http://www.aboutyun.com/thread-8964-1-1.html
Reference: official OpenStack documentation
You must modify the rules for the default security group because users cannot access instances that use the default group from any IP address outside the cloud.
You can modify the rules in a security group to allow access to instances through different ports and protocols. For example, you can modify rules to allow access to instances through SSH, to ping them, or to allow UDP traffic – for example, for a DNS server running on an instance. You specify the following parameters for rules:
Source of traffic. Enable traffic to instances from either IP addresses inside the cloud from other group members or from all IP addresses.
Protocol. Choose TCP for SSH, ICMP for pings, or UDP.
Destination port on virtual machine. Defines a port range. To open a single port only, enter the same value twice. ICMP does not support ports: Enter values to define the codes and types of ICMP traffic to be allowed.
Rules are automatically enforced as soon as you create or modify them.
Note: verified by testing; modifying either the default secgroup or a custom secgroup lets the data-access test pass.
Help
- [root@station140 ~(keystone_admin)]# nova help | grep secgroup
- add-secgroup Add a Security Group to a server.
- list-secgroup List Security Group(s) of a server.
- remove-secgroup Remove a Security Group from a server.
- secgroup-add-group-rule
- secgroup-add-rule Add a rule to a security group.
- secgroup-create Create a security group.
- secgroup-delete Delete a security group.
- secgroup-delete-group-rule
- secgroup-delete-rule
- secgroup-list List security groups for the current tenant.
- secgroup-list-rules
- secgroup-update Update a security group.
Create a custom security group
- [root@station140 ~(keystone_admin)]# nova secgroup-create terry "allow ping and ssh"
- +--------------------------------------+-------+--------------------+
- | Id                                   | Name  | Description        |
- +--------------------------------------+-------+--------------------+
- | 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
- +--------------------------------------+-------+--------------------+
List all security groups in the current tenant
- [root@station140 ~(keystone_admin)]# nova secgroup-list
- +--------------------------------------+---------+--------------------+
- | Id                                   | Name    | Description        |
- +--------------------------------------+---------+--------------------+
- | 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
- | 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
- +--------------------------------------+---------+--------------------+
List the rules of one group (the two rows with only a Source Group are the built-in rules that let members of default reach each other)
- [root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
- +-------------+-----------+---------+----------+--------------+
- | IP Protocol | From Port | To Port | IP Range | Source Group |
- +-------------+-----------+---------+----------+--------------+
- |             |           |         |          | default      |
- |             |           |         |          | default      |
- +-------------+-----------+---------+----------+--------------+
Add a rule (allow ping; -1 -1 means all ICMP types and codes)
- [root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
- +-------------+-----------+---------+-----------+--------------+
- | IP Protocol | From Port | To Port | IP Range  | Source Group |
- +-------------+-----------+---------+-----------+--------------+
- | icmp        | -1        | -1      | 0.0.0.0/0 |              |
- +-------------+-----------+---------+-----------+--------------+
Add a rule (allow SSH)
- [root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry tcp 22 22 0.0.0.0/0
- +-------------+-----------+---------+-----------+--------------+
- | IP Protocol | From Port | To Port | IP Range  | Source Group |
- +-------------+-----------+---------+-----------+--------------+
- | tcp         | 22        | 22      | 0.0.0.0/0 |              |
- +-------------+-----------+---------+-----------+--------------+
Add a rule (allow external DNS access)
- [root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
- +-------------+-----------+---------+-----------+--------------+
- | IP Protocol | From Port | To Port | IP Range  | Source Group |
- +-------------+-----------+---------+-----------+--------------+
- | udp         | 53        | 53      | 0.0.0.0/0 |              |
- +-------------+-----------+---------+-----------+--------------+
List the rules of the custom group
- [root@station140 ~(keystone_admin)]# nova secgroup-list-rules terry
- +-------------+-----------+---------+-----------+--------------+
- | IP Protocol | From Port | To Port | IP Range  | Source Group |
- +-------------+-----------+---------+-----------+--------------+
- | tcp         | 22        | 22      | 0.0.0.0/0 |              |
- | udp         | 53        | 53      | 0.0.0.0/0 |              |
- | icmp        | -1        | -1      | 0.0.0.0/0 |              |
- +-------------+-----------+---------+-----------+--------------+
Try modifying the default secgroup
List the default secgroup rules
- [root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
- +-------------+-----------+---------+----------+--------------+
- | IP Protocol | From Port | To Port | IP Range | Source Group |
- +-------------+-----------+---------+----------+--------------+
- |             |           |         |          | default      |
- |             |           |         |          | default      |
- +-------------+-----------+---------+----------+--------------+
Add a rule (allow ping)
- [root@station140 ~(keystone_admin)]# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
- +-------------+-----------+---------+-----------+--------------+
- | IP Protocol | From Port | To Port | IP Range  | Source Group |
- +-------------+-----------+---------+-----------+--------------+
- | icmp        | -1        | -1      | 0.0.0.0/0 |              |
- +-------------+-----------+---------+-----------+--------------+
Add a rule (allow SSH)
- [root@station140 ~(keystone_admin)]# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
- +-------------+-----------+---------+-----------+--------------+
- | IP Protocol | From Port | To Port | IP Range  | Source Group |
- +-------------+-----------+---------+-----------+--------------+
- | tcp         | 22        | 22      | 0.0.0.0/0 |              |
- +-------------+-----------+---------+-----------+--------------+
Add a rule (allow external DNS access)
- [root@station140 ~(keystone_admin)]# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
- +-------------+-----------+---------+-----------+--------------+
- | IP Protocol | From Port | To Port | IP Range  | Source Group |
- +-------------+-----------+---------+-----------+--------------+
- | udp         | 53        | 53      | 0.0.0.0/0 |              |
- +-------------+-----------+---------+-----------+--------------+
List the default group's rules
- [root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
- +-------------+-----------+---------+-----------+--------------+
- | IP Protocol | From Port | To Port | IP Range  | Source Group |
- +-------------+-----------+---------+-----------+--------------+
- |             |           |         |           | default      |
- | icmp        | -1        | -1      | 0.0.0.0/0 |              |
- | tcp         | 22        | 22      | 0.0.0.0/0 |              |
- |             |           |         |           | default      |
- | udp         | 53        | 53      | 0.0.0.0/0 |              |
- +-------------+-----------+---------+-----------+--------------+
Remove a security group from an instance that is using it
- nova remove-secgroup terry_instance1 terry
Note (original observation): once the virtual machine had been started, further rules could not be added. This does not match the official text quoted at the top of this page, which says rules are enforced as soon as they are created or modified: a rule added to a group that is already attached to a running instance normally takes effect without a reboot. If it does not, check the security-group firewall driver configuration on the compute node rather than rebooting instances.
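The rules added above open ICMP, SSH and DNS to 0.0.0.0/0, which is fine for a connectivity test but is exactly what an audit should flag on a production default group. The following Python is an added example, not code from this page or from OpenStack: it parses the nova secgroup-list-rules table exactly as printed above (embedded as a constructed sample), reports every rule whose source is a /0, checks whether a given port is reachable from anywhere, and rebuilds the nova secgroup-add-rule line with a narrower source. The 192.0.2.0/24 management network used in the usage is an assumed value.

```python
"""Audit `nova secgroup-list-rules` output for rules open to the whole Internet.

Added example: it parses the CLI's ASCII table offline and never calls nova.
"""
import ipaddress

# Constructed sample: the listing of the modified `default` group from this page.
SAMPLE_RULES = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""


def parse_rules(table):
    """Turn the ASCII table into a list of dicts keyed by the header cells."""
    header, rows = None, []
    for line in table.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def is_world_open(rule):
    """True when the rule's IP Range is a /0, i.e. any IPv4 or IPv6 source."""
    cidr = rule["IP Range"]
    if not cidr:
        return False  # source-group rule: members of a group, not a CIDR
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_rules(table):
    return [r for r in parse_rules(table) if is_world_open(r)]


def exposes_port(table, proto, port):
    """True if a world-open rule for `proto` covers `port`.

    ICMP rules use -1/-1 for "all types and codes"; that counts as a match.
    """
    for r in world_open_rules(table):
        if r["IP Protocol"] != proto:
            continue
        lo, hi = int(r["From Port"]), int(r["To Port"])
        if lo == -1 or lo <= port <= hi:
            return True
    return False


def tightened_command(group, rule, source_cidr):
    """Rebuild the page's `nova secgroup-add-rule` line with a narrower source.

    `source_cidr` is an assumed management network; it is validated as a CIDR
    but not checked against anything in the cloud.
    """
    ipaddress.ip_network(source_cidr)  # raises ValueError on a malformed CIDR
    return "nova secgroup-add-rule {} {} {} {} {}".format(
        group, rule["IP Protocol"], rule["From Port"], rule["To Port"], source_cidr
    )


if __name__ == "__main__":
    for r in world_open_rules(SAMPLE_RULES):
        print("world-open:", r["IP Protocol"], r["From Port"], r["To Port"])
        print("  replace with:", tightened_command("default", r, "192.0.2.0/24"))
```

After adding the narrower rule, delete the world-open one with nova secgroup-delete-rule using the same protocol, port range and CIDR arguments, then re-run nova secgroup-list-rules to confirm; as the quoted documentation says, both changes apply immediately to instances in the group.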
OpenStack command-line management: internal (instance-only) network management
IP help
- [root@station140 ~(keystone_admin)]# nova help | grep ip
- add-fixed-ip Add new IP address on a network to server.
- add-floating-ip Add a floating IP address to a server.
- cloudpipe-configure
- Update the VPN IP/port of a cloudpipe instance.
- cloudpipe-create Create a cloudpipe instance for the given project.
- cloudpipe-list Print a list of all cloudpipe instances.
- dns-create Create a DNS entry for domain, name and ip.
- dns-list List current DNS entries for domain and ip or domain
- fixed-ip-get Retrieve info on a fixed ip.
- fixed-ip-reserve Reserve a fixed IP.
- fixed-ip-unreserve Unreserve a fixed IP.
- floating-ip-bulk-create
- Bulk create floating ips by range.
- floating-ip-bulk-delete
- Bulk delete floating ips by range.
- floating-ip-bulk-list
- List all floating ips.
- floating-ip-create Allocate a floating IP for the current tenant.
- floating-ip-delete De-allocate a floating IP.
- floating-ip-list List floating ips for this tenant.
- floating-ip-pool-list
- List all floating ip pools.
- remove-fixed-ip Remove an IP address from a server.
- remove-floating-ip Remove a floating IP address from a server.
Network management help
- [root@station140 ~(keystone_admin)]# nova help | grep network
- interface-attach Attach a network interface to an instance.
- interface-detach Detach a network interface from an instance.
- network-associate-host
- Associate host with network.
- network-associate-project
- Associate project with network.
- network-create Create a network.
- network-disassociate
- network.
- network-list Print a list of available networks.
- network-show Show details about the given network.
- reset-network Reset network of an instance.
- Add a network interface to a baremetal node.
- List network interfaces associated with a baremetal
- Remove a network interface from a baremetal node.
- net Show a network
- net-create Create a network
- net-delete Delete a network
- net-list List networks
Show the current OpenStack networks
- [root@station140 ~(keystone_admin)]# nova network-list
- +--------------------------------------+---------+------+
- | ID                                   | Label   | Cidr |
- +--------------------------------------+---------+------+
- | 68a1d874-e7bd-42e2-9f86-8eb0b0b4b8fd | public  | None |
- | e8e14001-44d9-4ab1-a462-ea621b8a4746 | private | None |
- +--------------------------------------+---------+------+
According to the official OpenStack documentation, some older versions require exporting the variables below before creating networks. On the H (Havana) version used here they can be omitted, because the sourced keystonerc file (the (keystone_admin) shown in the prompt) already exports the same OS_* credentials:
- export OS_USERNAME=admin
- export OS_PASSWORD=password
- export OS_TENANT_NAME=admin
- export OS_AUTH_URL=http://localhost:5000/v2.0
Another way to list networks (neutron; this one also shows the subnet IDs and CIDRs)
- [root@station140 ~(network_admin)]# neutron net-list
- +--------------------------------------+---------+------------------------------------------------------+
- | id                                   | name    | subnets                                              |
- +--------------------------------------+---------+------------------------------------------------------+
- | 68a1d874-e7bd-42e2-9f86-8eb0b0b4b8fd | public  | ce0a4a92-5c23-4557-ad67-97560ab5afa1 172.24.4.224/28 |
- | e8e14001-44d9-4ab1-a462-ea621b8a4746 | private | 79fdeabd-7f8a-4619-a17d-87864ccdfa80 10.0.0.0/24     |
- +--------------------------------------+---------+------------------------------------------------------+
Show the details of one network
- [root@station140 ~(network_admin)]# neutron net-show public
- +---------------------------+--------------------------------------+
- | Field                     | Value                                |
- +---------------------------+--------------------------------------+
- | admin_state_up            | True                                 |
- | id                        | 68a1d874-e7bd-42e2-9f86-8eb0b0b4b8fd |
- | name                      | public                               |
- | provider:network_type     | local                                |
- | provider:physical_network |                                      |
- | provider:segmentation_id  |                                      |
- | router:external           | True                                 |
- | shared                    | False                                |
- | status                    | ACTIVE                               |
- | subnets                   | ce0a4a92-5c23-4557-ad67-97560ab5afa1 |
- | tenant_id                 | e3a71a59840c4e88b8740b789c3afb9c     |
- +---------------------------+--------------------------------------+
Show the loaded network extensions (security-group is among them, which is what lets the rules above apply to neutron ports)
- [root@station140 ~(keystone_admin)]# neutron ext-list
- +-----------------------+-----------------------------------------------+
- | alias                 | name                                          |
- +-----------------------+-----------------------------------------------+
- | ext-gw-mode           | Neutron L3 Configurable external gateway mode |
- | security-group        | security-group                                |
- | l3_agent_scheduler    | L3 Agent Scheduler                            |
- | provider              | Provider Network                              |
- | binding               | Port Binding                                  |
- | quotas                | Quota management support                      |
- | agent                 | agent                                         |
- | dhcp_agent_scheduler  | DHCP Agent Scheduler                          |
- | external-net          | Neutron external network                      |
- | router                | Neutron L3 Router                             |
- | allowed-address-pairs | Allowed Address Pairs                         |
- | extra_dhcp_opt        | Neutron Extra DHCP opts                       |
- | extraroute            | Neutron Extra Route                           |
- +-----------------------+-----------------------------------------------+
Create a private network
- [root@station140 ~(network_admin)]# neutron net-create net1
- Created a new network:
- +---------------------------+--------------------------------------+
- | Field                     | Value                                |
- +---------------------------+--------------------------------------+
- | admin_state_up            | True                                 |
- | id                        | d0e3f988-d62f-4f95-ab21-b73f4dae326b |
- | name                      | net1                                 |
- | provider:network_type     | local                                |
- | provider:physical_network |                                      |
- | provider:segmentation_id  |                                      |
- | shared                    | False                                |
- | status                    | ACTIVE                               |
- | subnets                   |                                      |
- | tenant_id                 | e3a71a59840c4e88b8740b789c3afb9c     |
- +---------------------------+--------------------------------------+
Show the details of net1 (no subnet yet)
- [root@station140 ~(keystone_admin)]# neutron net-show net1
- +---------------------------+--------------------------------------+
- | Field                     | Value                                |
- +---------------------------+--------------------------------------+
- | admin_state_up            | True                                 |
- | id                        | d0e3f988-d62f-4f95-ab21-b73f4dae326b |
- | name                      | net1                                 |
- | provider:network_type     | local                                |
- | provider:physical_network |                                      |
- | provider:segmentation_id  |                                      |
- | router:external           | False                                |
- | shared                    | False                                |
- | status                    | ACTIVE                               |
- | subnets                   |                                      |
- | tenant_id                 | e3a71a59840c4e88b8740b789c3afb9c     |
- +---------------------------+--------------------------------------+
Create a subnet on the private network net1 (DHCP pool 10.0.0.50-10.0.0.100, no gateway)
- [root@station140 ~(network_admin)]# neutron subnet-create --name terry_pri_net1 --allocation-pool start=10.0.0.50,end=10.0.0.100 --no-gateway --ip-version 4 net1 10.0.0.0/24
- Created a new subnet:
- +------------------+---------------------------------------------+
- | Field            | Value                                       |
- +------------------+---------------------------------------------+
- | allocation_pools | {"start": "10.0.0.50", "end": "10.0.0.100"} |
- | cidr             | 10.0.0.0/24                                 |
- | dns_nameservers  |                                             |
- | enable_dhcp      | True                                        |
- | gateway_ip       |                                             |
- | host_routes      |                                             |
- | id               | 3066c397-bccf-4473-8a94-72b09a97a70a        |
- | ip_version       | 4                                           |
- | name             | terry_pri_net1                              |
- | network_id       | d0e3f988-d62f-4f95-ab21-b73f4dae326b        |
- | tenant_id        | e3a71a59840c4e88b8740b789c3afb9c            |
- +------------------+---------------------------------------------+
Show the details of net1 again (the subnet is now attached)
- [root@station140 ~(keystone_admin)]# neutron net-show net1
- +---------------------------+--------------------------------------+
- | Field                     | Value                                |
- +---------------------------+--------------------------------------+
- | admin_state_up            | True                                 |
- | id                        | d0e3f988-d62f-4f95-ab21-b73f4dae326b |
- | name                      | net1                                 |
- | provider:network_type     | local                                |
- | provider:physical_network |                                      |
- | provider:segmentation_id  |                                      |
- | router:external           | False                                |
- | shared                    | False                                |
- | status                    | ACTIVE                               |
- | subnets                   | 3066c397-bccf-4473-8a94-72b09a97a70a |
- | tenant_id                 | e3a71a59840c4e88b8740b789c3afb9c     |
- +---------------------------+--------------------------------------+
Note that the subnets value now shown for net1, 3066c397-bccf-4473-8a94-72b09a97a70a, is the ID of the subnet terry_pri_net1 created above. Note also that this subnet's CIDR, 10.0.0.0/24, is the same as the existing private network's subnet in the neutron net-list output earlier: Neutron accepts overlapping CIDRs on separate networks, but two overlapping subnets cannot be attached to the same router, so check for overlap before choosing a CIDR.
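Because net1's 10.0.0.0/24 duplicates the CIDR already used by the private network, it is worth checking a proposed subnet against what neutron net-list reports before running neutron subnet-create. The following Python is an added example, not code from this page or from Neutron: it parses the neutron net-list table (embedded as a constructed sample from this page), lists existing subnets that overlap a proposed CIDR, and validates an --allocation-pool the way the subnet-create command above uses one (both ends inside the CIDR, in order, and neither the network nor the broadcast address).

```python
"""Check a proposed subnet CIDR and allocation pool against `neutron net-list`.

Added example: it parses the CLI's ASCII table offline and never calls neutron.
"""
import ipaddress

# Constructed sample: the `neutron net-list` output shown on this page.
NET_LIST = """\
+--------------------------------------+---------+------------------------------------------------------+
| id                                   | name    | subnets                                              |
+--------------------------------------+---------+------------------------------------------------------+
| 68a1d874-e7bd-42e2-9f86-8eb0b0b4b8fd | public  | ce0a4a92-5c23-4557-ad67-97560ab5afa1 172.24.4.224/28 |
| e8e14001-44d9-4ab1-a462-ea621b8a4746 | private | 79fdeabd-7f8a-4619-a17d-87864ccdfa80 10.0.0.0/24     |
+--------------------------------------+---------+------------------------------------------------------+
"""


def parse_net_list(table):
    """Return [(network_name, subnet_id, ip_network)] for every listed subnet."""
    out, last_name = [], None
    for line in table.splitlines():
        if not line.startswith("|"):
            continue  # border lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "id":
            continue  # header row
        # A network with several subnets is printed as extra rows whose id and
        # name cells are empty, one "<subnet-id> <cidr>" pair per row.
        name, subnets = cells[1] or last_name, cells[2]
        last_name = name
        if subnets:
            sid, cidr = subnets.split()
            out.append((name, sid, ipaddress.ip_network(cidr)))
    return out


def overlapping_subnets(table, proposed_cidr):
    """Existing subnets whose address range intersects `proposed_cidr`."""
    new = ipaddress.ip_network(proposed_cidr, strict=False)
    return [
        (name, sid, str(net))
        for name, sid, net in parse_net_list(table)
        if net.version == new.version and net.overlaps(new)
    ]


def pool_within_cidr(cidr, start, end):
    """Validate an --allocation-pool: both ends inside the subnet, ordered,
    and not the network or broadcast address."""
    net = ipaddress.ip_network(cidr, strict=False)
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return (
        lo.version == net.version
        and hi.version == net.version
        and lo in net
        and hi in net
        and lo <= hi
        and lo != net.network_address
        and hi != net.broadcast_address
    )


if __name__ == "__main__":
    # The page creates net1 with 10.0.0.0/24, which "private" already uses.
    print(overlapping_subnets(NET_LIST, "10.0.0.0/24"))
    print(pool_within_cidr("10.0.0.0/24", "10.0.0.50", "10.0.0.100"))
```

An empty result from overlapping_subnets means the CIDR is safe to attach to the same router as the listed networks; a non-empty one means the new subnet will only work in isolation.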