When you launch a virtual machine, you can inject a key pair, which provides SSH access to your instance. You can create at least one key pair for each project. You can use the key pair for multiple instances that belong to that project. If you generate a key pair with an external tool, you can import it into OpenStack.

Add/import key pair

You can generate a key pair or upload an existing public key.

Add key pair
# To generate a key pair, run the following command. If the "--private-key" option is not given, the private key is printed to the console.
$ openstack keypair create <name> [--private-key <file>]

# If you have already generated a key pair, import its public key
$ openstack keypair create <name> --public-key <file>

To delete a key pair

Delete key pair
$ openstack keypair delete <key>

# Verify that the key has been deleted
$ openstack keypair list

Create and manage security groups

A few basic commands to manage security groups.

Manage security group
# To list the security groups for the current project
$ openstack security group list

# To create a security group with a specified name and description
$ openstack security group create <name> --description <description>

# To delete a specified group
$ openstack security group delete <group>

Note

You cannot delete the default security group for a project. Also, you cannot delete a security group that is assigned to a running instance.

Create and manage security group rules

To create, list, or delete rules for a security group, run the following commands:

Create/delete rule
$ openstack security group rule create --ingress --protocol <protocol> --dst-port <port-range> --remote-ip <ip-address> <group>

# To see the rules within a group
$ openstack security group rule list <group>

# To delete a rule, retrieve the ID from the previous command and use
$ openstack security group rule delete <rule>

Here are some examples:

Rules (examples)
# Allow SSH access to the instances from any remote IP address
$ openstack security group rule create --ingress --protocol tcp --dst-port 22 --remote-ip 0.0.0.0/0 <group>

# Open UDP ports 52 through 60 (inclusive) to the subnet 131.154.0.0/16
$ openstack security group rule create --ingress --protocol udp --dst-port 52:60 --remote-ip 131.154.0.0/16 <group>

# Allow access to the specified port only from instances that belong to another security group (the source group)
$ openstack security group rule create --ingress --protocol tcp --dst-port 80 --remote-group <source_group> <group>

# An example of an outbound rule
$ openstack security group rule create --egress --protocol tcp --dst-port 443 --remote-ip 0.0.0.0/0 <group>
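The first rule above opens SSH to every address, so it is worth checking a group for rules of that kind. The following is an added example, not part of the original page: it scans rule records shaped like the JSON output of `openstack security group rule list <group> --long -f json` and reports ingress rules that expose administrative ports to all sources. The column names, the sample records, and the `ADMIN_PORTS` set are assumptions.

```python
import ipaddress
import json

# Constructed sample shaped like `openstack security group rule list <group> --long -f json`.
# Column names are assumed; check them against your client version.
SAMPLE = json.loads("""[
 {"ID": "rule-a", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
  "Port Range": "22:22", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "rule-b", "IP Protocol": "udp", "IP Range": "131.154.0.0/16",
  "Port Range": "52:60", "Direction": "ingress", "Remote Security Group": null},
 {"ID": "rule-c", "IP Protocol": "tcp", "IP Range": null,
  "Port Range": "80:80", "Direction": "ingress", "Remote Security Group": "sg-web"},
 {"ID": "rule-d", "IP Protocol": "tcp", "IP Range": "0.0.0.0/0",
  "Port Range": "443:443", "Direction": "egress", "Remote Security Group": null},
 {"ID": "rule-e", "IP Protocol": null, "IP Range": "::/0",
  "Port Range": "", "Direction": "ingress", "Remote Security Group": null}
]""")

ADMIN_PORTS = frozenset({22, 3389})  # assumed set of ports to keep off the Internet


def port_span(text):
    """Turn "52:60" into (52, 60); an empty value means every port."""
    if not text:
        return (1, 65535)
    low, _, high = text.partition(":")
    return (int(low), int(high or low))


def world_open_ingress(rules, ports=ADMIN_PORTS):
    """Return IDs of ingress rules exposing any of `ports` over TCP to all addresses."""
    findings = []
    for rule in rules:
        if rule.get("Direction") != "ingress" or rule.get("Remote Security Group"):
            continue  # egress, or source limited to members of another group
        if rule.get("IP Protocol") not in (None, "", "any", "tcp"):
            continue  # a protocol other than TCP cannot carry SSH or RDP
        # Assumption: a rule with neither CIDR nor source group matches any source.
        cidr = rule.get("IP Range") or "0.0.0.0/0"
        if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
            continue  # restricted to a subnet or a single host
        low, high = port_span(rule.get("Port Range"))
        if any(low <= port <= high for port in ports):
            findings.append(rule["ID"])
    return findings


if __name__ == "__main__":
    print(world_open_ingress(SAMPLE))
```

Rules it reports can be removed with `openstack security group rule delete <rule>` and recreated with a narrower `--remote-ip` or a `--remote-group`.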

