1. How do I create a custom security group?
2. How do I view security groups?
3. How do I list the security rules in a group?
4. How do I add a rule (allow ping)?

Note: tested and passed. Modifying the default secgroup or using a custom secgroup both complete the data-access test.

Help
[root@station140 ~(keystone_admin)]# nova help | grep secgroup
    add-secgroup        Add a Security Group to a server.
    list-secgroup       List Security Group(s) of a server.
    remove-secgroup     Remove a Security Group from a server.
    secgroup-add-group-rule
    secgroup-add-rule   Add a rule to a security group.
    secgroup-create     Create a security group.
    secgroup-delete     Delete a security group.
    secgroup-delete-group-rule
    secgroup-delete-rule
    secgroup-list       List security groups for the current tenant.
    secgroup-list-rules
    secgroup-update     Update a security group.
Create a custom security group

[root@ ]# nova secgroup-create terry "allow ping and ssh"
+--------------------------------------+-------+--------------------+
| Id                                   | Name  | Description        |
+--------------------------------------+-------+--------------------+
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
+--------------------------------------+-------+--------------------+
List all current security groups

[root@ ]# nova secgroup-list
+--------------------------------------+---------+--------------------+
| Id                                   | Name    | Description        |
+--------------------------------------+---------+--------------------+
| 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
+--------------------------------------+---------+--------------------+
List the security rules in a group

# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
Add a rule (allow ping)

# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (allow ssh)

# nova secgroup-add-rule terry tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow external DNS access)

# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
List the custom group's rules

# nova secgroup-list-rules terry
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Try modifying the default secgroup

List the default secgroup's rules

# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
Add a rule (allow ping)

# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (allow ssh)

# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow external DNS access)

# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
List the default group's rules

# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
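The following is an added example, written in Python and not part of the original post, covering both the custom `terry` group and the `default` group procedures above. It parses the ASCII table that `nova secgroup-list-rules` prints (column layout taken from the output shown in the post; that layout is the only assumption about the CLI), flags every rule that accepts traffic from 0.0.0.0/0 with TCP/22 called out separately, and works out which of a desired rule set are still missing so that `nova secgroup-add-rule` is only issued for those and the add steps can be re-run without creating duplicate rules. The two sample tables embedded in it are constructed to match the post's listings.

```python
"""Audit and reconcile nova security-group rules from `nova secgroup-list-rules` output.

Added example; not code from the original post. The table format is the one the
nova CLI prints in the post; the sample tables below are constructed to match.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the `terry` group after the icmp, tcp/22 and udp/53 rules were added.
SAMPLE_TERRY = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""

# Constructed sample: the untouched `default` group, which only carries source-group rules.
SAMPLE_DEFAULT = """\
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
"""

EXPECTED_HEADER = ["IP Protocol", "From Port", "To Port", "IP Range", "Source Group"]


@dataclass(frozen=True)
class Rule:
    protocol: str             # "tcp", "udp", "icmp", or "" for a source-group rule
    from_port: Optional[int]  # None when the CLI prints an empty cell
    to_port: Optional[int]
    ip_range: str             # CIDR, or "" for a source-group rule
    source_group: str         # group name, or "" for a CIDR rule


def _port(cell: str) -> Optional[int]:
    return int(cell) if cell else None


def parse_rule_table(text: str) -> List[Rule]:
    """Turn the `nova secgroup-list-rules` ASCII table into Rule objects."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # border lines start with "+"
        rows.append([c.strip() for c in line.strip().strip("|").split("|")])
    if not rows or rows[0] != EXPECTED_HEADER:
        raise ValueError(f"unexpected table header: {rows[:1]}")
    return [Rule(p, _port(f), _port(t), r, g) for p, f, t, r, g in rows[1:]]


def wide_open_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that accept traffic from every IPv4 source address."""
    return [r for r in rules if r.ip_range == "0.0.0.0/0"]


def ssh_from_anywhere(rules: List[Rule]) -> List[Rule]:
    """Wide-open TCP rules whose port range covers 22."""
    return [r for r in wide_open_rules(rules)
            if r.protocol == "tcp" and r.from_port <= 22 <= r.to_port]


def add_rule_commands(group: str, desired: List[Rule], existing: List[Rule]) -> List[str]:
    """`nova secgroup-add-rule` lines for desired rules the group does not have yet.

    Rules already present are skipped, so re-running the reconciliation is idempotent.
    """
    have = set(existing)
    return [f"nova secgroup-add-rule {group} {r.protocol} {r.from_port} {r.to_port} {r.ip_range}"
            for r in desired if r not in have]


# The rule set the post builds up in both groups.
DESIRED = [
    Rule("icmp", -1, -1, "0.0.0.0/0", ""),
    Rule("tcp", 22, 22, "0.0.0.0/0", ""),
    Rule("udp", 53, 53, "0.0.0.0/0", ""),
]

if __name__ == "__main__":
    for name, text in (("terry", SAMPLE_TERRY), ("default", SAMPLE_DEFAULT)):
        rules = parse_rule_table(text)
        print(f"{name}: {len(rules)} rule(s)")
        for r in wide_open_rules(rules):
            print(f"  open to 0.0.0.0/0: {r.protocol} {r.from_port}-{r.to_port}")
        for r in ssh_from_anywhere(rules):
            print(f"  SSH reachable from any address (tcp {r.from_port}-{r.to_port})")
        for cmd in add_rule_commands(name, DESIRED, rules):
            print(f"  missing -> {cmd}")
```

To use it on a live tenant, pass the captured output of `nova secgroup-list-rules <group>` to `parse_rule_table`. Two points worth keeping in mind when reading the report: `nova secgroup-add-rule` creates ingress rules, so the udp/53 rule permits inbound DNS queries to the instance and is only needed when the instance itself serves DNS (the instance's own outbound lookups get their replies through connection tracking without it); and an SSH rule with IP Range 0.0.0.0/0 is the one the audit singles out, since it is normally better bound to an administrative CIDR than to the whole Internet.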

Remove the security group rules in use by an instance

nova remove-secgroup terry_instance1 terry

Note: once the virtual machine has started, no further rules can be added.