To configure security groups
To list all security groups
To list security groups for the current project, including descriptions, enter the following command:
$ nova secgroup-list
To create a security group
To create a security group with a specified name and description, enter the following command:
$ nova secgroup-create SEC_GROUP_NAME GROUP_DESCRIPTION
To delete a security group
To delete a specified group, enter the following command:
$ nova secgroup-delete SEC_GROUP_NAME
Note: You cannot delete the default security group for a project. Also, you cannot delete a security group that is assigned to a running instance.
To configure security group rules
Modify security group rules with the nova secgroup-*-rule commands.
On a shell, source the OpenStack RC file. For details, see the section called “OpenStack RC file”.
To list the rules for a security group
$ nova secgroup-list-rules SEC_GROUP_NAME
To allow SSH access to the instances
Choose one of the following sub-steps:
- Add rule for all IPs
  Either from all IP addresses (specified as an IP subnet in CIDR notation, 0.0.0.0/0):
  $ nova secgroup-add-rule SEC_GROUP_NAME tcp 22 22 0.0.0.0/0
- Add rule for security groups
  Alternatively, you can allow only IP addresses from other security groups (source groups) to access the specified port:
  $ nova secgroup-add-group-rule --ip_proto tcp --from_port 22 --to_port 22 SEC_GROUP_NAME SOURCE_GROUP_NAME
To allow pinging the instances
Choose one of the following sub-steps:
- To allow pinging from IPs
  Specify all IP addresses as an IP subnet in CIDR notation (0.0.0.0/0). The two -1 arguments allow all ICMP types and all ICMP codes:
  $ nova secgroup-add-rule SEC_GROUP_NAME icmp -1 -1 0.0.0.0/0
- To allow pinging from other security groups
  To allow only members of other security groups (source groups) to ping instances:
  $ nova secgroup-add-group-rule --ip_proto icmp --from_port -1 --to_port -1 SEC_GROUP_NAME SOURCE_GROUP_NAME
To allow access through a UDP port
To allow access through a UDP port, such as allowing access to a DNS server that runs on a VM, complete one of the following sub-steps:
- To allow UDP access from IPs
  Specify all IP addresses as an IP subnet in CIDR notation (0.0.0.0/0):
  $ nova secgroup-add-rule SEC_GROUP_NAME udp 53 53 0.0.0.0/0
- To allow UDP access from other security groups
  To allow only IP addresses from other security groups (source groups) to access the specified port:
  $ nova secgroup-add-group-rule --ip_proto udp --from_port 53 --to_port 53 SEC_GROUP_NAME SOURCE_GROUP_NAME
To delete a security group rule
To delete a security group rule, specify the same arguments that you used to create the rule.
To delete the security rule that you created in Step 3.a:
$ nova secgroup-delete-rule SEC_GROUP_NAME tcp 22 22 0.0.0.0/0
To delete the security rule that you created in Step 3.b:
$ nova secgroup-delete-group-rule --ip_proto tcp --from_port 22 --to_port 22 SEC_GROUP_NAME SOURCE_GROUP_NAME
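The following Python script is an added example, not part of the OpenStack guide or the nova client: it parses the table that nova secgroup-list-rules prints, flags rules that admit traffic from 0.0.0.0/0, and builds the matching secgroup-delete-rule or secgroup-delete-group-rule command from the same arguments, as the delete step above requires. The sample table, its rule values and the source group name bastion are constructed for illustration.

```python
# Constructed sample of what `nova secgroup-list-rules SEC_GROUP_NAME`
# prints (same column layout as the nova client; rule values are made up).
SAMPLE_RULES = """\
+-------------+-----------+---------+-------------+--------------+
| IP Protocol | From Port | To Port | IP Range    | Source Group |
+-------------+-----------+---------+-------------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0   |              |
| icmp        | -1        | -1      |             | bastion      |
| udp         | 53        | 53      | 10.0.0.0/8  |              |
+-------------+-----------+---------+-------------+--------------+
"""

def parse_rules(table):
    """Turn the printed table into a list of rule dicts."""
    rules = []
    for line in table.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines carry no data
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "IP Protocol":
            continue  # header row
        proto, from_port, to_port, ip_range, source_group = cells
        rules.append({"proto": proto, "from_port": int(from_port),
                      "to_port": int(to_port), "cidr": ip_range or None,
                      "source_group": source_group or None})
    return rules

def review_rules(rules):
    """Return (rule, reason) pairs for rules open to every address."""
    findings = []
    for r in rules:
        if r["cidr"] != "0.0.0.0/0":
            continue  # source-group rules and narrower CIDRs are left alone
        if r["proto"] == "icmp" and r["from_port"] == -1 and r["to_port"] == -1:
            reason = "all ICMP types and codes open to every address"
        else:
            reason = f"{r['proto']} {r['from_port']}-{r['to_port']} open to every address"
        findings.append((r, reason))
    return findings

def delete_command(group, rule):
    """Build the command that removes `rule` from `group`, reusing the
    arguments that created it (the delete step requires the same ones)."""
    if rule["source_group"]:
        return (f"nova secgroup-delete-group-rule --ip_proto {rule['proto']} "
                f"--from_port {rule['from_port']} --to_port {rule['to_port']} "
                f"{group} {rule['source_group']}")
    return (f"nova secgroup-delete-rule {group} {rule['proto']} "
            f"{rule['from_port']} {rule['to_port']} {rule['cidr']}")
```

Feed it the real output of nova secgroup-list-rules for a group and review each finding before running the printed delete command.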