OpenStack command-line management 11 - security group management (notes)
Source: Internet | Published under: tensorflow on spark | Editor: 程序博客网 | Time: 2024/06/06 00:21
Reference: official documentation
You must modify the rules for the default security group because users cannot access instances that use the default group from any IP address outside the cloud. You can modify the rules in a security group to allow access to instances through different ports and protocols. For example, you can modify rules to allow access to instances through SSH, to ping them, or to allow UDP traffic – for example, for a DNS server running on an instance. You specify the following parameters for rules:
- Source of traffic. Enable traffic to instances from either IP addresses inside the cloud from other group members or from all IP addresses.
- Protocol. Choose TCP for SSH, ICMP for pings, or UDP.
- Destination port on virtual machine. Defines a port range. To open a single port only, enter the same value twice. ICMP does not support ports: enter values to define the codes and types of ICMP traffic to be allowed.
Rules are automatically enforced as soon as you create or modify them.
Note: tested; both modifying the default secgroup and using a custom secgroup pass the data-access test.
Help
[root@station140 ~(keystone_admin)]# nova help | grep secgroup
    add-secgroup        Add a Security Group to a server.
    list-secgroup       List Security Group(s) of a server.
    remove-secgroup     Remove a Security Group from a server.
    secgroup-add-group-rule
    secgroup-add-rule   Add a rule to a security group.
    secgroup-create     Create a security group.
    secgroup-delete     Delete a security group.
    secgroup-delete-group-rule
    secgroup-delete-rule
    secgroup-list       List security groups for the current tenant.
    secgroup-list-rules
    secgroup-update     Update a security group.
Create a custom security group
[root@station140 ~(keystone_admin)]# nova secgroup-create terry "allow ping and ssh"
+--------------------------------------+-------+--------------------+
| Id                                   | Name  | Description        |
+--------------------------------------+-------+--------------------+
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
+--------------------------------------+-------+--------------------+
List all current security groups
[root@station140 ~(keystone_admin)]# nova secgroup-list
+--------------------------------------+---------+--------------------+
| Id                                   | Name    | Description        |
+--------------------------------------+---------+--------------------+
| 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
+--------------------------------------+---------+--------------------+
List the rules in a group
[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
Adding a rule (allow ping)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Adding a rule (allow SSH)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Adding a rule (allow external DNS access)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
List the custom group's rules
[root@station140 ~(keystone_admin)]# nova secgroup-list-rules terry
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Try modifying the default secgroup
List the default secgroup rules
[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
Add a rule (allow ping)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (allow SSH)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (allow external DNS access)
[root@station140 ~(keystone_admin)]# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
List the default group's rules
[root@station140 ~(keystone_admin)]# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
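The rule listings above mix two kinds of entries: group-scoped rules (blank protocol, "default" in Source Group), which only admit traffic from other members of that group, and CIDR-scoped rules, which in every command on this page use 0.0.0.0/0 and therefore admit any address. As an added example (not code from the original post or from OpenStack itself), the following Python script parses the ASCII table that `nova secgroup-list-rules` prints, describes each rule in the terms the official documentation uses (source of traffic, protocol, port range, ICMP -1/-1 meaning all types and codes), and lists a scoped replacement command for every world-open rule. The sample table is re-typed from the rules shown above, the function names are assumptions, and 203.0.113.0/24 is a documentation prefix standing in for an administrative network.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the table shape that `nova secgroup-list-rules`
# prints, re-typed from the rules shown on this page (not captured live).
SAMPLE_OUTPUT = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""

# CIDRs that mean "every address" for IPv4 and IPv6.
WORLD = ("0.0.0.0/0", "::/0")

EXPECTED_HEADER = ["IP Protocol", "From Port", "To Port", "IP Range", "Source Group"]


@dataclass
class Rule:
    protocol: str             # "tcp", "udp", "icmp", or "" for a group-only entry
    from_port: Optional[int]  # None when the cell is blank
    to_port: Optional[int]
    cidr: str                 # "IP Range" column; "" when the rule is group-scoped
    source_group: str         # "Source Group" column; "" when CIDR-scoped


def parse_rules(table: str) -> List[Rule]:
    """Parse the ASCII table into Rule objects; +---+ border lines are skipped."""
    rows = [ln.strip() for ln in table.splitlines() if ln.lstrip().startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    if header != EXPECTED_HEADER:
        raise ValueError(f"unexpected header: {header}")
    rules = []
    for row in rows[1:]:
        proto, fp, tp, cidr, grp = [c.strip() for c in row.strip("|").split("|")]
        rules.append(Rule(proto.lower(),
                          int(fp) if fp else None,
                          int(tp) if tp else None,
                          cidr, grp))
    return rules


def describe_ports(rule: Rule) -> str:
    """Port description following the page's conventions: ICMP -1/-1 means
    every type and code; equal From/To means a single port."""
    if rule.protocol == "icmp":
        if rule.from_port == -1 and rule.to_port == -1:
            return "all ICMP types/codes"
        return f"ICMP type {rule.from_port} code {rule.to_port}"
    if rule.from_port == rule.to_port:
        return f"{rule.protocol}/{rule.from_port}"
    return f"{rule.protocol}/{rule.from_port}-{rule.to_port}"


def exposure(rule: Rule) -> str:
    """Who can reach the instance under this rule (the doc's 'source of traffic')."""
    if rule.source_group:
        return f"members of security group '{rule.source_group}' only"
    if rule.cidr in WORLD:
        return "any address (world-open)"
    return f"addresses in {rule.cidr}"


def world_open_rules(rules: List[Rule]) -> List[Rule]:
    """Rules whose source is every IP address rather than a group or a narrower CIDR."""
    return [r for r in rules if not r.source_group and r.cidr in WORLD]


def scoped_add_rule(group: str, rule: Rule, cidr: str) -> str:
    """Equivalent `nova secgroup-add-rule` line restricted to `cidr`, in the
    argument order used on this page: group protocol from-port to-port cidr."""
    return f"nova secgroup-add-rule {group} {rule.protocol} {rule.from_port} {rule.to_port} {cidr}"


def audit(group: str, table: str, admin_cidr: str) -> List[str]:
    """One report line per rule, then a scoped replacement for each world-open rule."""
    rules = parse_rules(table)
    lines = []
    for rule in rules:
        what = describe_ports(rule) if rule.protocol else "all traffic"
        lines.append(f"{group}: {what} from {exposure(rule)}")
    for rule in world_open_rules(rules):
        lines.append("  replace with: " + scoped_add_rule(group, rule, admin_cidr))
    return lines


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation prefix standing in for the admin network.
    for line in audit("default", SAMPLE_OUTPUT, "203.0.113.0/24"):
        print(line)
```

In practice the table would come from `nova secgroup-list-rules <group>` piped into the script; the scoped commands it prints keep the same protocol and port range and only narrow the IP Range column, which is the parameter the official text calls "source of traffic".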
Remove a security group in use by an instance
nova remove-secgroup terry_instance1 terry
Note: after the VM has started, no further rules can be added.