nova/doc/source/admin/security.rst
Stephen Finucane 04b8693703 docs: Fold in MDS security flaw doc
There's no real need for this to exist as its own standalone document
now that we have a separate CPU models doc. Combine them.

Change-Id: I3a3e19b1f2660dd773fd3d47332abadc0c0e5c55
Signed-off-by: Stephen Finucane <stephenfin@redhat.com>
2021-03-23 11:16:14 +00:00

Security hardening

OpenStack Compute can be integrated with various third-party technologies to increase security. For more information, see the OpenStack Security Guide.

Encrypt Compute metadata traffic

Enabling SSL encryption

OpenStack supports encrypting Compute metadata traffic with HTTPS. Enable SSL encryption in the metadata_agent.ini file.

1. Enable the HTTPS protocol.

   nova_metadata_protocol = https

2. Specify whether insecure SSL connections (server certificates that cannot be verified) are accepted for Compute metadata server requests. The default value is False.

   nova_metadata_insecure = False

3. Specify the path to the client certificate.

   nova_client_cert = PATH_TO_CERT

4. Specify the path to the private key.

   nova_client_priv_key = PATH_TO_KEY
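The four steps above are easy to get half-right (HTTPS enabled but certificate verification switched off, or a key file that is world-readable). The following script is an added example, not part of the nova or neutron documentation: it parses a metadata_agent.ini, reports the settings that leave metadata traffic unprotected, and optionally checks the certificate and key files on the agent host. It assumes the options live in the [DEFAULT] section as shown above; the two sample configurations and the /etc/neutron/ssl/... paths are constructed for illustration.

```python
"""Lint the metadata-proxy TLS settings in a neutron metadata_agent.ini.

Added example (not project code). Assumes the four options from the steps
above are in the [DEFAULT] section and, when check_files=True, that the
script runs on the host that holds the certificate and key files.
"""
import configparser
import os

# Constructed sample: the weak, plaintext configuration.
WEAK_INI = """\
[DEFAULT]
nova_metadata_protocol = http
nova_metadata_insecure = True
"""

# Constructed sample: the hardened configuration from the steps above
# (file paths are placeholders, not a real deployment's values).
HARDENED_INI = """\
[DEFAULT]
nova_metadata_protocol = https
nova_metadata_insecure = False
nova_client_cert = /etc/neutron/ssl/metadata-client.crt
nova_client_priv_key = /etc/neutron/ssl/metadata-client.key
"""


def lint_metadata_tls(ini_text, check_files=False):
    """Return a list of findings; an empty list means the TLS settings look right."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    section = cp["DEFAULT"]
    findings = []

    # Step 1: anything other than https sends instance metadata in clear text.
    if section.get("nova_metadata_protocol", "http").lower() != "https":
        findings.append("nova_metadata_protocol is not https: metadata traffic is plaintext")

    # Step 2: insecure=True accepts any server certificate, so TLS no longer
    # proves the agent is talking to the real metadata server.
    if section.getboolean("nova_metadata_insecure", fallback=False):
        findings.append("nova_metadata_insecure=True: server certificate is not verified")

    # Steps 3 and 4: client certificate and key must be set, present, and the
    # key must not be readable by other users on the host.
    for opt in ("nova_client_cert", "nova_client_priv_key"):
        path = section.get(opt)
        if not path:
            findings.append(f"{opt} is not set: client cannot authenticate to the metadata server")
        elif check_files and not os.path.isfile(path):
            findings.append(f"{opt} points at a missing file: {path}")
        elif check_files and opt == "nova_client_priv_key" and os.stat(path).st_mode & 0o077:
            findings.append(f"{opt} is readable by group or other users: {path}")
    return findings


def lint_file(path, check_files=True):
    """Lint an on-disk metadata_agent.ini (convenience wrapper)."""
    with open(path, encoding="utf-8") as fh:
        return lint_metadata_tls(fh.read(), check_files=check_files)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, lint_metadata_tls(text) or ["ok"])
```

Run `lint_file("/etc/neutron/metadata_agent.ini")` on each network node after applying the steps; the weak sample yields four findings (plaintext protocol, unverified server certificate, and both client credentials missing), the hardened sample yields none.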

Securing live migration streams with QEMU-native TLS

It is strongly recommended to secure all the different live migration streams of a nova instance, i.e. guest RAM, device state, and (when using non-shared storage) disks transferred via NBD. For further details on how to set this up, refer to the secure-live-migration-with-qemu-native-tls document.

Mitigation for MDS (Microarchitectural Data Sampling) security flaws

It is strongly recommended to patch all compute nodes and nova instances against the processor-related security flaws, such as MDS (and other previous vulnerabilities). For details on applying mitigation for the MDS flaws, refer to mitigation-for-Intel-MDS-security-flaws.