c31d6c463f
Cleanup usage of screens: * Replace with programlistings where appropriate * Add prompts Also, fix some filename markup. Partial-Bug: #1217503 Change-Id: I0b9b8a73d3449bd33cf7348b49cdc1d02f203c4f
51 lines
3.5 KiB
XML
51 lines
3.5 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<chapter xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://docbook.org/ns/docbook" xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="ch033_securing-neutron-services"><?dbhtml stop-chunking?>
|
|
<title>Securing OpenStack Networking Services</title>
|
|
<para>In order to secure OpenStack Networking, an understanding of the workflow process for tenant instance creation needs to be mapped to security domains.</para>
|
|
<para>There are four main services that interact with OpenStack Networking. In a typical OpenStack deployment these services map to the following security domains:</para>
|
|
<itemizedlist><listitem>
|
|
<para>OpenStack Dashboard: Public and Management</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>OpenStack Identity: Management</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>OpenStack Compute Node: Management and Guest</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>OpenStack Network Node: Management, Guest, and possibly Public depending upon neutron-plugin in use.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>SDN Services Node: Management, Guest and possibly
|
|
Public depending upon product used.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para><inlinemediaobject><imageobject role="html">
|
|
<imagedata contentdepth="454" contentwidth="682" fileref="static/1aa-logical-neutron-flow.png" format="PNG" scalefit="1"/>
|
|
</imageobject>
|
|
<imageobject role="fo">
|
|
<imagedata contentdepth="100%" fileref="static/1aa-logical-neutron-flow.png" format="PNG" scalefit="1" width="100%"/>
|
|
</imageobject>
|
|
</inlinemediaobject></para>
|
|
<para>In order to isolate sensitive data communication between the OpenStack Networking services and other OpenStack core services, we strongly recommend that these communication channels be configured to only allow communications over an isolated management network.</para>
|
|
<section xml:id="ch033_securing-neutron-services-idp55312">
|
|
<title>OpenStack Networking Service Configuration</title>
|
|
<section xml:id="ch033_securing-neutron-services-idp56016">
|
|
<title>Restrict Bind Address of the API server: neutron-server</title>
|
|
<para>To restrict the interface or IP address on which the OpenStack Networking API service binds a network socket for incoming client connections, specify the bind_host and bind_port in the neutron.conf file as shown:</para>
|
|
<programlisting language="ini">
|
|
# Address to bind the API server
|
|
bind_host = <replaceable>IP ADDRESS OF SERVER</replaceable>
|
|
|
|
# Port the bind the API server to
|
|
bind_port = 9696</programlisting>
|
|
</section>
|
|
<section xml:id="ch033_securing-neutron-services-idp58320">
|
|
<title>Restrict DB and RPC communication of the OpenStack Networking services:</title>
|
|
<para>Various components of the OpenStack Networking services use either the messaging queue or database connections to communicate with other components in OpenStack Networking.</para>
|
|
<para>It is recommended that you follow the guidelines provided in the Database Authentication and Access Control chapter in the Database section for all components that require direct DB connections.</para>
|
|
<para>It is recommended that you follow the guidelines provided in the Queue Authentication and Access Control chapter in the Messaging section for all components that require RPC communication.</para>
|
|
</section>
|
|
</section>
|
|
</chapter>
|