Managing security groups

At this point, you may think that you should be able to connect to your instance. Not quite yet. There is a layer of security built into OpenStack called security groups. Security groups are firewalls that can be assigned to one or more instances. You can define multiple security groups; you can assign multiple instances to a security group; you can even assign multiple security groups to a running instance. A security group named default is created for each project when the project is created. List the existing security groups and you will see several, one per project, each with the description Default security group. Then list the rules in the project you are authenticating to:

undercloud# neutron security-group-list
undercloud# openstack security group rule list

If you list all projects that exist and get their IDs, they should map to the project IDs that the security groups you have just listed are assigned to. When you list the rules defined in a security group and do not pass a specific project, you will get a list of the rules in the project you are authenticating to. If you want to see the rules for a specific security group, just pass the UUID of the security group you are interested in; grep is a good tool for this once your project list grows larger. Here are the commands to grep the ID of the project created in Chapter 2, Identity Management, then get the security group ID of the project's default security group, and finally to list its security group rules:

undercloud# openstack project list | grep danradez
undercloud# openstack security group list | grep {uuid_of_project}
undercloud# openstack security group rule list {uuid_of_sec_group}

As you can see, the rules added to the default security group are pretty basic and the output from this list is nearly empty. Those rules restrict all incoming traffic from the outside. Ingress is incoming traffic to an instance, and only incoming traffic from instances within the security group itself is allowed. Egress is outgoing traffic, and all outgoing traffic is allowed by default. Let's add a few rules to allow some external traffic to connect to the instance:

undercloud# openstack security group rule create --proto tcp --dst-port 22 default

This rule will allow all incoming SSH traffic on port 22 to be passed to instances in the default security group. If you try this with the admin's overcloudrc file sourced, you will add the rule to the admin project's default security group. If you run it with the credentials of the project you created sourced, then it will be added to that project's default security group. Let's add a rule to allow us to ping the host too:

undercloud# openstack security group rule create --proto icmp default

As mentioned earlier, you can also have more than one security group. You can create a new security group with the security group create command (the equivalent of Neutron's security-group-create), as follows:

undercloud# openstack security group create new_secgroup

If, for some reason, the default group did not get created, that command could add it for you if you name it default. If you create additional security groups, then other rules could be added to those groups, for example, a rule to allow access to port 80 for web traffic:

undercloud# openstack security group rule create --proto tcp --dst-port 80 new_secgroup

Now, when an instance is launched, the option --security-groups could be passed. The value given to it could be default or new_secgroup or default, new_secgroup. The respective traffic would be allowed based on what combination of security groups was assigned to the new instance being booted. If you do not pass this option, the default security group will automatically be the group assigned to the new instance.
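To make the ingress/egress defaults and the effect of assigning several groups concrete, here is an added example that models how the rules created above are evaluated. It is illustrative code written for this chapter, not OpenStack or Neutron code; the group and rule semantics (allow-list only, egress open by default, ingress from members of the same group, union of all assigned groups) follow the text, and the addresses and packets are constructed sample input.

```python
# Added example: a small model of Neutron security-group evaluation.
# Not OpenStack code; semantics follow the text: groups are allow-lists,
# ingress is dropped unless a rule matches, egress is open by default, and
# every group assigned to an instance contributes its rules (a union).
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

ANY_V4 = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    direction: str                          # "ingress" or "egress"
    protocol: Optional[str] = None          # "tcp", "udp", "icmp"; None matches any protocol
    port_min: Optional[int] = None          # destination port range; None matches any port
    port_max: Optional[int] = None
    remote_ip_prefix: Optional[str] = None  # CIDR the peer address must fall in, or ...
    remote_group: Optional[str] = None      # ... a group the peer instance must belong to


@dataclass
class SecurityGroup:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    direction: str              # seen from the instance: "ingress" or "egress"
    protocol: str
    port: Optional[int]         # destination port (None for icmp)
    peer_ip: str                # address of the other end of the connection
    peer_groups: FrozenSet[str] = frozenset()  # groups of the peer, if it is another instance


def default_security_group() -> SecurityGroup:
    """Rules Neutron seeds into a project's 'default' group: all egress allowed,
    ingress only from instances that are themselves members of 'default'."""
    return SecurityGroup("default", [
        Rule("egress", remote_ip_prefix=ANY_V4),
        Rule("ingress", remote_group="default"),
    ])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if this single rule permits the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_min is not None:
        if pkt.port is None or not (rule.port_min <= pkt.port <= rule.port_max):
            return False
    if rule.remote_group is not None:
        return rule.remote_group in pkt.peer_groups
    if rule.remote_ip_prefix is not None:
        return ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.remote_ip_prefix)
    return True


def is_allowed(groups: List[SecurityGroup], pkt: Packet) -> bool:
    """Security groups only ever allow: the packet passes if any rule of any assigned group matches."""
    return any(rule_matches(r, pkt) for g in groups for r in g.rules)


def build_groups() -> dict:
    """Reproduce the groups and rules created by the commands in the text."""
    default = default_security_group()
    # openstack security group rule create --proto tcp --dst-port 22 default
    default.rules.append(Rule("ingress", "tcp", 22, 22, remote_ip_prefix=ANY_V4))
    # openstack security group rule create --proto icmp default
    default.rules.append(Rule("ingress", "icmp", remote_ip_prefix=ANY_V4))
    # openstack security group create new_secgroup  (a new group starts with egress only)
    new_secgroup = SecurityGroup("new_secgroup", [Rule("egress", remote_ip_prefix=ANY_V4)])
    # openstack security group rule create --proto tcp --dst-port 80 new_secgroup
    new_secgroup.rules.append(Rule("ingress", "tcp", 80, 80, remote_ip_prefix=ANY_V4))
    return {"default": default, "new_secgroup": new_secgroup}


def check(assigned: List[str], pkt: Packet) -> bool:
    """Evaluate a packet against the groups an instance was booted with (--security-groups)."""
    groups = build_groups()
    return is_allowed([groups[name] for name in assigned], pkt)


if __name__ == "__main__":
    outside = "203.0.113.5"  # constructed external address (TEST-NET-3)
    ssh = Packet("ingress", "tcp", 22, outside)
    http = Packet("ingress", "tcp", 80, outside)
    ping = Packet("ingress", "icmp", None, outside)
    # HTTP from another instance that is itself in 'default': passes via the remote-group rule
    http_from_peer = Packet("ingress", "tcp", 80, "10.0.0.7", frozenset({"default"}))
    for assigned in (["default"], ["new_secgroup"], ["default", "new_secgroup"]):
        print(assigned, "ssh:", check(assigned, ssh), "http:", check(assigned, http),
              "ping:", check(assigned, ping), "http-from-peer:", check(assigned, http_from_peer))
```

Running it shows the combinations the text describes: an instance in default alone accepts SSH and ping from outside but not HTTP, an instance in new_secgroup alone accepts only HTTP, and an instance booted with both accepts all three. The remote-group rule is the one that matters when you wonder why instances in the same project can talk to each other on every port while the outside world cannot.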
