+++ date = "2015-09-30" draft = false weight = 08 title = "Lab 08 - Security Groups" +++
The objective of this lab is to understand how security groups work. A common issue with OpenStack is failing to set appropriate security group(s) when launching an instance. As a result, the user is unable to contact the instance on the network. The security groups are sets of IP filter rules that are applied to the instance's networking.
Security Groups are also project specific, and project members can edit the default rules for their group and add new rules sets. All projects have a "default" security group, which is applied to instances that have no other security group defined. Unless changed, this security group denies all incoming traffic. If you've tried to connect to an instance in the past, this is likely one of the reasons you were unsuccessful.
-
SSH to your controller as root, then source the keystonerc_chestercopperpot permissions file.
[root@controller ] # source keystonerc_chestercopperpot [root@controller ~(keystone_chestercopperpot)]# -
Examine the current security group rules available to the vault-tek project (the project to which chestercopperpot belongs)
[root@controller ~(keystone_chestercopperpot)]# nova secgroup-list +--------------------------------------+---------+------------------------+ | Id | Name | Description | +--------------------------------------+---------+------------------------+ | ccaf984f-f819-4aa6-943c-360d2f41ee97 | default | Default security group | +--------------------------------------+---------+------------------------+
- Note that only a single security group will exist, which is named default.
-
We need to create a few basic security group rules which we can apply to our instances. The group that is about to be created is called "http-ssh"
[root@controller ~(keystone_chestercopperpot)]# nova secgroup-create http-ssh "Allowing http and ssh traffic" +--------------------------------------+----------+-------------------------------+ | Id | Name | Description | +--------------------------------------+----------+-------------------------------+ | 0b79a2b0-ef2e-44de-a215-0c74759bbf0c | http-ssh | Allowing http and ssh traffic | +--------------------------------------+----------+-------------------------------+ -
Create an exception for TCP traffic coming to and from port 80 via any IP address
[root@controller ~(keystone_chestercopperpot)]# nova secgroup-add-rule http-ssh tcp 80 80 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | tcp | 80 | 80 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+ -
Create an exception for TCP traffic coming to and from port 22 via any IP address
[root@controller ~(keystone_chestercopperpot)]# nova secgroup-add-rule http-ssh tcp 22 22 0.0.0.0/0 +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | tcp | 22 | 22 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+ -
Review the rules that we just created for http-ssh security group
[root@controller ~(keystone_chestercopperpot)]# nova secgroup-list-rules http-ssh +-------------+-----------+---------+-----------+--------------+ | IP Protocol | From Port | To Port | IP Range | Source Group | +-------------+-----------+---------+-----------+--------------+ | tcp | 80 | 80 | 0.0.0.0/0 | | | tcp | 22 | 22 | 0.0.0.0/0 | | +-------------+-----------+---------+-----------+--------------+
- Good job! Now the vault-tek project could apply the http-ssh rule set to a launched instance (we'll do this soon), but for now, continue on...
- Log into Horizon as chestercopperpot / fa5tpa55w0rd, and navigate to the following location:
- Navigate to: Project > Compute > Access & Security
- Can chestercopperpot see the new http-ssh rule? Why or why not?
- Log into Horizon as admin, and navigate to the following location:
- Navigate to: Project > Compute > Access & Security
- Can admin see the new http-ssh rule? Why or why not?
- Log into Horizon as aliceanderson / fa5tpa55w0rd, and navigate to the following location:
- Navigate to: Project > Compute > Access & Security
- Can aliceanderson see the new http-ssh rule? Why or why not?
-
While still logged in as aliceanderson, let's use Horizon to create a new security group rule for the tenant (project) to which aliceanderson belongs.
-
Within Horizon, navigate to the following location:
- Navigate to: Project > Compute > Access & Security
- In the Security Group tab, find the button '+Create Security Group'
-
If you are unsure of where to click, see the screenshot below.
-
A window should pop-up titled, "Create Security Group", fill this screen out as follows:
Name: http-ssh Description: Allows http and ssh access
-
After filling out the pop-up window, click on the "Edit Security Group" button.
-
If you are unsure of where to click, see the screenshot below.
- You should be looking at a page that includes the newly created rule, click on the "Manage Rules" button.
-
If you are unsure of where to click, see the screenshot below.
- You're now looking at the list of IP permissions currently applied. Click the "+Add Rule" button.
-
If you are unsure of where to click, see the screenshot below.
-
Our first rule we create will be for SSH access. Fill out the windows as follows:
Rule: SSH (choose from dropdown menu) Remote: CIDR CIDR: 0.0.0.0/0
-
Click on "Add" button when complete
-
When finished, your rule should look like the one before
-
Repeat step 6, once again, click on the "+Add Rule" button
-
Our second rule we create will be for HTTP access. Fill out the windows as follows:
Rule: HTTP (choose from dropdown menu) Remote: CIDR CIDR: 0.0.0.0/0
-
Click on "Add" button when complete
-
When finished, your rule should look like the one before
-
After pressing the "Add button", your screen should look like the following:
-
Click on the "Access & Security" link on the left.
-
If you see the new security group listed here, then that's it for this lab! We'll use this Security Group next time we launch and instance. Hang tight while the other students wrap up.
