Command overview
(nova-api)[root@cc07 /]# nova help|grep secgroup
    add-secgroup                Add a Security Group to a server.
    list-secgroup               List Security Group(s) of a server.
    remove-secgroup             Remove a Security Group from a server.
    secgroup-add-default-rule   Add a rule to the set of rules that will be
    secgroup-add-group-rule     Add a source group rule to a security group.
    secgroup-add-rule           Add a rule to a security group.
    secgroup-create             Create a security group.
    secgroup-delete             Delete a security group.
    secgroup-delete-default-rule
    secgroup-delete-group-rule  Delete a source group rule from a security
    secgroup-delete-rule        Delete a rule from a security group.
    secgroup-list               List security groups for the current tenant.
    secgroup-list-default-rules
    secgroup-list-rules         List rules for a security group.
    secgroup-update             Update a security group.
List security groups
(nova-api)[root@cc07 /]# nova secgroup-list
+--------------------------------------+---------+------------------------+
| Id                                   | Name    | Description            |
+--------------------------------------+---------+------------------------+
| 6a5dd6bb-600f-49bb-b37b-91059ff4074b | default | Default security group |
| fdbffd7a-5f5e-413a-8d78-5f26bdc23c4e | hzb-sg  |                        |
+--------------------------------------+---------+------------------------+
List the rules of a security group
(nova-api)[root@cc07 /]# nova secgroup-list-rules default
+-------------+-----------+---------+----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+----------+--------------+
|             |           |         |          | default      |
|             |           |         |          | default      |
+-------------+-----------+---------+----------+--------------+
Create a security group
(nova-api)[root@cc07 /]# nova secgroup-create boshen-sg "allow ping and ssh"
+--------------------------------------+-----------+--------------------+
| Id                                   | Name      | Description        |
+--------------------------------------+-----------+--------------------+
| db7599e0-be38-4955-93d9-ed20f2a8a298 | boshen-sg | allow ping and ssh |
+--------------------------------------+-----------+--------------------+
(nova-api)[root@cc07 /]# nova secgroup-list
+--------------------------------------+-----------+------------------------+
| Id                                   | Name      | Description            |
+--------------------------------------+-----------+------------------------+
| db7599e0-be38-4955-93d9-ed20f2a8a298 | boshen-sg | allow ping and ssh     |
| 6a5dd6bb-600f-49bb-b37b-91059ff4074b | default   | Default security group |
+--------------------------------------+-----------+------------------------+
Add a rule (icmp: allow ping)
usage: nova secgroup-add-rule <secgroup> <ip-proto> <from-port> <to-port> <cidr>
(nova-api)[root@cc07 /]# nova secgroup-add-rule boshen-sg icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (tcp: allow ssh)
(nova-api)[root@cc07 /]# nova secgroup-add-rule boshen-sg tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Add a rule (udp: broadcast)
(nova-api)[root@cc07 /]# nova secgroup-add-rule boshen-sg udp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
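The udp rule above opens every port from 1 to 65535 to 0.0.0.0/0, which is the kind of rule an audit should catch before it lingers. As an added example that is not part of the original post, this shell helper reads the table printed by nova secgroup-list-rules and flags rules whose source is the whole Internet; the function names and the sample table are constructed here from the boshen-sg output shown above.

```shell
# Added audit helper, not part of the original post: reads the table that
# `nova secgroup-list-rules <secgroup>` prints and reports every rule whose
# source is the whole Internet (0.0.0.0/0). Port-range rules are marked
# WIDE-OPEN, single-port rules SINGLE-PORT; icmp is skipped as port-less.
audit_open_rules() {
    awk -F'|' '
        # rule rows split into 7 fields on "|"; borders and the header do not
        NF == 7 && $2 !~ /IP Protocol/ {
            proto = $2; from = $3; to = $4; cidr = $5
            gsub(/ /, "", proto); gsub(/ /, "", from)
            gsub(/ /, "", to);    gsub(/ /, "", cidr)
            if (cidr != "0.0.0.0/0" || proto == "icmp") next
            if (to != from)
                printf "WIDE-OPEN   %s %s-%s from %s\n", proto, from, to, cidr
            else
                printf "SINGLE-PORT %s %s from %s\n", proto, from, cidr
        }'
}

# Constructed sample, copied from the table shown after the udp rule was added.
SAMPLE_RULES='+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+'

# Number of WIDE-OPEN findings in the sample (the udp 1-65535 rule only).
count_wide_open() {
    printf '%s\n' "$SAMPLE_RULES" | audit_open_rules | grep -c 'WIDE-OPEN'
}

# Live use against a real group: nova secgroup-list-rules boshen-sg | audit_open_rules
```

The tcp 22 rule is still reported as SINGLE-PORT so that ssh exposed to every source address is visible in the same pass; the icmp rule is skipped because its -1/-1 columns are types, not ports.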
Delete a rule from a security group
Format:
usage: nova secgroup-delete-rule <secgroup> <ip-proto> <from-port> <to-port> <cidr>
(nova-api)[root@cc07 /]# nova secgroup-delete-rule boshen-sg udp 1 65535 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| udp         | 1         | 65535   | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Update a security group (only the name and description can be updated)
Format:
usage: nova secgroup-update <secgroup> <name> <description>
(nova-api)[root@cc07 /]# nova secgroup-update boshen-sg boshen-sg2 xxxxxxxxx
+--------------------------------------+------------+-------------+
| Id                                   | Name       | Description |
+--------------------------------------+------------+-------------+
| db7599e0-be38-4955-93d9-ed20f2a8a298 | boshen-sg2 | xxxxxxxxx   |
+--------------------------------------+------------+-------------+
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg
ERROR (CommandError): Secgroup ID or name 'boshen-sg' not found.
(nova-api)[root@cc07 /]# nova secgroup-list-rules boshen-sg2
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range  | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
Delete a security group
(nova-api)[root@cc07 /]# nova secgroup-delete hzb-sg
+--------------------------------------+--------+-------------+
| Id                                   | Name   | Description |
+--------------------------------------+--------+-------------+
| fdbffd7a-5f5e-413a-8d78-5f26bdc23c4e | hzb-sg |             |
+--------------------------------------+--------+-------------+
(nova-api)[root@cc07 /]# nova secgroup-list
+--------------------------------------+---------+------------------------+
| Id                                   | Name    | Description            |
+--------------------------------------+---------+------------------------+
| 6a5dd6bb-600f-49bb-b37b-91059ff4074b | default | Default security group |
+--------------------------------------+---------+------------------------+