SecurityGroups

SecurityGroups control which traffic may reach and leave a server and thus form the firewall at the infrastructure level. A SecurityGroup consists of one or more SecurityGroupRules. Every rule is an allow entry (there are no deny rules; anything not explicitly allowed is dropped) and matches its remote side either against an IP range (CIDR) or against the members of another SecurityGroup.

~ : openstack security group create mysecuritygroup
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                                 |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2025-04-09T07:13:09Z                                                                                                                                  |
| description     | mysecuritygroup                                                                                                                                       |
| id              | 6cee68d5-43d3-4c67-8ae3-4421b3f46a6a                                                                                                                  |
| name            | mysecuritygroup                                                                                                                                       |
| project_id      | f7f8ed8191a048248c38982cd4b3d240                                                                                                                      |
| revision_number | 1                                                                                                                                                     |
| rules           | created_at='2025-04-09T07:13:09Z', direction='egress', ethertype='IPv4', id='c143e476-3cc8-470b-80f6-ce2473dadac8', updated_at='2025-04-09T07:13:09Z' |
|                 | created_at='2025-04-09T07:13:09Z', direction='egress', ethertype='IPv6', id='f8c00d23-9c8c-456d-ab68-3e1fdcdb59a0', updated_at='2025-04-09T07:13:09Z' |
| stateful        | True                                                                                                                                                  |
| tags            | []                                                                                                                                                    |
| updated_at      | 2025-04-09T07:13:09Z                                                                                                                                  |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+

Rules

When a SecurityGroup is created, two rules are generated automatically. They only allow outbound communication (IPv4 and IPv6 egress to any destination); no inbound traffic is permitted. These rules can be deleted afterwards if required. Newly launched servers automatically receive the default SecurityGroup, which contains exactly these egress rules, so the auto-generated ones are usually not needed. If, however, the default SecurityGroup is not to be used, it is advisable to leave the rules in place: a server's effective rule set is the union of all SecurityGroups attached to it, and without an egress rule in any of them the server cannot initiate outbound connections at all (the group is stateful, so replies to allowed inbound connections still pass, but package updates or DNS lookups, for example, fail).

~ : openstack security group rule list mysecuritygroup
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| c143e476-3cc8-470b-80f6-ce2473dadac8 | None        | IPv4      | 0.0.0.0/0 |            | egress    | None                  | None                 |
| f8c00d23-9c8c-456d-ab68-3e1fdcdb59a0 | None        | IPv6      | ::/0      |            | egress    | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
~ : openstack security group rule delete c143e476-3cc8-470b-80f6-ce2473dadac8 f8c00d23-9c8c-456d-ab68-3e1fdcdb59a0 # optional

IPv6

Because IPv6 addresses are globally routable, opening a port in the SecurityGroup is enough to make it reachable from outside. The following example does this for SSH. Note that --remote-ip ::/0 exposes the port to the entire internet; wherever possible, restrict the prefix to the sources that actually need access:

~ : openstack security group rule create mysecuritygroup \
        --ingress \
        --ethertype ipv6 \
        --remote-ip ::/0 \
        --proto tcp --dst-port 22 \
        --description "Allow access to SSH externally (IPv6)"
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| created_at              | 2025-04-09T07:15:11Z                 |
| description             | Allow access to SSH externally       |
| direction               | ingress                              |
| ether_type              | IPv6                                 |
| id                      | bc08d14f-11e4-420a-918c-2bf8246c35e3 |
| name                    | None                                 |
| port_range_max          | 22                                   |
| port_range_min          | 22                                   |
| project_id              | f7f8ed8191a048248c38982cd4b3d240     |
| protocol                | tcp                                  |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | ::/0                                 |
| revision_number         | 0                                    |
| security_group_id       | 6cee68d5-43d3-4c67-8ae3-4421b3f46a6a |
| tags                    | []                                   |
| updated_at              | 2025-04-09T07:15:11Z                 |
+-------------------------+--------------------------------------+
~ : openstack security group rule list mysecuritygroup
+--------------------------------------+-------------+-----------+----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+----------+------------+-----------+-----------------------+----------------------+
| bc08d14f-11e4-420a-918c-2bf8246c35e3 | tcp         | IPv6      | ::/0     | 22:22      | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+----------+------------+-----------+-----------------------+----------------------+

IPv4

When opening ports under IPv4 they are not immediately reachable from outside: the servers sit behind NAT, and the port only becomes reachable externally once a FloatingIP is bound to the server. Internally the port is open right away and can be reached by other servers connected to the same router. The --ethertype flag is omitted here because IPv4 is the default:

~ : openstack security group rule create mysecuritygroup \
        --ingress \
        --remote-ip 0.0.0.0/0 \
        --proto tcp --dst-port 22 \
        --description "Allow access to SSH externally (IPv4)"
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| created_at              | 2025-04-09T07:36:46Z                 |
| description             | Allow access to SSH externally       |
| direction               | ingress                              |
| ether_type              | IPv4                                 |
| id                      | 5c9a666d-e7a8-4587-b731-ea3a22627ce7 |
| name                    | None                                 |
| port_range_max          | 22                                   |
| port_range_min          | 22                                   |
| project_id              | f7f8ed8191a048248c38982cd4b3d240     |
| protocol                | tcp                                  |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | 0.0.0.0/0                            |
| revision_number         | 0                                    |
| security_group_id       | 6cee68d5-43d3-4c67-8ae3-4421b3f46a6a |
| tags                    | []                                   |
| updated_at              | 2025-04-09T07:36:46Z                 |
+-------------------------+--------------------------------------+
~ : openstack security group rule list mysecuritygroup
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range  | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 5c9a666d-e7a8-4587-b731-ea3a22627ce7 | tcp         | IPv4      | 0.0.0.0/0 | 22:22      | ingress   | None                  | None                 |
| bc08d14f-11e4-420a-918c-2bf8246c35e3 | tcp         | IPv6      | ::/0      | 22:22      | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+

Linking SecurityGroups (Advanced)

In some cases it makes sense to create several SecurityGroups and link them so that attaching one group to a server opens ports in another. The example is an app server that needs to reach a database. For this the db and app SecurityGroups are created. External connectivity is provided by the internet-access SecurityGroup, which keeps its two auto-generated egress rules and otherwise stays empty. We do not use the default SecurityGroup, because it allows all traffic between the servers that carry it, which is not restrictive enough for this scenario.

# Create SecurityGroups
for i in internet-access db app; do
    openstack security group create "$i"
done

# Remove the auto-generated egress rules from the db and app SecurityGroups
# (internet-access keeps them and is therefore the group that grants outbound access)
ids=()
for sg in db app; do
    for id in $(openstack security group rule list -f value -c ID "$sg"); do
        ids+=("$id")
    done
done
# Delete the gathered rules in one call by expanding the ids array to its values
openstack security group rule delete "${ids[@]}"

App

The application servers must be reachable from outside via HTTP(S). All other access is denied; only our fictitious app admins should still be able to reach the machines via SSH. The access the app servers need to the database servers is granted in the db SecurityGroup.

# Allow HTTP(S) externally (no --remote-ip given: the rule matches any source of the chosen ethertype)
for port in 80 443; do
    for family in ipv4 ipv6; do
        openstack security group rule create app \
            --ingress \
            --ethertype "$family" \
            --proto tcp \
            --dst-port "$port" \
            --description "Allow access to Port $port ($family)"
    done
done

# Allow SSH Access to App instances from App Admins
openstack security group rule create app \
    --ingress \
    --ethertype ipv6 \
    --remote-ip 2001:db8::a66:ad/128 \
    --proto tcp --dst-port 22 \
    --description "Allow access to SSH from App Admins (IPv6)"
openstack security group rule create app \
    --ingress \
    --remote-ip 2.3.4.5/32 \
    --proto tcp --dst-port 22 \
    --description "Allow access to SSH from App Admins (IPv4)"
~ : openstack security group rule list app
+--------------------------------------+-------------+-----------+----------------------+------------+-----------+-----------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range             | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+----------------------+------------+-----------+-----------------------+----------------------+
| e4597426-ee56-400b-a18c-c7cf7208629a | tcp         | IPv6      | 2001:db8::a66:ad/128 | 22:22      | ingress   | None                  | None                 |
| edfb31e8-d14d-4a4f-9008-ed69c632f17a | tcp         | IPv4      | 2.3.4.5/32           | 22:22      | ingress   | None                  | None                 |
| 207de6d5-8690-4519-aae2-dbc7b2913d82 | tcp         | IPv6      | ::/0                 | 80:80      | ingress   | None                  | None                 |
| 701d9cf8-1234-4e23-8bea-fdec97cd0fb1 | tcp         | IPv4      | 0.0.0.0/0            | 80:80      | ingress   | None                  | None                 |
| 505eeb8c-d6be-4640-b87a-ff5ca385cb70 | tcp         | IPv6      | ::/0                 | 443:443    | ingress   | None                  | None                 |
| e6ca13d6-734d-4d4c-b8d0-8b723e541af3 | tcp         | IPv4      | 0.0.0.0/0            | 443:443    | ingress   | None                  | None                 |
+--------------------------------------+-------------+-----------+----------------------+------------+-----------+-----------------------+----------------------+

DB

In the db SecurityGroup we open the PostgreSQL port for the app servers and also give the database admins SSH access. Since the port may only be used by the app servers, we pass their SecurityGroup with the --remote-group flag. All servers carrying the app SecurityGroup thus get access to port 5432 automatically, regardless of which network they run in, as long as their packets arrive with their own source address (the match is against the addresses of the group members, so it does not survive NAT). In the listing below these rules still show 0.0.0.0/0 or ::/0 in the IP Range column; the Remote Security Group column is what restricts them. PostgreSQL only speaks TCP, so the UDP rules created by the loop grant nothing the service uses and can be left out.

# Allow PostgreSQL from the app SecurityGroup (PostgreSQL speaks TCP only; the udp iteration can be dropped)
port=5432
for proto in tcp udp; do
    for family in ipv4 ipv6; do
        openstack security group rule create db \
            --ingress \
            --remote-group app \
            --ethertype "$family" \
            --proto "$proto" \
            --dst-port "$port" \
            --description "Allow access to DB ($family)"
    done
done

# Allow SSH Access to DB instances from Database Admins
openstack security group rule create db \
    --ingress \
    --ethertype ipv6 \
    --remote-ip 2001:db8::db:ad/128 \
    --proto tcp --dst-port 22 \
    --description "Allow access to SSH from DBAs (IPv6)"
openstack security group rule create db \
    --ingress \
    --remote-ip 1.2.3.4/32 \
    --proto tcp --dst-port 22 \
    --description "Allow access to SSH from DBAs (IPv4)"
~ : openstack security group rule list db
+--------------------------------------+-------------+-----------+---------------------+------------+-----------+--------------------------------------+----------------------+
| ID                                   | IP Protocol | Ethertype | IP Range            | Port Range | Direction | Remote Security Group                | Remote Address Group |
+--------------------------------------+-------------+-----------+---------------------+------------+-----------+--------------------------------------+----------------------+
| cd0ca73a-0c75-4f8a-a133-de577f4252a2 | tcp         | IPv6      | 2001:db8::db:ad/128 | 22:22      | ingress   | None                                 | None                 |
| 036a64c7-cad9-4a08-8e71-0d75ea6e7cae | tcp         | IPv4      | 1.2.3.4/32          | 22:22      | ingress   | None                                 | None                 |
| 9670351e-1223-4202-99f0-58b290344be4 | udp         | IPv6      | ::/0                | 5432:5432  | ingress   | 3127a73d-463a-4736-a986-f83f2de373e5 | None                 |
| f175b455-6a6a-4717-9ce8-be0f50930d72 | tcp         | IPv6      | ::/0                | 5432:5432  | ingress   | 3127a73d-463a-4736-a986-f83f2de373e5 | None                 |
| 70752850-7b84-41a7-9eb2-49c5a1c6d32a | udp         | IPv4      | 0.0.0.0/0           | 5432:5432  | ingress   | 3127a73d-463a-4736-a986-f83f2de373e5 | None                 |
| 8500cdff-3649-488e-bdd9-eb2e625da360 | tcp         | IPv4      | 0.0.0.0/0           | 5432:5432  | ingress   | 3127a73d-463a-4736-a986-f83f2de373e5 | None                 |
+--------------------------------------+-------------+-----------+---------------------+------------+-----------+--------------------------------------+----------------------+
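Two things from the sections above are easy to get wrong in practice: a server's effective rule set is the union of all its SecurityGroups (Rules section), and a remote-group rule is only as restrictive as its Remote Security Group column, since the IP Range column still prints 0.0.0.0/0 or ::/0 for it (db table). The following Python script is an added example, not code from this page or from OpenStack: it audits, offline, which sensitive ports a server exposes to the whole internet, whether it still has any egress rule, and whether UDP rules exist for TCP-only services. Input rows are shaped like the output of `openstack security group rule list <sg> -f json`, which is assumed here to use the table column titles as keys; the embedded rule data is constructed from the tables on this page (the internet-access rule IDs and the servers db01 and legacy01 are made up).

```python
"""Offline audit of the sensitive ports a server exposes through its SecurityGroups.
Added example; not code from this page or from OpenStack. Rows are shaped like
`openstack security group rule list <sg> -f json` (assumed: keys = table column titles)."""
import ipaddress

SENSITIVE_PORTS = {22, 5432}  # must never be reachable from 0.0.0.0/0 or ::/0
TCP_ONLY_PORTS = {22, 5432}   # SSH and PostgreSQL speak TCP only; UDP rules are dead weight


def rule(rid, proto, ether, cidr, ports, direction="ingress", remote_group=None):
    """One rule dict shaped like a row of the CLI's JSON output."""
    return {"ID": rid, "IP Protocol": proto, "Ethertype": ether, "IP Range": cidr,
            "Port Range": ports, "Direction": direction,
            "Remote Security Group": remote_group, "Remote Address Group": None}


APP_SG_ID = "3127a73d-463a-4736-a986-f83f2de373e5"  # id of the app group, as printed in the db table
# Constructed sample from this page's tables. internet-access IDs are made up (the page never
# lists that group); mysecuritygroup is shown after its egress rules were deleted.
RULES_BY_GROUP = {
    "mysecuritygroup": [
        rule("5c9a666d-e7a8-4587-b731-ea3a22627ce7", "tcp", "IPv4", "0.0.0.0/0", "22:22"),
        rule("bc08d14f-11e4-420a-918c-2bf8246c35e3", "tcp", "IPv6", "::/0", "22:22"),
    ],
    "internet-access": [
        rule("ia-egress-v4", None, "IPv4", "0.0.0.0/0", "", direction="egress"),
        rule("ia-egress-v6", None, "IPv6", "::/0", "", direction="egress"),
    ],
    "app": [
        rule("e4597426-ee56-400b-a18c-c7cf7208629a", "tcp", "IPv6", "2001:db8::a66:ad/128", "22:22"),
        rule("edfb31e8-d14d-4a4f-9008-ed69c632f17a", "tcp", "IPv4", "2.3.4.5/32", "22:22"),
        rule("207de6d5-8690-4519-aae2-dbc7b2913d82", "tcp", "IPv6", "::/0", "80:80"),
        rule("701d9cf8-1234-4e23-8bea-fdec97cd0fb1", "tcp", "IPv4", "0.0.0.0/0", "80:80"),
        rule("505eeb8c-d6be-4640-b87a-ff5ca385cb70", "tcp", "IPv6", "::/0", "443:443"),
        rule("e6ca13d6-734d-4d4c-b8d0-8b723e541af3", "tcp", "IPv4", "0.0.0.0/0", "443:443"),
    ],
    "db": [
        rule("cd0ca73a-0c75-4f8a-a133-de577f4252a2", "tcp", "IPv6", "2001:db8::db:ad/128", "22:22"),
        rule("036a64c7-cad9-4a08-8e71-0d75ea6e7cae", "tcp", "IPv4", "1.2.3.4/32", "22:22"),
        rule("9670351e-1223-4202-99f0-58b290344be4", "udp", "IPv6", "::/0", "5432:5432", remote_group=APP_SG_ID),
        rule("f175b455-6a6a-4717-9ce8-be0f50930d72", "tcp", "IPv6", "::/0", "5432:5432", remote_group=APP_SG_ID),
        rule("70752850-7b84-41a7-9eb2-49c5a1c6d32a", "udp", "IPv4", "0.0.0.0/0", "5432:5432", remote_group=APP_SG_ID),
        rule("8500cdff-3649-488e-bdd9-eb2e625da360", "tcp", "IPv4", "0.0.0.0/0", "5432:5432", remote_group=APP_SG_ID),
    ],
}


def port_span(port_range):
    """'22:22' -> (22, 22); an empty range (all ports, e.g. protocol None) -> (1, 65535)."""
    if not port_range:
        return (1, 65535)
    lo, hi = port_range.split(":")
    return (int(lo), int(hi))


def is_world(r):
    """True when any source matches. A remote-group rule still prints 0.0.0.0/0 or ::/0
    in the IP Range column (see the db table above); the group is what restricts it."""
    if r["Remote Security Group"] or r["Remote Address Group"]:
        return False
    cidr = r["IP Range"]
    return (not cidr) or ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def effective_rules(server_groups, rules_by_group):
    """A server's rule set is the union of every group it carries (rules only ever allow)."""
    return [dict(r, group=g) for g in server_groups for r in rules_by_group[g]]


def audit_server(name, server_groups, rules_by_group):
    rules = effective_rules(server_groups, rules_by_group)
    public, dead_udp = [], []
    for r in rules:
        if r["Direction"] != "ingress":
            continue
        lo, hi = port_span(r["Port Range"])
        hit = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if hit and is_world(r):
            public.append((r["group"], r["ID"], hit))
        if r["IP Protocol"] == "udp" and any(lo <= p <= hi for p in TCP_ONLY_PORTS):
            dead_udp.append((r["group"], r["ID"]))
    return {
        "server": name,
        "public_sensitive": public,   # SSH/PostgreSQL reachable from the whole internet
        "superfluous_udp": dead_udp,  # UDP rules for services that only use TCP
        # no egress rule in any attached group: the server cannot open outbound connections
        "has_egress": any(r["Direction"] == "egress" for r in rules),
    }


if __name__ == "__main__":
    for srv, groups in {"app01": ["app", "internet-access"],  # as shown by `openstack server show app01`
                        "db01": ["db", "internet-access"],    # hypothetical database server
                        "legacy01": ["mysecuritygroup"]}.items():  # hypothetical, egress rules deleted
        print(audit_server(srv, groups, RULES_BY_GROUP))
```

Against real data, replace RULES_BY_GROUP with `json.load` of `openstack security group rule list <sg> -f json` for each group a server lists under security_groups in `openstack server show`. For app01 and db01 the audit reports no world-reachable sensitive port and egress present; for db01 it flags the two UDP 5432 rules as superfluous, and for a server carrying only mysecuritygroup (after the optional deletion of its egress rules) it reports SSH open to the world over both address families and no egress rule at all.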

Result

The app server app01 is launched with the app and internet-access SecurityGroups, so the rules of both groups apply to it together:

~ : openstack server show app01
+-------------------------------------+----------------------------------------------------------------------------+
| Field                               | Value                                                                      |
+-------------------------------------+----------------------------------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                                                     |
| OS-EXT-AZ:availability_zone         | RegionOne                                                                  |
| OS-EXT-STS:power_state              | Running                                                                    |
| OS-EXT-STS:vm_state                 | active                                                                     |
| OS-SRV-USG:launched_at              | 2025-04-09T10:22:38.000000                                                 |
| OS-SRV-USG:terminated_at            | None                                                                       |
| accessIPv4                          |                                                                            |
| accessIPv6                          |                                                                            |
| addresses                           | mynetwork=192.168.199.182, 2a02:ed80:80:101:f816:3eff:fe44:ae77            |
| config_drive                        |                                                                            |
| created                             | 2025-04-09T10:22:27Z                                                       |
| description                         | app01                                                                      |
| flavor                              | description=, disk='25', ephemeral='0', , id='s1.small', is_disabled=,     |
|                                     | is_public='True', location=, name='s1.small', original_name='s1.small',    |
|                                     | ram='2048', rxtx_factor=, swap='0', vcpus='2'                              |
| hostId                              | 36981f1ee60b435e820aa0f4e957d5146845ab43d98285fc57cb88bc                   |
| id                                  | 42ecd18e-16d8-4146-beb5-bbcedf543f48                                       |
| image                               | Ubuntu Noble 24.04 LTS (829fff8b-e1b9-43d1-9f4a-52ccfc2edfe2)              |
| key_name                            | None                                                                       |
| locked                              | False                                                                      |
| locked_reason                       | None                                                                       |
| name                                | app01                                                                      |
| progress                            | 0                                                                          |
| project_id                          | f7f8ed8191a048248c38982cd4b3d240                                           |
| properties                          |                                                                            |
| security_groups                     | name='app'                                                                 |
|                                     | name='internet-access'                                                     |
| server_groups                       | []                                                                         |
| status                              | ACTIVE                                                                     |
| tags                                |                                                                            |
| trusted_image_certificates          | None                                                                       |
| updated                             | 2025-04-09T10:22:38Z                                                       |
| user_id                             | 9dad1ab0716b4d0bb025d045fc28e987                                           |
| volumes_attached                    |                                                                            |
+-------------------------------------+----------------------------------------------------------------------------+