docs: require every CVM port (incl. migration :8079) bound to a dedicated IP #3458

Open
barakeinav1 wants to merge 3 commits into main from docs/multi-node-ip-scope-ports

@barakeinav1
Contributor

Closes #3457

…ated IP

The multi-node guide listed only :80/:8080/:24567 for per-CVM host_address
binding, omitting the migration port :8079 (which defaults to 0.0.0.0:8079
in the single-node template). A wildcard 0.0.0.0 bind on any port blocks
other CVMs from binding it on their own IP, so the first CVM to boot wins
and the others crash-loop. Add :8079 to the list and warn against 0.0.0.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 3, 2026 08:16
Contributor

Copilot AI left a comment

Pull request overview

Updates the multi-CVM deployment guide to prevent port-forward conflicts when running multiple MPC CVMs on a single host by requiring per-CVM port forwards to bind to the CVM’s dedicated host IP (not 0.0.0.0), including the migration port.

Changes:

  • Adds :8079 (migration) to the list of public ports that must be bound to the CVM’s dedicated IP.
  • Adds an explicit warning describing the wildcard-bind failure mode (0.0.0.0:<port> preventing other CVMs from binding the same port on their own IPs).

Comment on lines +135 to +138
For **every public port forward** (`:80`, `:8080`, `:24567`, **and the
migration port `:8079`**), set the **host address** to that CVM's
assigned IP — never `0.0.0.0`. The dstack-vmm web UI exposes this field
next to host port / VM port at CVM-creation time.
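
Review bot: The first sentence names `0.0.0.0` as the only value to avoid, but it does not say what happens when the host address field is left empty, which is an easy outcome when an operator fills in the web UI form at CVM-creation time. Suggest stating whether an empty field is equivalent to a wildcard bind, and adding a short check the operator can run on the host after boot to confirm that each of the four listed ports is listening only on the CVM's assigned IP.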
Contributor Author

Fixed in 45eaa88 — added :8079 to the Step 1 Plan-IPs table (and the firewall bullet, architecture diagram, and key-properties bullet) so the whole doc is consistent.

@claude

claude Bot commented Jun 3, 2026

Pull request overview

Docs-only fix to docs/running-multiple-mpc-nodes-on-one-host.md. Extends the "set host_address per port-forward" guidance to explicitly include the migration port :8079 (whose single-node default of 0.0.0.0:8079 was easy to miss), and adds a warning block explaining that any wildcard bind on a shared host port causes a qemu: Could not set up host forwarding rule … error on the second CVM, crash-looping it.

Changes:

  • Extends the port-forward callout in Step 2 — Create the second CVM from :80, :8080, :24567 to also include :8079, and prohibits 0.0.0.0.
  • Adds a warning block explaining the qemu hostfwd failure mode and explicitly calls out :8079 as the easy-to-miss case.

Reviewed changes

Per-file summary

| File | Description |
| --- | --- |
| docs/running-multiple-mpc-nodes-on-one-host.md | Adds :8079 to the port-forward host_address list in Step 2 and a warning explaining the wildcard-bind crash mode. |

I cross-checked against docs/running-an-mpc-node-in-tdx-external-guide.md (lines 651, 684, 706, 825, 858), deployment/cvm-deployment/user-config.toml (lines 21, 86), and docs/node-migration-guide.md — the :8079 migration-port claim and its 0.0.0.0:8079 single-node default are both accurate.

Findings

Non-blocking (consistency follow-ups inside the same file):

The change only updates Step 2. The rest of the document still lists the multi-node port set as :80, :8080, :24567 and omits :8079, which contradicts the new guidance and reintroduces the exact "easy to miss" trap this PR is trying to close. Worth fixing in the same PR per CLAUDE.md's "Documentation alignment" policy:

  • docs/running-multiple-mpc-nodes-on-one-host.md:44 — Prerequisites bullet: (80, 8080, 24567) should include 8079 (firewall must be opened for it on both IPs as well).
  • docs/running-multiple-mpc-nodes-on-one-host.md:62-63 — Architecture ASCII diagram: hostfwd :80, :8080, :24567 -> CVM_M/T should include :8079.
  • docs/running-multiple-mpc-nodes-on-one-host.md:87-88 — "Key properties" bullet: its :24567 / :80 / :8080 forwards land on a distinct host IP should include :8079.
  • docs/running-multiple-mpc-nodes-on-one-host.md:122-123 — Step 1 Plan IPs table: the Ports (host & CVM) column lists :24567, :80, :8080 for both rows; should include :8079.

Without these, an operator reading Step 1 and planning IP allocations from the table would still miss :8079 before getting to the Step 2 callout.

✅ Approved — the change itself is correct and lands the key warning. The follow-ups above would tighten internal consistency but aren't blocking.
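
The collision rule discussed in this review, as an added example (not code from the PR or the project): a Python check over a planned set of port forwards that flags wildcard binds, cross-CVM collisions and missing ports. The CVM names, the 192.0.2.x addresses and the treatment of an empty host address as a wildcard are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports the guide asks to bind on each CVM's dedicated IP (from the PR text).
REQUIRED_PORTS = {80, 8080, 8079, 24567}

def is_wildcard(addr):
    """True for 0.0.0.0 / :: and for an empty field (assumed to mean all interfaces)."""
    addr = addr.strip()
    return addr == "" or ipaddress.ip_address(addr).is_unspecified

def audit_forwards(forwards):
    """forwards: iterable of (cvm_name, host_address, host_port).
    Returns sorted findings; an empty list means the plan is clean."""
    findings = set()
    by_port = defaultdict(list)
    ports_by_cvm = defaultdict(set)
    for cvm, addr, port in forwards:
        by_port[port].append((cvm, addr))
        ports_by_cvm[cvm].add(port)
        if is_wildcard(addr):
            findings.add(f"{cvm}: port {port} uses wildcard host address {addr or '<empty>'}")
    # Two CVMs collide on a port when either bind is a wildcard or both use the same IP.
    for port, binds in by_port.items():
        for i, (cvm_a, addr_a) in enumerate(binds):
            for cvm_b, addr_b in binds[i + 1:]:
                if cvm_a == cvm_b:
                    continue
                if (is_wildcard(addr_a) or is_wildcard(addr_b)
                        or ipaddress.ip_address(addr_a) == ipaddress.ip_address(addr_b)):
                    findings.add(f"port {port}: {cvm_a} ({addr_a}) collides with {cvm_b} ({addr_b})")
    for cvm, ports in ports_by_cvm.items():
        for port in sorted(REQUIRED_PORTS - ports):
            findings.add(f"{cvm}: no forward planned for required port {port}")
    return sorted(findings)

# Constructed sample plans. BAD_PLAN keeps the single-node 0.0.0.0:8079 default on node-a.
BAD_PLAN = ([("node-a", "192.0.2.10", p) for p in (80, 8080, 24567)]
            + [("node-a", "0.0.0.0", 8079)]
            + [("node-b", "192.0.2.11", p) for p in (80, 8080, 8079, 24567)])
GOOD_PLAN = [(cvm, ip, p)
             for cvm, ip in (("node-a", "192.0.2.10"), ("node-b", "192.0.2.11"))
             for p in sorted(REQUIRED_PORTS)]

if __name__ == "__main__":
    for line in audit_forwards(BAD_PLAN):
        print(line)
```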

…guide

Address review: the prerequisites firewall bullet, the architecture
diagram, the key-properties bullet, and the Step 1 Plan-IPs table all
still listed :80/:8080/:24567 and omitted the migration port :8079,
contradicting the new Step 2 guidance. Add :8079 to all four so an
operator planning IP allocations from the table doesn't miss it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@barakeinav1
Contributor Author

Addressed all four consistency follow-ups in 45eaa88: the prerequisites firewall bullet, the architecture diagram, the key-properties bullet, and the Step 1 Plan-IPs table now all include :8079.

Contributor

@gilcu3 left a comment

Thank you!

Development

Successfully merging this pull request may close these issues.

docs: require every CVM port (incl. migration :8079) bound to a dedicated IP, not 0.0.0.0