(Updating to match new version of source page) |
(Updating to match new version of source page) |
Line 12: | Line 12: | ||
The '''default security group''' contains rules which allow a VM access out to the internet, for example to download operating system upgrades or package installations, but does not allow another machine to access it, except for other VMs belonging to the same default security group. We recommend you do not remove rules from the default security group as this may cause problems when creating new VMs. You may recall, however, in the [[Cloud Quick Start]] you were directed to add a security rule for port 22 to allow incoming traffic so that you were able to connect to your VM ([[Cloud Quick Start#Firewall, add rules to allow SSH|Firewall, add rules to allow SSH]]). | The '''default security group''' contains rules which allow a VM access out to the internet, for example to download operating system upgrades or package installations, but does not allow another machine to access it, except for other VMs belonging to the same default security group. We recommend you do not remove rules from the default security group as this may cause problems when creating new VMs. You may recall, however, in the [[Cloud Quick Start]] you were directed to add a security rule for port 22 to allow incoming traffic so that you were able to connect to your VM ([[Cloud Quick Start#Firewall, add rules to allow SSH|Firewall, add rules to allow SSH]]). | ||
You can define multiple security groups and a VM can belong to more than one security group. When deciding on how to manage your security groups and rules, think carefully about what needs to be accessed and who needs to access it. Strive to minimize the IP addresses and ports in your Ingress rules. For example, if you will always be connecting to your VM via SSH from the same computer with a static IP it makes sense to allow SSH access only from that IP. To specify the allowed IP or IP range use the [https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR] box. Further, if you only need to connect to one VM via SSH from the outside and then can use that as a gateway to any other Cloud VMs, it makes sense to put the SSH rule in a separate security group and add that group only to the gateway VM. However, you will also need to ensure your SSH keys are configured correctly to allow you to use SSH between VMs (see [[ | You can define multiple security groups and a VM can belong to more than one security group. When deciding on how to manage your security groups and rules, think carefully about what needs to be accessed and who needs to access it. Strive to minimize the IP addresses and ports in your Ingress rules. For example, if you will always be connecting to your VM via SSH from the same computer with a static IP it makes sense to allow SSH access only from that IP. To specify the allowed IP or IP range use the [https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing CIDR] box. Further, if you only need to connect to one VM via SSH from the outside and then can use that as a gateway to any other Cloud VMs, it makes sense to put the SSH rule in a separate security group and add that group only to the gateway VM. However, you will also need to ensure your SSH keys are configured correctly to allow you to use SSH between VMs (see [[SSH Keys]]). | ||
The security groups a VM belongs to can be chosen when it is created on the ''Launch Instance'' screen under the ''Access & Security'' tab, or after the VM has been launched by selecting ''Edit Security Groups'' form the drop down menu of actions for the VM on the ''Project->Compute->Instances'' page. | The security groups a VM belongs to can be chosen when it is created on the ''Launch Instance'' screen under the ''Access & Security'' tab, or after the VM has been launched by selecting ''Edit Security Groups'' form the drop down menu of actions for the VM on the ''Project->Compute->Instances'' page. | ||
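Review bot: the unchanged context line "selecting ''Edit Security Groups'' form the drop down menu" still carries the typo "form" in both columns; it should read "from the drop-down menu", and since this hunk already touches the paragraph directly above it, fixing it here would be cheap. The right-hand column's repair of the truncated `[[ ` link to `[[SSH Keys]]` is consistent with the link target used in the later hunks, and the surrounding advice (keep the default group's egress rules, narrow the SSH ingress rule to a known CIDR, and attach it only to a gateway VM) is the right least-exposure guidance for this page.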
Line 103: | Line 103: | ||
[[File:VM multi user cloud init.png|400px|thumb| Cloud init to add multiple users (Click for larger image)]] | [[File:VM multi user cloud init.png|400px|thumb| Cloud init to add multiple users (Click for larger image)]] | ||
There are a number of ways to allow more than one person to log in to a VM. We recommend creating new user accounts and adding public [[ | There are a number of ways to allow more than one person to log in to a VM. We recommend creating new user accounts and adding public [[SSH Keys]] to these accounts. To do so manually, first create a new user account (under Ubuntu, for example) with the command {{Command|sudo adduser --disabled-password USERNAME}} | ||
Then add the person's public key to the <code>/home/$USER/.ssh/authorized_keys</code> file as described in [[ | Then add the person's public key to the <code>/home/$USER/.ssh/authorized_keys</code> file as described in [[SSH Keys]] and linked pages. | ||
If you wish to allow the new user root privileges, then you need to add the permissions with | |||
{{Command|sudo visudo -f /etc/sudoers.d/90-cloud-init-users}} | |||
and add a line like | |||
USERNAME ALL=(ALL) NOPASSWD:ALL | |||
Alternatively, you can do this during the creation of a VM using [http://cloudinit.readthedocs.org/en/latest/index.html# CloudInit]. The following CloudInit script adds two users <code>gretzky</code> and <code>lemieux</code> with and without sudo permissions respectively. | Alternatively, you can do this during the creation of a VM using [http://cloudinit.readthedocs.org/en/latest/index.html# CloudInit]. The following CloudInit script adds two users <code>gretzky</code> and <code>lemieux</code> with and without sudo permissions respectively. | ||
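Review bot: the path `/home/$USER/.ssh/authorized_keys` is inconsistent with the `USERNAME` placeholder used in the `adduser` command on the line above: `$USER` expands to the administrator running the command, not the newly created account, so a reader following the text literally would add the key to the wrong user's file. Suggest `/home/USERNAME/.ssh/authorized_keys`, and add that the `.ssh` directory and `authorized_keys` file must not be group- or world-writable (sshd rejects them under its default StrictModes) and should be owned by that user so they can manage their own keys. On the new sudoers block: it would help to state why `NOPASSWD:ALL` is used, namely that an account created with `--disabled-password` cannot satisfy a password-requiring sudo rule, and that `/etc/sudoers.d/90-cloud-init-users` is the file cloud-init writes its own user sudo rules into, so keeping manual grants in a separate file such as `/etc/sudoers.d/USERNAME` avoids mixing hand edits with cloud-init-managed content.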
Line 152: | Line 157: | ||
ci-info: +---------+-------------------------------------------------+---------+------------------+ | ci-info: +---------+-------------------------------------------------+---------+------------------+ | ||
Once this is done, users can log into the VM with their private keys as usual (see [[ | Once this is done, users can log into the VM with their private keys as usual (see [[SSH Keys]]). | ||
=Downloading an image= | =Downloading an image= |