2db999438d
- structural XMLfixes Change-Id: Ieebe357de841356b40c5f2456763e69e6514d672 Closes-Bug: #1419015 Closes-Bug: #1418998 Closes-Bug: #1419003
218 lines
12 KiB
XML
218 lines
12 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE section [
|
|
<!ENTITY % openstack SYSTEM "../common/entities/openstack.ent">
|
|
%openstack;
|
|
]>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="cli_configure_instances">
|
|
<title>Configure access and security for instances</title>
|
|
<?dbhtml stop-chunking?>
|
|
<para>When you launch a virtual machine, you can inject a <emphasis
|
|
role="italic">key pair</emphasis>, which provides SSH access to your
|
|
instance. For this to work, the image must contain the
|
|
<literal>cloud-init</literal> package.</para>
|
|
<para>You create at least one key pair for each project. You can use the key
|
|
pair for multiple instances that belong to that project. If you generate
|
|
a key pair with an external tool, you can import it into OpenStack.</para>
|
|
<para>If an image uses a static root password or a static key set—neither is recommended—you must not provide a key pair when you launch the instance.</para>
|
|
<para>A <emphasis role="italic">security group</emphasis> is a named
|
|
collection of network access rules that you use to limit the types of
|
|
traffic that have access to instances. When you launch an instance, you
|
|
can assign one or more security groups to it. If you do not create
|
|
security groups, new instances are automatically assigned to the default
|
|
security group, unless you explicitly specify a different security
|
|
group.</para>
|
|
<para>The associated <emphasis role="italic">rules</emphasis> in each
|
|
security group control the traffic to instances in the group. Any
|
|
incoming traffic that is not matched by a rule is denied access by
|
|
default. You can add rules to or remove rules from a security group, and
|
|
you can modify rules for the default and any other security
|
|
group.</para>
|
|
<para>You can modify the rules in a security group to allow access to
|
|
instances through different ports and protocols. For example, you can
|
|
modify rules to allow access to instances through SSH, to ping
|
|
instances, or to allow UDP traffic; for example, for a DNS server
|
|
running on an instance. You specify the following parameters for
|
|
rules:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><emphasis role="bold">Source of traffic</emphasis>.
|
|
Enable traffic to instances from either IP addresses
|
|
inside the cloud from other group members or from all
|
|
IP addresses.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Protocol</emphasis>. Choose
|
|
TCP for SSH, ICMP for pings, or UDP.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><emphasis role="bold">Destination port on virtual
|
|
machine</emphasis>. Define a port range. To open a single
|
|
port only, enter the same value twice. ICMP does not support
|
|
ports; instead, you enter values to define the codes and types
|
|
of ICMP traffic to be allowed.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>Rules are automatically enforced as soon as you create or
|
|
modify them.</para>
|
|
<note>
|
|
<para>Instances that use the default security group cannot, by default, be
|
|
accessed from any IP address outside of the cloud. If you want those IP
|
|
addresses to access the instances, you must modify the rules for the
|
|
default security group.</para>
|
|
<para>You can also assign a floating IP address to a running instance to
|
|
make it accessible from outside the cloud. See <xref
|
|
linkend="manage_ip_addresses"/>.</para></note>
|
|
<?hard-pagebreak?>
|
|
<section xml:id="create_import_keys">
|
|
<title>Add a key pair</title>
|
|
<procedure>
|
|
<para>You can generate a key pair or upload an existing public
|
|
key.</para>
|
|
<step>
|
|
<para>To generate a key pair, run the following command:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova keypair-add <replaceable>KEY_NAME</replaceable> > <replaceable>MY_KEY</replaceable>.pem</userinput></screen>
|
|
<para>The command generates a key pair with the name that you
|
|
specify for <replaceable>KEY_NAME</replaceable>, writes the
|
|
private key to the <filename>.pem</filename> file that you
|
|
specify, and registers the public key at the Nova
|
|
database.</para>
|
|
</step>
|
|
<step>
|
|
<para>To set the permissions of the <filename>.pem</filename>
|
|
file so that only you can read and write to it, run the
|
|
following command:</para>
|
|
<screen><prompt>$</prompt> <userinput>chmod 600 <replaceable>MY_KEY</replaceable>.pem</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="import_keypair_cli">
|
|
<title>Import a key pair</title>
|
|
<procedure>
|
|
<step>
|
|
<para>If you have already generated a key pair and the public
|
|
key is located at <filename>~/.ssh/id_rsa.pub</filename>,
|
|
run the following command to upload the public key:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova keypair-add --pub_key ~/.ssh/id_rsa.pub <replaceable>KEY_NAME</replaceable></userinput></screen>
