openstack/ansible-hardening
Code Issues Proposed changes

Docs: Update integration with OSA

Browse Source 
This patch updates the openstack-ansible-security documentation to match
the documentation provided with OpenStack-Ansible.

Closes-bug: 1538557

Change-Id: I63dc6a3836b7ffa35886253606b63d3aa34d0c2f
This commit is contained in:
Major Hayden 2016-02-03 09:11:02 -06:00
parent 62e1600993
commit f74d72e85e
1 changed files with 19 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
doc/source/getting-started.rst
View File

@ -1,96 +1,40 @@
.. include:: <xhtml1-lat1.txt> .. include:: <xhtml1-lat1.txt>
`Home <index.html>`__ |raquo| Security hardening for openstack-ansible `Home <index.html>`__ |raquo| Security hardening for OpenStack-Ansible
Getting started Getting started
=============== ===============
The openstack-ansible-security role can be used along with the The openstack-ansible-security role can be used along with the
`openstack-ansible`_ project or as a standalone role that can be used along `OpenStack-Ansible`_ project or as a standalone role that can be used along
with other Ansible playbooks. with other Ansible playbooks.
Using with openstack-ansible .. _OpenStack-Ansible: https://github.com/openstack/openstack-ansible/
Using with OpenStack-Ansible
---------------------------- ----------------------------
This portion of the guide assumes that openstack-ansible is already cloned Starting with the Mitaka release, OpenStack-Ansible installs the
into ``/opt/openstack-ansible`` and it has been properly configured. Start by openstack-ansible-security role automatically. It's disabled by default for
cloning openstack-ansible-security into Ansible's default role location:: deployments and can be enabled with an Ansible variable:
git clone https://github.com/openstack/openstack-ansible-security \
/etc/ansible/roles/openstack-ansible-security
Before getting started, review the ``defaults/main.yml`` file from the
openstack-ansible-security repository. There are some documented options there
for changes which may require opt-in or opt-out configuration. Some options
can be adjusted depending on the security level of a particular environment.
Create a directory to hold an Ansible configuration file and a small playbook::
mkdir /opt/openstack-ansible-security
cd /opt/openstack-ansible-security
Create a small Ansible playbook at
``/opt/openstack-ansible-security/os-security.yml``:
.. code-block:: yaml .. code-block:: yaml
--- apply_security_hardening: true
- name: Run openstack-ansible-security If the variable is set, the security hardening configurations will be applied
hosts: "{{ host_group|default('hosts') }}" automatically on new builds that use the ``scripts/run_playbooks.sh`` script
user: root provided with OpenStack-Ansible. However, the role can be applied anytime by
roles: using the playbook provided with OpenStack-Ansible:
- openstack-ansible-security
Add an Ansible configuration file so that your playbook can use .. code-block:: bash
openstack-ansible's dynamic inventory. Create a new file at
``/opt/openstack-ansible-security/ansible.cfg``::
[defaults] cd /opt/openstack-ansible/playbooks/
gathering = smart openstack-ansible -e "apply_security_hardening=true" security-hardening.yml
host_key_checking = False
# SSH timeout For more information, refer to the OpenStack-Ansible documentation on
timeout = 120 `configuring security hardening`_.
# Set the path to the folder in openstack-ansible which holds the dynamic .. _configuring security hardening: http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-initial.html
# inventory script - new config setting for ansible v1.9 and above
inventory = ../openstack-ansible/playbooks/inventory/
# Set the path to the folder in openstack-ansible which holds the dynamic
# inventory script - uncomment if using ansible below v1.9
#hostfile = ../openstack-ansible/playbooks/inventory/
# Set the path to the folder in openstack-ansible which holds the
# libraries required
library = ../openstack-ansible/playbooks/library/
# Set the path to the folder in openstack-ansible which holds the
# lookup plugins required
lookup_plugins = ../openstack-ansible/playbooks/plugins/lookups/
# Set the path to the folder in openstack-ansible which holds the filter
# plugins required
filter_plugins = ../openstack-ansible/playbooks/plugins/filters/
# Set the path to the folder in openstack-ansible which holds the action
# plugins required
action_plugins = ../openstack-ansible/playbooks/plugins/actions/
[ssh_connection]
pipelining = True
Run the playbook::
cd /opt/openstack-ansible-security/
openstack-ansible os-security.yml
There are lots of tags throughout the tasks in the role that will allow
deployers to select certain tasks or groups of tasks to run. For example, just
the ``auditd`` improvements can be deployed by using the appropriate tag::
openstack-ansible os-security.yml -t auditd
.. _openstack-ansible: https://github.com/openstack/openstack-ansible/
Using as a standalone role Using as a standalone role
-------------------------- --------------------------