247 lines
11 KiB
XML
247 lines
11 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="nova_cli_security_groups">
|
|
<title>Add security group and rules</title>
|
|
<para>The following procedure shows you how to add security groups
|
|
and add rules to the default security group.</para>
|
|
<section xml:id="secgroup_add-delete">
|
|
<title>Add or delete a security group</title>
|
|
<para>Use the <command>nova secgroup-create</command> command
|
|
to add security groups.</para>
|
|
<para>The following example shows how to create the
|
|
<literal>secure1</literal> security group:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-create secure1 "Test security group"</userinput>
|
|
<computeroutput>+---------+---------------------+
|
|
| Name | Description |
|
|
+---------+---------------------+
|
|
| secure1 | Test security group |
|
|
+---------+---------------------+</computeroutput></screen>
|
|
<para>After you create the security group, you can view it in
|
|
the security group list:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-list</userinput>
|
|
<computeroutput>+---------+---------------------+
|
|
| Name | Description |
|
|
+---------+---------------------+
|
|
| default | default |
|
|
| secure1 | Test security group |
|
|
+---------+---------------------+</computeroutput></screen>
|
|
<para>Use the <command>nova secgroup-delete</command> command
|
|
to delete security groups. You cannot delete the default
|
|
security group. The default security group has these
|
|
initial settings:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>All the traffic originated by the instances
|
|
(outbound traffic) is allowed</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>All the traffic destined to instances (inbound
|
|
traffic) is denied</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>All the instances inside the group are allowed
|
|
to talk to each other</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<note>
|
|
<para>You can add extra rules into the default security
|
|
group for handling the egress traffic. Rules are
|
|
ingress only at this time.</para>
|
|
</note>
|
|
<para>The following example deletes the
|
|
<literal>secure1</literal> group. When you view the
|
|
security group list, it no longer appears:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-delete secure1</userinput>
|
|
<prompt>$</prompt> <userinput>nova secgroup-list</userinput>
|
|
<computeroutput>+---------+-------------+
|
|
| Name | Description |
|
|
+---------+-------------+
|
|
| default | default |
|
|
+---------+-------------+</computeroutput></screen>
|
|
</section>
|
|
<section xml:id="secgroup_rules">
|
|
<title>Modify security group rules</title>
|
|
<para>The security group rules control the incoming traffic
|
|
that can access the instances in the group, while all
|
|
outbound traffic is automatically allowed. <note>
|
|
<para>You cannot change the default outbound
|
|
behavior.</para>
|
|
</note>Every security group rule is a policy that allows
|
|
you to specify inbound connections that can access the
|
|
instance by source address, destination port, and IP
|
|
protocol (TCP, UDP or ICMP). Currently, you cannot manage
|
|
IPv6 and other protocols through the security rules,
|
|
making them permitted by default. To manage such
|
|
protocols, you can deploy a firewall in front of your
|
|
OpenStack cloud to control other types of traffic. The
|
|
command requires the following arguments for both TCP and
|
|
UDP rules:</para>
|
|
<variablelist wordsize="10">
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><secgroup></emphasis></term>
|
|
<listitem>
|
|
<para>ID of security group.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><ip_proto></emphasis></term>
|
|
<listitem>
|
|
<para>IP protocol (icmp, tcp, udp).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><from_port></emphasis></term>
|
|
<listitem>
|
|
<para>Port at start of range.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><to_port></emphasis></term>
|
|
<listitem>
|
|
<para>Port at end of range.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><cidr></emphasis></term>
|
|
<listitem>
|
|
<para>CIDR for address range.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<para>For ICMP rules, instead of specifying a begin and end
|
|
port, you specify the allowed ICMP code and ICMP
|
|
type:</para>
|
|
<variablelist wordsize="10">
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><secgroup></emphasis></term>
|
|
<listitem>
|
|
<para>ID of security group.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><ip_proto></emphasis></term>
|
|
<listitem>
|
|
<para>IP protocol (with icmp specified).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><ICMP_code></emphasis></term>
|
|
<listitem>
|
|
<para>The ICMP code.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><ICMP_type></emphasis></term>
|
|
<listitem>
|
|
<para>The ICMP type.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><cidr></emphasis></term>
|
|
<listitem>
|
|
<para>CIDR for the source address range.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<note>
|
|
<para>Entering <literal>-1</literal> for both code and
|
|
type indicates that all ICMP codes and types are
|
|
allowed.</para>
|
|
</note>
|
|
<note>
|
|
<title>The CIDR notation</title>
|
|
<para>That notation allows you to specify a base IP
|
|
address and a suffix that designates the number of
|
|
significant bits in the IP address used to identify
|
|
the network. For example, by specifying a
|
|
<literal>88.170.60.32/27</literal>, you specify
|
|
<literal>88.170.60.32</literal> as the <emphasis
|
|
role="bold">base IP</emphasis> and
|
|
<literal>27</literal> as the <emphasis role="bold"
|
|
>suffix</emphasis>. Because you use an IPv4
|
|
format, only 5 bits are available for the host part
|
|
(32 minus 27). The <literal>0.0.0.0/0</literal>
|
|
notation means you allow the entire IPv4 range, which
|
|
allows all addresses.</para>
|
|
</note>
|
|
<para>For example, to allow any IP address to access a web
|
|
server running on one of your instances inside the default
|
|
security group:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule default tcp 80 80 0.0.0.0/0</userinput>
|
|
<computeroutput>+-------------+-----------+---------+-----------+--------------+
|
|
| IP Protocol | From Port | To Port | IP Range | Source Group |
|
|
+-------------+-----------+---------+-----------+--------------+
|
|
| tcp | 80 | 80 | 0.0.0.0/0 | |
|
|
+-------------+-----------+---------+-----------+--------------+</computeroutput></screen>
|
|
<para>To allow any IP address to ping an instance inside the
|
|
default security group (Code 0, Type 8 for the ECHO
|
|
request):</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule default icmp 0 8 0.0.0.0/0</userinput>
|
|
<computeroutput>+-------------+-----------+---------+-----------+--------------+
|
|
| IP Protocol | From Port | To Port | IP Range | Source Group |
|
|
+-------------+-----------+---------+-----------+--------------+
|
|
| icmp | 0 | 8 | 0.0.0.0/0 | |
|
|
+-------------+-----------+---------+-----------+--------------+</computeroutput></screen>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules default</userinput>
|
|
<computeroutput>+-------------+-----------+---------+-----------+--------------+
|
|
| IP Protocol | From Port | To Port | IP Range | Source Group |
|
|
+-------------+-----------+---------+-----------+--------------+
|
|
| tcp | 80 | 80 | 0.0.0.0/0 | |
|
|
| icmp | 0 | 8 | 0.0.0.0/0 | |
|
|
+-------------+-----------+---------+-----------+--------------+</computeroutput></screen>
|
|
<para>To delete a rule, you must specify exactly the same
|
|
arguments that you used to create it:</para>
|
|
<variablelist wordsize="10">
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><secgroup></emphasis></term>
|
|
<listitem>
|
|
<para>ID of security group.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><ip_proto></emphasis></term>
|
|
<listitem>
|
|
<para>IP protocol (icmp, tcp, udp).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><from_port></emphasis></term>
|
|
<listitem>
|
|
<para>Port at start of range.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><to_port></emphasis></term>
|
|
<listitem>
|
|
<para>Port at end of range.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><emphasis role="bold"
|
|
><cidr></emphasis></term>
|
|
<listitem>
|
|
<para>CIDR for address range.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-delete-rule default tcp 80 80 0.0.0.0/0</userinput></screen>
|
|
</section>
|
|
</section>
|