openstack-manuals/doc/user-guide/section_dashboard_access_and_security.xml
darrenchan b967eeb1ef Minor edit to security rules in the User Guide
Added a note about specifying protocol used with a port when adding a firewall rule.

Change-Id: I25e5ee8ad22ca89c6629375ea7acd183b8d9451d
backport: none
Closes-Bug: #1373674
2014-11-26 13:08:16 +11:00

300 lines
14 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="Launching_Instances_using_Dashboard">
<title>Configure access and security for instances</title>
<?dbhtml stop-chunking?>
<para>Before you launch an instance, you should add security group rules to
enable users to ping and use SSH to connect to the instance. Security
groups are sets of IP filter rules that define networking access and are
applied to all instances within a project. To do so, you either <link
linkend="security_groups_add_rule">add rules to the default
security group</link> or add a new security group with rules.</para>
<para>Key pairs are SSH credentials that are injected into an
instance when it is launched. To use key pair injection, the
image that the instance is based on must contain the
<literal>cloud-init</literal> package. Each project should
have at least one key pair. For more information, see <xref
linkend="keypair_add"/>.</para>
<para>If you have generated a key pair with an external tool, you
can import it into OpenStack. The key pair can be used for
multiple instances that belong to a project. For more
information, see <xref linkend="dashboard_import_keypair"
/>.</para>
<para>When an instance is created in OpenStack, it is automatically
assigned a fixed IP address in the network to which the
instance is assigned. This IP address is permanently
associated with the instance until the instance is terminated.
However, in addition to the fixed IP address, a floating IP
address can also be attached to an instance. Unlike fixed IP
addresses, floating IP addresses are able to have their
associations modified at any time, regardless of the state of
the instances involved.</para>
<section xml:id="security_groups_add_rule">
<title>Add a rule to the default security group</title>
<para>This procedure enables SSH and ICMP (ping) access to
instances. The rules apply to all instances within a given
project, and should be set for every project unless there
is a reason to prohibit SSH or ICMP access to the
instances.</para>
<para>This procedure can be adjusted as necessary to add
additional security group rules to a project, if your
cloud requires them.</para>
<procedure>
<note>
<para>When adding a rule, you must specify the protocol used
with the destination port or source port.</para>
</note>
<step>
<para>Log in to the dashboard, choose a project, and
click <guilabel>Access &amp; Security</guilabel>.
The <guilabel>Security Groups</guilabel> tab shows
the security groups that are available for this
project.</para>
</step>
<step>
<para>Select the <guilabel>default</guilabel> security
group and click <guibutton>Edit
Rules</guibutton>.</para>
</step>
<step>
<para>To allow SSH access, click <guibutton>Add
Rule</guibutton>.</para>
</step>
<step>
<para>In the Add Rule dialog box, enter the following
values:</para>
<informaltable rules="all" width="75%">
<col width="50%"/>
<col width="50%"/>
<tbody>
<tr>
<td><para><guilabel>Rule</guilabel></para></td>
<td>
<para><literal>SSH</literal></para></td>
</tr>
<tr>
<td>
<para><guilabel>Remote</guilabel>
</para></td>
<td>
<para><literal>CIDR</literal></para></td>
</tr>
<tr>
<td>
<para><guilabel>CIDR</guilabel></para></td>
<td>
<para><literal>0.0.0.0/0</literal></para>
</td>
</tr>
</tbody>
</informaltable>
<note>
<para>To accept requests from a particular range
of IP addresses, specify the IP address block
in the <guilabel>CIDR</guilabel> box.</para>
</note>
</step>
<step>
<para>Click <guibutton>Add</guibutton>.</para>
<para>Instances will now have SSH port 22 open for
requests from any IP address.</para>
</step>
<step>
<para>To add an ICMP rule, click <guibutton>Add
Rule</guibutton>.</para>
</step>
<step>
<para>In the Add Rule dialog box, enter the following
values:</para>
<informaltable rules="all" width="75%">
<col width="50%"/>
<col width="50%"/>
<tr>
<td><para><guilabel>Rule</guilabel></para></td>
<td><para><literal>All ICMP</literal></para></td>
</tr>
<tr>
<td><para><guilabel>Direction</guilabel></para></td>
<td><para><literal>Ingress</literal></para></td>
</tr>
<tr>
<td><para><guilabel>Remote</guilabel></para></td>
<td><para><literal>CIDR</literal></para></td>
</tr>
<tr>
<td><para><guilabel>CIDR</guilabel></para></td>
<td><para><literal>0.0.0.0/0</literal></para></td>
</tr>
</informaltable>
</step>
<step>
<para>Click <guibutton>Add</guibutton>.</para>
<para>Instances will now accept all incoming ICMP
packets.</para>
</step>
