Taikun OCP Guide

Security hardening

OpenStack Compute can be integrated with various third-party
technologies to increase security. For more information, see the OpenStack Security

Encrypt Compute metadata

Enabling SSL encryption

OpenStack supports encrypting Compute metadata traffic, that is, the requests
the Networking metadata agent forwards to the Compute metadata API, with HTTPS.
Enable SSL/TLS encryption by setting the following options in the [DEFAULT]
section of the metadata_agent.ini file, then restart the metadata agent.

  1. Enable the HTTPS protocol. The default is http, which sends metadata
     requests in cleartext.

    nova_metadata_protocol = https

  2. Determine whether insecure SSL connections are accepted for Compute
     metadata server requests. The default value is False, which makes the
     agent verify the Compute metadata server's certificate; keep it False.
     Setting it to True accepts any certificate and removes the protection
     that HTTPS was enabled for.

    nova_metadata_insecure = False

  3. Specify the path to the client certificate that the metadata agent
     presents to the Compute metadata server.

    nova_client_cert = PATH_TO_CERT

  4. Specify the path to the matching private key. Restrict the key file so
     that only the user the metadata agent runs as can read it.

    nova_client_priv_key = PATH_TO_KEY
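The following script is an added example, not code from the Taikun guide or from OpenStack. It audits a metadata_agent.ini for the four settings in the procedure above, reports the weak configuration beside the hardened one, and rewrites the weak file with the hardening applied. The sample configurations, the 192.0.2.10 address and the /etc/neutron/ssl/ certificate paths are constructed for illustration.

```python
"""Audit and harden the Compute metadata settings in metadata_agent.ini.

Added example; it assumes the four [DEFAULT] options named in the procedure
above (nova_metadata_protocol, nova_metadata_insecure, nova_client_cert,
nova_client_priv_key). Sample configs and paths are constructed.
"""
import configparser
import io

# Constructed sample: an agent that still talks cleartext http and would
# skip certificate verification even if https were turned on.
WEAK_CONFIG = """\
[DEFAULT]
nova_metadata_host = 192.0.2.10
nova_metadata_port = 8775
nova_metadata_protocol = http
nova_metadata_insecure = True
metadata_proxy_shared_secret = REPLACE_ME
"""

# Constructed sample: the same agent after the four hardening steps.
HARDENED_CONFIG = """\
[DEFAULT]
nova_metadata_host = 192.0.2.10
nova_metadata_port = 8775
nova_metadata_protocol = https
nova_metadata_insecure = False
nova_client_cert = /etc/neutron/ssl/metadata-agent.crt
nova_client_priv_key = /etc/neutron/ssl/metadata-agent.key
metadata_proxy_shared_secret = REPLACE_ME
"""


def load(ini_text):
    # OpenStack config values may contain '%', so disable interpolation.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep option names exactly as written
    cfg.read_string(ini_text)
    return cfg


def audit_metadata_agent(ini_text):
    """Return a list of findings; an empty list means all four checks pass."""
    d = load(ini_text)["DEFAULT"]
    findings = []
    # nova_metadata_protocol defaults to http when unset.
    protocol = d.get("nova_metadata_protocol", "http").strip().lower()
    if protocol != "https":
        findings.append("nova_metadata_protocol is %r: metadata requests to the "
                        "Compute metadata API travel in cleartext" % protocol)
    # true/false, yes/no, on/off and 1/0 are all accepted, as in oslo.config.
    if d.getboolean("nova_metadata_insecure", fallback=False):
        findings.append("nova_metadata_insecure = True: the agent does not verify the "
                        "metadata server certificate, so HTTPS gives no MITM protection")
    for opt in ("nova_client_cert", "nova_client_priv_key"):
        if not d.get(opt, "").strip():
            findings.append("%s is not set: no client certificate for the metadata agent" % opt)
    return findings


def harden_metadata_agent(ini_text, client_cert, client_key):
    """Rewrite the config text with the four hardening options applied."""
    cfg = load(ini_text)
    d = cfg["DEFAULT"]
    d["nova_metadata_protocol"] = "https"
    d["nova_metadata_insecure"] = "False"
    d["nova_client_cert"] = client_cert
    d["nova_client_priv_key"] = client_key
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_metadata_agent(text) or "OK")
    fixed = harden_metadata_agent(WEAK_CONFIG, "/etc/neutron/ssl/metadata-agent.crt",
                                  "/etc/neutron/ssl/metadata-agent.key")
    print(fixed)
```

Run the audit against the real file with `audit_metadata_agent(open("/etc/neutron/metadata_agent.ini").read())`; the rewritten text from `harden_metadata_agent` drops comments, so review it before replacing a production file.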

Securing live migration streams with QEMU-native TLS

It is strongly recommended to secure all the live migration streams of a
nova instance with QEMU-native TLS: guest RAM, device state, and, when
using non-shared storage, the disks copied over NBD. For details on how
to set this up, refer to secure-live-migration-with-qemu-native-tls in
the Nova documentation.
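As an added example (not code from the Taikun guide, Nova or libvirt), the check below audits a compute node's nova.conf and libvirt qemu.conf for the settings that QEMU-native TLS live migration relies on. It assumes the option names used by the Nova procedure referenced above: [libvirt]/live_migration_with_native_tls in nova.conf, and default_tls_x509_cert_dir / default_tls_x509_verify with their migrate_tls_x509_* overrides in qemu.conf. Confirm them against that page; the sample files and certificate directories are constructed.

```python
"""Check that live migration streams are wrapped in QEMU-native TLS.

Added example; it assumes the nova.conf and qemu.conf option names named in
the lead-in and does not model libvirt's built-in fallback defaults: a
setting that is not written explicitly is reported. Samples are constructed.
"""
import configparser
import re

# Constructed nova.conf excerpts (weak and hardened).
NOVA_CONF_WEAK = """\
[libvirt]
virt_type = kvm
live_migration_uri = qemu+tcp://%s/system
"""
NOVA_CONF_HARDENED = """\
[libvirt]
virt_type = kvm
live_migration_with_native_tls = true
"""

# qemu.conf is not an ini file: flat key = value pairs, '#' comments,
# double-quoted strings and bare integers. Constructed excerpts.
QEMU_CONF_WEAK = """\
# default_tls_x509_cert_dir = "/etc/pki/qemu"
default_tls_x509_verify = 0
"""
QEMU_CONF_HARDENED = """\
default_tls_x509_cert_dir = "/etc/pki/qemu"
default_tls_x509_verify = 1
migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
migrate_tls_x509_verify = 1
"""

_QEMU_LINE = re.compile(r'^([A-Za-z0-9_]+)\s*=\s*(?:"([^"]*)"|(\S+))\s*(?:#.*)?$')


def parse_qemu_conf(text):
    """Parse qemu.conf into a dict of strings; commented-out settings are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _QEMU_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings


def audit_live_migration_tls(nova_conf_text, qemu_conf_text):
    """Return findings; empty means both files carry the TLS settings."""
    findings = []
    nova = configparser.ConfigParser(interpolation=None)
    nova.read_string(nova_conf_text)
    if not nova.getboolean("libvirt", "live_migration_with_native_tls", fallback=False):
        findings.append("[libvirt]/live_migration_with_native_tls is not true: guest RAM, "
                        "device state and NBD disk streams are sent without TLS")
    q = parse_qemu_conf(qemu_conf_text)
    # migrate_tls_x509_* overrides default_tls_x509_* for the migration stream.
    cert_dir = q.get("migrate_tls_x509_cert_dir", q.get("default_tls_x509_cert_dir"))
    verify = q.get("migrate_tls_x509_verify", q.get("default_tls_x509_verify"))
    if not cert_dir:
        findings.append("qemu.conf: no x509 certificate directory configured for migration")
    if verify != "1":
        findings.append("qemu.conf: x509 peer verification for migration is %r, not 1: "
                        "the destination's certificate would not be checked" % verify)
    return findings


if __name__ == "__main__":
    print("weak:", audit_live_migration_tls(NOVA_CONF_WEAK, QEMU_CONF_WEAK))
    print("hardened:", audit_live_migration_tls(NOVA_CONF_HARDENED, QEMU_CONF_HARDENED))
```

Both files must agree on every compute node that can be a migration source or destination; auditing only one side leaves the pair able to fall back to a cleartext stream.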

Mitigation for MDS (Microarchitectural Data Sampling) security flaws

It is strongly recommended to patch all compute nodes and nova instances
against processor-related security flaws such as MDS (and the earlier
vulnerabilities of the same family). Patching the host alone is not
enough: guest kernels apply their own mitigation and can only do so if
the updated CPU flag is exposed to them. For details on applying
mitigation for the MDS flaws, refer to mitigation-for-Intel-MDS-security-flaws.
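The script below is an added example, not code from the Taikun guide or from OpenStack. It classifies a compute node's MDS mitigation status from the text a patched Linux kernel exposes in /sys/devices/system/cpu/vulnerabilities/mds and the md_clear flag in /proc/cpuinfo, then checks whether the Nova [libvirt] CPU settings (cpu_mode, cpu_model_extra_flags) pass that flag to guests. The sysfs, cpuinfo and nova.conf texts are constructed, not captured from a real host.

```python
"""Classify host MDS mitigation status and check that guests can use it.

Added example; it assumes the Nova [libvirt] options cpu_mode and
cpu_model_extra_flags from the mitigation page referenced above. Only
cpu_mode = host-passthrough is treated as guaranteeing the flag; any other
mode is required to list md-clear explicitly (conservative). Samples are
constructed.
"""
import configparser
import re

# Constructed contents of /sys/devices/system/cpu/vulnerabilities/mds.
MDS_SYSFS = {
    "unpatched": "Vulnerable\n",
    "patched_smt_on": "Mitigation: Clear CPU buffers; SMT vulnerable\n",
    "patched_smt_off": "Mitigation: Clear CPU buffers; SMT disabled\n",
    "not_affected": "Not affected\n",
}

# Constructed /proc/cpuinfo excerpts; only the flags line matters.
CPUINFO_WITH_MD_CLEAR = "model name\t: Intel(R) Xeon(R) CPU\nflags\t\t: fpu vme sse2 ssbd md_clear flush_l1d\n"
CPUINFO_WITHOUT_MD_CLEAR = "model name\t: Intel(R) Xeon(R) CPU\nflags\t\t: fpu vme sse2 ssbd\n"

# Constructed nova.conf excerpts.
NOVA_CONF_CUSTOM_NO_FLAG = "[libvirt]\ncpu_mode = custom\ncpu_model = Skylake-Server-IBRS\n"
NOVA_CONF_CUSTOM_WITH_FLAG = NOVA_CONF_CUSTOM_NO_FLAG + "cpu_model_extra_flags = md-clear\n"
NOVA_CONF_PASSTHROUGH = "[libvirt]\ncpu_mode = host-passthrough\n"


def host_mds_status(sysfs_text):
    """One of: not_affected, vulnerable, mitigated, mitigated_smt_vulnerable, unknown."""
    s = sysfs_text.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    if s.startswith("Mitigation"):
        return "mitigated_smt_vulnerable" if "SMT vulnerable" in s else "mitigated"
    return "unknown"


def host_has_md_clear(cpuinfo_text):
    """True when the microcode exposes MD_CLEAR, the flag guests need to see."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return bool(m) and "md_clear" in m.group(1).split()


def guest_gets_md_clear(nova_conf_text):
    """Whether Nova's CPU configuration passes MD_CLEAR through to new guests."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(nova_conf_text)
    mode = cfg.get("libvirt", "cpu_mode", fallback="host-model").strip()
    if mode == "host-passthrough":
        return True  # the guest sees every host flag, md_clear included
    extra = cfg.get("libvirt", "cpu_model_extra_flags", fallback="")
    flags = {f.strip().lower() for f in extra.split(",") if f.strip()}
    return "md-clear" in flags


def audit_mds(sysfs_text, cpuinfo_text, nova_conf_text):
    """Return findings for one compute node; empty means nothing to do."""
    findings = []
    status = host_mds_status(sysfs_text)
    if status == "not_affected":
        return findings
    if status == "vulnerable":
        findings.append("host kernel reports MDS as Vulnerable: kernel or microcode not patched")
    elif status == "mitigated_smt_vulnerable":
        findings.append("MDS mitigation active but SMT is on: sibling hyperthreads can still leak")
    if not host_has_md_clear(cpuinfo_text):
        findings.append("CPU flag md_clear absent: microcode update missing, guests cannot mitigate")
    elif not guest_gets_md_clear(nova_conf_text):
        findings.append("Nova does not expose md-clear to guests: set [libvirt]/cpu_model_extra_flags "
                        "= md-clear (or cpu_mode = host-passthrough), then hard-reboot instances")
    return findings


if __name__ == "__main__":
    print(audit_mds(MDS_SYSFS["unpatched"], CPUINFO_WITHOUT_MD_CLEAR, NOVA_CONF_CUSTOM_NO_FLAG))
    print(audit_mds(MDS_SYSFS["patched_smt_off"], CPUINFO_WITH_MD_CLEAR, NOVA_CONF_CUSTOM_WITH_FLAG))
```

On a real node, feed it the output of `cat /sys/devices/system/cpu/vulnerabilities/mds`, `/proc/cpuinfo` and `/etc/nova/nova.conf`. Running instances keep the CPU model they booted with, so a clean audit only covers guests started (or hard-rebooted) after the change.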