Security Groups
Security groups are a mechanism to control the outgoing and incoming network traffic of virtual machine instances. Implemented as sets of IP filter rules that are applied to servers, they effectively define networking access from and to these servers. The rules in these groups are project specific and project members can edit the default rules for their group and add new rule sets.
Warning
Support for Security groups is only available in the Prevessin Data Centre (PDC), and not in the Meyrin Data Centre (MDC).
Machines in the PDC start with a restricted set of rules. Users may need to explicitly open ports to communicate with other machines of their setup.
To read more about security groups in general, please refer to the upstream documentation for OpenStack Security Groups.
Default security groups
All projects have a default security group which is applied to any port that has no other security group defined. Unless you change it, this security group allows all outgoing traffic and accepts incoming traffic only from other ports that are themselves in the default security group (the two ingress rules below reference the group's own ID as remote security group); all other incoming traffic is denied.
The main purpose of this policy is to make users aware of which ports they open towards the other VMs on the site, reducing the attack surface in case of an intrusion.
A user can list the security groups in a project by typing:
$ openstack security group list
+--------------------------------------+---------+---------------------------------------+--------------------------------------+-----------+
| ID | Name | Description | Project | Tags |
+--------------------------------------+---------+---------------------------------------+--------------------------------------+-----------+
| 1b7ec78b-84ac-401e-989a-bc37009039fa | default | Default security group | 7f1f1658-e495-4829-86d2-3a1ced0f1c56 | [] |
| 1e4dbafb-d7b9-4549-b6e3-17a4e369299f | rdp | Cloud Security group for RDP traffic | 29d90dc8-2558-41c9-a997-836c0d1df2fb | ['cloud'] |
| e898e850-2fca-45aa-a873-199bafd706d5 | icmp | Cloud Security group for ICMP traffic | 29d90dc8-2558-41c9-a997-836c0d1df2fb | ['cloud'] |
| fce01218-57a6-472f-ab5b-dfd20629e130 | ssh | Cloud Security group for SSH traffic | 29d90dc8-2558-41c9-a997-836c0d1df2fb | ['cloud'] |
+--------------------------------------+---------+---------------------------------------+--------------------------------------+-----------+
Then you can list the rules opened by the default security group by typing:
$ openstack security group rule list default
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
| 2a2d49ab-2b50-4017-a1e0-47ba2cc4ad34 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| 9c1e3be3-5aa4-4914-bdf3-daf2793f8e89 | None | IPv6 | ::/0 | | egress | None | None |
| dcd8af99-b0ad-4352-925a-681b4d6ad2fd | None | IPv4 | 0.0.0.0/0 | | ingress | 1b7ec78b-84ac-401e-989a-bc37009039fa | None |
| f5a43462-38e7-4c23-ae2e-395fa5062add | None | IPv6 | ::/0 | | ingress | 1b7ec78b-84ac-401e-989a-bc37009039fa | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+--------------------------------------+----------------------+
Following the advice of the security team, and to help users interact with security groups, we also provide three security groups that allow connectivity to standard services on user VMs. They let any host ping a machine in the group (ICMP v4/v6), or connect to it remotely via SSH (on Linux) or via RDP (on Windows).
These are the rules for inbound ICMP traffic:
$ openstack security group rule list icmp
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 4c7070f8-c945-4716-943b-e4f5a0416f43 | ipv6-icmp | IPv6 | ::/0 | | ingress | None | None |
| b4815dbe-fb8f-4008-8213-210b091330f4 | icmp | IPv4 | 0.0.0.0/0 | | ingress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
These are the rules for inbound SSH traffic:
$ openstack security group rule list ssh
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| b3348c2a-12b9-499b-b2d6-21cbf5d22b85 | tcp | IPv4 | 0.0.0.0/0 | 22:22 | ingress | None | None |
| f55a33c8-9355-47db-b876-1e795bca29d0 | tcp | IPv6 | ::/0 | 22:22 | ingress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
These are the rules for inbound RDP traffic:
$ openstack security group rule list rdp
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 4e3c597a-6643-43af-8004-0256c69274bc | tcp | IPv4 | 0.0.0.0/0 | 3389:3389 | ingress | None | None |
| abdd2bfb-74e5-47bb-85b6-3994ab9e6a29 | tcp | IPv6 | ::/0 | 3389:3389 | ingress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
A security group with no rules blocks all traffic in both directions: rules can only allow, never deny, so a user needs to explicitly define rules for both ingress (inbound connectivity) and egress (outbound connectivity). The default group already carries the two egress rules shown above, which is why a freshly created VM can reach out without further configuration.
Machines (and ports) can have multiple security groups associated, and the traffic is filtered using the combination (union) of all the rules of all the security groups attached to that VM or port.
For example, if a user creates a Linux machine with the default, icmp and ssh security groups, it can be pinged and reached over SSH from outside the project.
Operations with security groups
A security group can be created by any member of the project, e.g.:
openstack security group create --description <description> <group>
Security groups are really only containers for rules. Security group rules define the actual IP filter rules that will be applied. Security groups deny everything by default, so rules indicate what is allowed. Typically, a security group rule will be configured with the following attributes: an IP protocol (one of ICMP, TCP, or UDP), a destination port or port range, and a remote IP range (in CIDR format). You create security group rules by specifying these attributes and the security group to which the rules should be added. For example:
$ openstack security group rule create [--remote-ip <ip-address> | --remote-group <group> | --remote-address-group <group>]
[--dst-port <port-range>]
[--protocol <protocol>]
[--description <description>]
[--icmp-type <icmp-type>]
[--icmp-code <icmp-code>]
[--ingress | --egress]
[--ethertype <ethertype>]
<group>
Argument | Description |
---|---|
--remote-ip | Remote IP address block (may use CIDR notation; default for IPv4 rule: 0.0.0.0/0, default for IPv6 rule: ::/0) |
--remote-group | Remote security group (name or ID) |
--remote-address-group | Remote address group (name or ID) |
--dst-port | Destination port, may be a single port or a starting and ending port range: 137:139. Required for IP protocols TCP and UDP. Ignored for ICMP IP protocols. |
--protocol | IP protocol (ah, dccp, egp, esp, gre, icmp, igmp, ipv6-encap, ipv6-frag, ipv6-icmp, ipv6-nonxt, ipv6-opts, ipv6-route, ospf, pgm, rsvp, sctp, tcp, udp, udplite, vrrp and integer representations [0-255] or any; default: any (all protocols)) |
--description | Set security group rule description |
--icmp-type | ICMP type for ICMP IP protocols |
--icmp-code | ICMP code for ICMP IP protocols |
--ingress | Rule applies to incoming network traffic (default) |
--egress | Rule applies to outgoing network traffic |
--ethertype | Ethertype of network traffic (IPv4, IPv6; default: based on IP protocol) |
<group> | Create rule in this security group (name or ID) |
Note
The
So in order to allow inbound ICMP v4 and ICMP v6 from any source on the default group, we just need to run the following (the remote IP block defaults to 0.0.0.0/0 and ::/0 respectively, and --dst-port is ignored for ICMP):
$ openstack security group rule create --protocol icmp --ingress default
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2024-04-17T11:45:40Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 30636649-a712-4f12-98cf-fb68049aba80 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | 7f1f1658-e495-4829-86d2-3a1ced0f1c56 |
| protocol | icmp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 1b7ec78b-84ac-401e-989a-bc37009039fa |
| tags | [] |
| updated_at | 2024-04-17T11:45:40Z |
+-------------------------+--------------------------------------+
$ openstack security group rule create --protocol ipv6-icmp --ingress default
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2024-04-17T11:45:45Z |
| description | |
| direction | ingress |
| ether_type | IPv6 |
| id | afec618a-e081-449b-a45c-ec768a07c519 |
| name | None |
| port_range_max | None |
| port_range_min | None |
| project_id | 7f1f1658-e495-4829-86d2-3a1ced0f1c56 |
| protocol | ipv6-icmp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | ::/0 |
| revision_number | 0 |
| security_group_id | 1b7ec78b-84ac-401e-989a-bc37009039fa |
| tags | [] |
| updated_at | 2024-04-17T11:45:45Z |
+-------------------------+--------------------------------------+
For SSH access over IPv4 and IPv6 on the default group, we just need to run the commands below. Note that 0.0.0.0/0 and ::/0 admit any source address: for least privilege, replace the --remote-ip block with the CIDR of the hosts that actually need to connect, or use --remote-group to admit only ports belonging to another security group.
$ openstack security group rule create --protocol tcp --ethertype IPv4 --remote-ip 0.0.0.0/0 --dst-port 22:22 --ingress default
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2024-04-17T11:45:51Z |
| description | |
| direction | ingress |
| ether_type | IPv4 |
| id | 4903063d-a73e-4030-86e9-d598863c686f |
| name | None |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | 7f1f1658-e495-4829-86d2-3a1ced0f1c56 |
| protocol | tcp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | 0.0.0.0/0 |
| revision_number | 0 |
| security_group_id | 1b7ec78b-84ac-401e-989a-bc37009039fa |
| tags | [] |
| updated_at | 2024-04-17T11:45:51Z |
+-------------------------+--------------------------------------+
$ openstack security group rule create --protocol tcp --ethertype IPv6 --remote-ip ::/0 --dst-port 22:22 --ingress default
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| created_at | 2024-04-17T11:45:56Z |
| description | |
| direction | ingress |
| ether_type | IPv6 |
| name | None |
| port_range_max | 22 |
| port_range_min | 22 |
| project_id | 7f1f1658-e495-4829-86d2-3a1ced0f1c56 |
| protocol | tcp |
| remote_address_group_id | None |
| remote_group_id | None |
| remote_ip_prefix | ::/0 |
| revision_number | 0 |
| security_group_id | 1b7ec78b-84ac-401e-989a-bc37009039fa |
| tags | [] |
| updated_at | 2024-04-17T11:45:56Z |
+-------------------------+--------------------------------------+
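The rule listings above are exactly what a reviewer should scan for ports opened to the whole Internet. The following audit is an added example, not part of this documentation or of the OpenStack tooling: it reads a record list in the shape of the `openstack security group rule list` columns (the input here is constructed inline with synthetic IDs; it assumes that `-f json` uses the column headers as JSON keys, which you should confirm on your deployment) and reports every ingress rule scoped only by an all-zero prefix that is not on an explicitly approved (protocol, port) list.

```python
"""Audit a security group rule listing for ingress rules open to the Internet.

Added example, not part of the CERN cloud documentation. Input records follow
the column names of `openstack security group rule list`; the assumption that
`-f json` emits those headers as keys is not verified here.
"""
import ipaddress
import json
from typing import Dict, List, Optional, Set, Tuple

# (protocol, port) pairs the site already exposes through its icmp/ssh/rdp
# groups; anything else open to the world is a finding. None = any port.
APPROVED: Set[Tuple[Optional[str], Optional[int]]] = {
    ("tcp", 22), ("tcp", 3389), ("icmp", None), ("ipv6-icmp", None),
}

# Constructed sample, not real cloud output: synthetic IDs, mixed cases.
SAMPLE_JSON = """[
 {"ID": "r-ssh-v4", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": null, "Remote Address Group": null},
 {"ID": "r-mysql-v4", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "3306:3306", "Direction": "ingress", "Remote Security Group": null, "Remote Address Group": null},
 {"ID": "r-any-v4", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "", "Direction": "ingress", "Remote Security Group": null, "Remote Address Group": null},
 {"ID": "r-mysql-lan", "IP Protocol": "tcp", "Ethertype": "IPv4", "IP Range": "10.0.0.0/8",
  "Port Range": "3306:3306", "Direction": "ingress", "Remote Security Group": null, "Remote Address Group": null},
 {"ID": "r-self", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "", "Direction": "ingress", "Remote Security Group": "default", "Remote Address Group": null},
 {"ID": "r-udp-v6", "IP Protocol": "udp", "Ethertype": "IPv6", "IP Range": "::/0",
  "Port Range": "1024:65535", "Direction": "ingress", "Remote Security Group": null, "Remote Address Group": null},
 {"ID": "r-icmp-v4", "IP Protocol": "icmp", "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "", "Direction": "ingress", "Remote Security Group": null, "Remote Address Group": null},
 {"ID": "r-egress-v4", "IP Protocol": null, "Ethertype": "IPv4", "IP Range": "0.0.0.0/0",
  "Port Range": "", "Direction": "egress", "Remote Security Group": null, "Remote Address Group": null}
]"""


def load_rules(text: str) -> List[Dict]:
    """Parse the JSON rule listing into a list of records."""
    return json.loads(text)


def parse_port_range(text: Optional[str]) -> Tuple[Optional[int], Optional[int]]:
    """'22:22' -> (22, 22); '' or None -> (None, None), meaning all ports."""
    if not text:
        return None, None
    lo, hi = text.split(":")
    return int(lo), int(hi)


def is_world_open(rule: Dict) -> bool:
    """Ingress, scoped by prefix only, and that prefix is the whole address space."""
    if rule["Direction"] != "ingress":
        return False
    if rule.get("Remote Security Group") or rule.get("Remote Address Group"):
        return False  # scoped to a set of ports, not to a prefix
    prefix = rule.get("IP Range") or ("0.0.0.0/0" if rule["Ethertype"] == "IPv4" else "::/0")
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def audit(rules: List[Dict], approved=APPROVED) -> List[Tuple[str, str]]:
    """Return (rule ID, reason) for every world-open ingress rule not on the approved list."""
    findings = []
    for r in rules:
        if not is_world_open(r):
            continue
        proto = r.get("IP Protocol")
        lo, hi = parse_port_range(r.get("Port Range"))
        if proto is None:
            findings.append((r["ID"], "all protocols and ports open to the Internet"))
        elif lo is None:
            if (proto, None) not in approved:
                findings.append((r["ID"], f"{proto} on all ports open to the Internet"))
        elif not (lo == hi and (proto, lo) in approved):
            findings.append((r["ID"], f"{proto} {lo}-{hi} open to the Internet"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit(load_rules(SAMPLE_JSON)):
        print(f"{rule_id}: {reason}")
```

Run it against real output by piping `openstack security group rule list <group> -f json` into `load_rules`; rules restricted to a prefix, a remote security group or a remote address group are never reported, which is the shape you want most ingress rules to have.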
Assign/Remove security groups to ports
Security groups are an attribute of ports. Newly created ports get the project's default security group unless another group is specified.
It is possible to specify different security groups when creating a new port. For example:
openstack port create --network <network> --security-group <group> <port>
Please note that you can specify multiple security groups while creating a port by just adding additional --security-group parameters.
Additional security groups can also be added or removed from existing ports. For example:
openstack port set --security-group <group> ... <port>
openstack port unset --security-group <group> ... <port>
Note: A port can be member of multiple security groups. The rules from all the security groups are combined to get the final state of the traffic that is allowed or not to access the VM through that port.
Assign/Remove security groups to servers
You can specify at creation time the security group that all ports of a server will carry by passing the --security-group parameter, like:
openstack server create --security-group <group> ... <server>
Please note that you can specify multiple security groups while creating a server by just adding additional --security-group parameters.
Once a server has been created, it is possible to add or remove a security group from all ports attached to the server by calling the following commands
openstack server add security group <server> <group>
openstack server remove security group <server> <group>
Note
A VM can be member of multiple security groups, and those will be applied on all the ports that a machine could have. The rules from all the security groups are combined to get the final state of the traffic that is allowed or not to access the VM.
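The union semantics stated above (in the default-group section and in the notes for ports and servers) are easy to get wrong when a port carries several groups or when a rule points at a remote security group rather than a prefix. The evaluator below is an added example, not part of this documentation or of OpenStack itself: it re-implements those semantics offline (deny by default; rules only allow; every rule of every attached group counts; a remote-group rule matches traffic from any port carrying that group) over rule tables constructed inline to mirror the default, icmp, ssh and rdp groups listed earlier, so you can answer "will this packet get through?" before touching the cloud.

```python
"""Effective security-group policy, evaluated offline.

Added example, not part of the CERN cloud documentation or of OpenStack.
The rule tables are constructed to mirror the groups shown on this page,
with group names standing in for the UUIDs the CLI prints.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                       # "ingress" or "egress"
    ethertype: str                       # "IPv4" or "IPv6"
    protocol: Optional[str] = None       # None: any protocol
    port_min: Optional[int] = None       # None: any port
    port_max: Optional[int] = None
    remote_ip: Optional[str] = None      # CIDR; None (and no remote_group): any source
    remote_group: Optional[str] = None   # name of a security group


# Constructed tables mirroring the `openstack security group rule list`
# output shown earlier on this page.
GROUPS: Dict[str, List[Rule]] = {
    "default": [
        Rule("egress", "IPv4", remote_ip="0.0.0.0/0"),
        Rule("egress", "IPv6", remote_ip="::/0"),
        Rule("ingress", "IPv4", remote_group="default"),
        Rule("ingress", "IPv6", remote_group="default"),
    ],
    "icmp": [
        Rule("ingress", "IPv6", protocol="ipv6-icmp", remote_ip="::/0"),
        Rule("ingress", "IPv4", protocol="icmp", remote_ip="0.0.0.0/0"),
    ],
    "ssh": [
        Rule("ingress", "IPv4", "tcp", 22, 22, "0.0.0.0/0"),
        Rule("ingress", "IPv6", "tcp", 22, 22, "::/0"),
    ],
    "rdp": [
        Rule("ingress", "IPv4", "tcp", 3389, 3389, "0.0.0.0/0"),
        Rule("ingress", "IPv6", "tcp", 3389, 3389, "::/0"),
    ],
}


@dataclass(frozen=True)
class Packet:
    direction: str                       # seen from the port: "ingress" or "egress"
    protocol: str                        # "tcp", "udp", "icmp", "ipv6-icmp", ...
    remote_addr: str                     # address of the other endpoint
    port: Optional[int] = None           # destination port for tcp/udp
    remote_groups: FrozenSet[str] = frozenset()  # groups on the remote port, if known


def _ethertype(addr: str) -> str:
    return "IPv4" if ipaddress.ip_address(addr).version == 4 else "IPv6"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if this single allow rule covers the packet."""
    if rule.direction != pkt.direction or rule.ethertype != _ethertype(pkt.remote_addr):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.port_min is not None and (
        pkt.port is None or not rule.port_min <= pkt.port <= rule.port_max
    ):
        return False
    if rule.remote_group is not None:
        # Remote-group rules are about who sends, not from which prefix.
        return rule.remote_group in pkt.remote_groups
    if rule.remote_ip is not None:
        return ipaddress.ip_address(pkt.remote_addr) in ipaddress.ip_network(rule.remote_ip, strict=False)
    return True


def allowed(port_groups, pkt: Packet, groups=GROUPS) -> bool:
    """Deny unless some rule of some attached group matches (union semantics)."""
    return any(rule_matches(r, pkt) for g in port_groups for r in groups[g])


def matching_rules(port_groups, pkt: Packet, groups=GROUPS):
    """Which (group, rule) pairs let the packet through; useful when debugging."""
    return [(g, r) for g in port_groups for r in groups[g] if rule_matches(r, pkt)]


if __name__ == "__main__":
    # The scenario from the text: default + icmp + ssh on a Linux VM.
    vm = {"default", "icmp", "ssh"}
    print("ssh from outside:", allowed(vm, Packet("ingress", "tcp", "192.0.2.10", 22)))
    print("rdp from outside:", allowed(vm, Packet("ingress", "tcp", "192.0.2.10", 3389)))
    print("ssh with default only, from a default-group member:",
          allowed({"default"}, Packet("ingress", "tcp", "10.0.0.7", 22, frozenset({"default"}))))
```

Two behaviours worth noticing in the output: a VM carrying only the ssh group cannot open outbound connections at all, because no attached group contributes an egress rule; and a VM with only the default group still accepts SSH from another port that is itself in the default group, since the remote-group rule matches on group membership rather than on a prefix.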
List the security groups of a server
You can list the security groups associated with a server with openstack server show, e.g.:
$ openstack server show arne-sg-03
+-----------------------------+----------------------------------------------------------+
| Field | Value |
+-----------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | cern-pdc-a |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2024-07-23T14:15:02.000000 |
| OS-SRV-USG:terminated_at | None |
... |
| name | arne-sg-03 |
| progress | 0 |
| project_id | 09fce77b-5412-44b3-bd1e-120a4f2406e9 |
| properties | cern-waitdns='false' |
| security_groups | name='default' <<<<<<<<<<<<<< |
| | name='ssh' <<<<<<<<<<<<<< |
| status | ACTIVE |
| updated | 2024-07-23T14:15:03Z |
| user_id | wiebalck |
| volumes_attached | |
+-----------------------------+----------------------------------------------------------+
and then use the openstack security group rule list command shown above to understand the rules these groups bring.