openstack 命令行管理十一 - 安全组管理 (备忘)-低调大师

openstack 命令行管理十一 - 安全组管理 (备忘)

2014-02-18 655

参考官方资料

You must modify the rules for the default security group because users cannot access instances that use the default group from 
any IP address outside the cloud.

You can modify the rules in a security group to allow access to instances through different ports and protocols. For example, 
you can modify rules to allow access to instances through SSH, to ping them, or to allow UDP traffic – for example, for a DNS 
server running on an instance. You specify the following parameters for rules:

Source of traffic. Enable traffic to instances from either IP addresses inside the cloud from other group members or from all IP addresses.

Protocol. Choose TCP for SSH, ICMP for pings, or UDP.

Destination port on virtual machine. Defines a port range. To open a single port only, enter the same value twice. ICMP does not support ports: Enter values to define the codes and types of ICMP traffic to be allowed.

Rules are automatically enforced as soon as you create or modify them.

注: 已通过测试, 修改默认 secgroup 或自定义 secgroup 都可以完成数据访问测试

帮助

[root@station140 ~(keystone_admin)]# nova help | grep secgroup
    add-secgroup        Add a Security Group to a server.
    list-secgroup       List Security Group(s) of a server.
    remove-secgroup     Remove a Security Group from a server.
    secgroup-add-group-rule
    secgroup-add-rule   Add a rule to a security group.
    secgroup-create     Create a security group.
    secgroup-delete     Delete a security group.
    secgroup-delete-group-rule
    secgroup-delete-rule
    secgroup-list       List security groups for the current tenant.
    secgroup-list-rules
    secgroup-update     Update a security group.

创建自定义安全组

[root@station140 ~(keystone_admin)]# nova secgroup-create terry "allow ping and ssh"
+--------------------------------------+-------+--------------------+
| Id                                   | Name  | Description        |
+--------------------------------------+-------+--------------------+
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
+--------------------------------------+-------+--------------------+

列出当前所有安全组

[root@station140 ~(keystone_admin)]# nova  secgroup-list
+--------------------------------------+---------+--------------------+
| Id                                   | Name    | Description        |
+--------------------------------------+---------+--------------------+
| 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
+--------------------------------------+---------+--------------------+

列出某个组中的安全规则

[root@station140 ~(keystone_admin)]# nova  secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+

增加规则方法 (允许 ping)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

增加规则方法 (允许 ssh)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry tcp  22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

增加规则方法 (允许 dns 外部访问)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

列出自定义组规则

[root@station140 ~(keystone_admin)]# nova secgroup-list-rules terry
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

尝试修改 default secgroup
列出 default secgroup 规则

[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+

添加规则 (允许 ping)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

添加规则 (允许 ssh)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default tcp  22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

添加规则 (允许 dns外部访问)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

列出默认组规则

[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

删除某个实例, 使用中的规则

nova remove-secgroup terry_instance1 terry

注: 在虚拟机启动后, 无法在增加其他规则

微信关注我们

原文链接：https://yq.aliyun.com/articles/70880

转载内容版权归作者及来源网站所有！

低调大师中文资讯倾力打造互联网数据资讯、行业资源、电子商务、移动互联网、网络营销平台。持续更新报道IT业界、互联网、市场资讯、驱动更新,是最及时权威的产业资讯及硬件资讯报道平台。

openstack 命令行管理十 - 密钥管理 (备忘)

帮助 [root@station140 ~(keystone_admin)]# nova help | grep key flavor-key Set or unset extra_spec for a flavor. keypair-add Create a new key pair for use with instances. keypair-delete Delete keypair given by its name. keypair-list Print a list of keypairs for a user keypair-show Show details about the given keypair. 创建密钥方法 [ 略 ] ssh-keygen 命令 (默认安装时候已经生成密钥) 添加密钥方法 [root@station140 ~(keystone_admin)]# nova keypair-add --pub-key /root/.ssh/id_rsa.pub terrykey 显示密钥方法 [root@station140 ~(keystone_a...

2014-02-18

898

2014-02-18

718

资源下载

更多资源

Mario

马里奥是站在游戏界顶峰的超人气多面角色。马里奥靠吃蘑菇成长，特征是大鼻子、头戴帽子、身穿背带裤，还留着胡子。与他的双胞胎兄弟路易基一起，长年担任任天堂的招牌角色。

腾讯云软件源

为解决软件依赖安装时官方源访问速度慢的问题，腾讯云为一些软件搭建了缓存服务。您可以通过使用腾讯云软件源站来提升依赖包的安装速度。为了方便用户自由搭建服务架构，目前腾讯云软件源站支持公网访问和内网访问。

Rocky Linux

Rocky Linux（中文名：洛基）是由Gregory Kurtzer于2020年12月发起的企业级Linux发行版，作为CentOS稳定版停止维护后与RHEL（Red Hat Enterprise Linux）完全兼容的开源替代方案，由社区拥有并管理，支持x86_64、aarch64等架构。其通过重新编译RHEL源代码提供长期稳定性，采用模块化包装和SELinux安全架构，默认包含GNOME桌面环境及XFS文件系统，支持十年生命周期更新。

Sublime Text

Sublime Text具有漂亮的用户界面和强大的功能，例如代码缩略图，Python的插件，代码段等。还可自定义键绑定，菜单和工具栏。Sublime Text 的主要功能包括：拼写检查，书签，完整的 Python API ， Goto 功能，即时项目切换，多选择，多窗口等等。Sublime Text 是一个跨平台的编辑器，同时支持Windows、Linux、Mac OS X等操作系统。