
Chapter 7. Configuring security groups


Security groups are sets of IP filter rules that control network and protocol access to and from instances, such as ICMP to allow you to ping an instance, and SSH to allow you to connect to an instance. Security groups and their rules apply to the ports with which they are associated.

In a Red Hat OpenStack Services on OpenShift (RHOSO) environment, all projects have a default security group called default, which is used when you do not specify a security group for your instances. By default, the default security group allows all outgoing traffic and denies all incoming traffic from any source other than instances in the same security group. You can either add rules to the default security group or create a new security group for your project. You can apply one or more security groups to an instance during instance creation. To apply a security group to a running instance, apply the security group to a port attached to the instance.

When you create a security group, you can choose stateful or stateless.

Security groups are stateful by default, and in most cases stateful security groups provide better control with less administrative overhead.

A stateless security group can provide significant performance benefits, because it bypasses connection tracking in the underlying firewall. But stateless security groups require more security group rules than stateful security groups. Stateless security groups also offer less granularity in some cases.

Stateless security group advantages
  • Stateless security groups can be faster than stateful security groups.
  • Stateless security groups are the only viable security group option in applications that offload OpenFlow actions to hardware.
Stateless security group disadvantages
  • Stateless security group rules do not automatically allow returning traffic. For example, if you create a rule to allow outgoing TCP traffic from a port that is in a stateless security group, you must also create a rule that allows incoming replies. Stateful security groups automatically allow the incoming replies.
  • Control over those incoming replies may not be as granular as the control provided by stateful security groups.

In general, use the default stateful security group type unless your application is highly sensitive to performance or uses hardware offloading of OpenFlow actions.


Note

You cannot apply a role-based access control (RBAC)-shared security group directly to an instance during instance creation. To apply an RBAC-shared security group to an instance you must first create the port, apply the shared security group to that port, and then assign that port to the instance. See Adding a security group to a port in Creating and managing instances.

7.1. Creating a security group

You can create a new security group to apply to instances and ports within a project in a Red Hat OpenStack Services on OpenShift (RHOSO) environment.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • You have installed the python-openstackclient package.

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. Optional: To ensure the security group you need does not already exist, review the available security groups and their rules:

    $ openstack security group list
    $ openstack security group rule list <sec_group>
    • Replace <sec_group> with the name or ID of the security group that you retrieved from the list of available security groups.
  3. Create your security group:

    $ openstack security group create [--stateless] mySecGroup
    • Optional: Include the --stateless option to create a stateless security group.

      Security groups are stateful by default.

  4. Add rules to your security group:

    $ openstack security group rule create --protocol <protocol> \
    [--dst-port <port-range>] \
    [--remote-ip <ip-address> | --remote-group <group>] \
    [--ingress | --egress] mySecGroup
    • Replace <protocol> with the name of the protocol you want to allow to communicate with your instances.
    • Optional: Replace <port-range> with the destination port or port range to open for the protocol. Required for IP protocols TCP, UDP, and SCTP. Set to -1 to allow all ports for the specified protocol. Separate port range values with a colon.
    • Optional: You can allow access only from specified IP addresses by using --remote-ip to specify the remote IP address block, or --remote-group to specify that the rule only applies to packets from interfaces that are a member of the remote group. If using --remote-ip, replace <ip-address> with the remote IP address block. You can use CIDR notation. If using --remote-group, replace <group> with the name or ID of the existing security group. If you specify neither option, the rule applies to all addresses, because the remote IP range defaults to 0.0.0.0/0 for IPv4 and ::/0 for IPv6.
    • Specify the direction of network traffic the protocol rule applies to, either incoming (ingress) or outgoing (egress). If not specified, defaults to ingress.

      Note

      If you created a stateless security group, and you created a rule to allow outgoing TCP traffic from a port that is in the stateless security group, you must also create a rule that allows incoming replies.

  5. Repeat the previous step until you have created rules for all the protocols that you want to allow to access your instances.

    The following example creates a rule to allow SSH connections to instances in the security group mySecGroup:

    $ openstack security group rule create --protocol tcp \
     --dst-port 22 mySecGroup
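The stateless caveat above (an egress rule needs a matching ingress rule for replies) is easy to miss once a group has many rules. The following Python audit is an added example, not part of this Red Hat chapter: it reads rules in the shape that `openstack security group rule list <group> -f json` emits, reports TCP/UDP/SCTP egress rules with no ingress rule that admits their replies, and builds the step 4 command that would add one. The column names, the "lo:hi" port-range format, the ephemeral range 1024:65535 and the sample rules are assumptions or constructed data.

```python
import ipaddress
import json

# Assumed range of client-side ephemeral ports on which replies arrive.
EPHEMERAL = (1024, 65535)

# Constructed sample shaped like `openstack security group rule list <group> -f json`
# (column names assumed; "Port Range" assumed to read "lo:hi", or "" for any port).
SAMPLE_RULES = json.loads("""[
 {"ID": "r1", "Direction": "egress",  "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "10.0.0.0/24", "Port Range": "443:443"},
 {"ID": "r2", "Direction": "ingress", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "10.0.0.0/24", "Port Range": "1024:65535"},
 {"ID": "r3", "Direction": "egress",  "IP Protocol": "udp", "Ethertype": "IPv4", "IP Range": "10.0.0.53/32", "Port Range": "53:53"},
 {"ID": "r4", "Direction": "ingress", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0", "Port Range": "22:22"}
]""")

def _ports(text):
    """'22:22' -> (22, 22); '' means any port."""
    if not text:
        return (1, 65535)
    lo, _, hi = text.partition(":")
    return (int(lo), int(hi or lo))

def _net(rule):
    """An empty IP Range means the API default: 0.0.0.0/0 or ::/0."""
    default = "::/0" if rule["Ethertype"] == "IPv6" else "0.0.0.0/0"
    return ipaddress.ip_network(rule.get("IP Range") or default)

def _admits_replies(ingress, egress):
    """True if an ingress rule lets the replies to an egress rule back in."""
    if (ingress["Direction"] != "ingress" or ingress["Ethertype"] != egress["Ethertype"]
            or ingress["IP Protocol"] not in (None, "", egress["IP Protocol"])
            or ingress.get("Remote Security Group") != egress.get("Remote Security Group")):
        return False
    # Remote-group rules match by group; remote-ip rules need the ingress prefix to cover ours.
    if egress.get("Remote Security Group") is None and not _net(ingress).supernet_of(_net(egress)):
        return False
    lo, hi = _ports(ingress["Port Range"])
    return lo <= EPHEMERAL[0] and hi >= EPHEMERAL[1]

def missing_reply_rules(rules):
    """IDs of tcp/udp/sctp egress rules with no ingress rule for their replies."""
    return [e["ID"] for e in rules
            if e["Direction"] == "egress" and e["IP Protocol"] in ("tcp", "udp", "sctp")
            and not any(_admits_replies(i, e) for i in rules)]

def reply_rule_command(rule, group):
    """The step 4 command that adds the missing ingress reply rule."""
    return (f"openstack security group rule create --protocol {rule['IP Protocol']} "
            f"--dst-port {EPHEMERAL[0]}:{EPHEMERAL[1]} --remote-ip {_net(rule)} --ingress {group}")
```

For the sample, only r3 (UDP to a DNS server) is reported, because r2 already covers the replies to r1; replace SAMPLE_RULES with json.load() of the real CLI output to audit your own group.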

7.2. Updating security group rules

You can update the rules of any security group that you have access to in a Red Hat OpenStack Services on OpenShift (RHOSO) environment.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • The python-openstackclient package is installed on your workstation. You can verify this with the following command:

    $ dnf list installed python-openstackclient

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. Retrieve the name or ID of the security group that you want to update the rules for:

    $ openstack security group list
  3. Determine the rules that you need to apply to the security group.
  4. Add rules to your security group:

    $ openstack security group rule create --protocol <protocol> \
    [--dst-port <port-range>] \
    [--remote-ip <ip-address> | --remote-group <group>] \
    [--ingress | --egress] <group_name>
    • Replace <protocol> with the name of the protocol you want to allow to communicate with your instances.
    • Optional: Replace <port-range> with the destination port or port range to open for the protocol. Required for IP protocols TCP, UDP, and SCTP. Set to -1 to allow all ports for the specified protocol. Separate port range values with a colon.
    • Optional: You can allow access only from specified IP addresses by using --remote-ip to specify the remote IP address block, or --remote-group to specify that the rule only applies to packets from interfaces that are a member of the remote group. If using --remote-ip, replace <ip-address> with the remote IP address block. You can use CIDR notation. If using --remote-group, replace <group> with the name or ID of the existing security group. If you specify neither option, the rule applies to all addresses, because the remote IP range defaults to 0.0.0.0/0 for IPv4 and ::/0 for IPv6.
    • Specify the direction of network traffic the protocol rule applies to, either incoming (ingress) or outgoing (egress). If not specified, defaults to ingress.
    • Replace <group_name> with the name or ID of the security group that you want to apply the rule to.
  5. Repeat the previous step until you have created rules for all the protocols that you want to allow to access your instances.

    The following example creates a rule to allow SSH connections to instances in the security group mySecGroup:

    $ openstack security group rule create --protocol tcp \
     --dst-port 22 mySecGroup

7.3. Deleting security group rules

You can delete rules from a security group in a Red Hat OpenStack Services on OpenShift (RHOSO) environment.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • The python-openstackclient package is installed on your workstation. You can verify this with the following command:

    $ dnf list installed python-openstackclient

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. Identify the security group that the rules are applied to:

    $ openstack security group list
  3. Retrieve IDs of the rules associated with the security group:

    $ openstack security group show <sec-group>
  4. Delete the rule or rules:

    $ openstack security group rule delete <rule> [<rule> ...]

    Replace <rule> with the ID of the rule to delete. You can delete more than one rule at a time by specifying a space-delimited list of the IDs of the rules to delete.

7.4. Deleting a security group

You can delete security groups that are not associated with any ports in a Red Hat OpenStack Services on OpenShift (RHOSO) environment.

Prerequisites

  • The administrator has created a project for you and has provided you with a clouds.yaml file for you to access the cloud.
  • You have installed the python-openstackclient package.

Procedure

  1. Confirm that the system OS_CLOUD variable is set for your cloud:

    $ echo $OS_CLOUD
    my_cloud

    Reset the variable if necessary:

    $ export OS_CLOUD=my_other_cloud

    As an alternative, you can specify the cloud name by adding the --os-cloud <cloud_name> option each time you run an openstack command.

  2. Retrieve the name or ID of the security group that you want to delete:

    $ openstack security group list
  3. Retrieve a list of the available ports:

    $ openstack port list
  4. Check each port for an associated security group:

    $ openstack port show <port-uuid> -c security_group_ids

    If the security group you want to delete is associated with any of the ports, then you must first remove the security group from the port. For more information, see Removing a security group from a port in Creating and managing instances.

  5. Delete the security group:

    $ openstack security group delete <group> [<group> ...]

    Replace <group> with the ID of the group that you want to delete. You can delete more than one group at a time by specifying a space-delimited list of the IDs of the groups to delete.

© 2025 Red Hat