Running Virtual Machine Instances

Security groups: Enabling SSH and ICMP (ping)

The Compute service uses the concept of security groups to control what network protocols (TCP, UDP, ICMP), ports, and IP addresses are permitted to access instances. Each tenant manages its own list of security groups and starts off with a security group called default. If no security group is specified upon boot, the virtual machine will be associated with the default security group. Security groups can be listed by the nova secgroup-list command.

# nova secgroup-list
+---------+-------------+
|   Name  | Description |
+---------+-------------+
| default | default     |
+---------+-------------+

In this example, we will use the nova secgroup-add-rule command to enable access to TCP port 22 (so we can SSH to instances). Allow access to port 22 from all IP addresses (specified in CIDR notation as 0.0.0.0/0) with the following command: nova secgroup-add-rule default tcp 22 22 0.0.0.0/0

When specifying rules for TCP and UDP protocols, you may specify a range of consecutive ports in a single rule (e.g., from port 5901 to port 5999). In this case, only a single port is being enabled, so we specify the start port as 22 and the end port as 22.

To be able to ping virtual machine instances, you must specify a rule to allow ICMP traffic. When specifying ICMP rules, instead of specifying a begin and end port, you specify a permitted ICMP code and ICMP type. You can also specify -1 for the code to enable all codes and -1 for the type to enable all ICMP types. Allow access to all codes and types of ICMP traffic from all IP addresses with the following command: nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0

# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port |  IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+


# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port |  IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0 |              |
+-------------+-----------+---------+-----------+--------------+
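
The two rules above admit SSH and every ICMP type from any source address. The following added example (not part of the original page) parses the rule table format printed by these commands and reports each rule whose IP Range is 0.0.0.0/0; the function names and the sample table, including the 192.0.2.0/24 row, are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag security-group rules that are open to every source address.
# Input format: the ASCII rule table printed by the nova secgroup-* commands.

# sample_rules: constructed table. The first two rows are the rules added on
# this page; the 192.0.2.0/24 row is an invented, restricted rule for contrast.
sample_rules() {
  cat <<'EOF'
+-------------+-----------+---------+--------------+--------------+
| IP Protocol | From Port | To Port |   IP Range   | Source Group |
+-------------+-----------+---------+--------------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0    |              |
| icmp        | -1        | -1      | 0.0.0.0/0    |              |
| tcp         | 5901      | 5999    | 192.0.2.0/24 |              |
+-------------+-----------+---------+--------------+--------------+
EOF
}

# audit_rules: read a rule table on stdin, print one line per world-open rule.
audit_rules() {
  awk -F'|' '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^\+/ || NF < 6 { next }                 # skip borders and non-table lines
    {
      proto = trim($2); from = trim($3); to = trim($4); cidr = trim($5)
      if (proto == "IP Protocol") next       # skip the header row
      if (cidr != "0.0.0.0/0") next          # only rules open to any source
      if (proto == "icmp") {
        # For ICMP the two port columns carry type and code; -1 means "all".
        if (from == "-1" && to == "-1") detail = "all ICMP types and codes"
        else detail = "type/code " from "/" to
      } else if (from == to) {
        detail = "port " from
      } else {
        detail = "ports " from "-" to
      }
      printf "WORLD-OPEN %s %s from %s\n", proto, detail, cidr
    }'
}

sample_rules | audit_rules
```

Against a live deployment the same function can read the output of nova secgroup-list-rules default in place of the constructed table.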

Adding a keypair

Skipped.

Starting an instance

  • To start an instance, we need to specify a flavor, also known as an instance type, which indicates the size of an instance. Use the nova flavor-list command to view the list of available flavors:
# nova flavor-list
+----+-----------+-----------+------+-----------+------+-------+-------------+
| ID |    Name   | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+-----------+------+-------+-------------+
| 1  | m1.tiny   | 512       | 0    | 0         |      | 1     | 1.0         |
| 2  | m1.small  | 2048      | 10   | 20        |      | 1     | 1.0         |
| 3  | m1.medium | 4096      | 10   | 40        |      | 2     | 1.0         |
| 4  | m1.large  | 8192      | 10   | 80        |      | 4     | 1.0         |
| 5  | m1.xlarge | 16384     | 10   | 160       |      | 8     | 1.0         |
+----+-----------+-----------+------+-----------+------+-------+-------------+
  • We also need to specify the image. Use the nova image-list command to retrieve the ID of the CirrOS image.

# nova image-list
+--------------------------------------+---------------------+--------+--------+
|                  ID                  |         Name        | Status | Server |
+--------------------------------------+---------------------+--------+--------+
| 3db3e2dc-9d2f-40ff-8519-af7d04f8146a | tty-linux-ramdisk   | ACTIVE |        |
| 8393828d-b226-434c-b0ea-179674fa4329 | tty-linux-kernel    | ACTIVE |        |
| ba70321b-7bb9-4fc5-a2d4-406fdd8d589d | cirros-0.3.0-x86_64 | ACTIVE |        |
| df3422c6-58f5-4d3d-8de2-b1b522ab4152 | tty-linux           | ACTIVE |        |
+--------------------------------------+---------------------+--------+--------+

  • Use the nova boot command to launch a new virtual machine instance. We'll use an m1.small instance in this example, using the CirrOS image. We also need to give this virtual machine instance a name; we'll call it cirros. We will explicitly specify the default security group in this example, although this isn't strictly necessary since the default group will be used if no security group is specified.

-- PaoloVeronesi - 2012-08-31

Topic revision: r3 - 2012-08-31 - PaoloVeronesi