Security groups are firewalls for your instances, and they're mandatory in our cloud environment. The firewall actually exists on our OpenStack Compute host that is running the instance, and not as iptables rules within the running instance itself. They allow us to protect our hosts by restricting or allowing access to specified service ports, and also protect our instances from other users' instances running on the same hosts. Security groups are the only way to separate a tenant's instances from another user's instances in another tenant when VLAN or tunnel separation isn't available, or in instances where the flat networking model is in use.
To begin with, ensure that you’re logged in to a client that has access to the Nova client tools. These packages can be installed using the following commands:
sudo apt-get update
sudo apt-get install python-novaclient
And ensure you have set the following credentials:
export OS_TENANT_NAME=cookbook
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/
export OS_NO_CACHE=1
export OS_KEY=/vagrant/cakey.pem
export OS_CACERT=/vagrant/ca.pem
The following sections describe how to create and modify security groups in our OpenStack environment.
To create a security group that opens TCP port 80 and port 443 on our instances using Nova client, grouping that under a security group called webserver, we run the following commands:
nova secgroup-create webserver "Web Server Access"
nova secgroup-add-rule webserver tcp 80 80 0.0.0.0/0
nova secgroup-add-rule webserver tcp 443 443 0.0.0.0/0
The reason we specified a new group, instead of assigning these to the default group, is that we might not want to open up our web server to everyone, which would happen every time we spin up a new instance. Putting it into its own security group allows us to open up access to our instance on port 80 by simply specifying this security group when we launch an instance.
For example, we specify the --security_groups option when we boot an instance:
nova boot myInstance --image 0e2f43a8-e614-48ff-92bd-be0c68da19f4 --flavor 2 --key_name demo --security_groups default,webserver
Creation of a security group is done in just two steps. We add a group using the nova secgroup-create command. Following the creation of a security group, we can define rules in that group using the nova secgroup-add-rule command. With this command, we can specify the destination ports that we open up on our instances and the networks that are allowed access.
The nova secgroup-create command has the following syntax:
nova secgroup-create group_name "description"
The nova secgroup-add-rule command has the following basic syntax:
nova secgroup-add-rule group_name protocol port_from port_to source
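As an added example (not from the book), the following POSIX shell wrapper checks the protocol, port range and source CIDR of a nova secgroup-add-rule call before it runs, so a typo cannot open a wider range than intended. NOVA_DRY_RUN is this script's own variable, not a Nova option; it defaults to printing the command so the rule set can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the book: validate a nova secgroup-add-rule
# invocation (group_name protocol port_from port_to source) before running
# it. NOVA_DRY_RUN is this script's own variable, not a Nova option; it
# defaults to 1, which prints the command instead of executing it.
: "${NOVA_DRY_RUN:=1}"

# valid_port N: succeeds for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_cidr A.B.C.D/N: succeeds for four octets in 0..255 and a prefix in 0..32
valid_cidr() {
    ip=${1%/*}; prefix=${1#*/}
    [ "$ip" != "$1" ] || return 1                     # no "/" at all
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    n=0; old_ifs=$IFS; IFS=.
    for octet in $ip; do
        case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]                                    # exactly four octets
}

# add_rule group protocol port_from port_to source
add_rule() {
    group=$1; proto=$2; from=$3; to=$4; src=$5
    case "$proto" in tcp|udp) ;; *) echo "unsupported protocol: $proto" >&2; return 1 ;; esac
    valid_port "$from" && valid_port "$to" || { echo "port out of range" >&2; return 1; }
    [ "$from" -le "$to" ] || { echo "port_from must not exceed port_to" >&2; return 1; }
    valid_cidr "$src" || { echo "malformed source CIDR: $src" >&2; return 1; }
    if [ "$NOVA_DRY_RUN" = 1 ]; then
        echo "nova secgroup-add-rule $group $proto $from $to $src"
    else
        nova secgroup-add-rule "$group" "$proto" "$from" "$to" "$src"
    fi
}

# The webserver rules from the text, printed for review in dry-run mode
add_rule webserver tcp 80 80 0.0.0.0/0
add_rule webserver tcp 443 443 0.0.0.0/0
```

Run with NOVA_DRY_RUN=0 once the printed rules look right and the Nova credentials above are exported.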
Removing rules from a security group is done using the nova secgroup-delete-rule command and is analogous to the nova secgroup-add-rule command. Removing a security group altogether is done using the nova secgroup-delete command and is analogous to the nova secgroup-create command.