Docs: Update integration with OSA
This patch updates the openstack-ansible-security documentation to match the documentation provided with OpenStack-Ansible. Closes-bug: 1538557 Change-Id: I63dc6a3836b7ffa35886253606b63d3aa34d0c2f
This commit is contained in:
Major Hayden
parent
62e1600993
commit
f74d72e85e
@ -1,96 +1,40 @@
|
|||||||
.. include:: <xhtml1-lat1.txt>
|
.. include:: <xhtml1-lat1.txt>
|
||||||
`Home <index.html>`__ |raquo| Security hardening for openstack-ansible
|
`Home <index.html>`__ |raquo| Security hardening for OpenStack-Ansible
|
||||||
|
|
||||||
Getting started
|
Getting started
|
||||||
===============
|
===============
|
||||||
|
|
||||||
The openstack-ansible-security role can be used along with the
|
The openstack-ansible-security role can be used along with the
|
||||||
`openstack-ansible`_ project or as a standalone role that can be used along
|
`OpenStack-Ansible`_ project or as a standalone role that can be used along
|
||||||
with other Ansible playbooks.
|
with other Ansible playbooks.
|
||||||
|
|
||||||
Using with openstack-ansible
|
.. _OpenStack-Ansible: https://github.com/openstack/openstack-ansible/
|
||||||
|
|
||||||
|
Using with OpenStack-Ansible
|
||||||
----------------------------
|
----------------------------
|
||||||
|
|
||||||
This portion of the guide assumes that openstack-ansible is already cloned
|
Starting with the Mitaka release, OpenStack-Ansible installs the
|
||||||
into ``/opt/openstack-ansible`` and it has been properly configured. Start by
|
openstack-ansible-security role automatically. It's disabled by default for
|
||||||
cloning openstack-ansible-security into Ansible's default role location::
|
deployments and can be enabled with an Ansible variable:
|
||||||
|
|
||||||
git clone https://github.com/openstack/openstack-ansible-security \
|
|
||||||
/etc/ansible/roles/openstack-ansible-security
|
|
||||||
|
|
||||||
Before getting started, review the ``defaults/main.yml`` file from the
|
|
||||||
openstack-ansible-security repository. There are some documented options there
|
|
||||||
for changes which may require opt-in or opt-out configuration. Some options
|
|
||||||
can be adjusted depending on the security level of a particular environment.
|
|
||||||
|
|
||||||
Create a directory to hold an Ansible configuration file and a small playbook::
|
|
||||||
|
|
||||||
mkdir /opt/openstack-ansible-security
|
|
||||||
cd /opt/openstack-ansible-security
|
|
||||||
|
|
||||||
Create a small Ansible playbook at
|
|
||||||
``/opt/openstack-ansible-security/os-security.yml``:
|
|
||||||
|
|
||||||
.. code-block:: yaml
|
.. code-block:: yaml
|
||||||
|
|
||||||
---
|
apply_security_hardening: true
|
||||||
|
|
||||||
- name: Run openstack-ansible-security
|
If the variable is set, the security hardening configurations will be applied
|
||||||
hosts: "{{ host_group|default('hosts') }}"
|
automatically on new builds that use the ``scripts/run_playbooks.sh`` script
|
||||||
user: root
|
provided with OpenStack-Ansible. However, the role can be applied anytime by
|
||||||
roles:
|
using the playbook provided with OpenStack-Ansible:
|
||||||
- openstack-ansible-security
|
|
||||||
|
|
||||||
Add an Ansible configuration file so that your playbook can use
|
.. code-block:: bash
|
||||||
openstack-ansible's dynamic inventory. Create a new file at
|
|
||||||
``/opt/openstack-ansible-security/ansible.cfg``::
|
|
||||||
|
|
||||||
[defaults]
|
cd /opt/openstack-ansible/playbooks/
|
||||||
gathering = smart
|
openstack-ansible -e "apply_security_hardening=true" security-hardening.yml
|
||||||
host_key_checking = False
|
|
||||||
|
|
||||||
# SSH timeout
|
For more information, refer to the OpenStack-Ansible documentation on
|
||||||
timeout = 120
|
`configuring security hardening`_.
|
||||||
|
|
||||||
# Set the path to the folder in openstack-ansible which holds the dynamic
|
.. _configuring security hardening: http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-initial.html
|
||||||
# inventory script - new config setting for ansible v1.9 and above
|
|
||||||
inventory = ../openstack-ansible/playbooks/inventory/
|
|
||||||
|
|
||||||
# Set the path to the folder in openstack-ansible which holds the dynamic
|
|
||||||
# inventory script - uncomment if using ansible below v1.9
|
|
||||||
#hostfile = ../openstack-ansible/playbooks/inventory/
|
|
||||||
|
|
||||||
# Set the path to the folder in openstack-ansible which holds the
|
|
||||||
# libraries required
|
|
||||||
library = ../openstack-ansible/playbooks/library/
|
|
||||||
|
|
||||||
# Set the path to the folder in openstack-ansible which holds the
|
|
||||||
# lookup plugins required
|
|
||||||
lookup_plugins = ../openstack-ansible/playbooks/plugins/lookups/
|
|
||||||
|
|
||||||
# Set the path to the folder in openstack-ansible which holds the filter
|
|
||||||
# plugins required
|
|
||||||
filter_plugins = ../openstack-ansible/playbooks/plugins/filters/
|
|
||||||
|
|
||||||
# Set the path to the folder in openstack-ansible which holds the action
|
|
||||||
# plugins required
|
|
||||||
action_plugins = ../openstack-ansible/playbooks/plugins/actions/
|
|
||||||
|
|
||||||
[ssh_connection]
|
|
||||||
pipelining = True
|
|
||||||
|
|
||||||
Run the playbook::
|
|
||||||
|
|
||||||
cd /opt/openstack-ansible-security/
|
|
||||||
openstack-ansible os-security.yml
|
|
||||||
|
|
||||||
There are lots of tags throughout the tasks in the role that will allow
|
|
||||||
deployers to select certain tasks or groups of tasks to run. For example, just
|
|
||||||
the ``auditd`` improvements can be deployed by using the appropriate tag::
|
|
||||||
|
|
||||||
openstack-ansible os-security.yml -t auditd
|
|
||||||
|
|
||||||
.. _openstack-ansible: https://github.com/openstack/openstack-ansible/
|
|
||||||
|
|
||||||
Using as a standalone role
|
Using as a standalone role
|
||||||
--------------------------
|
--------------------------
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user