Managing security groups is one of the greatest features of OpenStack. A common new-user issue with OpenStack is failing to set an appropriate security group when launching an instance; as a result, the user is unable to reach the instance over the network.
Security groups are sets of IP filter rules that are applied to an instance’s networking. They are project-specific, and project members can edit the default rules for their group and add new rule sets. All projects have a “default” security group, which is applied to instances that have no other security group defined. Unless changed, this security group denies all incoming traffic.
Security groups act as firewalls for your instances, and they are mandatory in our cloud environment. The firewall is enforced on the OpenStack Compute host that runs the instance, not as rules inside the running instance itself.
They allow us to protect our hosts by restricting or allowing access to specified service ports, and they also protect our instances from other users' instances running on the same hosts. Security groups are the only way to separate one tenant's instances from another tenant's instances when running under the Flat network modes, where VLAN or tunnel separation is not available.
Virtual firewalls are provided by the advanced Neutron service known as Firewall-as-a-Service (FWaaS). All projects have a default security group, which is applied to any instance that has no other security group defined. Unless you change the default, this security group denies all incoming traffic and allows only outgoing traffic from your instance.
The maximum number of rules per security group is controlled by the security_group_rules quota.
The nova command-line interface provides facilities for adding rules to security groups. To begin with, ensure that you are logged into a client that has access to the Nova Client tools. These packages can be installed using the following commands:
sudo apt-get update
sudo apt-get -y install python-novaclient
Also ensure that you have set the following credentials:
The following sections describe how to create and modify security groups in our OpenStack environment.
Creating security groups
Recall that we have already created a default security group that opened TCP port 22 from anywhere and allowed us to ping our instances. To open another port, we simply run our command again, assigning that port to a particular group.
For example, to open TCP ports 80 and 443 on our instances using Nova Client, grouped under a security group called webserver, we can do the following:
nova secgroup-create webserver "Web Server Access"
nova secgroup-add-rule webserver tcp 80 80 0.0.0.0/0
nova secgroup-add-rule webserver tcp 443 443 0.0.0.0/0
The reason why we specified a new group, rather than assigning these to the default group, is that we might not want to open up our webserver to everyone, which would happen every time we spin up a new instance. Putting it into its own security group allows us to open up access to our instance to port 80 by simply specifying this security group when we launch an instance.
For example, we specify the --security_groups option when we boot an instance, listing the default group as well so that the SSH rule we added to it still applies:
nova boot myInstance --security_groups default,webserver \
  --image 0e2f43a8-e614-48ff-92bd-be0c68da19f4 --flavor 2
Removing a rule from a security group
To remove a rule from a security group, we run the nova secgroup-delete-rule command. For example, to remove the HTTPS rule from our webserver group, we run the following command using Nova Client:
nova secgroup-delete-rule webserver tcp 443 443 0.0.0.0/0
Deleting a security group
To delete a security group, for example webserver, we run the following command:
nova secgroup-delete webserver
The creation of a security group is done in two steps, as follows:
1. First, we add a group using the nova secgroup-create command.
2. Following the creation of the security group, we define rules in that group using the nova secgroup-add-rule command. With this command, we specify the destination ports to open on our instances and the source networks that are allowed access.
Defining groups and rules using Nova Client
The nova secgroup-create command has the following syntax:
nova secgroup-create group_name "description"
The nova secgroup-add-rule command has the following basic syntax:
nova secgroup-add-rule group_name protocol port_from port_to source
Removing rules from a security group is done using the nova secgroup-delete-rule command, which is analogous to the nova secgroup-add-rule command. Removing a security group altogether is done using the nova secgroup-delete command, which is analogous to the nova secgroup-create command.
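As an added example (not part of the original article or of the nova client), the following POSIX shell functions pre-check a rule in the nova secgroup-add-rule argument order (protocol, port_from, port_to, source) before it is sent to nova: ports must be in range and ordered, the source must be a valid CIDR, and a 0.0.0.0/0 source is only accepted for a single allow-listed port. The function names and the WIDE_OPEN_OK allow-list are this example's own assumptions.

```shell
#!/bin/sh
# Added example: pre-flight validation for `nova secgroup-add-rule` arguments.
# The allow-list below is an assumption: the article's web ports plus SSH.
WIDE_OPEN_OK="22 80 443"

valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_cidr() {
  # Accepts a.b.c.d/n with octets 0-255 and prefix length 0-32.
  ip=${1%/*}; plen=${1#*/}
  [ "$ip" != "$1" ] || return 1          # no '/' present
  case "$plen" in ''|*[!0-9]*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# check_rule PROTO PORT_FROM PORT_TO SOURCE -> 0 if acceptable, 1 if refused
check_rule() {
  proto=$1; from=$2; to=$3; src=$4
  valid_cidr "$src" || return 1
  case "$proto" in
    icmp) return 0 ;;      # nova takes ICMP type/code here, not ports
    tcp|udp) ;;
    *) return 1 ;;
  esac
  valid_port "$from" && valid_port "$to" || return 1
  [ "$from" -le "$to" ] || return 1
  # World-open rules are limited to one allow-listed port, never a range.
  if [ "$src" = "0.0.0.0/0" ]; then
    [ "$from" -eq "$to" ] || return 1
    for p in $WIDE_OPEN_OK; do
      [ "$p" -eq "$from" ] && return 0
    done
    return 1
  fi
  return 0
}

# add_rule GROUP PROTO PORT_FROM PORT_TO SOURCE: calls nova only if the rule passes.
add_rule() {
  check_rule "$2" "$3" "$4" "$5" || { echo "refused rule: $*" >&2; return 1; }
  nova secgroup-add-rule "$1" "$2" "$3" "$4" "$5"
}
```

Wrapping the article's commands as add_rule webserver tcp 80 80 0.0.0.0/0 lets them through, while add_rule webserver tcp 3306 3306 0.0.0.0/0 is refused before nova is ever called.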
Ravindra Savaram is a Content Lead at Mindmajix.com. His passion lies in writing articles on the most popular IT platforms including Machine learning, DevOps, Data Science, Artificial Intelligence, RPA, Deep Learning, and so on. You can stay up to date on all these technologies by following him on LinkedIn and Twitter.