
    9345/tcp  open  ssl/http          Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    | ssl-cert: Subject: commonName=rke2/organizationName=rke2
    | Subject Alternative Name: DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:rke2controlplane-snc-no-telco-ccddm, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:192.168.220.101, IP Address:0:0:0:0:0:0:0:1
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:29:29
    | Not valid after:  2026-07-30T19:38:08
    | MD5:   58d4:c7bb:dcba:b4fd:c7b9:2263:6c7d:dee7
    |_SHA-1: 6de4:aafc:4894:08c1:f510:b1cf:d79c:d5fc:1884:1165
    9963/tcp  open  http              Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    10250/tcp open  ssl/http          Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    | ssl-cert: Subject: commonName=rke2controlplane-snc-no-telco-ccddm
    | Subject Alternative Name: DNS:rke2controlplane-snc-no-telco-ccddm, DNS:localhost, IP Address:127.0.0.1, IP Address:192.168.220.101
    | Issuer: commonName=kubernetes
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2025-07-30T19:29:29
    | Not valid after:  2026-07-31T07:55:08
    | MD5:   af61:f9c9:6d9b:2339:4f0b:ea0a:f29d:4ed2
    |_SHA-1: f3b8:6b28:40a9:2703:6941:02c3:71cb:8f31:41d8:6e3a
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    10255/tcp open  http              Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
    |_http-title: Site doesn't have a title (text/plain; charset=utf-8).
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    MAC Address: 52:54:00:F3:A6:A8 (QEMU virtual NIC)
    Device type: general purpose
    Running: Linux 4.X|5.X
    OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
    OS details: Linux 4.15 - 5.8
    Uptime guess: 26.200 days (since Sat Jul  5 09:04:15 2025)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=264 (Good luck!)
    IP ID Sequence Generation: All zeros

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.20 ms 192.168.220.101 (192.168.220.101)

    NSE: Script Post-scanning.
    Initiating NSE at 13:52
    Completed NSE at 13:52, 0.00s elapsed
    Initiating NSE at 13:52
    Completed NSE at 13:52, 0.00s elapsed
    Initiating NSE at 13:52
    Completed NSE at 13:52, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 95.24 seconds
            Raw packets sent: 65559 (2.885MB) | Rcvd: 65551 (2.623MB)

