openstack-manuals/doc/user-guide/section_cli_nova_configure_instances.xml
Joe H. Rahme 79b76f0a3e Improves formatting
This patch removes an offending line break.

Change-Id: I38845c600ce357df1f9c28d3020755330edae83a
2014-12-05 12:00:38 +01:00

218 lines
12 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section [
<!ENTITY % openstack SYSTEM "../common/entities/openstack.ent">
%openstack;
]>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="cli_configure_instances">
<title>Configure access and security for instances</title>
<?dbhtml stop-chunking?>
<para>When you launch a virtual machine, you can inject a <emphasis
role="italic">key pair</emphasis>, which provides SSH access to your
instance. For this to work, the image must contain the
<literal>cloud-init</literal> package.</para>
<para>You create at least one key pair for each project. You can use the key
pair for multiple instances that belong to that project. If you generate
a key pair with an external tool, you can import it into OpenStack.</para>
<para>If an image uses a static root password or a static key set&mdash;neither is recommended&mdash;you must not provide a key pair when you launch the instance.</para>
<para>A <emphasis role="italic">security group</emphasis> is a named
collection of network access rules that you use to limit the types of
traffic that have access to instances. When you launch an instance, you
can assign one or more security groups to it. If you do not create
security groups, new instances are automatically assigned to the default
security group, unless you explicitly specify a different security
group.</para>
<para>The associated <emphasis role="italic">rules</emphasis> in each
security group control the traffic to instances in the group. Any
incoming traffic that is not matched by a rule is denied access by
default. You can add rules to or remove rules from a security group, and
you can modify rules for the default and any other security
group.</para>
<para>You can modify the rules in a security group to allow access to
instances through different ports and protocols. For example, you can
modify rules to allow access to instances through SSH, to ping
instances, or to allow UDP traffic; for example, for a DNS server
running on an instance. You specify the following parameters for
rules:</para>
<itemizedlist>
<listitem>
<para><emphasis role="bold">Source of traffic</emphasis>.
Enable traffic to instances from either IP addresses
inside the cloud from other group members or from all
IP addresses.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Protocol</emphasis>. Choose
TCP for SSH, ICMP for pings, or UDP.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Destination port on virtual
machine</emphasis>. Define a port range. To open a single
port only, enter the same value twice. ICMP does not support
ports; instead, you enter values to define the codes and types
of ICMP traffic to be allowed.</para>
</listitem>
</itemizedlist>
<para>Rules are automatically enforced as soon as you create or
modify them.</para>
<note>
<para>Instances that use the default security group cannot, by default, be
accessed from any IP address outside of the cloud. If you want those IP
addresses to access the instances, you must modify the rules for the
default security group.</para>
<para>You can also assign a floating IP address to a running instance to
make it accessible from outside the cloud. See <xref
linkend="manage_ip_addresses"/>.</para></note>
<?hard-pagebreak?>
<section xml:id="create_import_keys">
<title>Add a key pair</title>
<procedure>
<para>You can generate a key pair or upload an existing public
key.</para>
<step>
<para>To generate a key pair, run the following command:</para>
<screen><prompt>$</prompt> <userinput>nova keypair-add <replaceable>KEY_NAME</replaceable> > <replaceable>MY_KEY</replaceable>.pem</userinput></screen>
<para>The command generates a key pair with the name that you
specify fir <replaceable>KEY_NAME</replaceable>, writes the
private key to the <filename>.pem</filename> file that you
specify, and registers the public key at the Nova
database.</para>
</step>
<step>
<para>To set the permissions of the <filename>.pem</filename>
file so that only you can read and write to it, run the
following command:</para>
<screen><prompt>$</prompt> <userinput>chmod 600 <replaceable>MY_KEY</replaceable>.pem</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="import_keypair_cli">
<title>Import a key pair</title>
<procedure>
<step>
<para>If you have already generated a key pair and the public
key is located at <filename>~/.ssh/id_rsa.pub</filename>,
run the following command to upload the public key:</para>
<screen><prompt>$</prompt> <userinput>nova keypair-add --pub_key ~/.ssh/id_rsa.pub <replaceable>KEY_NAME</replaceable></userinput></screen>
