Manage Security groups via CLI
Note
The openstack CLI will need to be setup to interact with the FlexiHPC system. Please read Setting up your CLI environment to interact with FlexiHPC to get started.
Creating a Security Group¶
Run the following command to create a Security Group with a specified name and description.
An example command to create a security group called My_Wiki_SG
We can check the security group is created by running
+--------------------------------------+--------------------------+---------------------------------------------------------+----------------------------------+------+
| ID | Name | Description | Project | Tags |
+--------------------------------------+--------------------------+---------------------------------------------------------+----------------------------------+------+
| 339bd140-e6a0-4afd-9b24-029c3243e779 | My_Wiki_SG | A testing group for wiki | 4f07cc254d6c4471805d49bae1f739b9 | [] |
| 7200b28f-9089-4797-a094-39f1995e6f0c | SSH Allow All | This is an open SSH that allows anyone to connect to 22 | 4f07cc254d6c4471805d49bae1f739b9 | [] |
| b5d30ed4-13b3-4f7a-bc5a-c48175566ea3 | My-Security-Group | This is my security group | 4f07cc254d6c4471805d49bae1f739b9 | [] |
| f2f15d6f-2a04-4196-8102-a058042694b3 | default | Default security group | 4f07cc254d6c4471805d49bae1f739b9 | [] |
+--------------------------------------+--------------------------+---------------------------------------------------------+----------------------------------+------+
Create and manage Security Group rules¶
You can modify Security Group rules with the openstack security group rule
command.
Create new rules for a group¶
Allow access from all IP addresses (specified as IP subnet 0.0.0.0/0
in CIDR notation) for the port 8080
The command and response looks like the following
openstack security group rule create --proto tcp --dst-port 8080 339bd140-e6a0-4afd-9b24-029c3243e779
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2023-08-10T00:59:36Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | f0bce470-8d94-453f-9dfa-3e3e34b0c80e |
| name | None |
| normalized_cidr | 0.0.0.0/0 |
| port_range_max | 8080 |
| port_range_min | 8080 |
| project_id | 4f07cc254d6c4471805d49bae1f739b9 |
| protocol | tcp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 339bd140-e6a0-4afd-9b24-029c3243e779 |
| tags | [] |
| updated_at | 2023-08-10T00:59:36Z |
+-------------------------+--------------------------------------+
If you check the rules again, you'll see the new one has been added
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| b0f0edd2-7a55-44b4-84a8-9650de36a7ec | None | IPv6 | ::/0 | | egress | None | None |
| f0bce470-8d94-453f-9dfa-3e3e34b0c80e | tcp | IPv4 | 0.0.0.0/0 | 8080:8080 | ingress | None | None |
| f3925a01-5d47-4c55-ac73-1647cca5b739 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
Delete a Security Group rule¶
First, run the following command to view all Security Groups.
+--------------------------------------+--------------------------+---------------------------------------------------------+----------------------------------+------+
| ID | Name | Description | Project | Tags |
+--------------------------------------+--------------------------+---------------------------------------------------------+----------------------------------+------+
| 339bd140-e6a0-4afd-9b24-029c3243e779 | My_Wiki_SG | A testing group for wiki | 4f07cc254d6c4471805d49bae1f739b9 | [] |
| 5150840c-9c27-45a9-91a1-61c5978de8ff | https | | 4f07cc254d6c4471805d49bae1f739b9 | [] |
| 7200b28f-9089-4797-a094-39f1995e6f0c | SSH Allow All | This is an open SSH that allows anyone to connect to 22 | 4f07cc254d6c4471805d49bae1f739b9 | [] |
| 8873336a-02e6-4f84-8fd8-5aa3b929f955 | hpc-toolset-docker-ports | Docker Ports used for the HPC Toolset | 4f07cc254d6c4471805d49bae1f739b9 | [] |
| b24e8bef-969a-4938-8b18-0a33769b181d | kubeapi_whitelist | | 4f07cc254d6c4471805d49bae1f739b9 | [] |
| b5d30ed4-13b3-4f7a-bc5a-c48175566ea3 | My-Security-Group | This is my security group | 4f07cc254d6c4471805d49bae1f739b9 | [] |
| f2f15d6f-2a04-4196-8102-a058042694b3 | default | Default security group | 4f07cc254d6c4471805d49bae1f739b9 | [] |
+--------------------------------------+--------------------------+---------------------------------------------------------+----------------------------------+------+
Locate the Security Group that you wish to remove a rule from and take note of its ID
Note
For this example we are using 339bd140-e6a0-4afd-9b24-029c3243e779
Running the following command will return all rules associated with that security group.
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| b0f0edd2-7a55-44b4-84a8-9650de36a7ec | None | IPv6 | ::/0 | | egress | None | None |
| f0bce470-8d94-453f-9dfa-3e3e34b0c80e | tcp | IPv4 | 0.0.0.0/0 | 8080:8080 | ingress | None | None |
| f3925a01-5d47-4c55-ac73-1647cca5b739 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
Take note of the Security Group Rule ID
Note
For this example we will use f0bce470-8d94-453f-9dfa-3e3e34b0c80e
To delete a rule, run the following command with the correct rule ID.
Re-run the list command to confirm the rule has been deleted
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| b0f0edd2-7a55-44b4-84a8-9650de36a7ec | None | IPv6 | ::/0 | | egress | None | None |
| f3925a01-5d47-4c55-ac73-1647cca5b739 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
Deleting a Security Group¶
Run the following to delete a Security Group
Warning
You cannot delete the default
Security Group from your project. It's also not possible to delete a Security Group that is assigned to an instance.