4177548409
This documentation explains the security measures which are already in place in all openstack-ansible deployments. As the security-hardening role grows, this section will have additional details around the security improvements within the openstack-ansible project. Implements: blueprint security-hardening Closes-Bug: 1500564 Change-Id: Ia95bad57ba4a096f8fe85049421e58e4412b524a
2.0 KiB
Home OpenStack Ansible Installation Guide
Security
The openstack-ansible project provides provides several security features for OpenStack deployments. This section of documentation covers some of those features and how they can benefit deployers of various sizes.
Security requirements will always differ between deployers. For deployers that need additional security measures in place, please refer to the official OpenStack Security Guide for additional resources.
AppArmor
The Linux kernel offers multiple security modules (LSMs) that that set mandatory access controls (MAC) on Linux systems. The openstack-ansible project configures AppArmor, a Linux security module, to provide additional security on LXC container hosts. AppArmor allows administrators to set specific limits and policies around what resources a particular application can access. Any activity outside the allowed policies is denied at the kernel level.
In openstack-ansible, AppArmor profiles are applied that limit the actions that each LXC container may take on a system. This is done within the lxc_hosts role.
Encrypted communication
Data is encrypted while in transit between some OpenStack services in openstack-ansible deployments. Not all communication between all services is currently encrypted. For more details on what traffic is encrypted, and how to configure SSL certificates, refer to the documentation section titled Securing services with SSL certificates.