
[Experience Sharing] [OpenStack] Essex


Posted on 2015-4-12 10:10:06
  
  Chapter 7. Running Virtual Machine Instances


  Contents

  Security groups: Enabling SSH and ICMP (ping)
  Adding a keypair
  Confirm all services running
  Starting an instance
  Bringing down an instance








Security groups: Enabling SSH and ICMP (ping)
  The Compute service uses the concept of security groups to control what network protocols (TCP, UDP, ICMP), ports, and IP addresses are permitted to access instances. Each tenant manages its own list of security groups and starts off with a security group called default. If no security group is specified upon boot, the virtual machine will be associated with the default security group.
  Security groups can be listed by the nova secgroup-list command.

$ nova secgroup-list
+---------+-------------+
|   Name  | Description |
+---------+-------------+
| default | default     |
+---------+-------------+
  In this example, we will use the nova secgroup-add-rule command to enable access to TCP port 22 (so we can SSH to instances). Allow access to port 22 from all IP addresses (specified in CIDR notation as 0.0.0.0/0) with the following command:

$ nova secgroup-add-rule default tcp 22 22 0.0.0.0/0
  When specifying rules for TCP and UDP protocols, you may specify a range of consecutive ports in a single rule (e.g., from port 5901 to port 5999). In this case, only a single port is being enabled, so we specify the start port as 22 and the end port as 22.
  To be able to ping virtual machine instances, you must specify a rule to allow ICMP traffic. When specifying ICMP rules, instead of specifying a begin and end port, you specify a permitted ICMP code and ICMP type. You can also specify -1 for the code to enable all codes and -1 for the type to enable all ICMP types. Allow access to all codes and types of ICMP traffic from all IP addresses with the following command:
  

$ nova secgroup-add-rule default icmp -1 -1 0.0.0.0/0
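  Both rules above admit traffic from every address, so it is worth reviewing what a group exposes before instances are booted into it. The following added example (not part of the original guide) audits the table printed by nova secgroup-list-rules; the sample table is constructed, and its column layout is assumed to match what the legacy nova client prints.

```shell
#!/bin/sh
# Added example: list security group rules that accept traffic from any address.
# Reads the table printed by `nova secgroup-list-rules <group>` on stdin.

# Constructed sample: the two rules added above plus one restricted rule.
SAMPLE_RULES='+-------------+-----------+---------+------------------+--------------+
| IP Protocol | From Port | To Port | IP Range         | Source Group |
+-------------+-----------+---------+------------------+--------------+
| icmp        | -1        | -1      | 0.0.0.0/0        |              |
| tcp         | 22        | 22      | 0.0.0.0/0        |              |
| tcp         | 5901      | 5999    | 192.168.100.0/24 |              |
+-------------+-----------+---------+------------------+--------------+'

# Print "<proto> <from>:<to> open to any address (<detail>)" per world-open rule.
audit_rules() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF < 6 { next }                          # border lines contain no cells
        {
            proto = trim($2); from = trim($3); to = trim($4); cidr = trim($5)
            if (proto == "IP Protocol") next     # header row
            if (cidr != "0.0.0.0/0") next        # source is restricted
            if (proto == "icmp") {
                # For ICMP the two port columns carry type and code; -1 is "all".
                if (from == "-1" && to == "-1") detail = "all ICMP types and codes"
                else detail = "ICMP type " from ", code " to
            } else if (from != to) detail = "port range"
            else detail = "single port"
            printf "%s %s:%s open to any address (%s)\n", proto, from, to, detail
        }'
}

# Number of world-open rules in the table on stdin.
count_open_rules() { audit_rules | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

  On a live deployment, pipe the real command output into audit_rules instead of the sample.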
  









Adding a keypair
  The Compute service can inject an SSH public key into an account on the instance, assuming the virtual machine image being used supports this. To add a keypair to the Compute service, use the nova keypair-add command. This command can be used to either generate a new keypair, or to upload an existing public key. The following example uploads an existing public key, located at ~/.ssh/id_rsa.pub, and gives the keypair the name mykey.

$ nova keypair-add --pub_key ~/.ssh/id_rsa.pub mykey
  List the keypairs by doing:

$ nova keypair-list
+-------+-------------------------------------------------+
|  Name |                   Fingerprint                   |
| mykey | c3:d2:b5:d3:ec:4a:29:b0:22:32:6e:34:dd:91:f9:cf |
+-------+-------------------------------------------------+
  Confirm that the uploaded keypair matches your local key by checking your key's fingerprint with the ssh-keygen command:

$ ssh-keygen -l -f ~/.ssh/id_rsa.pub
2048 c3:d2:b5:d3:ec:4a:29:b0:22:32:6e:34:dd:91:f9:cf /home/myaccount/.ssh/id_rsa.pub (RSA)
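  Newer OpenSSH releases print a SHA256 fingerprint by default, so the comparison above needs ssh-keygen -E md5 -l -f to produce the colon-separated MD5 form that nova keypair-list shows. The following added example (not part of the original guide) automates the comparison over the outputs shown above; the MD5:-prefixed and SHA256 lines are constructed samples.

```shell
#!/bin/sh
# Added example: compare the fingerprint Compute stores with the local key's.

# The table and the first ssh-keygen line are the outputs shown above. The
# other two lines are constructed: what newer OpenSSH prints with and without
# `-E md5` (the SHA256 value is a placeholder, not a real digest).
NOVA_TABLE='+-------+-------------------------------------------------+
|  Name |                   Fingerprint                   |
+-------+-------------------------------------------------+
| mykey | c3:d2:b5:d3:ec:4a:29:b0:22:32:6e:34:dd:91:f9:cf |
+-------+-------------------------------------------------+'
KEYGEN_LEGACY='2048 c3:d2:b5:d3:ec:4a:29:b0:22:32:6e:34:dd:91:f9:cf /home/myaccount/.ssh/id_rsa.pub (RSA)'
KEYGEN_MD5='2048 MD5:c3:d2:b5:d3:ec:4a:29:b0:22:32:6e:34:dd:91:f9:cf myaccount@myhost (RSA)'
KEYGEN_SHA256='2048 SHA256:PLACEHOLDERnotARealDigest myaccount@myhost (RSA)'

# Fingerprint column for keypair $1 from `nova keypair-list` output on stdin.
nova_fingerprint() {
    awk -F'|' -v name="$1" '
        NF >= 4 { n = $2; f = $3; gsub(/ /, "", n); gsub(/ /, "", f)
                  if (n == name) print tolower(f) }'
}

# Fingerprint field of an `ssh-keygen -l` line on stdin, without "MD5:".
local_fingerprint() {
    awk '{ fp = $2; sub(/^MD5:/, "", fp); print tolower(fp) }'
}

# True only for 16 colon-separated hex bytes, so a SHA256 value never matches.
is_md5_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'
}

# keypair_matches NAME NOVA_OUTPUT KEYGEN_LINE -> exit status 0 on a match.
keypair_matches() {
    stored=$(printf '%s\n' "$2" | nova_fingerprint "$1")
    mine=$(printf '%s\n' "$3" | local_fingerprint)
    is_md5_fingerprint "$stored" && is_md5_fingerprint "$mine" &&
        [ "$stored" = "$mine" ]
}

if keypair_matches mykey "$NOVA_TABLE" "$KEYGEN_MD5"; then
    echo "mykey: stored fingerprint matches the local key"
else
    echo "mykey: MISMATCH, do not boot instances with this keypair" >&2
fi
```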








Confirm all services running
  Before trying to start an instance, confirm that all of the necessary services are running, in particular:


nova-api  The nova-api service must be running to respond to the request to boot an instance, as well as to serve as the metadata server so that the instance can retrieve the public key uploaded in a previous section. If the nova commands in the previous section succeeded, then the service is running.

nova-scheduler  The nova-scheduler service must be running in order to dispatch requests for a new virtual machine instance to a host running the nova-compute service that has sufficient resources.

nova-compute  The nova-compute service must be running in order to interact with the hypervisor to bring up a virtual machine instance.

nova-network  The nova-network service must be running in order to perform networking tasks such as assigning an IP address to the virtual machine instance and implementing the security group rules.

  The nova-manage service list command can be used to confirm that these services are running properly.



  Note: The nova-manage service list command does not indicate whether the nova-api service is running.

  As root:

# nova-manage service list
Binary           Host                               Zone             Status     State Updated_At
nova-compute     myhost-1                            nova             enabled    :-)   2012-05-27 12:36:35
nova-network     myhost-1                            nova             enabled    :-)   2012-05-27 12:36:28
nova-scheduler   myhost-1                            nova             enabled    :-)   2012-05-27 12:36:33
  If any of the services are missing in your configuration, or the State column does not show a smiley face, then your Compute service will not be able to launch an instance.









Starting an instance
  To start an instance, we need to specify a flavor, also known as an instance type, which indicates the size of an instance. Use the nova flavor-list command to view the list of available flavors:

$ nova flavor-list
+----+-----------+-----------+------+-----------+------+-------+-------------+
| ID |    Name   | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+-----------+------+-------+-------------+
| 1  | m1.tiny   | 512       | 0    | 0         |      | 1     | 1.0         |
| 2  | m1.small  | 2048      | 15   | 15        |      | 1     | 1.0         |
| 3  | m1.medium | 4096      | 25   | 25        |      | 2     | 1.0         |
| 4  | m1.large  | 8192      | 45   | 45        |      | 4     | 1.0         |
| 5  | m1.xlarge | 16384     | 85   | 85        |      | 8     | 1.0         |
+----+-----------+-----------+------+-----------+------+-------+-------------+
  We also need to specify the image. Use the nova image-list command to retrieve the ID of the CirrOS image.

$ nova image-list
+--------------------------------------+----------------------------------------+--------+--------------------------------------+
|                  ID                  |                  Name                  | Status |                Server                |
+--------------------------------------+----------------------------------------+--------+--------------------------------------+
| f4addd24-4e8a-46bb-b15d-fae2591f1a35 | cirros-0.3.0-x86_64                    | ACTIVE |                                      |
+--------------------------------------+----------------------------------------+--------+--------------------------------------+
  Use the nova boot command to launch a new virtual machine instance. We'll use an m1.small instance in this example, using the CirrOS image, and the mykey keypair we added. We also need to give this virtual machine instance a name; we'll call it cirros. We will explicitly specify the default security group in this example, although this isn't strictly necessary since the default group will be used if no security group is specified.

$ nova boot --flavor 2 --image f4addd24-4e8a-46bb-b15d-fae2591f1a35 --key_name mykey --security_group default cirros
+-------------------------------------+----------------------------------------------------------+
|               Property              |                          Value                           |
+-------------------------------------+----------------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                                   |
| OS-EXT-SRV-ATTR:host                | host-1                                                   |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                                     |
| OS-EXT-SRV-ATTR:instance_name       | instance-00000001                                        |
| OS-EXT-STS:power_state              | 0                                                        |
| OS-EXT-STS:task_state               | scheduling                                               |
| OS-EXT-STS:vm_state                 | building                                                 |
| accessIPv4                          |                                                          |
| accessIPv6                          |                                                          |
| adminPass                           | RG3W2bpZDbCo                                             |
| config_drive                        |                                                          |
| created                             | 2012-05-27T13:00:33Z                                     |
| flavor                              | m1.small                                                 |
| hostId                              | a2fd457e034c030506bac5c790c38d9519ea7a03b6861474a712c6b7 |
| id                                  | c6bbbf26-b40a-47e7-8d5c-eb17bf65c485                     |
| image                               | cirros-0.3.0-x86_64                                      |
| key_name                            | mykey                                                    |
| metadata                            | {}                                                       |
| name                                | cirros                                                   |
| progress                            | 0                                                        |
| status                              | BUILD                                                    |
| tenant_id                           | b5815b046cfe47bb891a7b64119e7f80                         |
| updated                             | 2012-05-27T13:00:33Z                                     |
| user_id                             | a4c2d43f80a549a19864c89d759bb3fe                         |
+-------------------------------------+----------------------------------------------------------+
  Check the progress of the instance with the nova list command. When the instance has booted, the command output will look something like:

$ nova list
+--------------------------------------+-----------------------+--------+------------------------------------------+
|                  ID                  |          Name         | Status |                 Networks                 |
+--------------------------------------+-----------------------+--------+------------------------------------------+
| c6bbbf26-b40a-47e7-8d5c-eb17bf65c485 | cirros                | ACTIVE | private=192.168.100.5                    |
+--------------------------------------+-----------------------+--------+------------------------------------------+
  You can view the boot messages of the instance using the nova console-log command:

$ nova console-log cirros
...
Starting network...
udhcpc (v1.18.5) started
Sending discover...
Sending select for 192.168.100.5...
Lease of 192.168.100.5 obtained, lease time 120
deleting routers
route: SIOCDELRT: No such process
adding dns 192.168.100.4
cloud-setup: checking http://169.254.169.254/2009-04-04/meta-data/instance-id
cloud-setup: successful after 1/30 tries: up 1.45. iid=i-00000001
Starting dropbear sshd: generating rsa key... generating dsa key... OK
===== cloud-final: system completely up in 1.77 seconds ====
instance-id: i-00000001
public-ipv4:
local-ipv4 : 192.168.100.5
cloud-userdata: user data not a script
____               ____  ____
/ __/ __ ____ ____ / __ \/ __/
/ /__ / // __// __// /_/ /\ \
\___//_//_/  /_/   \____/___/
http://launchpad.net/cirros

login as 'cirros' user. default password: 'cubswin:)'. use 'sudo' for root.
cirros login:
  You should be able to ping your instance:
  

$ ping -c5 192.168.100.5
PING 192.168.100.5 (192.168.100.5) 56(84) bytes of data.
64 bytes from 192.168.100.5: icmp_req=1 ttl=64 time=0.270 ms
64 bytes from 192.168.100.5: icmp_req=2 ttl=64 time=0.228 ms
64 bytes from 192.168.100.5: icmp_req=3 ttl=64 time=0.244 ms
64 bytes from 192.168.100.5: icmp_req=4 ttl=64 time=0.203 ms
64 bytes from 192.168.100.5: icmp_req=5 ttl=64 time=0.210 ms
--- 192.168.100.5 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.203/0.231/0.270/0.024 ms
  
  You should be able to ssh to your instance as the cirros user, using either the ssh keypair you uploaded or using the password cubswin:)

$ ssh cirros@192.168.100.5
The authenticity of host '192.168.100.5 (192.168.100.5)' can't be established.
RSA key fingerprint is c2:0a:95:d4:e7:e1:a6:a2:6a:99:4d:b8:f9:66:13:64.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.5' (RSA) to the list of known hosts.
cirros@192.168.100.5's password: cubswin:)
$








Bringing down an instance
  Bring down your instance using the nova delete command:

$ nova delete c6bbbf26-b40a-47e7-8d5c-eb17bf65c485
