Managing your cloud resources with OpenStack: Difference between revisions

copyediting
(Marked this version for translation)
(copyediting)
Line 9: Line 9:
This page describes how to perform common tasks encountered while working with OpenStack. It is assumed that you have already read [[Cloud Quick Start]] and understand the basic operations of launching and connecting to a VM. Most tasks can be performed using the dashboard, as described there and below. But some require use of the command line tools, for example [[#Creating an Image From a Volume|creating an image]]. See [[OpenStack Command Line Clients]] for more information.
This page describes how to perform common tasks encountered while working with OpenStack. It is assumed that you have already read [[Cloud Quick Start]] and understand the basic operations of launching and connecting to a VM. Most tasks can be performed using the dashboard, as described there and below. But some require use of the command line tools, for example [[#Creating an Image From a Volume|creating an image]]. See [[OpenStack Command Line Clients]] for more information.
=Security Groups= <!--T:3-->
=Security Groups= <!--T:3-->
Security groups allow you to control network traffic into and out of your virtual machines. To manage security groups go to ''Project->Compute->Access & Security'' and select the ''Security Groups'' tab. You will see a list of currently defined security groups. If you have not previously defined any security groups, there will be single ''default'' security group.  
A security group is a set of rules to control network traffic into and out of your virtual machines. To manage security groups go to ''Project->Compute->Access & Security'' and select the ''Security Groups'' tab. You will see a list of currently defined security groups. If you have not previously defined any security groups, there will be single default security group.  


<!--T:4-->
<!--T:4-->
To add or remove security rules from a security group click ''Manage Rules'' for that particular security group. To add a new rule click ''Add Rule'' button in the top right, to remove a rule click ''Delete Rule'' beside the rule you wish to delete.
To add or remove rules from a security group click ''Manage Rules'' beside that group. To add a new rule click ''Add Rule'' button in the top right; to remove a rule click ''Delete Rule'' beside the rule you wish to delete.


<!--T:5-->
<!--T:5-->
The ''default'' security group contains a number of rules by default. These rules allow network traffic for any port, from any ip, into (Ingress) a VM originating from another VM in the ''default'' security group for internet protocols version 4 and 6. They also allow network traffic out (Egress) of a VM from any port to any IP for both internet protocol versions. In other words these rules allow a VM which belongs to the ''Default'' security group access out to the internet, to download content (e.g. operating system upgrades, package installations) but does not allow another machine outside the ''default'' security group access to the VM. These default rules allow you to correctly launch a VM, removing them may cause problems when creating new VMs and is not recommended. These rules do not allow access to your VM from outside the default security group which is why to connect to your VM via SSH a security rule was added for port 22 to allow incoming (Ingress) traffic so that you were able to connect to your VM (see [[Cloud Quick Start#Firewall, add rules to allow SSH| Firewall, add rules to allow SSH]]).
The '''default security group''' contains rules which allow a VM access out to the internet, for example to download operating system upgrades or package installations, but does not allow another machine outside the default security group access to the VM. We recommend you do not remove rules from the default security group as this may cause problems when creating new VMs. You may recall, however, in the [[Cloud Quick Start]] you were directed to add a security rule for port 22 to allow incoming traffic so that you were able to connect to your VM ([[Cloud Quick Start#Firewall, add rules to allow SSH| Firewall, add rules to allow SSH]]).


<!--T:6-->
<!--T:6-->
You can define multiple security groups and a VM can belong to multiple security groups with each security group having a number of security rules. When deciding on how to manage your security groups and rules, think carefully about what needs to be accessed and who needs to access it. For example, if you will always be connecting to your VM from the same computer with a static IP via SSH it makes sense to allow SSH access only from that IP. To specify the allowed IP or IP range use the [https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR] box. Further, if you are only connecting to one VM via ssh from the outside, and then connecting to other VMs within the default security group from that VM it makes sense to add the SSH security rule to a separate group and add that group to the VM you are SSHing to, however, you will also need to ensure your ssh keys are configured correctly to ssh between VMs (see [[Ssh keys | SSH Keys]]).
You can define multiple security groups and a VM can belong to more than one security group. When deciding on how to manage your security groups and rules, think carefully about what needs to be accessed and who needs to access it. Strive to minimize the IP addresses and ports in your Ingress rules. For example, if you will always be connecting to your VM via SSH from the same computer with a static IP it makes sense to allow SSH access only from that IP. To specify the allowed IP or IP range use the [https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR] box. Further, if you only need to connect to one VM via SSH from the outside and then can use that as a gateway to any other Cloud VMs, it makes sense to put the SSH rule in a separate security group and add that group only to the gateway VM. However, you will also need to ensure your SSH keys are configured correctly to allow you to use SSH between VMs (see [[Ssh keys | SSH Keys]]).


<!--T:7-->
<!--T:7-->
The security group a VM belongs to can be configured when they are created on the ''Launch Instance'' screen under the ''Access & Security'' tab, or after the VM has been launched by selecting ''Edit Security Groups'' form the drop down menu of actions for the VM on the ''Project->Compute->Instances'' page.
The security groups a VM belongs to can be chosen when it is created on the ''Launch Instance'' screen under the ''Access & Security'' tab, or after the VM has been launched by selecting ''Edit Security Groups'' form the drop down menu of actions for the VM on the ''Project->Compute->Instances'' page.


=Working with Volumes= <!--T:8-->
=Working with Volumes= <!--T:8-->
Bureaucrats, cc_docs_admin, cc_staff
2,879

edits