openstack-ansible/doc/source/install-guide-revised-draft/app-advanced-config-affinity.rst
Alexandra 199e33c0a2 [DOCS] Updates to deploy config
1. Moves affinity to advanced config in install draft
2. Deletes hypervisor (info already in nova role)
3. Deletes deploy config file and removes from index.rst

Change-Id: I515b3af8ac6e45aa768fda25fd3c0f57236bc7b1
Implements: blueprint osa-install-guide-overhaul
2016-08-19 14:10:43 +01:00


Affinity

OpenStack-Ansible's dynamic inventory generation has a concept called affinity. This determines how many containers of a similar type are deployed onto a single physical host.

Using shared-infra_hosts as an example, consider this openstack_user_config.yml:

shared-infra_hosts:
  infra1:
    ip: 172.29.236.101
  infra2:
    ip: 172.29.236.102
  infra3:
    ip: 172.29.236.103

Three hosts are assigned to the shared-infra_hosts group. OpenStack-Ansible ensures that each host runs a single database container, a single memcached container, and a single RabbitMQ container. Each host has an affinity of 1 by default, which means that each host runs one of each container type.

You can skip the deployment of RabbitMQ altogether. This is helpful when deploying a standalone swift environment. If you need this configuration, your openstack_user_config.yml would look like this:

shared-infra_hosts:
  infra1:
    affinity:
      rabbit_mq_container: 0
    ip: 172.29.236.101
  infra2:
    affinity:
      rabbit_mq_container: 0
    ip: 172.29.236.102
  infra3:
    affinity:
      rabbit_mq_container: 0
    ip: 172.29.236.103

The configuration above deploys a memcached container and a database container on each host, without the RabbitMQ containers.

Security hardening

OpenStack-Ansible automatically applies host security hardening configurations using the openstack-ansible-security role. The role uses a version of the Security Technical Implementation Guide (STIG) that has been adapted for Ubuntu 14.04 and OpenStack.

The role is applicable to physical hosts within an OpenStack-Ansible deployment that are operating as any type of node, infrastructure or compute. By default, the role is enabled. You can disable it by changing a variable within user_variables.yml:

apply_security_hardening: false

When the variable is set to true, the setup-hosts.yml playbook applies the role during deployments.
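Because hardening is on by default and a single line in user_variables.yml turns it off, a deployment review should confirm the effective setting. The following check is an added example, not part of OpenStack-Ansible or of the original guide. It assumes the file text is passed in as a string, that a later duplicate key overrides an earlier one, and that the sample input is constructed.

```python
import re

# Top-level key only; commented-out lines start with '#' and never match.
KEY_RE = re.compile(r"^apply_security_hardening\s*:\s*(.*)$")

# Spellings the YAML 1.1 loader used by Ansible resolves to booleans.
TRUE_WORDS = {"true", "yes", "on"}
FALSE_WORDS = {"false", "no", "off"}


def hardening_state(text):
    """Classify apply_security_hardening in the text of user_variables.yml.

    Returns (state, line_number); state is "enabled", "disabled",
    "default-enabled" (key absent, the role is on by default) or
    "review" (a value this check cannot interpret, e.g. a Jinja expression).
    """
    state, where = "default-enabled", None
    for number, line in enumerate(text.splitlines(), 1):
        match = KEY_RE.match(line)
        if not match:
            continue
        # Drop a trailing comment, surrounding quotes and case differences.
        value = match.group(1).split(" #", 1)[0].strip().strip("'\"").lower()
        if value in FALSE_WORDS:
            state = "disabled"
        elif value in TRUE_WORDS:
            state = "enabled"
        else:
            state = "review"
        where = number  # assumption: a later duplicate key overrides an earlier one
    return state, where


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
---
# apply_security_hardening: true
debug: false
apply_security_hardening: no   # disabled for a lab build
"""

if __name__ == "__main__":
    state, line = hardening_state(SAMPLE)
    print(f"apply_security_hardening is {state} (line {line})")
```

A result of "disabled" or "review" is the case to follow up with the check-mode audit run of security-hardening.yml.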

You can apply security configurations to an existing environment or audit an environment using a playbook supplied with OpenStack-Ansible:

# Perform a quick audit using Ansible's check mode
openstack-ansible --check security-hardening.yml

# Apply security hardening configurations
openstack-ansible security-hardening.yml

For more details on the security configurations that will be applied, refer to the openstack-ansible-security documentation. Review the Configuration section of the openstack-ansible-security documentation to find out how to fine-tune certain security configurations.