[doc] Document deployment host security hardening

Add guidance on applying security hardening to the deployment host to ensure that not only target nodes follow security best practices. Change-Id: I8051b1daa2a7a0373552295b7c8377ced0a46df4 Signed-off-by: Dmitriy Chubinidze <dcu995@gmail.com>
2025-09-03 23:35:22 +00:00
parent cce02da19d
commit 1f39f73ea7
2 changed files with 42 additions and 0 deletions
--- a/deploy-guide/source/run-playbooks.rst
+++ b/deploy-guide/source/run-playbooks.rst
@@ -132,3 +132,10 @@ Run the playbooks to install OpenStack

   Confirm satisfactory completion with zero items unreachable or
   failed.
+
+.. note::
+
+   You can also consider applying a hardening role for the deployment host
+   to improve security. For more details, see the
+   `Apply ansible-hardening <https://docs.openstack.org/openstack-ansible/latest/user/security/hardening.html>`_.
+
--- a/doc/source/user/security/hardening.rst
+++ b/doc/source/user/security/hardening.rst
@@ -27,3 +27,38 @@ For more information about the security configurations, see the
 `security hardening role`_ documentation.

 .. _security hardening role: https://docs.openstack.org/ansible-hardening/latest/
+
+Deployment Host Hardening
+-------------------------
+
+You can extend security hardening to the deployment host by defining the
+``security_host_group`` variable in your ``openstack_user_variables`` file.
+Include ``localhost`` along with your other hosts, like this:
+
+.. code-block:: yaml
+
+   security_host_group: localhost, hosts
+
+Then apply the hardening with:
+
+.. code-block:: shell-session
+
+   openstack-ansible openstack.osa.security_hardening
+
+Or alternatively, you can also supply this variable as extra variable
+during runtime, for example:
+
+.. code-block:: shell-session
+
+   openstack-ansible openstack.osa.security_hardening -e security_host_group=localhost
+
+.. warning::
+
+   After applying security hardening, root login via password will be
+   disabled. Make sure you configure SSH key authentication or set up
+   a non-root user with sudo privileges before applying the changes,
+   otherwise you may lose access to the host.
+
+Including the deployment host can be useful to reduce its attack surface
+and ensure that the host running OpenStack-Ansible follows the same security
+best practices as your other nodes.