.. include::
`Home `__ |raquo| Security hardening for OpenStack-Ansible
Getting started
===============
The openstack-ansible-security role can be used along with the
`OpenStack-Ansible`_ project or as a standalone role that can be used along
with other Ansible playbooks.
.. _OpenStack-Ansible: https://github.com/openstack/openstack-ansible/
Using with OpenStack-Ansible
----------------------------
Starting with the Mitaka release, OpenStack-Ansible installs the
openstack-ansible-security role automatically. It's disabled by default for
deployments and can be enabled with an Ansible variable:
.. code-block:: yaml
apply_security_hardening: true
If the variable is set, the security hardening configurations will be applied
automatically on new builds that use the ``scripts/run_playbooks.sh`` script
provided with OpenStack-Ansible. However, the role can be applied anytime by
using the playbook provided with OpenStack-Ansible:
.. code-block:: bash
cd /opt/openstack-ansible/playbooks/
openstack-ansible -e "apply_security_hardening=true" security-hardening.yml
For more information, refer to the OpenStack-Ansible documentation on
`configuring security hardening`_.
.. _configuring security hardening: http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-initial.html
Using as a standalone role
--------------------------
There are several options for using openstack-ansible-security as a standalone
role or along with another existing project. Here are two fairly easy methods:
* Add openstack-ansible-security as a git submodule in the roles directory
of an existing Ansible project
* Clone the role into ``/etc/ansible/roles/`` on any system and write a custom
playbook and hosts inventory file
The playbook for openstack-ansible-security can be fairly simple, depending
on the configuration of the systems:
.. code-block:: yaml
---
- name: Run openstack-ansible-security
hosts: webservers
user: root
roles:
- openstack-ansible-security
This playbook will run the tasks in the openstack-ansible-security role against
all hosts in the ``webservers`` group (as defined in an inventory file).