</procedure>
</section>
<section xml:id="keypair_add">
<title>Add a key pair</title>
<para>Create at least one key pair for each project.</para>
<procedure>
<step>
<para>Log in to the dashboard, choose a project, and
click <guilabel>Access &amp;
Security</guilabel>.</para>
</step>
<step>
<para>Click the <guilabel>Keypairs</guilabel> tab,
which shows the key pairs that are available for
this project.</para>
</step>
<step>
<para>Click <guibutton>Create
Keypair</guibutton>.</para>
</step>
<step>
<para>In the Create Keypair
dialog box, enter a name for your key pair, and
click <guibutton>Create
Keypair</guibutton>.</para>
</step>
<step>
<para>Respond to the prompt to download the key
pair.</para>
</step>
</procedure>
</section>
<section xml:id="dashboard_import_keypair">
<title>Import a key pair</title>
<procedure>
<step>
<para>Log in to the dashboard, choose a project, and
click <guilabel>Access &amp;
Security</guilabel>.</para>
</step>
<step>
<para>Click the <guilabel>Keypairs</guilabel> tab,
which shows the key pairs that are available for
this project.</para>
</step>
<step>
<para>Click <guibutton>Import
Keypair</guibutton>.</para>
</step>
<step>
<para>In the Import Keypair
dialog box, enter the name of your key pair, copy
the public key into the <guilabel>Public
Key</guilabel> box, and then click
<guibutton>Import Keypair</guibutton>.</para>
</step>
<step>
<para>Save the <filename>*.pem</filename> file
locally.</para></step>
<step><para>To change its permissions so that only
you can read and write to the file, run the
following command:</para>
<screen><prompt>$</prompt> <userinput>chmod 0600 <replaceable>yourPrivateKey</replaceable>.pem</userinput></screen>
<note>
<para>If you are using the dashboard from a
Windows computer, use PuTTYgen to load the
<filename>*.pem</filename> file and
convert and save it as
<filename>*.ppk</filename>. For more
information see the <link
xlink:href="http://winscp.net/eng/docs/ui_puttygen"
>WinSCP web page for
PuTTYgen</link>.</para>
</note>
</step>
<step>
<para>To make the key pair known to SSH, run the
<command>ssh-add</command> command.</para>
<screen><prompt>$</prompt> <userinput>ssh-add <replaceable>yourPrivateKey</replaceable>.pem</userinput></screen>
</step>
</procedure>
<para>The Compute database registers the public key of the key
pair.</para>
<para>The dashboard lists the key pair on the <guilabel>Access
&amp; Security</guilabel> tab.</para>
</section>
<section xml:id="add_floating_ip">
<title>Allocate a floating IP address to an instance</title>
<para>When an instance is created in OpenStack, it is
automatically assigned a fixed IP address in the network to
which the instance is assigned. This IP address is
permanently associated with the instance until the instance
is terminated.
</para>
<para>However, in addition to the fixed IP address, a floating
IP address can also be attached to an instance. Unlike
fixed IP addresses, floating IP addresses can have their
associations modified at any time, regardless of the state
of the instances involved. This procedure details the
reservation of a floating IP address from an existing pool
of addresses and the association of that address with a
specific instance.</para>
<procedure>
<step>
<para>Log in to the dashboard, choose a project, and click
<guilabel>Access &amp; Security</guilabel>.</para>
</step>
<step>
<para>Click the <guilabel>Floating IPs</guilabel> tab,
which shows the floating IP addresses allocated to
instances.</para>
</step>
<step>
<para>Click <guibutton>Allocate IP to Project</guibutton>.</para>
</step>
<step>
<para>Choose the pool from which to pick the IP
address.</para>
</step>
<step>
<para>Click <guibutton>Allocate IP</guibutton>.</para>
</step>
<step>
<para>In the <guilabel>Floating IPs</guilabel> list, click
<guibutton> Associate</guibutton>.</para>
</step>
<step>
<para>In the Manage Floating IP
Associations dialog box, choose the
following options: <itemizedlist>
<listitem>
<para>The <guilabel>IP Address</guilabel>
field is filled automatically, but you
can add a new IP address by clicking
the <guibutton>+</guibutton>
button.</para>
</listitem>
<listitem>
<para>In the <guilabel>Ports to be
associated</guilabel> field, select
a port from the list.</para>
<para>The list shows all the instances
with their fixed IP addresses.</para>
</listitem>
</itemizedlist>
</para>
</step>
<step>
<para>Click <guibutton>Associate</guibutton>.</para>
</step>
</procedure>
<note>
<para>To disassociate an IP address from an instance, click
the <guibutton>Disassociate</guibutton> button.</para>
<para>To release the floating IP address back into the pool of
addresses, click the <guibutton>More</guibutton>
button and select the <guilabel>Release Floating
IP</guilabel> option.</para>
</note>
</section>
</section>