OpenStack security group management
Posted boshen-hzb
Command overview
(nova-api)[[email protected] /]# nova help|grep secgroup
    add-secgroup                Add a Security Group to a server.
    list-secgroup               List Security Group(s) of a server.
    remove-secgroup             Remove a Security Group from a server.
    secgroup-add-default-rule   Add a rule to the set of rules that will be
    secgroup-add-group-rule     Add a source group rule to a security group.
    secgroup-add-rule           Add a rule to a security group.
    secgroup-create             Create a security group.
    secgroup-delete             Delete a security group.
    secgroup-delete-default-rule
    secgroup-delete-group-rule  Delete a source group rule from a security
    secgroup-delete-rule        Delete a rule from a security group.
    secgroup-list               List security groups for the current tenant.
    secgroup-list-default-rules
    secgroup-list-rules         List rules for a security group.
    secgroup-update             Update a security group.
List security groups
(nova-api)[[email protected] /]# nova secgroup-list
+--------------------------------------+---------+------------------------+
| Id                                   | Name    | Description            |
+--------------------------------------+---------+------------------------+
| 6a5dd6bb-600f-49bb-b37b-91059ff4074b | default | Default security group |
| fdbffd7a-5f5e-413a-8d78-5f26bdc23c4e | hzb-sg  |                        |
+--------------------------------------+---------+------------------------+
List the rules of a security group
(nova-api)[[email protected] /]# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
Create a security group
(nova-api)[[email protected] /]# nova secgroup-create boshen-sg "allow ping and ssh"
+--------------------------------------+-----------+--------------------+
| Id                                   | Name      | Description        |
+--------------------------------------+-----------+--------------------+
| db7599e0-be38-4955-93d9-ed20f2a8a298 | boshen-sg | allow ping and ssh |
+--------------------------------------+-----------+--------------------+
(nova-api)[[email protected] /]# nova secgroup-list
+--------------------------------------+-----------+------------------------+
| Id                                   | Name      | Description            |
+--------------------------------------+-----------+------------------------+
| db7599e0-be38-4955-93d9-ed20f2a8a298 | boshen-sg | allow ping and ssh     |
| 6a5dd6bb-600f-49bb-b37b-91059ff4074b | default   | Default security group |
+--------------------------------------+-----------+------------------------+
Add a rule (icmp: allow ping)
usage: nova secgroup-add-rule <secgroup> <ip-proto> <from-port> <to-port> <cidr>
(nova-api)[[email protected] /]# nova secgroup-add-rule boshen-sg icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[[email protected] /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (tcp: allow ssh)
(nova-api)[[email protected] /]# nova secgroup-add-rule boshen-sg tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[[email protected] /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (udp: broadcast)
(nova-api)[[email protected] /]# nova secgroup-add-rule boshen-sg udp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[[email protected] /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Delete a rule from a security group
Format:
usage: nova secgroup-delete-rule <secgroup> <ip-proto> <from-port> <to-port> <cidr>
(nova-api)[[email protected] /]# nova secgroup-delete-rule boshen-sg udp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[[email protected] /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
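As an added example (not from the original post), a small Python audit script that parses the `nova secgroup-list-rules` table shown above, flags rules reachable from 0.0.0.0/0 over a wide port range (like the udp 1-65535 rule that was just removed), and prints the exact `nova secgroup-delete-rule` command for each one, since that command must repeat the protocol, ports and CIDR exactly as they were added. The port threshold and the embedded sample table are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List

# Assumption for this example: world-reachable rules opening more than this many ports are flagged.
WIDE_PORT_THRESHOLD = 1

# Constructed sample: the boshen-sg rule table from the session above.
SAMPLE_OUTPUT = """\
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
"""

@dataclass
class Rule:
    proto: str
    from_port: int
    to_port: int
    cidr: str
    source_group: str

def parse_rules(table: str) -> List[Rule]:
    """Turn the ASCII table into Rule objects, skipping borders and the header."""
    rules = []
    for line in table.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "IP Protocol":
            continue
        proto, frm, to, cidr, group = cells
        # Source-group rules (see the default group) have empty port cells.
        rules.append(Rule(proto, int(frm or -1), int(to or -1), cidr, group))
    return rules

def is_wide_open(r: Rule) -> bool:
    """True for a rule reachable from anywhere over all ports or a wide range."""
    if r.cidr not in ("0.0.0.0/0", "::/0") or r.proto == "icmp":
        return False
    all_ports = r.from_port == -1 and r.to_port == -1
    return all_ports or (r.to_port - r.from_port + 1) > WIDE_PORT_THRESHOLD

def delete_commands(secgroup: str, table: str) -> List[str]:
    """Exact delete command per flagged rule; nova needs proto/ports/cidr to match."""
    return [f"nova secgroup-delete-rule {secgroup} {r.proto} {r.from_port} {r.to_port} {r.cidr}"
            for r in parse_rules(table) if is_wide_open(r)]
```

Feed it the real output of `nova secgroup-list-rules <secgroup>` instead of the sample to audit a live group.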
Update a security group (only the name and description can be updated)
Format:
usage: nova secgroup-update <secgroup> <name> <description>
(nova-api)[[email protected] /]# nova secgroup-update boshen-sg boshen-sg2 xxxxxxxxx
+--------------------------------------+------------+-------------+
| Id                                   | Name       | Description |
+--------------------------------------+------------+-------------+
| db7599e0-be38-4955-93d9-ed20f2a8a298 | boshen-sg2 | xxxxxxxxx   |
+--------------------------------------+------------+-------------+
(nova-api)[[email protected] /]# nova secgroup-list-rules boshen-sg
ERROR (CommandError): Secgroup ID or name 'boshen-sg' not found.
(nova-api)[[email protected] /]# nova secgroup-list-rules boshen-sg2
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Delete a security group
(nova-api)[[email protected] /]# nova secgroup-delete hzb-sg
+--------------------------------------+--------+-------------+
| Id                                   | Name   | Description |
+--------------------------------------+--------+-------------+
| fdbffd7a-5f5e-413a-8d78-5f26bdc23c4e | hzb-sg |             |
+--------------------------------------+--------+-------------+
(nova-api)[[email protected] /]# nova secgroup-list
+--------------------------------------+---------+------------------------+
| Id                                   | Name    | Description            |
+--------------------------------------+---------+------------------------+
| 6a5dd6bb-600f-49bb-b37b-91059ff4074b | default | Default security group |
+--------------------------------------+---------+------------------------+