OpenStack: Security Group Management


Command overview

[root@controller02 ~]# openstack help security
Command "security" matches:
security group create
security group delete
security group list
security group rule create
security group rule delete
security group rule list
security group rule show
security group set
security group show
security group unset


List security groups

openstack security group list

List the rules of a given security group

[root@controller02 ~]# openstack security group rule list 1c0c76c5-b66e-4738-b483-66bf07d18cf8
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range | Port Range | Remote Security Group                |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| 1a255d60-4ad6-4bfe-845a-cf7eca801d54 | None        | None     |            | None                                 |
| 1c17d97d-17c8-4750-91ba-b85e591df3fd | None        | None     |            | 1c0c76c5-b66e-4738-b483-66bf07d18cf8 |
| 569790d7-752e-4568-8137-606cdd0ba483 | None        | None     |            | None                                 |
| 5f8355d6-d9ce-4d4f-a5d9-af9ef4350bc0 | None        | None     |            | 1c0c76c5-b66e-4738-b483-66bf07d18cf8 |
+--------------------------------------+-------------+----------+------------+--------------------------------------+


Create a security group

usage: openstack security group create [-h] [-f {json,shell,table,value,yaml}]
                                       [-c COLUMN] [--max-width <integer>]
                                       [--fit-width] [--print-empty]
                                       [--noindent] [--prefix PREFIX]
                                       [--description <description>]
                                       [--project <project>]
                                       [--project-domain <project-domain>]
                                       [--tag <tag> | --no-tag]
                                       <name>
[root@controller02 ~]# 
[root@controller02 ~]# openstack security group create hzbtest
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                 |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2019-06-10T01:17:34Z                                                                                                                                  |
| description     | hzbtest                                                                                                                                               |
| id              | ccb7bb7e-d978-4ce6-b2cf-8fe1b70799a9                                                                                                                  |
| name            | hzbtest                                                                                                                                               |
| project_id      | 8a2608dbc7014bb5ad21a4e4d3d54133                                                                                                                      |
| revision_number | 1                                                                                                                                                     |
| rules           | created_at='2019-06-10T01:17:35Z', direction='egress', ethertype='IPv6', id='5e5d7d9b-be2a-44c9-8819-46313003f49f', updated_at='2019-06-10T01:17:35Z' |
|                 | created_at='2019-06-10T01:17:35Z', direction='egress', ethertype='IPv4', id='c52dfc69-908e-4c7f-8df5-700a3ace527d', updated_at='2019-06-10T01:17:35Z' |
| tags            | []                                                                                                                                                    |
| updated_at      | 2019-06-10T01:17:35Z                                                                                                                                  |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+


Add a rule (icmp: allow ping)

usage: openstack security group rule create [-h]
                                            [-f {json,shell,table,value,yaml}]
                                            [-c COLUMN]
                                            [--max-width <integer>]
                                            [--fit-width] [--print-empty]
                                            [--noindent] [--prefix PREFIX]
                                            [--remote-ip <ip-address> | --remote-group <group>]
                                            [--description <description>]
                                            [--dst-port <port-range>]
                                            [--icmp-type <icmp-type>]
                                            [--icmp-code <icmp-code>]
                                            [--protocol <protocol>]
                                            [--ingress | --egress]
                                            [--ethertype <ethertype>]
                                            [--project <project>]
                                            [--project-domain <project-domain>]
                                            <group>


(nova-api)[root@cc07 /]# nova secgroup-add-rule boshen-sg icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


Add a rule (tcp: allow ssh)

(nova-api)[root@cc07 /]# nova secgroup-add-rule boshen-sg tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova  secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+

Add a rule (udp: broadcast)

(nova-api)[root@cc07 /]# nova secgroup-add-rule boshen-sg udp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova  secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
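All three rules added above use 0.0.0.0/0 as the remote side, so ssh (tcp/22), the entire UDP port range and ICMP are reachable from any address. The following audit script is an added example, not part of the original post: it reads the JSON that `openstack security group rule list <group> -f json` prints (key names taken from the table columns shown earlier on this page; the `Direction` key is an assumption and is treated as ingress when absent) and flags rules that are open to the world. The embedded sample rules are constructed to mirror the boshen-sg rules above, and the sensitive-port list and the 1024-port width threshold are assumptions to tune per site.

```python
"""Audit OpenStack security-group rules for world-open ingress entries.

Added example, not part of the original post or of any OpenStack project.
Input format: the JSON emitted by `openstack security group rule list -f json`,
using the column names shown on this page (ID, IP Protocol, IP Range,
Port Range, Remote Security Group). "Direction" is assumed; when missing the
rule is treated as ingress, which is the conservative choice for an audit.
"""
import ipaddress
import json

# Assumption: site-specific list of ports that should never face the world.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql"}
# Assumption: a tcp/udp range this wide or wider counts as "wide open".
WIDE_RANGE_THRESHOLD = 1024

# Constructed sample: the boshen-sg rules from this page (IDs are made up),
# plus one remote-group rule and one rule scoped to a private prefix.
SAMPLE_RULES_JSON = json.dumps([
    {"ID": "rule-1", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
     "Port Range": "22:22", "Remote Security Group": None, "Direction": "ingress"},
    {"ID": "rule-2", "IP Protocol": "udp", "IP Range": "0.0.0.0/0",
     "Port Range": "1:65535", "Remote Security Group": None, "Direction": "ingress"},
    {"ID": "rule-3", "IP Protocol": "icmp", "IP Range": "0.0.0.0/0",
     "Port Range": "", "Remote Security Group": None, "Direction": "ingress"},
    {"ID": "rule-4", "IP Protocol": None, "IP Range": None, "Port Range": "",
     "Remote Security Group": "1c0c76c5-b66e-4738-b483-66bf07d18cf8",
     "Direction": "ingress"},
    {"ID": "rule-5", "IP Protocol": "tcp", "IP Range": "10.0.0.0/8",
     "Port Range": "22:22", "Remote Security Group": None, "Direction": "ingress"},
])


def parse_port_range(text):
    """Turn the CLI's 'min:max' string into an inclusive (min, max) tuple.
    An empty value means the rule does not restrict ports at all."""
    if not text:
        return (1, 65535)
    lo, _, hi = text.partition(":")
    low = int(lo)
    high = int(hi) if hi else low
    return (low, high)


def is_world_open(rule):
    """True when the remote side is 'anywhere': no remote security group and
    either no CIDR or a zero-length prefix such as 0.0.0.0/0 or ::/0."""
    if rule.get("Remote Security Group"):
        return False
    cidr = rule.get("IP Range")
    if not cidr:
        return True
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule_id, severity, reason) for every world-open ingress rule."""
    findings = []
    for rule in rules:
        if rule.get("Direction", "ingress") != "ingress":
            continue  # egress is allow-all by default; not in scope here
        if not is_world_open(rule):
            continue
        rid = rule["ID"]
        proto = (rule.get("IP Protocol") or "").lower()
        if proto in ("", "any"):
            findings.append((rid, "high", "all protocols and ports open to the world"))
        elif proto in ("tcp", "udp"):
            low, high = parse_port_range(rule.get("Port Range"))
            width = high - low + 1
            if width >= WIDE_RANGE_THRESHOLD:
                findings.append((rid, "high",
                                 f"{proto} ports {low}-{high} ({width} ports) open to the world"))
            else:
                hit = [name for port, name in SENSITIVE_PORTS.items() if low <= port <= high]
                if hit:
                    findings.append((rid, "high",
                                     f"{proto} {'/'.join(hit)} ({low}-{high}) open to the world"))
        elif proto in ("icmp", "ipv6-icmp"):
            findings.append((rid, "low", "icmp reachable from anywhere (ping/discovery)"))
    return findings


def audit_json(text):
    """Parse a JSON rule listing and audit it."""
    return audit_rules(json.loads(text))


if __name__ == "__main__":
    for rid, severity, reason in audit_json(SAMPLE_RULES_JSON):
        print(f"{severity:5} {rid}: {reason}")
```

Against a live deployment, feed `openstack security group rule list <group> -f json` into `audit_json`; rules whose remote side is another security group (like rule-4) or a specific prefix (rule-5) are left alone, so the report only lists entries that genuinely face any source address.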

Delete a rule from a security group

Format:

usage: nova secgroup-delete-rule <secgroup> <ip-proto> <from-port> <to-port> <cidr>
(nova-api)[root@cc07 /]# nova secgroup-delete-rule boshen-sg udp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova  secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


Update a security group (only the name and description can be updated)

Format:

usage: nova secgroup-update <secgroup> <name> <description>
(nova-api)[root@cc07 /]# nova secgroup-update boshen-sg boshen-sg2 xxxxxxxxx
+--------------------------------------+------------+-------------+
| Id                                   | Name       | Description |
+--------------------------------------+------------+-------------+
| db7599e0-be38-4955-93d9-ed20f2a8a298 | boshen-sg2 | xxxxxxxxx   |
+--------------------------------------+------------+-------------+
(nova-api)[root@cc07 /]# nova  secgroup-list-rules boshen-sg
ERROR (CommandError): Secgroup ID or name 'boshen-sg' not found.
(nova-api)[root@cc07 /]# nova  secgroup-list-rules boshen-sg2
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


Delete a security group

(nova-api)[root@cc07 /]# nova secgroup-delete hzb-sg
+--------------------------------------+--------+-------------+
| Id                                   | Name   | Description |
+--------------------------------------+--------+-------------+
| fdbffd7a-5f5e-413a-8d78-5f26bdc23c4e | hzb-sg |             |
+--------------------------------------+--------+-------------+
(nova-api)[root@cc07 /]# nova secgroup-list
+--------------------------------------+---------+------------------------+
| Id                                   | Name    | Description            |
+--------------------------------------+---------+------------------------+
| 6a5dd6bb-600f-49bb-b37b-91059ff4074b | default | Default security group |
+--------------------------------------+---------+------------------------+
