OpenStack command-line management, part 11 - security group management (notes)

Reference: official documentation

You must modify the rules for the default security group because users cannot access instances that use the default group from any IP address outside the cloud.

You can modify the rules in a security group to allow access to instances through different ports and protocols. For example, you can modify rules to allow access to instances through SSH, to ping them, or to allow UDP traffic – for example, for a DNS server running on an instance. You specify the following parameters for rules:

Source of traffic. Enable traffic to instances from either IP addresses inside the cloud from other group members or from all IP addresses.

Protocol. Choose TCP for SSH, ICMP for pings, or UDP.

Destination port on virtual machine. Defines a port range. To open a single port only, enter the same value twice. ICMP does not support ports: Enter values to define the codes and types of ICMP traffic to be allowed.

Rules are automatically enforced as soon as you create or modify them.

Note: tested; modifying either the default secgroup or a custom secgroup passes the data access test.

Help

[root@station140 ~(keystone_admin)]# nova help | grep secgroup
    add-secgroup        Add a Security Group to a server.
    list-secgroup       List Security Group(s) of a server.
    remove-secgroup     Remove a Security Group from a server.
    secgroup-add-group-rule
    secgroup-add-rule   Add a rule to a security group.
    secgroup-create     Create a security group.
    secgroup-delete     Delete a security group.
    secgroup-delete-group-rule
    secgroup-delete-rule
    secgroup-list       List security groups for the current tenant.
    secgroup-list-rules
    secgroup-update     Update a security group.

Create a custom security group

[root@station140 ~(keystone_admin)]# nova secgroup-create terry "allow ping and ssh"
+--------------------------------------+-------+--------------------+
| Id                                   | Name  | Description        |
+--------------------------------------+-------+--------------------+
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
+--------------------------------------+-------+--------------------+

List all current security groups

[root@station140 ~(keystone_admin)]# nova  secgroup-list
+--------------------------------------+---------+--------------------+
| Id                                   | Name    | Description        |
+--------------------------------------+---------+--------------------+
| 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
+--------------------------------------+---------+--------------------+

List the rules in a given group

[root@station140 ~(keystone_admin)]# nova  secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+

Adding a rule (allow ping)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Adding a rule (allow ssh)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry tcp  22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Adding a rule (allow external DNS access)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

List the custom group's rules

[root@station140 ~(keystone_admin)]# nova secgroup-list-rules terry
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Try modifying the default secgroup
List the default secgroup's rules

[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+

Add a rule (allow ping)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow ssh)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default tcp  22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow external DNS access)

[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

List the default group's rules

[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
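As an added example (not from the original post, and not a nova feature), the POSIX shell helper below parses the table that `nova secgroup-list-rules` prints, as shown above, and checks it against the three rules the post intends to allow: it reports rules open to any source address, rules not in the intended list, and intended rules that have disappeared. The table is a constructed copy of the final `default` listing; in practice you would feed it the output of `nova secgroup-list-rules default`.

```shell
# Constructed sample: the final `default` listing from the post, not a live capture.
SAMPLE_RULES='+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+'

# Intended rules, one per line as proto,from,to,range (the three rules the post adds).
EXPECTED_RULES='icmp,-1,-1,0.0.0.0/0
tcp,22,22,0.0.0.0/0
udp,53,53,0.0.0.0/0'

# Turn the ASCII table into CSV rows: proto,from,to,range,source_group.
# Border rows (+---) and the header row are dropped; cell padding is trimmed.
parse_rules() {
  printf '%s\n' "$1" | awk -F'|' '
    /^\+/ { next }
    $2 ~ /IP Protocol/ { next }
    { for (i = 2; i <= 6; i++) gsub(/^ +| +$/, "", $i)
      printf "%s,%s,%s,%s,%s\n", $2, $3, $4, $5, $6 }'
}

# CIDR-based rules that admit traffic from any source address.
world_open_rules() {
  parse_rules "$1" | awk -F',' '$4 == "0.0.0.0/0" || $4 == "::/0" { print $1 "," $2 "," $3 }'
}

# CIDR rules present in the table but absent from the expected list (drift / over-exposure).
# Source-group rows (empty IP Range) are intra-group rules and are left out of the comparison.
unexpected_rules() {
  parse_rules "$2" | awk -F',' '$4 != ""' | cut -d, -f1-4 | while IFS= read -r rule; do
    printf '%s\n' "$1" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
  done
}

# Expected rules that the table no longer contains (someone removed them).
missing_rules() {
  printf '%s\n' "$1" | while IFS= read -r rule; do
    parse_rules "$2" | cut -d, -f1-4 | grep -qxF -- "$rule" || printf '%s\n' "$rule"
  done
}

echo "Rules open to the world:"; world_open_rules "$SAMPLE_RULES"
echo "Unexpected rules:";        unexpected_rules "$EXPECTED_RULES" "$SAMPLE_RULES"
echo "Missing rules:";           missing_rules "$EXPECTED_RULES" "$SAMPLE_RULES"
```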

Remove a security group that an instance is using
nova remove-secgroup terry_instance1 terry

Note: after the virtual machine has booted, no further rules can be added.
