[openstack-dev] [openstack-ansible] Security hardening

Jeff Keopp keopp at cray.com
Tue Sep 15 15:05:54 UTC 2015


This is a very interesting proposal and one I believe is needed.  I'm
currently looking at hardening the controller nodes from unwanted access
and discovered that every time the controller node is booted/rebooted, it
flushes the iptables and writes only those rules that neutron believes
should be there.  This behavior would render this proposal ineffective
once the node is rebooted.

So I believe neutron needs to be fixed to not flush the iptables on each
boot, but to write the iptables to /etc/sysconfig/iptables and then
restore them as a normal Linux box should do.  It should be a good citizen
with other processes.

A sysadmin should be allowed to use whatever iptables handlers they wish
to implement security policies and not have an OpenStack process undo what
they have set.

I should mention this is on a system using a flat network topology and
bare metal nodes.  No VMs.

Jeff Keopp | Sr. Software Engineer, ES Systems.
380 Jackson Street | St. Paul, MN 55101 | USA  | www.cray.com




-----Original Message-----
From: Major Hayden <major at mhtx.net>
Reply-To: "OpenStack Development Mailing List (not for usage questions)"
<openstack-dev at lists.openstack.org>
Date: Monday, September 14, 2015 at 11:34
To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [openstack-ansible] Security hardening

>On 09/14/2015 03:28 AM, Jesse Pretorius wrote:
>> I agree with Clint that this is a good approach.
>> 
>> If there is an automated way that we can verify the security of an
>>installation at a reasonable/standardised level then I think we should
>>add a gate check for it too.
>
>Here's a rough draft of a spec.  Feel free to throw some darts.
>
>  https://review.openstack.org/#/c/222619/
>
>--
>Major Hayden
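An added check, not part of this thread, illustrating the failure mode Jeff describes: it compares the ruleset persisted by the sysadmin against the ruleset actually loaded after a reboot and lists every persisted rule that is no longer present. The two dumps are constructed samples in iptables-save format; in practice the first would be read from /etc/sysconfig/iptables and the second from the output of iptables-save.

```python
import re

# Constructed sample: the file the sysadmin persisted (/etc/sysconfig/iptables)
SAVED = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 35357 -s 10.0.0.0/24 -j ACCEPT
COMMIT
"""

# Constructed sample: iptables-save output after reboot, only neutron's own rules survived
LIVE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
[12:3456] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j neutron-filter-top
COMMIT
"""

def parse_rules(dump):
    """Return {table: set(of '-A ...' rule lines)} from iptables-save text.
    Comments, chain headers (':NAME ...') and COMMIT are skipped; packet/byte
    counters that 'iptables-save -c' prefixes as '[pkts:bytes]' are stripped."""
    tables, table = {}, None
    for raw in dump.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", raw.strip())
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):              # table header, e.g. "*filter"
            table = line[1:]
            tables.setdefault(table, set())
        elif line.startswith("-A") and table is not None:
            tables[table].add(line)
    return tables

def missing_rules(saved_dump, live_dump):
    """Per table, the sorted list of persisted rules absent from the live ruleset."""
    saved, live = parse_rules(saved_dump), parse_rules(live_dump)
    gone = {t: sorted(rules - live.get(t, set())) for t, rules in saved.items()}
    return {t: r for t, r in gone.items() if r}

if __name__ == "__main__":
    for table, rules in missing_rules(SAVED, LIVE).items():
        print(f"[{table}] {len(rules)} persisted rule(s) not loaded after boot:")
        for rule in rules:
            print("   ", rule)
```

Run it from a post-boot cron job or a config-management handler and alert on any non-empty result; an empty result means the persisted policy survived the neutron agent's rewrite.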