Taikun OCP Guide

Security hardening

OpenStack Compute can be integrated with various third-party
technologies to increase security. For more information, see the
OpenStack Security Guide.

Encrypt Compute metadata traffic

Enabling SSL encryption

OpenStack supports encrypting Compute metadata traffic with HTTPS.
Enable SSL encryption in the metadata_agent.ini file.

  1. Enable the HTTPS protocol for requests to the Compute metadata server.

    nova_metadata_protocol = https

  2. Set whether insecure SSL connections (connections whose server
    certificate cannot be verified) are accepted for Compute metadata
    server requests. The default value is False; keep it False so that
    the metadata server's certificate is actually verified.

    nova_metadata_insecure = False

  3. Specify the path to the client certificate.

    nova_client_cert = PATH_TO_CERT

  4. Specify the path to the private key that matches the client
    certificate.

    nova_client_priv_key = PATH_TO_KEY
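A small audit script, added here as an example and not part of the guide, that reads a metadata_agent.ini and reports which of the four settings above still have the weak value; the two embedded files and their certificate paths are constructed for the example.

```python
import configparser
from typing import List

# Constructed sample: a metadata_agent.ini that still talks to the
# metadata server over plain HTTP and would skip certificate checks.
WEAK_INI = """
[DEFAULT]
nova_metadata_host = 10.0.0.5
nova_metadata_protocol = http
nova_metadata_insecure = True
"""

# Constructed sample: the same file with the hardened settings.
# The certificate paths are placeholders, not real deployment paths.
HARDENED_INI = """
[DEFAULT]
nova_metadata_host = 10.0.0.5
nova_metadata_protocol = https
nova_metadata_insecure = False
nova_client_cert = /etc/neutron/certs/metadata-client.crt
nova_client_priv_key = /etc/neutron/certs/metadata-client.key
"""


def audit_metadata_agent(ini_text: str) -> List[str]:
    """Return a list of findings; an empty list means all four settings are hardened."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    cfg = cp["DEFAULT"]  # the metadata-agent options live in [DEFAULT]
    findings: List[str] = []

    protocol = cfg.get("nova_metadata_protocol", "http").strip().lower()
    if protocol != "https":
        findings.append(f"nova_metadata_protocol is '{protocol}': metadata traffic is sent in cleartext")
    if cfg.getboolean("nova_metadata_insecure", fallback=False):
        findings.append("nova_metadata_insecure is True: the metadata server certificate is not verified")
    if not cfg.get("nova_client_cert", "").strip():
        findings.append("nova_client_cert is unset: no client certificate is presented")
    if not cfg.get("nova_client_priv_key", "").strip():
        findings.append("nova_client_priv_key is unset: no private key for the client certificate")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, "->", audit_metadata_agent(text) or "OK")
```

To audit a real file, pass the contents of /etc/neutron/metadata_agent.ini (path assumed) to audit_metadata_agent().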

Securing live migration streams with QEMU-native TLS

It is strongly recommended to secure all the different live migration
streams of a nova instance—i.e. guest RAM, device state, and disks (via
NBD) when using non-shared storage. For further details on how to set
this up, refer to the secure-live-migration-with-qemu-native-tls
document.

Mitigation for MDS (Microarchitectural Data Sampling) security flaws

It is strongly recommended to patch all compute nodes and nova
instances against the processor-related security flaws, such as MDS (and
other previous vulnerabilities). For details on applying mitigation for
the MDS flaws, refer to mitigation-for-Intel-MDS-security-flaws.