openstack-ansible/doc/source/install-guide/overview-security.rst

Home OpenStack-Ansible Installation Guide

Security

The OpenStack-Ansible project provides several security features for OpenStack deployments. This section of documentation covers some of those features and how they can benefit deployers of various sizes.

Security requirements will always differ between deployers. For deployers that need additional security measures in place, please refer to the official OpenStack Security Guide for additional resources.

AppArmor

The Linux kernel offers multiple security modules (LSMs) that that set mandatory access controls (MAC) on Linux systems. The openstack-ansible project configures AppArmor, a Linux security module, to provide additional security on LXC container hosts. AppArmor allows administrators to set specific limits and policies around what resources a particular application can access. Any activity outside the allowed policies is denied at the kernel level.

In OpenStack-Ansible, AppArmor profiles are applied that limit the actions that each LXC container may take on a system. This is done within the lxc_hosts role.

Encrypted communication

Data is encrypted while in transit between some OpenStack services in OpenStack-Ansible deployments. Not all communication between all services is currently encrypted. For more details on what traffic is encrypted, and how to configure SSL certificates, refer to the documentation section titled Securing services with SSL certificates.

Host security hardening

Deployers can apply security hardening to OpenStack infrastructure and compute hosts using the openstack-ansible-security role. The purpose of the role is to apply as many security configurations as possible without disrupting the operation of an OpenStack deployment.

Refer to the documentation on security_hardening for more information on the role and how to enable it in OpenStack-Ansible.

---