Change-Id: Iee43da3b18395c3fad796e1bed223420ccf10d1e Closes-Bug: #1770566
13 KiB
Manage container security
Security groups are sets of IP filter rules that define networking access to the container. Group rules are project specific; project members can edit the default rules for their group and add new rule sets.
All projects have a default
security group which is
applied to any container that has no other defined security group.
Unless you change the default, this security group denies all incoming
traffic and allows only outgoing traffic to your container.
Create a container with security group
When adding a new security group, you should pick a descriptive but brief name. This name shows up in brief descriptions of the containers that use it where the longer description field often does not. For example, seeing that a container is using security group "http" is much easier to understand than "bobs_group" or "secgrp1".
Add the new security group, as follows:
$ openstack security group create SEC_GROUP_NAME --description Description
For example:
$ openstack security group create global_http --description "Allows Web traffic anywhere on the Internet." +-----------------+--------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +-----------------+--------------------------------------------------------------------------------------------------------------------------+ | created_at | 2016-11-03T13:50:53Z | | description | Allows Web traffic anywhere on the Internet. | | headers | | | id | c0b92b20-4575-432a-b4a9-eaf2ad53f696 | | name | global_http | | project_id | 5669caad86a04256994cdf755df4d3c1 | | project_id | 5669caad86a04256994cdf755df4d3c1 | | revision_number | 1 | | rules | created_at='2016-11-03T13:50:53Z', direction='egress', ethertype='IPv4', id='4d8cec94-e0ee-4c20-9f56-8fb67c21e4df', | | | project_id='5669caad86a04256994cdf755df4d3c1', revision_number='1', updated_at='2016-11-03T13:50:53Z' | | | created_at='2016-11-03T13:50:53Z', direction='egress', ethertype='IPv6', id='31be2ad1-be14-4aef-9492-ecebede2cf12', | | | project_id='5669caad86a04256994cdf755df4d3c1', revision_number='1', updated_at='2016-11-03T13:50:53Z' | | updated_at | 2016-11-03T13:50:53Z | +-----------------+--------------------------------------------------------------------------------------------------------------------------+
Add a new group rule, as follows:
$ openstack security group rule create SEC_GROUP_NAME \ --protocol PROTOCOL --dst-port FROM_PORT:TO_PORT --remote-ip CIDR
The arguments are positional, and the
from-port
andto-port
arguments specify the local port range connections are allowed to access, not the source and destination ports of the connection. For example:$ openstack security group rule create global_http \ --protocol tcp --dst-port 80:80 --remote-ip 0.0.0.0/0 +-------------------+--------------------------------------+ | Field | Value | +-------------------+--------------------------------------+ | created_at | 2016-11-06T14:02:00Z | | description | | | direction | ingress | | ethertype | IPv4 | | headers | | | id | 2ba06233-d5c8-43eb-93a9-8eaa94bc9eb5 | | port_range_max | 80 | | port_range_min | 80 | | project_id | 5669caad86a04256994cdf755df4d3c1 | | project_id | 5669caad86a04256994cdf755df4d3c1 | | protocol | tcp | | remote_group_id | None | | remote_ip_prefix | 0.0.0.0/0 | | revision_number | 1 | | security_group_id | c0b92b20-4575-432a-b4a9-eaf2ad53f696 | | updated_at | 2016-11-06T14:02:00Z | +-------------------+--------------------------------------+
Create a container with the new security group, as follows:
$ openstack appcontainer run --security-group SEC_GROUP_NAME IMAGE
For example:
$ openstack appcontainer run --security-group global_http nginx
Find container's security groups
If you cannot access your application inside the container, you might want to check the security groups of the container to ensure the rules don't block the traffic.
List the containers, as follows:
$ openstack appcontainer list +--------------------------------------+--------------------+-------+---------+------------+-----------+-------+ | uuid | name | image | status | task_state | addresses | ports | +--------------------------------------+--------------------+-------+---------+------------+-----------+-------+ | 6595aff8-6c1c-4e64-8aad-bfd3793efa54 | delta-24-container | nginx | Running | None | 10.5.0.14 | [80] | +--------------------------------------+--------------------+-------+---------+------------+-----------+-------+
Find all your container's ports, as follows:
$ openstack port list --fixed-ip ip-address=10.5.0.14 +--------------------------------------+-----------------------------------------------------------------------+-------------------+--------------------------------------------------------------------------+--------+ | ID | Name | MAC Address | Fixed IP Addresses | Status | +--------------------------------------+-----------------------------------------------------------------------+-------------------+--------------------------------------------------------------------------+--------+ | b02df384-fd58-43ee-a44a-f17be9dd4838 | 405061f9eeda5dbfa10701a72051c91a5555d19f6ef7b3081078d102fe6f60ab-port | fa:16:3e:52:3c:0c | ip_address='10.5.0.14', subnet_id='7337ad8b-7314-4a33-ba54-7362f0a7a680' | ACTIVE | +--------------------------------------+-----------------------------------------------------------------------+-------------------+--------------------------------------------------------------------------+--------+
View the details of each port to retrieve the list of security groups, as follows:
$ openstack port show b02df384-fd58-43ee-a44a-f17be9dd4838 +-----------------------+--------------------------------------------------------------------------+ | Field | Value | +-----------------------+--------------------------------------------------------------------------+ | admin_state_up | UP | | allowed_address_pairs | | | binding_host_id | None | | binding_profile | None | | binding_vif_details | None | | binding_vif_type | None | | binding_vnic_type | normal | | created_at | 2018-05-11T21:58:42Z | | data_plane_status | None | | description | | | device_id | 6595aff8-6c1c-4e64-8aad-bfd3793efa54 | | device_owner | compute:kuryr | | dns_assignment | None | | dns_name | None | | extra_dhcp_opts | | | fixed_ips | ip_address='10.5.0.14', subnet_id='7337ad8b-7314-4a33-ba54-7362f0a7a680' | | id | b02df384-fd58-43ee-a44a-f17be9dd4838 | | ip_address | None | | mac_address | fa:16:3e:52:3c:0c | | name | 405061f9eeda5dbfa10701a72051c91a5555d19f6ef7b3081078d102fe6f60ab-port | | network_id | 695aff90-66c6-4383-b37c-7484c4046a64 | | option_name | None | | option_value | None | | port_security_enabled | True | | project_id | c907162152fe41f288912e991762b6d9 | | qos_policy_id | None | | revision_number | 9 | | security_group_ids | ba20b63e-8a61-40e4-a1a3-5798412cc36b | | status | ACTIVE | | subnet_id | None | | tags | kuryr.port.existing | | trunk_details | None | | updated_at | 2018-05-11T21:58:47Z | +-----------------------+--------------------------------------------------------------------------+
View the rules of security group showed up at
security_group_ids
field of the port, as follows:$ openstack security group rule list ba20b63e-8a61-40e4-a1a3-5798412cc36b +--------------------------------------+-------------+-----------+------------+-----------------------+ | ID | IP Protocol | IP Range | Port Range | Remote Security Group | +--------------------------------------+-------------+-----------+------------+-----------------------+ | 24ebfdb8-591c-40bb-a7d3-f5b5eadc72ca | None | None | | None | | 907bf692-3dbb-4b34-ba7a-22217e6dbc4f | None | None | | None | | bbcd3b46-0214-4966-8050-8b5d2f9121d1 | tcp | 0.0.0.0/0 | 80:80 | None | +--------------------------------------+-------------+-----------+------------+-----------------------+