Configuring Access and Security for Instances with CLI

Before you launch an instance, add the security group rules to enable users to ping and use SSH to connect to the instance. When you launch a virtual machine, you can inject a key pair, which provides SSH access to your instance. For this to work, the image must contain the cloud-init package.

You can create at least one key pair for each project. You can use the key pair for multiple instances that belong to that project. If you generate a key pair with an external tool, import it into Metacloud.

Note
A key pair belongs to an individual user, not to a project. To share a key pair across multiple users, each user needs to import that key pair.

A security group is a named collection of network access rules used to limit the types of traffic that have access to instances. When you launch an instance, you can assign one or more security groups to it. If you do not create security groups, new instances are automatically assigned to the default security group, unless you specify a different security group.

The associated rules in each security group control the traffic to instances in the group. By default, incoming traffic that is not matched by a rule is denied access. You can add rules to or remove rules from a security group. You can modify rules for any security group.

You can modify the rules in a security group to allow access to instances through different ports and protocols. For example, you can modify rules to allow access to instances through SSH, to ping instances, or to allow UDP traffic (for example, for a DNS server running on an instance). Specify the following parameters for rules:

  • Source of traffic—enable traffic to instances from IP addresses of other group members inside the cloud or from all IP addresses.
  • Protocol—choose TCP for SSH, ICMP for pings, or UDP.
  • Destination port on virtual machine—define a port range. To open a single port, enter the same value twice. ICMP does not support ports; instead, enter values to define the codes and types of ICMP traffic.

Rules are automatically enforced as soon as you create or modify them.

Note

  • Instances that use the default security group cannot, by default, be accessed from any IP address outside of the cloud. If you want those IP addresses to access the instances, you must modify the rules for the default security group.
  • You can assign a floating IP address to a running instance to make it accessible from outside the cloud. See Managing IP Addresses.

Creating a Key Pair

You can generate a key pair or upload an existing public key.

To add a key pair:

  1. Create a key pair and write the key pair to a file.

    $ openstack keypair create keyName > keyName.pem
    

    This command generates a key pair with the name that you specify, writes the private key to the .pem file that you specify, and registers the public key to the Nova database.

  2. Set the permissions of the .pem file so that you can read and write to it.

    $ chmod 600 keyName.pem
    

To import a key pair:

  1. If you have already generated a key pair, use the filename and path to register the key pair.

    $ openstack keypair create --public-key ~/.ssh/id_rsa.pub keyName
    

    This command registers the public key and assigns the key pair the name that you specify.

  2. Verify the key pair has been successfully imported.

    $ openstack keypair list
    

Creating and Managing Security Groups

Action                              Command
List security groups                $ openstack security group list
Create a specific security group    $ openstack security group create <SEC_GROUP_NAME> --description <DESC>
Delete a security group             $ openstack security group delete <SEC_GROUP_NAME>
Remove security group from port     $ openstack port set <PORT_ID> --no-security-group

Note

  • You cannot delete the default security group for a project.
  • You cannot delete a security group that is assigned to a running instance.

Creating and Managing Security Group Rules

Modify security group rules with the openstack security group rule commands. These actions require the appropriate permission level.

Action                          Command
List security group rules       $ openstack security group rule list
Create security group rule      $ openstack security group rule create <SEC_GROUP_NAME> --protocol <PROTOCOL>
Delete security group rule      $ openstack security group rule delete <RULE_ID>

To add an SSH rule to a security group:

$ openstack security group rule create <SEC_GROUP_NAME> --protocol tcp --dst-port 22:22 --remote-ip 0.0.0.0/0
+-------------------+-------------------+
| Field             | Value             |
+-------------------+-------------------+
| created_at        | None              |
| description       | None              |
| direction         | ingress           |
| ether_type        | IPv4              |
| id                | <rule_id>         |
| name              | None              |
| port_range_max    | 22                |
| port_range_min    | 22                |
| project_id        | <project_id>      |
| protocol          | tcp               |
| remote_group_id   | None              |
| remote_ip_prefix  | 0.0.0.0/0         |
| revision_number   | None              |
| security_group_id | <secgroup_id>     |
| updated_at        | None              |
+-------------------+-------------------+

To add an ICMP rule to a security group:

$ openstack security group rule create <SEC_GROUP_NAME> --protocol icmp
+-------------------+-------------------+
| Field             | Value             |
+-------------------+-------------------+
| created_at        | None              |
| description       | None              |
| direction         | ingress           |
| ether_type        | IPv4              |
| id                | <rule_id>         |
| name              | None              |
| port_range_max    | None              |
| port_range_min    | None              |
| project_id        | <project_id>      |
| protocol          | icmp              |
| remote_group_id   | None              |
| remote_ip_prefix  | 0.0.0.0/0         |
| revision_number   | None              |
| security_group_id | <secgroup_id>     |
| updated_at        | None              |
+-------------------+-------------------+

To allow access through a UDP port (for example, to reach a DNS server that runs on a VM):

$ openstack security group rule create <SEC_GROUP_NAME> --protocol udp --dst-port 53:53
+-------------------+------------------------+
| Field             | Value                  |
+-------------------+------------------------+
| direction         | ingress                |
| ethertype         | IPv4                   |
| headers           |                        |
| id                | <rule_id>              |
| port_range_max    | 53                     |
| port_range_min    | 53                     |
| project_id        | <project_id>           |
| protocol          | udp                    |
| remote_group_id   | None                   |
| remote_ip_prefix  | 0.0.0.0/0              |
| security_group_id | <secgroup_id>          |
+-------------------+------------------------+
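The SSH rule above admits port 22 from 0.0.0.0/0, that is, from any address, while a prefix such as 0.0.0.0/32 matches no real client at all. The following Python script is added here as an example; it is not part of the original page or of the openstack CLI. It audits a list of rules (constructed sample dicts that reuse the field names from the outputs above) and flags SSH rules whose source is wider than an allowed administrative CIDR.

```python
import ipaddress

# Constructed sample rules in the shape of this page's `openstack security group
# rule create` output (same field names); the values are made up for illustration.
SAMPLE_RULES = [
    {"id": "r1", "direction": "ingress", "protocol": "tcp", "port_range_min": 22,
     "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r2", "direction": "ingress", "protocol": "tcp", "port_range_min": 22,
     "port_range_max": 22, "remote_ip_prefix": "203.0.113.0/24", "remote_group_id": None},
    {"id": "r3", "direction": "ingress", "protocol": "tcp", "port_range_min": 22,
     "port_range_max": 22, "remote_ip_prefix": "0.0.0.0/32", "remote_group_id": None},
    {"id": "r4", "direction": "ingress", "protocol": "udp", "port_range_min": 53,
     "port_range_max": 53, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r5", "direction": "ingress", "protocol": "tcp", "port_range_min": None,
     "port_range_max": None, "remote_ip_prefix": None, "remote_group_id": "sg-default"},
]

def covers_port(rule, port):
    """True when the rule's port range includes `port` (no range = all ports)."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    return (lo is None or lo <= port) and (hi is None or port <= hi)

def audit_ssh_sources(rules, allowed_cidrs, port=22):
    """Return [(rule_id, reason)] for ingress TCP rules reaching `port` whose
    source is wider than the allowed CIDRs. Rules keyed on a remote security
    group are skipped: they admit only members of that group, not the Internet."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for r in rules:
        if r.get("direction") != "ingress" or r.get("protocol") not in (None, "tcp"):
            continue
        if not covers_port(r, port) or r.get("remote_group_id"):
            continue
        prefix = r.get("remote_ip_prefix")
        if prefix is None:  # neither a prefix nor a remote group: any source
            findings.append((r["id"], "no source restriction"))
            continue
        net = ipaddress.ip_network(prefix, strict=False)
        if net.num_addresses == 1 and net.network_address.is_unspecified:
            # 0.0.0.0/32 (or ::/128) matches no real client; almost certainly a typo for /0
            findings.append((r["id"], f"{prefix} matches no real source; meant /0?"))
            continue
        same_family = [a for a in allowed if a.version == net.version]
        if not any(net.subnet_of(a) for a in same_family):
            findings.append((r["id"], f"SSH open to {prefix}"))
    return findings

if __name__ == "__main__":
    for rule_id, reason in audit_ssh_sources(SAMPLE_RULES, ["203.0.113.0/24"]):
        print(f"{rule_id}: {reason}")
```

On a live deployment, feed the function the parsed JSON of `openstack security group rule list -f json` (column names differ from the create output, so map them first) and pass your administrative jump-host range as the allowed CIDR.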