Edge node - IPA HW inspection running

    # sudo nmap -sS -p0-65535 -T4 -A -v -r 192.168.220.111
    #
    Starting Nmap 7.94 ( https://nmap.org ) at 2025-08-01 01:20 CEST
    NSE: Loaded 156 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 01:20
    Completed NSE at 01:20, 0.00s elapsed
    Initiating NSE at 01:20
    Completed NSE at 01:20, 0.00s elapsed
    Initiating NSE at 01:20
    Completed NSE at 01:20, 0.00s elapsed
    Initiating ARP Ping Scan at 01:20
    Scanning 192.168.220.111 [1 port]
    Completed ARP Ping Scan at 01:20, 0.04s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 01:20
    Completed Parallel DNS resolution of 1 host. at 01:20, 0.00s elapsed
    Initiating SYN Stealth Scan at 01:20
    Scanning 192.168.220.111 (192.168.220.111) [65536 ports]
    Discovered open port 22/tcp on 192.168.220.111
    Discovered open port 9999/tcp on 192.168.220.111
    Completed SYN Stealth Scan at 01:20, 0.83s elapsed (65536 total ports)
    Initiating Service scan at 01:20
    Scanning 2 services on 192.168.220.111 (192.168.220.111)
    Completed Service scan at 01:22, 97.21s elapsed (2 services on 1 host)
    Initiating OS detection (try #1) against 192.168.220.111 (192.168.220.111)
    NSE: Script scanning 192.168.220.111.
    Initiating NSE at 01:22
    Completed NSE at 01:22, 0.19s elapsed
    Initiating NSE at 01:22
    Completed NSE at 01:22, 1.22s elapsed
    Initiating NSE at 01:22
    Completed NSE at 01:22, 0.00s elapsed
    Nmap scan report for 192.168.220.111 (192.168.220.111)
    Host is up (0.00019s latency).
    Not shown: 65534 closed tcp ports (reset)
    PORT     STATE SERVICE    VERSION
    22/tcp   open  ssh        OpenSSH 9.6 (protocol 2.0)
    | ssh-hostkey: 
    |   256 6d:97:01:87:8f:4c:e0:fe:70:5d:cc:c2:03:75:3e:8c (ECDSA)
    |_  256 c2:1a:f2:bf:43:04:3b:91:86:e6:35:6a:aa:f3:e6:b6 (ED25519)
    9999/tcp open  ssl/abyss?
    | ssl-cert: Subject: commonName=localhost.localdomain
    | Subject Alternative Name: IP Address:192.168.220.111
    | Issuer: commonName=localhost.localdomain
    | Public Key type: ec
    | Public Key bits: 256
    | Signature Algorithm: ecdsa-with-SHA256
    | Not valid before: 2025-07-31T22:20:32
    | Not valid after:  2025-08-30T23:20:32
    | MD5:   41d4:6ce7:da6e:9d2e:27d7:f24c:db23:6364
    |_SHA-1: 97e0:b9b8:bf03:6056:f56a:1f88:39d8:1d42:936a:4de7
    |_ssl-date: TLS randomness does not represent time
    MAC Address: 52:54:00:F3:A6:F0 (QEMU virtual NIC)
    Device type: general purpose
    Running: Linux 4.X|5.X
    OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
    OS details: Linux 4.15 - 5.8
    Uptime guess: 2.542 days (since Tue Jul 29 12:22:10 2025)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=263 (Good luck!)
    IP ID Sequence Generation: All zeros

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.19 ms 192.168.220.111 (192.168.220.111)

    NSE: Script Post-scanning.
    Initiating NSE at 01:22
    Completed NSE at 01:22, 0.00s elapsed
    Initiating NSE at 01:22
    Completed NSE at 01:22, 0.00s elapsed
    Initiating NSE at 01:22
    Completed NSE at 01:22, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 101.11 seconds
            Raw packets sent: 65559 (2.885MB) | Rcvd: 65551 (2.623MB)


@ranjinimn ranjinimn left a comment

Hey @antaloala, I have a few suggestions from the documentation perspective and style guide.
Please let me know if you have any questions.

hardys previously approved these changes Aug 22, 2025

@hardys hardys left a comment

Looks great, thanks! One small comment re the cilium link, otherwise lgtm!

ranjinimn previously approved these changes Aug 22, 2025
@antaloala antaloala dismissed stale reviews from ranjinimn and hardys via 181911d August 22, 2025 20:16
@antaloala antaloala merged commit 5466634 into suse-edge:main Aug 25, 2025
1 check passed
@antaloala antaloala deleted the EDGE-1342 branch August 25, 2025 07:52
hardys pushed a commit to hardys/suse-edge.github.io that referenced this pull request Sep 19, 2025
…suse-edge#800)

* list of open ports added to "asciidoc/product/atip-requirements.adoc"

Signed-off-by: Antonio Alonso Alarcon <[email protected]>

* Applied changes from PR#800 ranjinimn suggestions/proposals (first review)

Signed-off-by: Antonio Alonso Alarcon <[email protected]>

* Applied changes from PR#800 review - hardys comments

Signed-off-by: Antonio Alonso Alarcon <[email protected]>

---------

Signed-off-by: Antonio Alonso Alarcon <[email protected]>
(cherry picked from commit 5466634)
hardys pushed a commit that referenced this pull request Sep 23, 2025
…#800)

ranjinimn pushed a commit to ranjinimn/suse-edge.github.io that referenced this pull request Oct 21, 2025
…suse-edge#800)
