Configuring access and security for DreamCompute instances using the OpenStack command line client

Key pairs

When launching an instance, you can inject a key pair which provides SSH access to the instance. For this to work, the image must contain the cloud-init package.

When you create a key pair for a project, you can then use that key pair for multiple instances that belong to that project.

If you generate a key pair with an external tool, you can import it into DreamCompute.

A key pair belongs to an individual user, not to a project. To share a key pair across multiple users, each user needs to import that key pair.

If an image uses a static root password or a static key set (neither is recommended), you must not provide a key pair when you launch the instance.

Security groups

A security group is a named collection of network access rules. These access rules are used to limit the types of traffic that have access to instances. When you launch an instance, you can assign one or more security groups to it. If you do not create or specify a security group, new instances are automatically assigned to the 'default' security group.

The associated rules in each security group control the traffic to instances in the group. Any incoming traffic that is not matched by a rule is denied access by default.

You can add, remove, or modify rules from a security group you have created. You can also modify rules for the default security group.

You can also modify the rules to allow access to instances through different ports and protocols. For example, you can modify rules to allow a service on an instance (like a web server) to be visible to the internet or to allow UDP traffic (like a DNS server running on an instance). You specify the following parameters for rules:

  • Source of traffic — Enable traffic to instances from IP addresses inside the cloud, from other group members, or from all IP addresses.
  • Protocol — TCP, ICMP, or UDP.
  • Destination port on virtual machine — Define a port range. ICMP does not support ports; instead, enter values to define the codes and types of ICMP traffic to be allowed.

Rules are automatically enforced as soon as you create or modify them.

This tutorial assumes that you have installed the OpenStack client and sourced your project's RC file. If you need help with those tasks, see our articles here:

Some of the examples below contain a backslash character at the end of a line. The backslash continues the command on the next line. If you like, you can remove this character and put the entire command on a single line.

Adding and importing Key pairs

You can generate a key pair or upload an existing public key.

Adding a Key pair

To generate a key pair, run the following command.

[user@localhost]$ openstack keypair create KEY_NAME > MY_KEY.pem

This command generates a key pair with the name that you specify for KEY_NAME, writes the private key to the .pem file that you specify, and registers the public key in your DreamCompute project.

Importing a key pair

  1. If you have already generated a key pair on your Linux or Mac computer, the public key is most likely named 'id_rsa.pub' and located at ~/.ssh/id_rsa.pub. Run the following command to upload the public key.

    [user@localhost]$ openstack keypair create --public-key \
    ~/.ssh/id_rsa.pub KEY_NAME

    This command registers the public key in your DreamCompute project and gives the key pair the name that you specify for KEY_NAME.

  2. To ensure that the key pair has been successfully imported, run the following command to list key pairs:

    [user@localhost]$ openstack keypair list
    
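Before trusting an imported key, you can confirm that the public key on disk is the one DreamCompute registered. This added Python example (not code from the article or from the OpenStack client) computes the colon-separated MD5 fingerprint that openstack keypair list prints for SSH key pairs and compares it with the reported value. The public-key line is constructed for the example and is not a real key; it assumes the SSH (not x509) key pair type.

```python
import base64
import hashlib
import re

# Constructed sample: an OpenSSH public-key line as found in ~/.ssh/id_rsa.pub.
# The key body is just base64("abc"); it is not a real RSA key, but the
# fingerprint computation does not depend on the key's internal structure.
SAMPLE_PUBKEY_LINE = "ssh-rsa YWJj user@localhost"

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$")


def parse_public_key(line):
    """Split an OpenSSH public-key line into (key type, raw key bytes)."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 key> [comment]'")
    key_type, key_b64 = parts[0], parts[1]
    if key_type not in KEY_TYPES:
        raise ValueError("unsupported key type: %s" % key_type)
    try:
        key_bytes = base64.b64decode(key_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    return key_type, key_bytes


def keypair_fingerprint(line):
    """MD5 of the raw key bytes, as 16 colon-separated hex pairs (the
    format shown in the Fingerprint column of 'openstack keypair list')."""
    _, key_bytes = parse_public_key(line)
    digest = hashlib.md5(key_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_registered(line, registered_fingerprint):
    """True when the local public key matches the fingerprint DreamCompute reports."""
    wanted = registered_fingerprint.strip().lower()
    if not FINGERPRINT_RE.match(wanted):
        raise ValueError("fingerprint is not 16 colon-separated hex bytes")
    return keypair_fingerprint(line) == wanted


if __name__ == "__main__":
    # In practice: open(os.path.expanduser("~/.ssh/id_rsa.pub")).readline()
    print(keypair_fingerprint(SAMPLE_PUBKEY_LINE))
```

Compare the printed value with the Fingerprint column for KEY_NAME in openstack keypair list; a mismatch means a different key was uploaded than the one you hold.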

Security groups

List the security groups for the current project (including descriptions):

[user@localhost]$ openstack security group list

Create a security group with a specified name and description (optional):

[user@localhost]$ openstack security group create \
--description GROUP_DESCRIPTION SECURITY_GROUP_NAME
+-------------+-----------------------+
| Field       | Value                 |
+-------------+-----------------------+
| description | GROUP_DESCRIPTION     |
| id          | 18fb88bb-7362-4349... |
| name        | SECURITY_GROUP_NAME   |
| rules       | []                    |
| tenant_id   | TENANTID              |
+-------------+-----------------------+

Delete a specified group:

[user@localhost]$ openstack security group delete SECURITY_GROUP_NAME

You cannot delete the 'default' security group from your project. It's also not possible to delete a security group that is assigned to an instance.

Create and manage security group rules

You can manage security group rules with the openstack security group rule commands.

List the rules for a security group

[user@localhost]$ openstack security group rule list SECURITY_GROUP_NAME

Allow requests to port 8080

To allow requests to port 8080 on all instances using this group, choose one of the following options:

  • Allow access from all IP addresses (specified as IP subnet 0.0.0.0/0 in CIDR notation).
    [user@localhost]$ openstack security group rule create \
    --proto tcp --dst-port 8080 SECURITY_GROUP_NAME
    +-----------------------+-----------------------+
    | Field                 | Value                 |
    +-----------------------+-----------------------+
    | id                    | 88cbb9a5-f637-4151... |
    | ip_protocol           | tcp                   |
    | ip_range              | 0.0.0.0/0             |
    | parent_group_id       | 932633da-b130-4365... |
    | port_range            | 8080:8080             |
    | remote_security_group |                       |
    +-----------------------+-----------------------+
    
  • Allow only instances that belong to another security group (the source group) to access the specified port.
    [user@localhost]$ openstack security group rule create --proto tcp \
    --dst-port 8080 --src-group SOURCE_GROUP_ID SECURITY_GROUP_NAME
    +-----------------------+-----------------------+
    | Field                 | Value                 |
    +-----------------------+-----------------------+
    | id                    | 21cb0ce6-5765-41c6... |
    | ip_protocol           | tcp                   |
    | ip_range              |                       |
    | parent_group_id       | 932633da-b130-4365... |
    | port_range            | 8080:8080             |
    | remote_security_group | SOURCE_GROUP_NAME     |
    +-----------------------+-----------------------+
    

    Use the openstack security group list command to obtain the desired SOURCE_GROUP_ID.

Allow access through a UDP port

To allow access through a UDP port, such as allowing access to a DNS server that runs on an instance, choose one of the following options:

  • Allow UDP access from all IP addresses (specified as IP subnet 0.0.0.0/0 in CIDR notation).
    [user@localhost]$ openstack security group rule create \
    --proto udp --dst-port 53 SECURITY_GROUP_NAME
    +-----------------------+-----------------------+
    | Field                 | Value                 |
    +-----------------------+-----------------------+
    | id                    | 0686f2be-17b5-41f9... |
    | ip_protocol           | udp                   |
    | ip_range              | 0.0.0.0/0             |
    | parent_group_id       | 932633da-b130-4365... |
    | port_range            | 53:53                 |
    | remote_security_group |                       |
    +-----------------------+-----------------------+
    
  • Allow only IP addresses from other security groups (source groups) to access the specified port.

    [user@localhost]$ openstack security group rule create --proto udp \
    --dst-port 53 --src-group SOURCE_GROUP_ID SECURITY_GROUP_NAME
    +-----------------------+-----------------------+
    | Field                 | Value                 |
    +-----------------------+-----------------------+
    | id                    | 61bd6d8e-5ad7-4773... |
    | ip_protocol           | udp                   |
    | ip_range              |                       |
    | parent_group_id       | 932633da-b130-4365... |
    | port_range            | 53:53                 |
    | remote_security_group | SOURCE_GROUP_NAME     |
    +-----------------------+-----------------------+
    
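The TCP 8080 and UDP 53 rules above come in two shapes: open to every address (ip_range 0.0.0.0/0, no source group) or scoped to a source group. As an added example that is not part of the article, this Python script audits a rule list and flags world-open rules that expose ports beyond an expected public set. The records are constructed in the field layout of the tables above; the key names printed by openstack security group rule list -f json vary by client version and are an assumption to adapt.

```python
import ipaddress

# Constructed sample rules in the field layout of the tables shown above.
# Assumption: map the real '-f json' column names onto these keys.
SAMPLE_RULES = [
    {"id": "rule-1", "ip_protocol": "tcp", "ip_range": "0.0.0.0/0",
     "port_range": "8080:8080", "remote_security_group": ""},
    {"id": "rule-2", "ip_protocol": "tcp", "ip_range": "",
     "port_range": "8080:8080", "remote_security_group": "app-tier"},
    {"id": "rule-3", "ip_protocol": "udp", "ip_range": "0.0.0.0/0",
     "port_range": "53:53", "remote_security_group": ""},
    {"id": "rule-4", "ip_protocol": "tcp", "ip_range": "0.0.0.0/0",
     "port_range": "22:22", "remote_security_group": ""},
    {"id": "rule-5", "ip_protocol": "tcp", "ip_range": "203.0.113.0/24",
     "port_range": "", "remote_security_group": ""},
]


def parse_port_range(text):
    """'8080:8080' -> (8080, 8080); an empty range (all ports, or ICMP) -> (0, 65535)."""
    if not text:
        return (0, 65535)
    low, high = (int(p) for p in text.split(":", 1))
    if not 0 <= low <= high <= 65535:
        raise ValueError("bad port range: %s" % text)
    return (low, high)


def is_world_open(rule):
    """A rule with no source group and a /0 range (or no range at all)
    admits traffic from any source; group-scoped rules do not."""
    if rule["remote_security_group"]:
        return False
    if not rule["ip_range"]:
        return True  # neither a range nor a source group: matches any source
    return ipaddress.ip_network(rule["ip_range"], strict=False).prefixlen == 0


def audit_rules(rules, public_ports=frozenset({80, 443})):
    """Return the IDs of world-open rules exposing any port outside public_ports."""
    findings = []
    for rule in rules:
        if not is_world_open(rule):
            continue
        low, high = parse_port_range(rule["port_range"])
        if set(range(low, high + 1)) - public_ports:
            findings.append(rule["id"])
    return findings


if __name__ == "__main__":
    print("review these rule IDs:", audit_rules(SAMPLE_RULES))
```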

Delete a security group rule

To delete a security group rule, you need the ID of that rule.

For example, to delete the security group rule that permits access to port 8080 from all IP addresses, look up that rule's ID using the openstack security group rule list command above, then run the following command.

[user@localhost]$ openstack security group rule delete SECURITY_GROUP_RULE_ID
