Merge "minor changes to security documentation"

This commit is contained in:
Jenkins 2016-05-26 16:03:06 +00:00 committed by Gerrit Code Review
commit 0b42710923

@ -7,14 +7,14 @@ Security
Overview Overview
======== ========
While Ironic is intended to be a secure application, it is important to While the Bare Metal service is intended to be a secure application, it is
understand what it does and does not cover today. important to understand what it does and does not cover today.
Deployers must properly evaluate their use case and take the appropriate Deployers must properly evaluate their use case and take the appropriate
actions to secure their environment appropriately. This document is intended to actions to secure their environment appropriately. This document is intended to
provide an overview of what risks and operator of Ironic should be aware of. It provide an overview of what risks an operator of the Bare Metal service should
is not intended as a How-To guide for securing a data center or an OpenStack be aware of. It is not intended as a How-To guide for securing a data center
deployment. or an OpenStack deployment.
.. TODO: add "Security Considerations for Network Boot" section .. TODO: add "Security Considerations for Network Boot" section
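Review bot: the renaming from "Ironic" to "the Bare Metal service" in the first paragraph never ties the two names together, yet later hunks still refer to the ``ironic-python-agent`` ramdisk and to ``[conductor]/automated_clean``, which are ironic-specific identifiers. Suggest naming it once on first use, e.g. "While the Bare Metal service (ironic) is intended to be a secure application, ...", so readers can map the service name to the config options and ramdisk named below. The ``.. TODO: add "Security Considerations for Network Boot" section`` comment survives the change untouched; if it is not being addressed in this series it should at least be tracked, since network boot is a meaningful part of the threat surface this overview claims to cover.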
@ -27,10 +27,10 @@ deployment.
Firmware security Firmware security
================= =================
When ironic deploys an operating system image to a server, that image is run When the Bare Metal service deploys an operating system image to a server, that
natively on the server without virtualization. Any user with administrative image is run natively on the server without virtualization. Any user with
access to the deployed instance has administrative access to the underlying administrative access to the deployed instance has administrative access to
hardware. the underlying hardware.
Most servers' default settings do not prevent a privileged local user from Most servers' default settings do not prevent a privileged local user from
gaining direct access to hardware devices. Such a user could modify device or gaining direct access to hardware devices. Such a user could modify device or
@ -38,16 +38,17 @@ firmware settings, and potentially flash new firmware to the device, before
deleting their instance and allowing the server to be allocated to another deleting their instance and allowing the server to be allocated to another
user. user.
If the ``automated_clean`` configuration option is enabled (previously the If the ``[conductor]/automated_clean`` configuration option is enabled (and
``clean_nodes`` option), then Ironic will securely erase all local disk devices the ``[deploy]/erase_devices_priority`` configuration option is not zero),
within a machine during instance deletion. However, Ironic does not ship with the Bare Metal service will securely erase all local disk devices within a
machine during instance deletion. However, the service does not ship with
any code that will validate the integrity of, or make any modifications to, any code that will validate the integrity of, or make any modifications to,
system or device firmware or firmware settings. system or device firmware or firmware settings.
Operators are encouraged to write their own hardware manager plugins for the Operators are encouraged to write their own hardware manager plugins for the
``ironic-python-agent`` ramdisk. This should include custom ``clean steps`` ``ironic-python-agent`` ramdisk. This should include custom ``clean steps``
that would be run as part of Node de-provisioning. This should include custom that would be run during the `automated cleaning`_ process, as part of Node
``clean steps`` to be run as part of the automated cleaning process, which de-provisioning. The ``clean steps``
would perform the specific actions necessary within that environment to ensure would perform the specific actions necessary within that environment to ensure
the integrity of each server's firmware. the integrity of each server's firmware.
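Review bot: the rewrite drops the "(previously the ``clean_nodes`` option)" aside while adding the ``[deploy]/erase_devices_priority`` condition. Operators upgrading may still have the old option set, so it is worth keeping the deprecated name in a parenthetical rather than removing it, e.g. "``[conductor]/automated_clean`` (formerly ``clean_nodes``)". The new condition is the right correction, since with ``erase_devices_priority`` set to zero the erase step is skipped and no secure erase happens on instance deletion. Separately, the new side of the second paragraph leaves "de-provisioning. The ``clean steps``" as a short orphan line followed by a full-width line; please re-wrap the paragraph so the sentence "The ``clean steps`` would perform the specific actions necessary within that environment ..." fills lines evenly.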
@ -57,11 +58,16 @@ include:
- installing signed firmware for BIOS and peripheral devices - installing signed firmware for BIOS and peripheral devices
- using a TPM (Trusted Platform Module) to validate signatures at boot time - using a TPM (Trusted Platform Module) to validate signatures at boot time
- booting machines in UEFI SecureBoot mode, rather than BIOS mode, to validate - booting machines in `UEFI Secure Boot mode`_, rather than BIOS mode, to
kernel signatures validate kernel signatures
- disabling local (in-band) access from the host OS to the management controller (BMC) - disabling local (in-band) access from the host OS to the management controller (BMC)
- disabling modifications to boot settings from the host OS - disabling modifications to boot settings from the host OS
Additional references: Additional references:
- http://docs.openstack.org/developer/ironic/deploy/install-guide.html?highlight=txt#trusted-boot-with-partition-image - `automated cleaning`_
- http://docs.openstack.org/developer/ironic/drivers/ilo.html?highlight=secure%20boot#uefi-secure-boot-support - `trusted boot with partition image`_
- `UEFI Secure Boot mode`_
.. _automated cleaning: http://docs.openstack.org/developer/ironic/deploy/cleaning.html#automated-cleaning
.. _trusted boot with partition image: http://docs.openstack.org/developer/ironic/deploy/install-guide.html?highlight=txt#trusted-boot-with-partition-image
.. _UEFI Secure Boot mode: http://docs.openstack.org/developer/ironic/drivers/ilo.html?highlight=secure%20boot#uefi-secure-boot-support
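Review bot: the two new link targets ``trusted boot with partition image`` and ``UEFI Secure Boot mode`` carry ``?highlight=txt`` and ``?highlight=secure%20boot`` query strings copied from the docs search UI; these only trigger term highlighting and should be stripped so the URLs are stable, e.g. ``http://docs.openstack.org/developer/ironic/deploy/install-guide.html#trusted-boot-with-partition-image``. Also, the ``UEFI Secure Boot mode`` target points at the iLO driver page (``drivers/ilo.html``), so the bullet "booting machines in `UEFI Secure Boot mode`_" reads as a general recommendation but links driver-specific documentation; suggest either qualifying the bullet with "where the driver supports it" or pointing at a driver-neutral page if one exists.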