Manage container security

Security groups are sets of IP filter rules that define networking access to a container. Group rules are project specific; project members can edit the default rules for their group and add new rule sets.

All projects have a default security group, which is applied to any container that has no other security group defined. Unless you change the default, this security group denies all incoming traffic and allows only outgoing traffic from your container. (Neutron's default group also admits ingress from other ports that are members of the same default group, so containers in one project can usually reach each other before you add any rules.)

Create a container with security groups

When adding a new security group, you should pick a descriptive but brief name. This name shows up in the brief description of a container, whereas the longer description field often does not. For example, seeing that a container is using security group "http" is much easier to understand than "bobs_group" or "secgrp1".

  1. Add a new security group, as follows:

    $ openstack security group create SEC_GROUP_NAME --description Description
    

    For example:

    $ openstack security group create global_http --description "Allows Web traffic anywhere on the Internet."
    +-----------------+--------------------------------------------------------------------------------------------------------------------------+
    | Field           | Value                                                                                                                    |
    +-----------------+--------------------------------------------------------------------------------------------------------------------------+
    | created_at      | 2016-11-03T13:50:53Z                                                                                                     |
    | description     | Allows Web traffic anywhere on the Internet.                                                                             |
    | headers         |                                                                                                                          |
    | id              | c0b92b20-4575-432a-b4a9-eaf2ad53f696                                                                                     |
    | name            | global_http                                                                                                              |
    | project_id      | 5669caad86a04256994cdf755df4d3c1                                                                                         |
    | project_id      | 5669caad86a04256994cdf755df4d3c1                                                                                         |
    | revision_number | 1                                                                                                                        |
    | rules           | created_at='2016-11-03T13:50:53Z', direction='egress', ethertype='IPv4', id='4d8cec94-e0ee-4c20-9f56-8fb67c21e4df',      |
    |                 | project_id='5669caad86a04256994cdf755df4d3c1', revision_number='1', updated_at='2016-11-03T13:50:53Z'                    |
    |                 | created_at='2016-11-03T13:50:53Z', direction='egress', ethertype='IPv6', id='31be2ad1-be14-4aef-9492-ecebede2cf12',      |
    |                 | project_id='5669caad86a04256994cdf755df4d3c1', revision_number='1', updated_at='2016-11-03T13:50:53Z'                    |
    | updated_at      | 2016-11-03T13:50:53Z                                                                                                     |
    +-----------------+--------------------------------------------------------------------------------------------------------------------------+
    
  2. Add a new group rule, as follows:

    $ openstack security group rule create SEC_GROUP_NAME \
        --protocol PROTOCOL --dst-port FROM_PORT:TO_PORT --remote-ip CIDR
    

    Only the security group name is positional; everything else is an option. The FROM_PORT:TO_PORT range passed to --dst-port is the range of local (destination) ports on the container that a connection is allowed to reach, not the source and destination ports of the connection. --remote-ip restricts the addresses the traffic may come from (0.0.0.0/0 matches any IPv4 address). A rule is ingress and IPv4 unless you say otherwise with --egress and --ethertype, so a service that also listens on IPv6 needs a second rule with --ethertype IPv6 --remote-ip ::/0. For example:

    $ openstack security group rule create global_http \
        --protocol tcp --dst-port 80:80 --remote-ip 0.0.0.0/0
    +-------------------+--------------------------------------+
    | Field             | Value                                |
    +-------------------+--------------------------------------+
    | created_at        | 2016-11-06T14:02:00Z                 |
    | description       |                                      |
    | direction         | ingress                              |
    | ethertype         | IPv4                                 |
    | headers           |                                      |
    | id                | 2ba06233-d5c8-43eb-93a9-8eaa94bc9eb5 |
    | port_range_max    | 80                                   |
    | port_range_min    | 80                                   |
    | project_id        | 5669caad86a04256994cdf755df4d3c1     |
    | project_id        | 5669caad86a04256994cdf755df4d3c1     |
    | protocol          | tcp                                  |
    | remote_group_id   | None                                 |
    | remote_ip_prefix  | 0.0.0.0/0                            |
    | revision_number   | 1                                    |
    | security_group_id | c0b92b20-4575-432a-b4a9-eaf2ad53f696 |
    | updated_at        | 2016-11-06T14:02:00Z                 |
    +-------------------+--------------------------------------+
    
  3. Create a container with the new security group, as follows:

    $ openstack appcontainer run --security-group SEC_GROUP_NAME IMAGE
    

    For example:

    $ openstack appcontainer run --security-group global_http nginx
    

Find the security groups of a container

If you cannot reach the application inside the container, check the security groups attached to the container's port to make sure that the rules are not blocking the traffic. A port can carry several groups, and Neutron applies the union of their rules, so review every group listed on the port, not just the first one.

  1. List the containers, as follows:

    $ openstack appcontainer list
    +--------------------------------------+--------------------+-------+---------+------------+-----------+-------+
    | uuid                                 | name               | image | status  | task_state | addresses | ports |
    +--------------------------------------+--------------------+-------+---------+------------+-----------+-------+
    | 6595aff8-6c1c-4e64-8aad-bfd3793efa54 | delta-24-container | nginx | Running | None       | 10.5.0.14 | [80]  |
    +--------------------------------------+--------------------+-------+---------+------------+-----------+-------+
    
  2. Find all ports of the container, as follows:

    $ openstack port list --fixed-ip ip-address=10.5.0.14
    +--------------------------------------+-----------------------------------------------------------------------+-------------------+--------------------------------------------------------------------------+--------+
    | ID                                   | Name                                                                  | MAC Address       | Fixed IP Addresses                                                       | Status |
    +--------------------------------------+-----------------------------------------------------------------------+-------------------+--------------------------------------------------------------------------+--------+
    | b02df384-fd58-43ee-a44a-f17be9dd4838 | 405061f9eeda5dbfa10701a72051c91a5555d19f6ef7b3081078d102fe6f60ab-port | fa:16:3e:52:3c:0c | ip_address='10.5.0.14', subnet_id='7337ad8b-7314-4a33-ba54-7362f0a7a680' | ACTIVE |
    +--------------------------------------+-----------------------------------------------------------------------+-------------------+--------------------------------------------------------------------------+--------+
    
  3. View the details of each port to retrieve the list of security groups, as follows:

    $ openstack port show b02df384-fd58-43ee-a44a-f17be9dd4838
    +-----------------------+--------------------------------------------------------------------------+
    | Field                 | Value                                                                    |
    +-----------------------+--------------------------------------------------------------------------+
    | admin_state_up        | UP                                                                       |
    | allowed_address_pairs |                                                                          |
    | binding_host_id       | None                                                                     |
    | binding_profile       | None                                                                     |
    | binding_vif_details   | None                                                                     |
    | binding_vif_type      | None                                                                     |
    | binding_vnic_type     | normal                                                                   |
    | created_at            | 2018-05-11T21:58:42Z                                                     |
    | data_plane_status     | None                                                                     |
    | description           |                                                                          |
    | device_id             | 6595aff8-6c1c-4e64-8aad-bfd3793efa54                                     |
    | device_owner          | compute:kuryr                                                            |
    | dns_assignment        | None                                                                     |
    | dns_name              | None                                                                     |
    | extra_dhcp_opts       |                                                                          |
    | fixed_ips             | ip_address='10.5.0.14', subnet_id='7337ad8b-7314-4a33-ba54-7362f0a7a680' |
    | id                    | b02df384-fd58-43ee-a44a-f17be9dd4838                                     |
    | ip_address            | None                                                                     |
    | mac_address           | fa:16:3e:52:3c:0c                                                        |
    | name                  | 405061f9eeda5dbfa10701a72051c91a5555d19f6ef7b3081078d102fe6f60ab-port    |
    | network_id            | 695aff90-66c6-4383-b37c-7484c4046a64                                     |
    | option_name           | None                                                                     |
    | option_value          | None                                                                     |
    | port_security_enabled | True                                                                     |
    | project_id            | c907162152fe41f288912e991762b6d9                                         |
    | qos_policy_id         | None                                                                     |
    | revision_number       | 9                                                                        |
    | security_group_ids    | ba20b63e-8a61-40e4-a1a3-5798412cc36b                                     |
    | status                | ACTIVE                                                                   |
    | subnet_id             | None                                                                     |
    | tags                  | kuryr.port.existing                                                      |
    | trunk_details         | None                                                                     |
    | updated_at            | 2018-05-11T21:58:47Z                                                     |
    +-----------------------+--------------------------------------------------------------------------+
    
  4. View the rules of the security groups shown in the security_group_ids field of the port, as follows:

    $ openstack security group rule list ba20b63e-8a61-40e4-a1a3-5798412cc36b
    +--------------------------------------+-------------+-----------+------------+-----------------------+
    | ID                                   | IP Protocol | IP Range  | Port Range | Remote Security Group |
    +--------------------------------------+-------------+-----------+------------+-----------------------+
    | 24ebfdb8-591c-40bb-a7d3-f5b5eadc72ca | None        | None      |            | None                  |
    | 907bf692-3dbb-4b34-ba7a-22217e6dbc4f | None        | None      |            | None                  |
    | bbcd3b46-0214-4966-8050-8b5d2f9121d1 | tcp         | 0.0.0.0/0 | 80:80      | None                  |
    +--------------------------------------+-------------+-----------+------------+-----------------------+
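The rule list above does not show direction or ethertype (pass --long to the list command, or use openstack security group rule show RULE_ID -f json, which prints the same fields as the step 2 output). The following script is an added example, not code from the Zun or OpenStack projects; it evaluates a rule set offline using Neutron's semantics (groups are allow-lists, a port gets the union of all its groups, a flow matched by no rule is dropped) and makes concrete the point from step 2 that port ranges apply to the container's local destination port. The rule IDs are the ones listed for group ba20b63e-8a61-40e4-a1a3-5798412cc36b above; the direction and ethertype of the two protocol-less rules are assumed to be the IPv4/IPv6 egress pair that Neutron adds to every new group (compare the step 1 output), and the peer addresses used in the checks are constructed for illustration.

```python
"""Evaluate a container port's security group rules offline.

Added example; not code from the Zun or OpenStack projects. Rule records use
the field names printed by `openstack security group rule show -f json`
(direction, ethertype, protocol, port_range_min/max, remote_ip_prefix,
remote_group_id).
"""
import ipaddress

# Constructed sample, shaped after the walkthrough: rule IDs from the listed
# group; direction/ethertype of the two protocol-less rules assumed to be the
# egress pair Neutron creates with every new group.
RULES_BY_GROUP = {
    "ba20b63e-8a61-40e4-a1a3-5798412cc36b": [
        {"id": "24ebfdb8-591c-40bb-a7d3-f5b5eadc72ca", "direction": "egress",
         "ethertype": "IPv4", "protocol": None, "port_range_min": None,
         "port_range_max": None, "remote_ip_prefix": None, "remote_group_id": None},
        {"id": "907bf692-3dbb-4b34-ba7a-22217e6dbc4f", "direction": "egress",
         "ethertype": "IPv6", "protocol": None, "port_range_min": None,
         "port_range_max": None, "remote_ip_prefix": None, "remote_group_id": None},
        {"id": "bbcd3b46-0214-4966-8050-8b5d2f9121d1", "direction": "ingress",
         "ethertype": "IPv4", "protocol": "tcp", "port_range_min": 80,
         "port_range_max": 80, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    ],
}


def effective_rules(port_security_group_ids, rules_by_group=RULES_BY_GROUP):
    """Neutron applies the union of every group attached to the port
    (the security_group_ids field of `openstack port show`)."""
    return [r for sg in port_security_group_ids for r in rules_by_group[sg]]


def matching_rules(rules, direction, peer_ip, protocol, dst_port, peer_groups=frozenset()):
    """Return the IDs of the rules that admit one flow.

    direction   : "ingress" (toward the container) or "egress" (from it)
    peer_ip     : the other end: source address for ingress, destination for egress
    dst_port    : the packet's destination port, i.e. the container's local
                  listening port for ingress; rule port ranges match this,
                  never the client's source port
    peer_groups : security group IDs on the peer's port, for rules that use
                  remote_group_id instead of an IP prefix
    ICMP type/code matching is not modelled.
    """
    ip = ipaddress.ip_address(peer_ip)
    ethertype = "IPv4" if ip.version == 4 else "IPv6"
    hits = []
    for r in rules:
        if r["direction"] != direction or r["ethertype"] != ethertype:
            continue
        if r["protocol"] is not None and r["protocol"] != protocol:
            continue
        lo, hi = r["port_range_min"], r["port_range_max"]
        if lo is not None and not (lo <= dst_port <= (hi if hi is not None else lo)):
            continue
        prefix = r["remote_ip_prefix"]
        if prefix is not None and ip not in ipaddress.ip_network(prefix, strict=False):
            continue
        if r["remote_group_id"] is not None and r["remote_group_id"] not in peer_groups:
            continue
        hits.append(r["id"])
    return hits


def any_source_ingress(rules):
    """Audit: ingress rules reachable from every address of their ethertype
    (remote_ip_prefix 0.0.0.0/0 or ::/0, or no remote restriction at all)."""
    flagged = []
    for r in rules:
        if r["direction"] != "ingress":
            continue
        prefix = r["remote_ip_prefix"]
        if prefix is None and r["remote_group_id"] is None:
            flagged.append(r["id"])
        elif prefix is not None and ipaddress.ip_network(prefix, strict=False).prefixlen == 0:
            flagged.append(r["id"])
    return flagged


def diagnose(port_security_group_ids, peer_ip, protocol, dst_port, rules_by_group=RULES_BY_GROUP):
    """Verdict for 'why can't I reach the container?' on one inbound flow."""
    rules = effective_rules(port_security_group_ids, rules_by_group)
    hits = matching_rules(rules, "ingress", peer_ip, protocol, dst_port)
    if hits:
        return "allowed by " + ", ".join(hits)
    return f"dropped: no ingress rule admits {protocol}/{dst_port} from {peer_ip}"


if __name__ == "__main__":
    port_groups = ["ba20b63e-8a61-40e4-a1a3-5798412cc36b"]  # from `openstack port show`
    print(diagnose(port_groups, "203.0.113.5", "tcp", 80))    # allowed by the tcp/80 rule
    print(diagnose(port_groups, "203.0.113.5", "tcp", 443))   # dropped: no rule for 443
    print(diagnose(port_groups, "2001:db8::5", "tcp", 80))    # dropped: no IPv6 ingress rule
    print("any-source ingress:", any_source_ingress(effective_rules(port_groups)))
```

To use it against a real deployment, replace RULES_BY_GROUP with the JSON from openstack security group rule show for each rule of each group in the port's security_group_ids; the IPv6 check is the one most often forgotten, since a rule created without --ethertype only covers IPv4.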