|
|
<para>The command registers the public key at the Nova database
|
|
and names the key pair the name that you specify for
|
|
<literal><replaceable>KEY_NAME</replaceable></literal>.</para>
|
|
</step>
|
|
<step>
|
|
<para>To ensure that the key pair has been successfully
|
|
imported, list key pairs as follows:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova keypair-list</userinput></screen>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="configure_security_groups_rules">
|
|
<title>Create and manage security groups</title>
|
|
<procedure>
|
|
<step>
|
|
<para>To list the security groups for the current project,
|
|
including descriptions, enter the following command:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-list</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>To create a security group with a specified name
|
|
and description, enter the following
|
|
command:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-create <replaceable>SECURITY_GROUP_NAME</replaceable> <replaceable>GROUP_DESCRIPTION</replaceable></userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>To delete a specified group, enter the following
|
|
command:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-delete <replaceable>SECURITY_GROUP_NAME</replaceable> </userinput></screen>
|
|
<note>
|
|
<para>You cannot delete the default security group
|
|
for a project. Also, you cannot delete a
|
|
security group that is assigned to a running
|
|
instance.</para>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
</section>
|
|
<section xml:id="security_grp_rules_cli">
|
|
<title>Create and manage security group rules</title>
|
|
<procedure>
|
|
<para>Modify security group rules with the <command>nova
|
|
secgroup-*-rule</command> commands. Before you begin, source
|
|
the OpenStack RC file. For details, see <xref
|
|
linkend="cli_openrc"/>.</para>
|
|
<step>
|
|
<para>To list the rules for a security group, run the following
|
|
command:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules <replaceable>SECURITY_GROUP_NAME</replaceable></userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>To allow SSH access to the instances, choose one of the
|
|
following options:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Allow access from all IP addresses, specified as
|
|
IP subnet <filename>0.0.0.0/0</filename> in CIDR
|
|
notation:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule <replaceable>SECURITY_GROUP_NAME</replaceable> tcp 22 22 0.0.0.0/0</userinput></screen>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Allow access only from IP addresses from other
|
|
security groups (source groups) to access the
|
|
specified port:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule --ip_proto tcp --from_port 22 \
|
|
--to_port 22 <replaceable>SECURITY_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</step>
|
|
<step>
|
|
<para>To allow pinging of the instances, choose one of the
|
|
following options:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Allow pinging from all IP addresses, specified as
|
|
IP subnet <filename>0.0.0.0/0</filename> in CIDR
|
|
notation:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule <replaceable>SECURITY_GROUP_NAME</replaceable> icmp -1 -1 0.0.0.0/0</userinput></screen>
|
|
<para>This allows access to all codes and all types of ICMP traffic.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Allow only members of other security groups
|
|
(source groups) to ping instances:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule --ip_proto icmp --from_port -1 \
|
|
--to_port -1 <replaceable>SECURITY_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</step>
|
|
<step>
|
|
<para>To allow access through a UDP port, such as allowing
|
|
access to a DNS server that runs on a VM, choose one of the
|
|
following options:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Allow UDP access from IP addresses, specified as
|
|
IP subnet <filename>0.0.0.0/0</filename> in CIDR
|
|
notation:<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule SECURITY_GROUP_NAME udp 53 53 0.0.0.0/0</userinput></screen></para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>Allow only IP addresses from other security groups
|
|
(source groups) to access the specified port:</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule --ip_proto udp --from_port 53 \
|
|
--to_port 53 <replaceable>SECURITY_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</step>
|
|
</procedure>
|
|
<section xml:id="security_grp_rules_cli_delete">
|
|
<title>Delete a security group rule</title>
|
|
<para>To delete a security group rule, specify the
|
|
same arguments that you used to create the
|
|
rule.</para>
|
|
<para>For example, to delete the security group rule that permits SSH
|
|
access from all IP addresses, run the following command.</para>
|
|
<screen><prompt>$</prompt> <userinput>nova secgroup-delete-rule <replaceable>SECURITY_GROUP_NAME</replaceable> tcp 22 22 0.0.0.0/0</userinput></screen>
|
|
</section>
|
|
</section>
|
|
</section>
|