openstack - Introduction to security group management commands

Posted on 2018-11-5 22:57:45
1. How do you create a custom security group?
2. How do you view security groups?
3. How do you list the rules in a group?
4. How do you add a rule (allow ping)?

Note: verified by testing. The data-access test passes both when the default secgroup is modified and when a custom secgroup is used.

Help
[root@station140 ~(keystone_admin)]# nova help | grep secgroup
add-secgroup                Add a Security Group to a server.
list-secgroup               List Security Group(s) of a server.
remove-secgroup             Remove a Security Group from a server.
secgroup-add-group-rule
secgroup-add-rule           Add a rule to a security group.
secgroup-create             Create a security group.
secgroup-delete             Delete a security group.
secgroup-delete-group-rule
secgroup-delete-rule
secgroup-list               List security groups for the current tenant.
secgroup-list-rules
secgroup-update             Update a security group.

Every secgroup-add-rule invocation shown below creates an ingress rule: it controls which sources may open connections to the instance. The nova secgroup-* subcommands have since been removed from python-novaclient; on current releases the same operations are performed with openstack security group and openstack security group rule.
Create a custom security group

[root@ ]# nova secgroup-create terry "allow ping and ssh"
+--------------------------------------+-------+--------------------+
| Id                                   | Name  | Description        |
+--------------------------------------+-------+--------------------+
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry | allow ping and ssh |
+--------------------------------------+-------+--------------------+
List all current security groups

[root@ ]# nova secgroup-list
+--------------------------------------+---------+--------------------+
| Id                                   | Name    | Description        |
+--------------------------------------+---------+--------------------+
| 91a191a6-b89e-4f87-99c0-0fb985985978 | default | default            |
| 6966a8e4-0980-40ad-a409-baac65b60287 | terry   | allow ping and ssh |
+--------------------------------------+---------+--------------------+
List the rules in a given group

# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+

The two rows with an empty protocol and "default" as Source Group are the default group's built-in rules: they admit all traffic from other members of the same group and nothing from outside it. A freshly created custom group such as terry starts with no rules at all.
How to add a rule (allow ping)

# nova secgroup-add-rule terry icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

For ICMP the From Port and To Port columns hold the ICMP type and code; -1 -1 means every type and code. 0.0.0.0/0 means any source address.
How to add a rule (allow ssh)

# nova secgroup-add-rule terry tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

This exposes SSH to the whole Internet. It is acceptable in a lab; anywhere else, replace 0.0.0.0/0 with the CIDR of the administrators' network (or a bastion host) so that only that range can reach port 22.
How to add a rule (allow external DNS access)

# nova secgroup-add-rule terry udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Note that this is an ingress rule: it allows anyone on the Internet to send DNS queries to the instance, which is only needed if the instance itself runs a DNS server. Security groups are stateful, so the instance can already query external resolvers and receive the replies without this rule.
List the rules of the custom group

# nova secgroup-list-rules terry
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Try modifying the default secgroup

List the rules of the default secgroup:

# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
Add a rule (allow ping)

# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow ssh)

# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (allow external DNS access)

# nova secgroup-add-rule default udp 53 53 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Keep in mind that every instance launched without an explicit security group is placed in default, so widening default widens the exposure of all of those instances at once. A dedicated group such as terry, attached only to the servers that need it, is the least-privilege choice.
List the rules of the default group

# nova secgroup-list-rules default
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
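Both rule sets listed on this page, terry and default, open every port they allow to 0.0.0.0/0. The Python below is an added example, not code from the original post or from OpenStack. It parses the ASCII table format printed by nova secgroup-list-rules, flags the world-open ingress rules with the reasoning given in the sections above (SSH from anywhere, inbound DNS that only a DNS server needs, ICMP from anywhere), and prints the narrowed rule set in the nova secgroup-add-rule syntax used on this page. The sample table is constructed from the final default listing; ADMIN_CIDR and MANAGEMENT_PORTS are hypothetical policy values.

```python
"""Audit ingress rules in nova secgroup-list-rules output.

Added example, not code from the original post or from OpenStack. It parses
the ASCII table printed by nova secgroup-list-rules, flags rules open to
0.0.0.0/0, and renders the tightened rules as nova secgroup-add-rule
commands in the syntax used on the page. ADMIN_CIDR and MANAGEMENT_PORTS
are hypothetical policy values; DEFAULT_RULES is constructed from the
page's final `nova secgroup-list-rules default` output.
"""
import ipaddress

# Constructed sample: the default group after the three rules were added.
DEFAULT_RULES = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
|             |           |         |           | default      |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
|             |           |         |           | default      |
| udp         | 53        | 53      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""

ADMIN_CIDR = "203.0.113.0/24"  # hypothetical admin network (TEST-NET-3)
# Hypothetical policy: ports that must never be reachable from 0.0.0.0/0.
MANAGEMENT_PORTS = {22, 3389, 5900, 3306, 5432, 6379, 27017}


def parse_rules(table):
    """Return one dict per data row of a secgroup-list-rules table."""
    rules = []
    for line in table.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines carry no data
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "IP Protocol":
            continue  # header row
        proto, from_port, to_port, ip_range, source_group = cells
        rules.append({
            "protocol": proto.lower() or None,
            "from_port": int(from_port) if from_port else None,
            "to_port": int(to_port) if to_port else None,
            "cidr": ip_range or None,
            "source_group": source_group or None,
        })
    return rules


def is_world_open(rule):
    """True when the rule's IP Range is the entire address space (/0)."""
    return rule["cidr"] is not None and ipaddress.ip_network(rule["cidr"]).prefixlen == 0


def audit(rules):
    """Return (severity, message) findings. Source-group rules are skipped:
    they only admit traffic from members of the named group."""
    findings = []
    for r in rules:
        if not is_world_open(r):
            continue
        if r["protocol"] == "icmp":
            findings.append(("LOW", "icmp from 0.0.0.0/0: instance answers ping from anyone"))
            continue
        ports = set(range(r["from_port"], r["to_port"] + 1))
        exposed = sorted(ports & MANAGEMENT_PORTS)
        if exposed:
            findings.append(("HIGH", f"{r['protocol']} {exposed} open to 0.0.0.0/0; "
                                     f"restrict to {ADMIN_CIDR}"))
        elif r["protocol"] == "udp" and 53 in ports:
            findings.append(("MEDIUM", "udp 53 ingress from 0.0.0.0/0 only serves a DNS server; "
                                       "outbound lookups do not need it (groups are stateful)"))
        else:
            findings.append(("MEDIUM", f"{r['protocol']} {r['from_port']}-{r['to_port']} "
                                       "open to 0.0.0.0/0"))
    return findings


def tighten(rules):
    """Copy of the rules with world-open ICMP and management-port rules
    narrowed to ADMIN_CIDR; anything else is left for a human to decide."""
    out = []
    for r in rules:
        r = dict(r)
        if is_world_open(r):
            if r["protocol"] == "icmp":
                r["cidr"] = ADMIN_CIDR
            elif set(range(r["from_port"], r["to_port"] + 1)) & MANAGEMENT_PORTS:
                r["cidr"] = ADMIN_CIDR
        out.append(r)
    return out


def render_commands(group, rules):
    """nova secgroup-add-rule lines (page syntax) for the CIDR-based rules.
    Source-group rules belong to secgroup-add-group-rule and are not rendered."""
    return [
        f"nova secgroup-add-rule {group} {r['protocol']} {r['from_port']} {r['to_port']} {r['cidr']}"
        for r in rules if r["cidr"] is not None
    ]


if __name__ == "__main__":
    parsed = parse_rules(DEFAULT_RULES)
    for severity, msg in audit(parsed):
        print(f"[{severity}] {msg}")
    print("\nTightened rule set:")
    for cmd in render_commands("default", tighten(parsed)):
        print(cmd)
```

Feed it the output of nova secgroup-list-rules for any group; after tighten() only the inbound udp 53 finding remains, because whether the instance really is a DNS server is a decision the script cannot make.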

Remove the rules an instance is using (detach the security group from the instance)

nova remove-secgroup terry_instance1 terry

Note: in the author's test, no further rules could be added after the virtual machine had been started. Under both nova-network and Neutron, however, a rule added to a security group applies to every instance that group is attached to, running instances included, and add-secgroup / remove-secgroup act on a running server. If a rule appears not to take effect, first confirm which groups the instance actually belongs to with nova list-secgroup <server>.