926
openstack 命令行管理十一 - 安全組管理 (備忘)
參考官方資料
You must modify the rules for the default security group because users cannot access instances that use the default group from any IP address outside the cloud. You can modify the rules in a security group to allow access to instances through different ports and protocols. For example, you can modify rules to allow access to instances through SSH, to ping them, or to allow UDP traffic – for example, for a DNS server running on an instance. You specify the following parameters for rules: Source of traffic. Enable traffic to instances from either IP addresses inside the cloud from other group members or from all IP addresses. Protocol. Choose TCP for SSH, ICMP for pings, or UDP. Destination port on virtual machine. Defines a port range. To open a single port only, enter the same value twice. ICMP does not support ports: Enter values to define the codes and types of ICMP traffic to be allowed. Rules are automatically enforced as soon as you create or modify them.
注: 已通過測試, 修改默認 secgroup 或自定義 secgroup 都可以完成數據訪問測試
幫助
[root@station140 ~(keystone_admin)]# nova help | grep secgroup
add-secgroup Add a Security Group to a server.
list-secgroup List Security Group(s) of a server.
remove-secgroup Remove a Security Group from a server.
secgroup-add-group-rule
secgroup-add-rule Add a rule to a security group.
secgroup-create Create a security group.
secgroup-delete Delete a security group.
secgroup-delete-group-rule
secgroup-delete-rule
secgroup-list List security groups for the current tenant.
secgroup-list-rules
secgroup-update Update a security group.
創建自定義安全組
[root@station140 ~(keystone_admin)]# nova secgroup-create terry "allow ping and ssh" +--------------------------------------+-------+--------------------+ | Id | Name | Description | +--------------------------------------+-------+--------------------+ | 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh | +--------------------------------------+-------+--------------------+
列出當前所有安全組
[root@station140 ~(keystone_admin)]# nova secgroup-list +--------------------------------------+---------+--------------------+ | Id | Name | Description | +--------------------------------------+---------+--------------------+ | 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default | | 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh | +--------------------------------------+---------+--------------------+
列出某個組中的安全規則
[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default +-------------+-----------+---------+----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+----------+--------------+ | | | | | default | | | | | | default | +-------------+-----------+---------+----------+--------------+
增加規則方法 (允許 ping)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | icmp | -1 | -1 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
增加規則方法 (允許 ssh)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry tcp 22 22 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | tcp | 22 | 22 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
增加規則方法 (允許 dns 外部訪問)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | udp | 53 | 53 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
列出自定義組規則
[root@station140 ~(keystone_admin)]# nova secgroup-list-rules terry +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | tcp | 22 | 22 | 0.0.0.0/0 | | | udp | 53 | 53 | 0.0.0.0/0 | | | icmp | -1 | -1 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
嚐試修改 default secgroup
列出 default secgroup 規則
[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default +-------------+-----------+---------+----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+----------+--------------+ | | | | | default | | | | | | default | +-------------+-----------+---------+----------+--------------+
添加規則 (允許 ping)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | icmp | -1 | -1 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
添加規則 (允許 ssh)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | tcp | 22 | 22 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
添加規則 (允許 dns外部訪問)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default udp 53 53 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | udp | 53 | 53 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
列出默認組規則
[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | | | | | default | | icmp | -1 | -1 | 0.0.0.0/0 | | | tcp | 22 | 22 | 0.0.0.0/0 | | | | | | | default | | udp | 53 | 53 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
刪除某個實例, 使用中的規則
nova remove-secgroup terry_instance1 terry
注: 在虛擬機啟動後, 無法在增加其他規則
最後更新:2017-04-03 12:55:09