Home OpenStack-Ansible Installation Guide
The OpenStack-Ansible project provides several security features for OpenStack deployments. This section of documentation covers those features and how they can benefit deployers of various sizes.
Security requirements always differ between deployers. If you require additional security measures, refer to the official OpenStack Security Guide for additional resources.
The Linux kernel offers multiple security modules (LSMs) that set mandatory access controls (MAC) on Linux systems. The OpenStack-Ansible project configures AppArmor. AppArmor is a Linux security module that provides additional security on LXC container hosts. AppArmor allows administrators to set specific limits and policies around what resources a particular application can access. Any activity outside the allowed policies is denied at the kernel level.
AppArmor profiles that are applied in OpenStack-Ansible limit the actions that each LXC container may take on a system. This is done within the lxc_hosts role.
While in transit, data is encrypted between some OpenStack services in OpenStack-Ansible deployments. Not all communication between all services is encrypted. For more details on what traffic is encrypted, and how to configure SSL certificates, refer to the documentation section titled Securing services with SSL certificates.
Deployers can apply security hardening to OpenStack infrastructure and compute hosts using the openstack-ansible-security role. The purpose of the role is to apply as many security configurations as possible without disrupting the operation of an OpenStack deployment.
Refer to the documentation on Security hardening for more information on the role and how to enable it in OpenStack-Ansible.
The principle of least privilege is used throughout OpenStack-Ansible to limit the damage that could be caused if an attacker gained access to a set of credentials.
OpenStack-Ansible configures unique username and password combinations for each service that talks to RabbitMQ and Galera/MariaDB. Each service that connects to RabbitMQ uses a separate virtual host for publishing and consuming messages. The MariaDB users for each service are only granted access to the database(s) that they need to query.
OpenStack environments expose many service ports and API endpoints to the network.
Note
Deployers must limit access to these resources and expose them only to trusted users and networks.
The resources within an OpenStack environment can be divided into two groups:
To manage instances, you are able to access certain public API endpoints, such as the Nova or Neutron API. Configure firewalls to limit network access to these services.
Other services, such as MariaDB and RabbitMQ, must be segmented away from direct user access. You must configure a firewall to only allow connectivity to these services within the OpenStack environment itself. This reduces an attacker’s ability to query or manipulate data in OpenStack’s critical database and queuing services, especially if one of these services has a known vulnerability.
For more details on recommended network policies for OpenStack clouds, refer to the API endpoint process isolation and policy section from the OpenStack Security Guide