Managing Project Security

Security groups are sets of IP filter rules that are applied to all project instances, which define networking access to the instance. Group rules are project specific; project members can edit the default rules for their group and add new rule sets.

All projects have a default security group for each instance that has no other defined security group. Unless you change the default, this security group denies all incoming traffic and allows only outgoing traffic to your instance.

Contact Metacloud Support for assistance in editing global security rules.

Additionally, the number of maximum rules per security group is controlled by the security_group_rules and the number of allowed security groups per project is controlled by the security_groups quota.

To view security groups:

  1. Ensure your system variables are set for the user and tenant for which you are checking security group rules.

    export OS_USERNAME=<user_name>
    export OS_TENANT_NAME=<tenant_name>
    
  2. List security groups.

    $ openstack security group list
    +---------+-------------+
    | Name    | Description |
    +---------+-------------+
    | default | default     |
    | open    | all ports   |
    +---------+-------------+
    
  3. View the details of a group.

    $ openstack security group rule list open
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | icmp        | -1        | 255     | 0.0.0.0/0 |              |
    | tcp         | 1         | 65535   | 0.0.0.0/0 |              |
    | udp         | 1         | 65535   | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+
    

    These are allow type rules; the default is deny. The first column is the IP protocol (one of icmp, tcp, or udp). The second and third columns specify the affected port range. The third column specifies the IP range in CIDR format. This example shows the full port range for all protocols allowed from all IPs.

Creating a Security Group

When adding a new security group, pick a descriptive but brief name. This name shows up in brief descriptions of the instances that use it where the longer description field often does not. For example, seeing that an instance is using security group http is much easier to understand than bobs_group or secgrp1.

  1. Ensure your system variables are set for the user and tenant for which you are creating security group rules.
  2. Add the new security group.

    $ openstack security group create <SEC_GROUP_NAME> "<DESCRIPTION>"
    +----------------+--------------+----------------------------------------------+
    | Id             | Name         | Description                                  |
    +----------------+--------------+----------------------------------------------+
    | <sec_group-id> | <sec_group_name>  | Allows Web traffic anywhere on the Internet. |
    +----------------+--------------+----------------------------------------------+
    
  3. Add a new group rule.

    The arguments are positional, and the from-port and to-port arguments specify the local port range connections are allowed to access, not the source and destination ports of the connection.

    $ openstack security group rule create <SEC_GROUP_NAME> <PROTOCOL> <TO_PORT> <FROM_PORT> <IP_RANGE>
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | tcp         | 80        | 80      | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+
    

    You can create complex rule sets by creating additional rules. For example, you can pass both HTTP and HTTPS traffic by adding port 443.

  4. View all rules for the new security group.

    $ openstack security group rule list <SEC_GROUP_NAME>
    +-------------+-----------+---------+-----------+--------------+
    | IP Protocol | From Port | To Port | IP Range  | Source Group |
    +-------------+-----------+---------+-----------+--------------+
    | tcp         | 80        | 80      | 0.0.0.0/0 |              |
    | tcp         | 443       | 443     | 0.0.0.0/0 |              |
    +-------------+-----------+---------+-----------+--------------+
    

To delete a security group:

Ensure your system variables are set for the user and tenant for which you are deleting a security group.

$ openstack security group delete <SEC_GROUP_NAME>

Creating Security Group Rules for a Cluster of Instances

Source Groups are a special, dynamic way of defining the CIDR of allowed sources. The user specifies a Source Group (Security Group name), and all the user’s other Instances using the specified Source Group are selected dynamically. This alleviates the need for individual rules to allow each new member of the cluster.

Make sure to set the system variables for the user and tenant for which you are creating a security group rule.

To add a source group:

$ openstack security group rule create <SEC_GROUP_NAME> <SOURCE_GROUP> <IP_PROTOCOL> <FROM_PORT> <TO_PORT>

The <SEC_GROUP_NAME> rule allows SSH access from any other instance that uses that <SOURCE_GROUP>.