openstack 命令行管理十一 - 安全组管理 (备忘)

2014-02-18 604 89


参考官方资料

You must modify the rules for the default security group because users cannot access instances that use the default group from 
any IP address outside the cloud.

You can modify the rules in a security group to allow access to instances through different ports and protocols. For example, 
you can modify rules to allow access to instances through SSH, to ping them, or to allow UDP traffic – for example, for a DNS 
server running on an instance. You specify the following parameters for rules:

Source of traffic. Enable traffic to instances from either IP addresses inside the cloud from other group members or from all IP addresses.

Protocol. Choose TCP for SSH, ICMP for pings, or UDP.

Destination port on virtual machine. Defines a port range. To open a single port only, enter the same value twice. ICMP does not support ports: Enter values to define the codes and types of ICMP traffic to be allowed.

Rules are automatically enforced as soon as you create or modify them.

注: 已通过测试, 修改默认 secgroup 或自定义 secgroup 都可以完成数据访问测试

帮助

[root@station140 ~(keystone_admin)]# nova help | grep secgroup
    add-secgroup        Add a Security Group to a server.
    list-secgroup       List Security Group(s) of a server.
    remove-secgroup     Remove a Security Group from a server.
    secgroup-add-group-rule
    secgroup-add-rule   Add a rule to a security group.
    secgroup-create     Create a security group.
    secgroup-delete     Delete a security group.
    secgroup-delete-group-rule
    secgroup-delete-rule
    secgroup-list       List security groups for the current tenant.
    secgroup-list-rules
    secgroup-update     Update a security group.

创建自定义安全组

[root@station140 ~(keystone_admin)]# nova secgroup-create terry "allow ping and ssh"
+--------------------------------------+-------+--------------------+
| Id                                   | Name  | Description        |
+--------------------------------------+-------+--------------------+
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
+--------------------------------------+-------+--------------------+

列出当前所有安全组

[root@station140 ~(keystone_admin)]# nova  secgroup-list
+--------------------------------------+---------+--------------------+
| Id                                   | Name    | Description        |
+--------------------------------------+---------+--------------------+
| 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
+--------------------------------------+---------+--------------------+

列出某个组中的安全规则 
[root@station140 ~(keystone_admin)]# nova  secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+

增加规则方法 (允许 ping)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

增加规则方法 (允许 ssh)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry tcp  22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

增加规则方法 (允许 dns 外部访问) 

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

列出自定义组规则

[root@station140 ~(keystone_admin)]# nova secgroup-list-rules terry
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

尝试修改 default secgroup
列出 default secgroup 规则

[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+

添加规则 (允许 ping) 
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

添加规则 (允许 ssh)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default tcp  22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

添加规则 (允许 dns外部访问) 
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

列出默认组规则

[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

删除某个实例, 使用中的规则 
nova remove-secgroup terry_instance1 terry

注: 在虚拟机启动后, 无法在增加其他规则

优秀的个人博客,低调大师

微信关注我们

原文链接:https://yq.aliyun.com/articles/70880

转载内容版权归作者及来源网站所有!

低调大师中文资讯倾力打造互联网数据资讯、行业资源、电子商务、移动互联网、网络营销平台。持续更新报道IT业界、互联网、市场资讯、驱动更新,是最及时权威的产业资讯及硬件资讯报道平台。

openstack 命令行管理十 - 密钥管理 (备忘)
2014-02-19 00:00:00

openstack 命令行管理十 - 密钥管理 (备忘)

 帮助 [root@station140 ~(keystone_admin)]# nova help | grep key flavor-key Set or unset extra_spec for a flavor. keypair-add Create a new key pair for use with instances. keypair-delete Delete keypair given by its name. keypair-list Print a list of keypairs for a user keypair-show Show details about the given keypair. 创建密钥方法 [ 略 ] ssh-keygen 命令 (默认安装时候已经生成密钥) 添加密钥方法 [root@station140 ~(keystone_admin)]# nova keypair-add --pub-key /root/.ssh/id_rsa.pub terrykey 显示密钥方法 [root@station140 ~(keystone_a...
810
上一篇
openstack 命令行管理十三 - 外部网络[外部连接专用]管理 (备忘)
2014-02-19 00:00:00

openstack 命令行管理十三 - 外部网络[外部连接专用]管理 (备忘)

 创建公网 [root@station140 ~(network_admin)]# neutron net-create --router:external=true pub1 Created a new network: +---------------------------+--------------------------------------+ | Field | Value | +---------------------------+--------------------------------------+ | admin_state_up | True | | id | aebe75f0-6013-4a5e-bbd9-cb81e1f017bc | | name | pub1 | | provider:network_type | local | | provider:physical_network | | | provider:segmentation_id | | | router:external | True | | shared | False |...
638
下一篇

相关文章

发表评论

资源下载

更多资源
Mario,低调大师唯一一个Java游戏作品

Mario,低调大师唯一一个Java游戏作品

马里奥是站在游戏界顶峰的超人气多面角色。马里奥靠吃蘑菇成长,特征是大鼻子、头戴帽子、身穿背带裤,还留着胡子。与他的双胞胎兄弟路易基一起,长年担任任天堂的招牌角色。

Oracle Database,又名Oracle RDBMS

Oracle Database,又名Oracle RDBMS

Oracle Database,又名Oracle RDBMS,或简称Oracle。是甲骨文公司的一款关系数据库管理系统。它是在数据库领域一直处于领先地位的产品。可以说Oracle数据库系统是目前世界上流行的关系数据库管理系统,系统可移植性好、使用方便、功能强,适用于各类大、中、小、微机环境。它是一种高效率、可靠性好的、适应高吞吐量的数据库方案。

Apache Tomcat7、8、9(Java Web服务器)

Apache Tomcat7、8、9(Java Web服务器)

Tomcat是Apache 软件基金会(Apache Software Foundation)的Jakarta 项目中的一个核心项目,由Apache、Sun 和其他一些公司及个人共同开发而成。因为Tomcat 技术先进、性能稳定,而且免费,因而深受Java 爱好者的喜爱并得到了部分软件开发商的认可,成为目前比较流行的Web 应用服务器。

Eclipse(集成开发环境)

Eclipse(集成开发环境)

Eclipse 是一个开放源代码的、基于Java的可扩展开发平台。就其本身而言,它只是一个框架和一组服务,用于通过插件组件构建开发环境。幸运的是,Eclipse 附带了一个标准的插件集,包括Java开发工具(Java Development Kit,JDK)。

手机查看

扫码在手机上查看文章

扫描二维码,手机阅读更方便

热门标签
服务网格 Redis Docker Nacos SpringBoot K8s HarmonyOS NEXT Jdk25 DeepSeek SpringCloud ChatGPT

欢迎您!

登录后,您将获得更多功能!

热门文章
联系我们

有任何问题或合作意向欢迎联系我们

Email: 99873273@qq.com

QQ: 99873273