Command overview

[root@controller02 ~]# openstack help security
Command "security" matches:
security group create
security group delete
security group list
security group rule create
security group rule delete
security group rule list
security group rule show
security group set
security group show
security group unset

List security groups

openstack security group list

List the rules of a given security group

[root@controller02 ~]# openstack security group rule list 1c0c76c5-b66e--b483-66bf07d18cf8
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| ID | IP Protocol | IP Range | Port Range | Remote Security Group |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| 1a255d60-4ad6-4bfe-845a-cf7eca801d54 | None | None | | None |
| 1c17d97d-17c8--91ba-b85e591df3fd | None | None | | 1c0c76c5-b66e--b483-66bf07d18cf8 |
| 569790d7-752e---606cdd0ba483 | None | None | | None |
| 5f8355d6-d9ce-4d4f-a5d9-af9ef4350bc0 | None | None | | 1c0c76c5-b66e--b483-66bf07d18cf8 |
+--------------------------------------+-------------+----------+------------+--------------------------------------+

Create a security group

usage: openstack security group create [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--fit-width] [--print-empty]
[--noindent] [--prefix PREFIX]
[--description <description>]
[--project <project>]
[--project-domain <project-domain>]
[--tag <tag> | --no-tag]
<name>
[root@controller02 ~]#
[root@controller02 ~]# openstack security group create hzbtest
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | --10T01::34Z |
| description | hzbtest |
| id | ccb7bb7e-d978-4ce6-b2cf-8fe1b70799a9 |
| name | hzbtest |
| project_id | 8a2608dbc7014bb5ad21a4e4d3d54133 |
| revision_number | |
| rules | created_at='2019-06-10T01:17:35Z', direction='egress', ethertype='IPv6', id='5e5d7d9b-be2a-44c9-8819-46313003f49f', updated_at='2019-06-10T01:17:35Z' |
| | created_at='2019-06-10T01:17:35Z', direction='egress', ethertype='IPv4', id='c52dfc69-908e-4c7f-8df5-700a3ace527d', updated_at='2019-06-10T01:17:35Z' |
| tags | [] |
| updated_at | --10T01::35Z |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+

Add a rule (icmp: allow ping)

usage: openstack security group rule create [-h]
[-f {json,shell,table,value,yaml}]
[-c COLUMN]
[--max-width <integer>]
[--fit-width] [--print-empty]
[--noindent] [--prefix PREFIX]
[--remote-ip <ip-address> | --remote-group <group>]
[--description <description>]
[--dst-port <port-range>]
[--icmp-type <icmp-type>]
[--icmp-code <icmp-code>]
[--protocol <protocol>]
[--ingress | --egress]
[--ethertype <ethertype>]
[--project <project>]
[--project-domain <project-domain>]
<group>
(nova-api)[root@cc07 /]# nova secgroup-add-rule boshen-sg icmp - - 0.0.0.0/
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | - | - | 0.0.0.0/ | |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | - | - | 0.0.0.0/ | |
+-------------+-----------+---------+-----------+--------------+
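The rule above is added with a wildcard source range. As an added example (not from the original page, and not part of the nova or openstack clients), the helper below builds the equivalent `openstack security group rule create` command while refusing the any-address source unless the caller opts in explicitly. The flags used (`--ingress`, `--protocol`, `--dst-port`, `--remote-ip`) are the ones in the usage text above; the function names and the group name `web-sg` are assumptions.

```shell
#!/bin/sh
# Added example: guarded construction of an ingress security-group rule.
# Not from the original page; helper names and "web-sg" are assumptions.

# is_any_cidr CIDR -> returns 0 if CIDR is the wildcard source (0.0.0.0/0 or ::/0)
is_any_cidr() {
    case "$1" in
        0.0.0.0/0|::/0) return 0 ;;
        *) return 1 ;;
    esac
}

# valid_port PORT -> returns 0 if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# rule_cmd GROUP PROTO PORT CIDR [allow-any]
# Prints the openstack command that adds an ingress rule for PROTO/PORT from CIDR.
# Returns 1 and prints nothing on stdout for a bad port, or for a wildcard
# source unless the fifth argument is the literal word "allow-any".
rule_cmd() {
    group=$1; proto=$2; port=$3; cidr=$4; override=${5:-}
    valid_port "$port" || { echo "rule_cmd: bad port '$port'" >&2; return 1; }
    if is_any_cidr "$cidr" && [ "$override" != allow-any ]; then
        echo "rule_cmd: refusing wildcard source $cidr for $proto/$port (pass allow-any to override)" >&2
        return 1
    fi
    printf 'openstack security group rule create --ingress --protocol %s --dst-port %s --remote-ip %s %s\n' \
        "$proto" "$port" "$cidr" "$group"
}

# Example: ssh only from a management subnet (constructed value), printed for review.
rule_cmd web-sg tcp 22 10.0.0.0/24
```

The function only prints the command; review it, then paste it into the shell. Opening ssh to every address should be a deliberate decision, which is why it needs the extra `allow-any` word.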

Add a rule (tcp: allow ssh)

(nova-api)[root@cc07 /]# nova secgroup-add-rule boshen-sg tcp   0.0.0.0/
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | | | 0.0.0.0/ | |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | | | 0.0.0.0/ | |
| icmp | - | - | 0.0.0.0/ | |
+-------------+-----------+---------+-----------+--------------+

Add a rule (udp: broadcast)

(nova-api)[root@cc07 /]# nova secgroup-add-rule boshen-sg udp   0.0.0.0/
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp | | | 0.0.0.0/ | |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | | | 0.0.0.0/ | |
| udp | | | 0.0.0.0/ | |
| icmp | - | - | 0.0.0.0/ | |
+-------------+-----------+---------+-----------+--------------+
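After adding rules like the icmp, tcp and udp ones above, a practitioner wants a quick way to find every rule in a group that accepts traffic from any source. The following audit helper is an added example, not code from the original page or from OpenStack. It assumes the one-rule-per-line shape produced by `openstack security group rule list <group> -f value -c ID -c "IP Protocol" -c "IP Range" -c "Remote Security Group" -c "Port Range"` (the columns of the table earlier on this page, in that order, assumed to be space-separated in `-f value` output); the rule lines embedded below are constructed, not real output.

```shell
#!/bin/sh
# Added example: audit a security-group rule listing for wildcard-source rules.
# Not from the original page. Assumed input columns (space-separated):
#   ID  IP-Protocol  IP-Range  Remote-Security-Group  Port-Range

# Constructed sample listing (not real output). Column semantics:
#   IP Range 0.0.0.0/0 or ::/0  -> any remote address
#   IP Range None and Remote Security Group None -> also any remote (no restriction)
#   IP Range None with a remote group -> only members of that group
SAMPLE_RULES='rule-0001 tcp 0.0.0.0/0 None 22:22
rule-0002 udp 0.0.0.0/0 None None
rule-0003 icmp 0.0.0.0/0 None None
rule-0004 tcp 10.0.0.0/8 None 443:443
rule-0005 tcp None sg-db None
rule-0006 None None None None'

# wide_open_rules LISTING -> prints "ID proto port-range" for every rule
# that matches any remote address.
wide_open_rules() {
    printf '%s\n' "$1" | awk '
        $3 == "0.0.0.0/0" || $3 == "::/0" || ($3 == "None" && $4 == "None") {
            print $1, $2, $5
        }'
}

# count_wide_open LISTING -> number of such rules
count_wide_open() {
    wide_open_rules "$1" | wc -l | tr -d ' '
}

# audit_rules LISTING -> returns 1 if any wide-open rule exists, so it can
# gate a pipeline; prints the offending rules on stderr.
audit_rules() {
    n=$(count_wide_open "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n rule(s) accept traffic from any source:" >&2
        wide_open_rules "$1" >&2
        return 1
    fi
    echo "OK: no wildcard-source rules"
}

# Run against the constructed sample; "|| true" keeps the script's exit status 0.
audit_rules "$SAMPLE_RULES" || true
```

The listing has no direction column, and a group's default egress rules also show `None` for both IP range and remote group, so confirm each flagged ID with `openstack security group rule show <id>` (which prints `direction`) before treating it as an open ingress rule.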

Delete a rule from a security group

Format:

usage: nova secgroup-delete-rule <secgroup> <ip-proto> <from-port> <to-port> <cidr>
(nova-api)[root@cc07 /]# nova secgroup-delete-rule boshen-sg udp   0.0.0.0/
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp | | | 0.0.0.0/ | |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | | | 0.0.0.0/ | |
| icmp | - | - | 0.0.0.0/ | |
+-------------+-----------+---------+-----------+--------------+

Update a security group (only the name and description can be updated)

Format:

usage: nova secgroup-update <secgroup> <name> <description>
(nova-api)[root@cc07 /]# nova secgroup-update boshen-sg boshen-sg2 xxxxxxxxx
+--------------------------------------+------------+-------------+
| Id | Name | Description |
+--------------------------------------+------------+-------------+
| db7599e0-be38--93d9-ed20f2a8a298 | boshen-sg2 | xxxxxxxxx |
+--------------------------------------+------------+-------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
ERROR (CommandError): Secgroup ID or name 'boshen-sg' not found.
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg2
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | | | 0.0.0.0/ | |
| icmp | - | - | 0.0.0.0/ | |
+-------------+-----------+---------+-----------+--------------+

Delete a security group

(nova-api)[root@cc07 /]# nova secgroup-delete hzb-sg
+--------------------------------------+--------+-------------+
| Id | Name | Description |
+--------------------------------------+--------+-------------+
| fdbffd7a-5f5e-413a-8d78-5f26bdc23c4e | hzb-sg | |
+--------------------------------------+--------+-------------+
(nova-api)[root@cc07 /]# nova secgroup-list
+--------------------------------------+---------+------------------------+
| Id | Name | Description |
+--------------------------------------+---------+------------------------+
| 6a5dd6bb-600f-49bb-b37b-91059ff4074b | default | Default security group |
+--------------------------------------+---------+------------------------+
04-29 05:09