Running Virtual Machine Instances
Security groups: Enabling SSH and ICMP (ping)
The Compute service uses the concept of security groups to control what network protocols (TCP, UDP, ICMP), ports, and IP addresses are permitted to access instances. Each tenant manages its own list of security groups and starts off with a security group called default. If no security group is specified upon boot, the virtual machine will be associated with the default security group.
Security groups can be listed by the nova secgroup-list command.
# nova secgroup-list
+---------+-------------+
| Name | Description |
+---------+-------------+
| default | default |
+---------+-------------+
In this example, we will use the nova secgroup-add-rule command to enable access to TCP port 22 (so we can SSH to instances). Allow access to port 22 from all IP addresses (specified in CIDR notation as 0.0.0.0/0) with the following command:
nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
When specifying rules for TCP and UDP protocols, you may specify a range of consecutive ports in a single rule (e.g., from port 5901 to port 5999). In this case, only a single port is being enabled, so we specify the start port as 22 and the end port as 22.
To be able to ping virtual machine instances, you must specify a rule to allow ICMP traffic. When specifying ICMP rules, instead of specifying a begin and end port, you specify a permitted ICMP code and ICMP type. You can also specify -1 for the code to enable all codes and -1 for the type to enable all ICMP types. Allow access to all codes and types of ICMP traffic from all IP addresses with the following command:
nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
# nova secgroup-list
+---------+-------------+
| Name | Description |
+---------+-------------+
| default | default |
+---------+-------------+
# nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| tcp | 22 | 22 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
# nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
+-------------+-----------+---------+-----------+--------------+
| IP Protocol | From Port | To Port | IP Range | Source Group |
+-------------+-----------+---------+-----------+--------------+
| icmp | -1 | -1 | 0.0.0.0/0 | |
+-------------+-----------+---------+-----------+--------------+
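Both rules above admit traffic from every source address. The following added example (not part of the original page) parses a rule table with the columns shown above and reports the rules whose IP Range is 0.0.0.0/0; the function names and the sample table, including its last two rows, are constructed for illustration.

```shell
# Added example: flag security group rules that admit any source address.
# Input on stdin: the ASCII rule table printed by the nova client.
audit_secgroup_rules() {
    awk -F'|' '
        /^[|]/ {                                  # data rows; "+---" borders are skipped
            for (i = 2; i <= 5; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            proto = $2; from = $3; to = $4; cidr = $5
            if (proto == "IP Protocol") next      # header row
            if (cidr != "0.0.0.0/0") next         # restricted CIDR, or a Source Group rule
            if (proto == "icmp") {
                # -1 in both columns means every ICMP type and code
                what = (from == "-1" && to == "-1") ? "all types and codes" : "fields " from " " to
            } else {
                what = (from == to) ? "port " from : "ports " from "-" to
            }
            printf "WORLD-OPEN %s %s\n", proto, what
        }
    '
}

# Constructed sample: the two rules from this page plus two restricted rules.
sample_rules() {
cat <<'EOF'
+-------------+-----------+---------+--------------+--------------+
| IP Protocol | From Port | To Port | IP Range     | Source Group |
+-------------+-----------+---------+--------------+--------------+
| tcp         | 22        | 22      | 0.0.0.0/0    |              |
| icmp        | -1        | -1      | 0.0.0.0/0    |              |
| tcp         | 5901      | 5999    | 192.0.2.0/24 |              |
| tcp         | 3306      | 3306    |              | default      |
+-------------+-----------+---------+--------------+--------------+
EOF
}

sample_rules | audit_secgroup_rules
```

On a live system, pipe the output of nova secgroup-list-rules default into audit_secgroup_rules instead of the sample table.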
Adding a keypair
skipped
Starting an instance
- To start an instance, we need to specify a flavor, also known as an instance type, which indicates the size of an instance. Use the nova flavor-list command to view the list of available flavors:
# nova flavor-list
+----+-----------+-----------+------+-----------+------+-------+-------------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+-----------+------+-------+-------------+
| 1 | m1.tiny | 512 | 0 | 0 | | 1 | 1.0 |
| 2 | m1.small | 2048 | 10 | 20 | | 1 | 1.0 |
| 3 | m1.medium | 4096 | 10 | 40 | | 2 | 1.0 |
| 4 | m1.large | 8192 | 10 | 80 | | 4 | 1.0 |
| 5 | m1.xlarge | 16384 | 10 | 160 | | 8 | 1.0 |
+----+-----------+-----------+------+-----------+------+-------+-------------+
- We also need to specify the image. Use the nova image-list command to retrieve the ID of the CirrOS image.
# nova image-list
+--------------------------------------+---------------------+--------+--------+
| ID | Name | Status | Server |
+--------------------------------------+---------------------+--------+--------+
| 3db3e2dc-9d2f-40ff-8519-af7d04f8146a | tty-linux-ramdisk | ACTIVE | |
| 8393828d-b226-434c-b0ea-179674fa4329 | tty-linux-kernel | ACTIVE | |
| ba70321b-7bb9-4fc5-a2d4-406fdd8d589d | cirros-0.3.0-x86_64 | ACTIVE | |
| df3422c6-58f5-4d3d-8de2-b1b522ab4152 | tty-linux | ACTIVE | |
+--------------------------------------+---------------------+--------+--------+
- Use the nova boot command to launch a new virtual machine instance. We'll use an m1.small instance in this example, using the CirrOS image. We also need to give this virtual machine instance a name; we'll call it cirros. We will explicitly specify the default security group in this example, although this isn't strictly necessary since the default group will be used if no security group is specified.
--
PaoloVeronesi - 2012-08-31