Configure access and security for instances

When you launch a virtual machine, you can inject a keypair, which provides SSH access to your instance. For this to work, the image must contain the cloud-init package. Create at least one keypair for each project. If you generate a keypair with an external tool, you can import it into OpenStack. You can use the keypair for multiple instances that belong to that project. In case an image uses a static root password or a static key set (neither is recommended), you must not provide a keypair when you launch the instance.

A security group is a named collection of network access rules that you use to limit the types of traffic that have access to instances. When you launch an instance, you can assign one or more security groups to it. If you do not create security groups, new instances are automatically assigned to the default security group, unless you explicitly specify a different security group. The associated rules in each security group control the traffic to instances in the group. Any incoming traffic that is not matched by a rule is denied access by default.

You can add rules to or remove rules from a security group. You can modify rules for the default and any other security group. You must modify the rules for the default security group because users cannot access instances that use the default group from any IP address outside the cloud. You can modify the rules in a security group to allow access to instances through different ports and protocols. For example, you can modify rules to allow access to instances through SSH, to ping them, or to allow UDP traffic (for example, for a DNS server running on an instance).

You specify the following parameters for rules:

- Source of traffic. Enable traffic to instances either from IP addresses inside the cloud that belong to other group members, or from all IP addresses.
- Protocol. Choose TCP for SSH, ICMP for pings, or UDP.
- Destination port on the virtual machine. Defines a port range. To open a single port only, enter the same value twice. ICMP does not support ports: enter values to define the types and codes of ICMP traffic to be allowed.

Rules are automatically enforced as soon as you create or modify them.

You can also assign a floating IP address to a running instance to make it accessible from outside the cloud. You assign a floating IP address to an instance and attach a block storage device, or volume, for persistent storage. See .
Add a keypair

You can generate a keypair or upload an existing public key.

To generate a keypair, run the following command:

$ nova keypair-add KEY_NAME > MY_KEY.pem

The command generates a keypair named KEY_NAME, writes the private key to the MY_KEY.pem file, and registers the public key in the Nova database.

To set the permissions of the MY_KEY.pem file, run the following command:

$ chmod 600 MY_KEY.pem

The command changes the permissions of the MY_KEY.pem file so that only you can read and write it.
Import a keypair

If you have already generated a keypair with the public key located at ~/.ssh/id_rsa.pub, run the following command to upload the public key:

$ nova keypair-add --pub_key ~/.ssh/id_rsa.pub KEY_NAME

The command registers the public key in the Nova database and names the keypair KEY_NAME.

List keypairs to make sure that the uploaded keypair appears in the list:

$ nova keypair-list
Create and manage security groups

To list security groups for the current project, including descriptions, enter the following command:

$ nova secgroup-list

To create a security group with a specified name and description, enter the following command:

$ nova secgroup-create SEC_GROUP_NAME GROUP_DESCRIPTION

To delete a specified group, enter the following command:

$ nova secgroup-delete SEC_GROUP_NAME

You cannot delete the default security group for a project. Also, you cannot delete a security group that is assigned to a running instance.
Create and manage security group rules

Modify security group rules with the nova secgroup-*-rule commands. On a shell, source the OpenStack RC file. For details, see .

To list the rules for a security group:

$ nova secgroup-list-rules SEC_GROUP_NAME

To allow SSH access to the instances, choose one of the following sub-steps:

- Add a rule for all IPs. Allow access from all IP addresses (specified as an IP subnet in CIDR notation, 0.0.0.0/0):

  $ nova secgroup-add-rule SEC_GROUP_NAME tcp 22 22 0.0.0.0/0

- Add a rule for security groups. Alternatively, allow only IP addresses from other security groups (source groups) to access the specified port:

  $ nova secgroup-add-group-rule --ip_proto tcp --from_port 22 \
    --to_port 22 SEC_GROUP_NAME SOURCE_GROUP_NAME

To allow pinging the instances, choose one of the following sub-steps:

- To allow pinging from IPs, specify all IP addresses as an IP subnet in CIDR notation: 0.0.0.0/0. For ICMP, the two port arguments are the ICMP type and code respectively; -1 allows all types and all codes:

  $ nova secgroup-add-rule SEC_GROUP_NAME icmp -1 -1 0.0.0.0/0

- To allow pinging from other security groups, that is, to allow only members of other security groups (source groups) to ping instances:

  $ nova secgroup-add-group-rule --ip_proto icmp --from_port -1 \
    --to_port -1 SEC_GROUP_NAME SOURCE_GROUP_NAME

To allow access through a UDP port, such as allowing access to a DNS server that runs on a VM, complete one of the following sub-steps:

- To allow UDP access from IPs, specify all IP addresses as an IP subnet in CIDR notation: 0.0.0.0/0.

  $ nova secgroup-add-rule SEC_GROUP_NAME udp 53 53 0.0.0.0/0

- To allow only IP addresses from other security groups (source groups) to access the specified port:

  $ nova secgroup-add-group-rule --ip_proto udp --from_port 53 \
    --to_port 53 SEC_GROUP_NAME SOURCE_GROUP_NAME

To delete a security group rule, specify the same arguments that you used to create the rule.

To delete the security rule that you created in :

$ nova secgroup-delete-rule SEC_GROUP_NAME tcp 22 22 0.0.0.0/0

To delete the security rule that you created in :

$ nova secgroup-delete-group-rule --ip_proto tcp --from_port 22 \
  --to_port 22 SEC_GROUP_NAME SOURCE_GROUP_NAME
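The following Python model is an added illustration, not OpenStack or nova client code. It reproduces the rule semantics this guide describes (default deny; a rule matches on protocol, port range or ICMP type/code, and on either a source CIDR or membership of a source security group; a rule is deleted by repeating the arguments used to create it) so that you can reason about what a given set of `secgroup-add-rule` and `secgroup-add-group-rule` calls will admit before applying them. The group names, instance addresses and packets are constructed sample data, and the -1..255 bound on ICMP type and code is an assumption of this model.

```python
"""Model of OpenStack security-group rule evaluation (added example, not OpenStack code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PROTOCOLS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class Rule:
    """Mirrors the arguments of nova secgroup-add-rule / secgroup-add-group-rule."""
    ip_proto: str
    from_port: int                      # tcp/udp: low port;  icmp: type (-1 = any)
    to_port: int                        # tcp/udp: high port; icmp: code (-1 = any)
    cidr: Optional[str] = None          # source subnet, e.g. "0.0.0.0/0" ...
    source_group: Optional[str] = None  # ... or the name of a source security group

    def __post_init__(self) -> None:
        if self.ip_proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {self.ip_proto!r}")
        if (self.cidr is None) == (self.source_group is None):
            raise ValueError("specify exactly one of cidr or source_group")
        if self.ip_proto == "icmp":  # bound assumed for this model
            if not (-1 <= self.from_port <= 255 and -1 <= self.to_port <= 255):
                raise ValueError("ICMP type/code must be -1 (any) or 0..255")
        elif not 1 <= self.from_port <= self.to_port <= 65535:
            raise ValueError("port range must satisfy 1 <= from <= to <= 65535")
        if self.cidr is not None:
            ipaddress.ip_network(self.cidr, strict=False)  # raises on a malformed CIDR


@dataclass
class SecurityGroup:
    name: str
    rules: Set[Rule] = field(default_factory=set)
    members: Set[str] = field(default_factory=set)  # IPs of instances in this group

    def add_rule(self, rule: Rule) -> None:
        self.rules.add(rule)

    def delete_rule(self, rule: Rule) -> None:
        # As with nova secgroup-delete-rule, the rule is identified by the same
        # arguments that created it; deleting an unknown rule is a no-op here.
        self.rules.discard(rule)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    ip_proto: str
    port: int           # tcp/udp: destination port; icmp: type
    icmp_code: int = 0  # icmp only


def rule_matches(rule: Rule, pkt: Packet, groups: Dict[str, SecurityGroup]) -> bool:
    if rule.ip_proto != pkt.ip_proto:
        return False
    if rule.ip_proto == "icmp":
        if rule.from_port not in (-1, pkt.port) or rule.to_port not in (-1, pkt.icmp_code):
            return False
    elif not rule.from_port <= pkt.port <= rule.to_port:
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.cidr, strict=False)
    return pkt.src_ip in groups[rule.source_group].members


def is_allowed(pkt: Packet, assigned: Set[str], groups: Dict[str, SecurityGroup]) -> bool:
    """Default deny: traffic is admitted only by an explicit matching rule in an assigned group."""
    return any(rule_matches(r, pkt, groups) for g in assigned for r in groups[g].rules)


def demo() -> Dict[str, bool]:
    # Constructed sample groups: "bastion" holds one jump host, "web" holds one web instance.
    groups = {
        "bastion": SecurityGroup("bastion", members={"10.0.0.9"}),
        "web": SecurityGroup("web", members={"10.0.0.5"}),
    }
    web = groups["web"]
    # nova secgroup-add-group-rule --ip_proto tcp --from_port 22 --to_port 22 web bastion
    web.add_rule(Rule("tcp", 22, 22, source_group="bastion"))
    # nova secgroup-add-rule web icmp -1 -1 0.0.0.0/0
    web.add_rule(Rule("icmp", -1, -1, cidr="0.0.0.0/0"))
    # nova secgroup-add-rule web udp 53 53 0.0.0.0/0
    web.add_rule(Rule("udp", 53, 53, cidr="0.0.0.0/0"))

    assigned = {"web"}
    internet_ssh = Packet("203.0.113.7", "tcp", 22)
    results = {
        "ssh_from_bastion": is_allowed(Packet("10.0.0.9", "tcp", 22), assigned, groups),
        "ssh_from_internet": is_allowed(internet_ssh, assigned, groups),
        "ping_from_internet": is_allowed(Packet("203.0.113.7", "icmp", 8, 0), assigned, groups),
        "dns_from_internet": is_allowed(Packet("198.51.100.2", "udp", 53), assigned, groups),
        "http_from_bastion": is_allowed(Packet("10.0.0.9", "tcp", 80), assigned, groups),
    }
    # Open SSH to the world, then delete that rule by repeating the same arguments.
    world_ssh = Rule("tcp", 22, 22, cidr="0.0.0.0/0")
    web.add_rule(world_ssh)
    results["ssh_from_internet_after_open"] = is_allowed(internet_ssh, assigned, groups)
    web.delete_rule(world_ssh)
    results["ssh_from_internet_after_delete"] = is_allowed(internet_ssh, assigned, groups)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:30} {'ALLOW' if allowed else 'DENY'}")
```

The source-group form is the one to prefer for administrative ports such as SSH: membership in the bastion group, not a CIDR, decides who may connect, and the rule keeps working when addresses change.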