
Link to the "Secure live migration with QEMU-native TLS" document from other relevant guides, and small blurbs of text where appropriate.

Blueprint: support-qemu-native-tls-for-live-migration
Change-Id: I9c6676897d27254e2e16bf7e36a74bf9f3da3832
Signed-off-by: Kashyap Chamarthy <kchamart@redhat.com>
Security hardening
OpenStack Compute can be integrated with various third-party technologies to increase security. For more information, see the OpenStack Security Guide.
Encrypt Compute metadata traffic
Enabling SSL encryption
OpenStack supports encrypting Compute metadata traffic with HTTPS.
Enable SSL encryption in the metadata_agent.ini file.
Enable the HTTPS protocol.
nova_metadata_protocol = https
Determine whether insecure SSL connections are accepted for Compute metadata server requests. The default value is False.
nova_metadata_insecure = False
Specify the path to the client certificate.
nova_client_cert = PATH_TO_CERT
Specify the path to the private key.
nova_client_priv_key = PATH_TO_KEY
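As an added example (not part of the original guide or of the Neutron/Nova code), the following script parses a metadata_agent.ini and reports which of the four settings above are left in a weak state. It assumes the options live in the [DEFAULT] section; the certificate paths in the sample files are constructed.

```python
import configparser

# Constructed sample metadata_agent.ini contents (not taken from the guide):
# one hardened variant and one with weak settings, using the option names
# documented above.
HARDENED_INI = """
[DEFAULT]
nova_metadata_protocol = https
nova_metadata_insecure = False
nova_client_cert = /etc/neutron/certs/metadata-client.crt
nova_client_priv_key = /etc/neutron/certs/metadata-client.key
"""

WEAK_INI = """
[DEFAULT]
nova_metadata_protocol = https
nova_metadata_insecure = True
nova_client_cert =
"""


def audit_metadata_agent(ini_text: str) -> list[str]:
    """Return findings for the agent's Compute-facing transport settings.

    An empty list means the configuration matches the guide's recommendation:
    HTTPS, server certificate verification enabled, and a client certificate
    plus private key configured. Assumes the options live in [DEFAULT].
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    section = cfg["DEFAULT"]
    findings = []

    # Anything other than https means metadata traffic to Compute is cleartext.
    protocol = section.get("nova_metadata_protocol", "http").strip().lower()
    if protocol != "https":
        findings.append(f"nova_metadata_protocol is {protocol!r}; traffic is unencrypted")

    # Default is False (per the guide); True disables server certificate checks.
    if section.getboolean("nova_metadata_insecure", fallback=False):
        findings.append("nova_metadata_insecure = True: server certificate is not verified")

    # Both halves of the client credential must be present.
    for option in ("nova_client_cert", "nova_client_priv_key"):
        if not section.get(option, "").strip():
            findings.append(f"{option} is unset; no client certificate can be presented")

    return findings
```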
Securing live migration streams with QEMU-native TLS
It is strongly recommended to secure all the different live migration
streams of a nova instance—i.e. guest RAM, device state, and disks (via
NBD) when using non-shared storage. For further details on how to set
this up, refer to the secure-live-migration-with-qemu-native-tls
document.