<para>The command registers the public key at the Nova database
and names the key pair the name that you specify for
<literal><replaceable>KEY_NAME</replaceable></literal>.</para>
</step>
<step>
<para>To ensure that the key pair has been successfully
imported, list key pairs as follows:</para>
<screen><prompt>$</prompt> <userinput>nova keypair-list</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="configure_security_groups_rules">
<title>Create and manage security groups</title>
<procedure>
<step>
<para>To list the security groups for the current project,
including descriptions, enter the following command:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-list</userinput></screen>
</step>
<step>
<para>To create a security group with a specified name
and description, enter the following
command:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-create <replaceable>SECURITY_GROUP_NAME</replaceable> <replaceable>GROUP_DESCRIPTION</replaceable></userinput></screen>
</step>
<step>
<para>To delete a specified group, enter the following
command:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-delete <replaceable>SECURITY_GROUP_NAME</replaceable> </userinput></screen>
<note>
<para>You cannot delete the default security group
for a project. Also, you cannot delete a
security group that is assigned to a running
instance.</para>
</note>
</step>
</procedure>
</section>
<section xml:id="security_grp_rules_cli">
<title>Create and manage security group rules</title>
<procedure>
<para>Modify security group rules with the <command>nova
secgroup-*-rule</command> commands. Before you begin, source
the OpenStack RC file. For details, see <xref
linkend="cli_openrc"/>.</para>
<step>
<para>To list the rules for a security group, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules <replaceable>SECURITY_GROUP_NAME</replaceable></userinput></screen>
</step>
<step>
<para>To allow SSH access to the instances, choose one of the
following options:</para>
<itemizedlist>
<listitem xml:id="sec_group_rule_add">
<para>Allow access from all IP addresses, specified as
IP subnet <filename>0.0.0.0/0</filename> in CIDR
notation:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule <replaceable>SECURITY_GROUP_NAME</replaceable> tcp 22 22 0.0.0.0/0</userinput></screen>
</listitem>
<listitem xml:id="sec_group_rule_add_alt">
<para>Allow access only from IP addresses from other
security groups (source groups) to access the
specified port:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule --ip_proto tcp --from_port 22 \
--to_port 22 <replaceable>SECURITY_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
</listitem>
</itemizedlist>
</step>
<step>
<para>To allow pinging of the instances, choose one of the
following options:</para>
<itemizedlist>
<listitem>
<para>Allow pinging from all IP addresses, specified as
IP subnet <filename>0.0.0.0/0</filename> in CIDR
notation:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule <replaceable>SECURITY_GROUP_NAME</replaceable> icmp -1 -1 0.0.0.0/0</userinput></screen>
<para>This allows access to all codes and all types of ICMP traffic.</para>
</listitem>
<listitem>
<para>Allow only members of other security groups
(source groups) to ping instances:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule --ip_proto icmp --from_port -1 \
--to_port -1 <replaceable>SECURITY_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
</listitem>
</itemizedlist>
</step>
<step>
<para>To allow access through a UDP port, such as allowing
access to a DNS server that runs on a VM, choose one of the
following options:</para>
<itemizedlist>
<listitem>
<para>Allow UDP access from IP addresses, specified as
IP subnet <filename>0.0.0.0/0</filename> in CIDR
notation:<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule SECURITY_GROUP_NAME udp 53 53 0.0.0.0/0</userinput></screen></para>
</listitem>
<listitem>
<para>Allow only IP addresses from other security groups
(source groups) to access the specified port:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule --ip_proto udp --from_port 53 \
--to_port 53 <replaceable>SECURITY_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
</listitem>
</itemizedlist>
</step>
</procedure>
<section xml:id="security_grp_rules_cli_delete">
<title>Delete a security group rule</title>
<para>To delete a security group rule, specify the
same arguments that you used to create the
rule.</para>
<para>For example, to delete the security group rule that permits SSH
access from all IP addresses, run the following command.</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-delete-rule <replaceable>SECURITY_GROUP_NAME</replaceable> tcp 22 22 0.0.0.0/0</userinput></screen>
</section>
</section>
</section>