Mark Goddard d2d4b53d47 libvirt: support SASL authentication
In Kolla Ansible OpenStack deployments, by default, libvirt is
configured to allow read-write access via an unauthenticated,
unencrypted TCP connection, using the internal API network.  This is to
facilitate migration between hosts.

By default, Kolla Ansible does not use encryption for services on the
internal network (and did not support it until Ussuri). However, most
other services on the internal network are at least authenticated
(usually via passwords), ensuring that they cannot be used by anyone
with access to the network, unless they have credentials.

The main issue here is the lack of authentication. Any client with
access to the internal network is able to connect to the libvirt TCP
port and make arbitrary changes to the hypervisor. This could include
starting a VM, modifying an existing VM, etc. Given the flexibility of
the domain options, it could be seen as equivalent to having root access
to the hypervisor.

Kolla Ansible supports libvirt TLS [1] since the Train release, using
client and server certificates for mutual authentication and encryption.
However, this feature is not enabled by default, and requires
certificates to be generated for each compute host.

This change adds support for libvirt SASL authentication, and enables it
by default. This provides a base level of security. Deployments requiring
further security should use libvirt TLS.

[1] https://docs.openstack.org/kolla-ansible/latest/reference/compute/libvirt-guide.html#libvirt-tls

Depends-On: https://review.opendev.org/c/openstack/kolla/+/833021
Closes-Bug: #1964013
Change-Id: Ia91ceeb609e4cdb144433122b443028c0278b71e
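The configuration state the commit message describes (a read-write TCP listener with no authentication, versus the same listener protected by SASL) can be checked on a compute host by reading libvirtd.conf. The script below is an added example, not code from the Kolla Ansible change or the project; it assumes the standard libvirtd.conf `key = value` syntax with the `listen_tcp` and `auth_tcp` keys, and the three configuration files it inspects are constructed samples written to temporary files.

```shell
#!/bin/sh
# Added example (not part of the Kolla Ansible change): classify a
# libvirtd.conf according to whether its TCP listener requires
# authentication. The sample files below are constructed for the demo.

# Print the last uncommented "KEY = value" assignment in FILE, with any
# surrounding double quotes stripped; prints nothing when KEY is not set.
conf_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"?([^\"#[:space:]]*)\"?.*$/\1/p" "$1" | tail -n 1
}

# Classify FILE. Output is one of:
#   tcp-disabled         no TCP listener (listen_tcp is not 1)
#   tcp-unauthenticated  TCP listener with auth_tcp = "none" (the pre-change state)
#   tcp-sasl             TCP listener with auth_tcp = "sasl"
#   tcp-auth-default     TCP listener, auth_tcp unset (libvirt's built-in default applies)
#   tcp-auth-other       TCP listener with some other auth_tcp value
audit_libvirtd_conf() {
    listen=$(conf_value "$1" listen_tcp)
    auth=$(conf_value "$1" auth_tcp)
    if [ "$listen" != "1" ]; then
        echo tcp-disabled
        return 0
    fi
    case "$auth" in
        none) echo tcp-unauthenticated ;;
        sasl) echo tcp-sasl ;;
        "")   echo tcp-auth-default ;;
        *)    echo tcp-auth-other ;;
    esac
}

# Constructed sample configurations (assumption: plain libvirtd.conf syntax).
TMPDIR=${TMPDIR:-/tmp}
UNAUTH_CONF=$(mktemp "$TMPDIR/libvirtd.XXXXXX")
SASL_CONF=$(mktemp "$TMPDIR/libvirtd.XXXXXX")
TLS_ONLY_CONF=$(mktemp "$TMPDIR/libvirtd.XXXXXX")
trap 'rm -f "$UNAUTH_CONF" "$SASL_CONF" "$TLS_ONLY_CONF"' EXIT

cat > "$UNAUTH_CONF" <<'EOF'
# constructed sample: read-write TCP listener, no authentication
listen_tls = 0
listen_tcp = 1
auth_tcp = "none"
EOF

cat > "$SASL_CONF" <<'EOF'
# constructed sample: the same listener, SASL required
listen_tls = 0
listen_tcp = 1
#auth_tcp = "none"
auth_tcp = "sasl"
EOF

cat > "$TLS_ONLY_CONF" <<'EOF'
# constructed sample: TLS listener only, TCP listener not enabled
listen_tls = 1
listen_tcp = 0
auth_tls = "none"
EOF

for f in "$UNAUTH_CONF" "$SASL_CONF" "$TLS_ONLY_CONF"; do
    printf '%s: %s\n' "$f" "$(audit_libvirtd_conf "$f")"
done
```

Only an explicit `auth_tcp = "none"` is reported as unauthenticated; when the key is absent the script reports `tcp-auth-default` rather than guessing which default the installed libvirt version applies, so an operator knows to confirm it for that version.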
2022-03-10 16:57:16 +00:00

Kolla Ansible


Kolla Ansible is a deliverable project separate from the Kolla project.

Kolla Ansible deploys OpenStack services and infrastructure components in Docker containers.

Kolla's mission statement is:

To provide production-ready containers and deployment tools for operating
OpenStack clouds.

Kolla is highly opinionated out of the box, but allows for complete customization. This permits operators with little experience to deploy OpenStack quickly and as experience grows modify the OpenStack configuration to suit the operator's exact requirements.

Getting Started

Learn about Kolla Ansible by reading the online documentation.

Get started by reading the Developer Quickstart.

OpenStack services

Kolla Ansible deploys containers for the following OpenStack projects:

Infrastructure components

Kolla Ansible deploys containers for the following infrastructure components:

Directories

  • ansible - Contains Ansible playbooks to deploy OpenStack services and infrastructure components in Docker containers.
  • contrib - Contains demo scenarios for Heat, Magnum and Tacker and a development environment for Vagrant.
  • doc - Contains documentation.
  • etc - Contains a reference etc directory structure which requires configuration of a small number of configuration variables to achieve a working All-in-One (AIO) deployment.
  • kolla_ansible - Contains password generation script.
  • releasenotes - Contains release notes for all features added in Kolla Ansible.
  • specs - Contains the Kolla Ansible community's key arguments about architectural shifts in the code base.
  • tests - Contains functional testing tools.
  • tools - Contains tools for interacting with Kolla Ansible.
  • zuul.d - Contains project gate job definitions.

Getting Involved

Need a feature? Find a bug? Let us know! Contributions are much appreciated and should follow the standard Gerrit workflow.

  • We communicate using the #openstack-kolla irc channel.
  • File bugs, blueprints, track releases, etc on Launchpad.
  • Attend weekly meetings.
  • Contribute code.

Contributors

Check out who's contributing code and contributing reviews.

Notices

Docker and the Docker logo are trademarks or registered trademarks of Docker, Inc. in the United States and/or other countries. Docker, Inc. and other parties may also have trademark rights in other terms used herein.

Description
Ansible deployment of the Kolla containers