Ports Required by Cloudera Data Science Workbench

Cloudera Data Science Workbench runs on gateway hosts in a CDH/HDP cluster. As such, Cloudera Data Science Workbench acts as a gateway and requires full connectivity to cluster services such as Impala, Spark 2, etc. Additionally, in the case of Spark 2, cluster hosts will require access to the Spark driver running on a set of random ports (20050-32767) on Cloudera Data Science Workbench hosts.

Firewall restrictions must be disabled across Cloudera Data Science Workbench and CDH/HDP cluster hosts. Internally, the Cloudera Data Science Workbench master and worker hosts require full connectivity with no firewalls. Externally, end users connect to Cloudera Data Science Workbench exclusively through a web server running on the master host, and therefore do not need direct access to any other internal Cloudera Data Science Workbench or CDH services.

This information has been summarized in the following table.

| Components | Details |
|---|---|
| Communication with the CDH / HDP cluster | CDH / HDP -> Cloudera Data Science Workbench: The CDH/HDP cluster must have access to the Spark driver that runs on Cloudera Data Science Workbench hosts, on a set of randomized ports in the range 20050-32767. |
| | Cloudera Data Science Workbench -> CDH / HDP: As a gateway service, Cloudera Data Science Workbench must have access to all the ports used by CDH and Cloudera Manager. |
| Communication with the Web Browser | The Cloudera Data Science Workbench web application is available at port 80. HTTPS access is available over port 443. |

Table 1. Ports used for communication with Unsecure Master

| Port | Process | Mandatory | Note |
|---|---|---|---|
| 22/tcp | sshd | yes | secure shell server (mandatory for CM managed host provisioning) |
| 80/tcp | ingress-controller | yes | CDSW web interface |
| 2049/tcp | nfs | yes | shared filesystem |
| 2379/tcp | etcd-client | yes | k8s shared data store client |
| 2380/tcp | etcd-server | yes | k8s shared data store server |
| 3306/tcp | mysql | | for CM Agent |
| 6443/tcp | kube-apiserver | yes | k8s API endpoint |
| 6783/tcp | weaver | yes | virtual network for docker containers |
| 7191/tcp | CM Agent | yes | for CM Agent |
| 9000/tcp | CM Agent | yes | CM Agent status server |
| 9100/tcp | node_exporter | | Prometheus node monitoring service |
| 10250/tcp | kubelet | yes | k8s the primary "node agent" |
| 10256/tcp | kube-proxy | yes | network proxy that implements part of the k8s Service concept |
| 20048/tcp | rpc.mountd | yes | server side of the NFS MOUNT protocol |

Table 2. Ports used for communication with Secure Master

| Port | Process | Mandatory | Note |
|---|---|---|---|
| 22/tcp | sshd | yes | secure shell server (mandatory for CM managed host provisioning) |
| 80/tcp | ingress-controller | | CDSW web interface |
| 443/tcp | secure ingress-controller | yes | CDSW web interface |
| 2049/tcp | nfs | yes | shared filesystem |
| 2379/tcp | etcd-client | yes | k8s shared data store client |
| 2380/tcp | etcd-server | yes | k8s shared data store server |
| 3306/tcp | mysql | | for CM Agent |
| 6443/tcp | kube-apiserver | yes | k8s API endpoint |
| 6783/tcp | weaver | yes | virtual network for docker containers |
| 7191/tcp | CM Agent | yes | for CM Agent |
| 9000/tcp | CM Agent | yes | CM Agent status server |
| 9100/tcp | node_exporter | | Prometheus node monitoring service |
| 10250/tcp | kubelet | yes | k8s the primary "node agent" |
| 10256/tcp | kube-proxy | yes | network proxy that implements part of the k8s Service concept |
| 20048/tcp | rpc.mountd | yes | server side of the NFS MOUNT protocol |

Table 3. Ports used for communication with Secure/Unsecure Worker

| Port | Process | Mandatory | Note |
|---|---|---|---|
| 22/tcp | sshd | yes | secure shell server (mandatory for CM managed host provisioning) |
| 3306/tcp | mysql | | for CM Agent |
| 6783/tcp | weaver | yes | virtual network for docker containers |
| 7191/tcp | CM Agent | yes | for CM Agent |
| 9000/tcp | CM Agent | yes | CM Agent status server |
| 9100/tcp | node_exporter | | Prometheus node monitoring service |
| 10250/tcp | kubelet | yes | k8s the primary "node agent" |
| 10256/tcp | kube-proxy | yes | network proxy that implements part of the k8s Service concept |
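
An added example, not part of Cloudera's documentation: a Python audit that compares a host's TCP listeners, as printed by `ss -Htln`, with Tables 1-3 and reports missing mandatory ports and listeners outside the documented set. It assumes each listed port is a listener on the host itself and that loopback-only listeners do not count; the role names, function names and sample `ss` output are constructed for illustration.

```python
import re

# Port tables transcribed from this page: port -> mandatory ("yes" column).
# Assumption: each listed port is a TCP listener on the host itself.
COMMON = {22: True, 3306: False, 6783: True, 7191: True, 9000: True,
          9100: False, 10250: True, 10256: True}
MASTER_ONLY = {2049: True, 2379: True, 2380: True, 6443: True, 20048: True}
ROLES = {  # role names are hypothetical labels for Tables 1-3
    "unsecure-master": {**COMMON, **MASTER_ONLY, 80: True},
    "secure-master": {**COMMON, **MASTER_ONLY, 80: False, 443: True},
    "worker": dict(COMMON),
}
SPARK_DRIVER_PORTS = range(20050, 32768)  # randomized Spark driver ports

# Constructed sample of `ss -Htln` output for a worker host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:6783 *:*
LISTEN 0 128 0.0.0.0:7191 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 128 *:10250 *:*
LISTEN 0 128 127.0.0.1:10249 0.0.0.0:*
LISTEN 0 50 *:25001 *:*
LISTEN 0 128 0.0.0.0:8888 0.0.0.0:*
"""

def listening_ports(ss_output):
    """Return TCP ports with a non-loopback listener in `ss -tln` output."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header row and blank lines
        m = re.fullmatch(r"(.*):(\d+)", fields[3])  # Local Address:Port
        if m and not (m.group(1).startswith("127.") or m.group(1) == "[::1]"):
            ports.add(int(m.group(2)))
    return ports

def audit(role, ss_output):
    """Compare listeners with the documented ports for the given role."""
    expected, found = ROLES[role], listening_ports(ss_output)
    missing = sorted(p for p, must in expected.items() if must and p not in found)
    unexpected = sorted(p for p in found
                        if p not in expected and p not in SPARK_DRIVER_PORTS)
    return {"missing_mandatory": missing, "unexpected": unexpected}

if __name__ == "__main__":
    print(audit("worker", SAMPLE_SS))
```

On a live host, pass the captured output of `ss -Htln` in place of `SAMPLE_SS`.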