168 lines
5.4 KiB
ReStructuredText
168 lines
5.4 KiB
ReStructuredText
.. _section-compute-security:
|
|
|
|
==================
|
|
Security hardening
|
|
==================
|
|
|
|
OpenStack Compute can be integrated with various third-party
|
|
technologies to increase security. For more information, see the
|
|
`OpenStack Security Guide <http://docs.openstack.org/sec/>`_.
|
|
|
|
Trusted compute pools
|
|
~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Administrators can designate a group of compute hosts as trusted using
|
|
trusted compute pools. The trusted hosts use hardware-based security
|
|
features, such as the Intel Trusted Execution Technology (TXT), to
|
|
provide an additional level of security. Combined with an external
|
|
stand-alone, web-based remote attestation server, cloud providers can
|
|
ensure that the compute node runs only software with verified
|
|
measurements and can ensure a secure cloud stack.
|
|
|
|
Trusted compute pools provide the ability for cloud subscribers to
|
|
request services run only on verified compute nodes.
|
|
|
|
The remote attestation server performs node verification like this:
|
|
|
|
1. Compute nodes boot with Intel TXT technology enabled.
|
|
|
|
2. The compute node BIOS, hypervisor, and operating system are measured.
|
|
|
|
3. When the attestation server challenges the compute node, the measured
|
|
data is sent to the attestation server.
|
|
|
|
4. The attestation server verifies the measurements against a known good
|
|
database to determine node trustworthiness.
|
|
|
|
A description of how to set up an attestation service is beyond the
|
|
scope of this document. For an open source project that you can use to
|
|
implement an attestation service, see the `Open
|
|
Attestation <https://github.com/OpenAttestation/OpenAttestation>`__
|
|
project.
|
|
|
|
|image0|
|
|
|
|
**Configuring Compute to use trusted compute pools**
|
|
|
|
#. Enable scheduling support for trusted compute pools by adding these
|
|
lines to the ``DEFAULT`` section of the :file:`/etc/nova/nova.conf` file:
|
|
|
|
.. code:: ini
|
|
|
|
[DEFAULT]
|
|
compute_scheduler_driver=nova.scheduler.filter_scheduler.FilterScheduler
|
|
scheduler_available_filters=nova.scheduler.filters.all_filters
|
|
scheduler_default_filters=AvailabilityZoneFilter,RamFilter,ComputeFilter,TrustedFilter
|
|
|
|
#. Specify the connection information for your attestation service by
|
|
adding these lines to the ``trusted_computing`` section of the
|
|
:file:`/etc/nova/nova.conf` file:
|
|
|
|
.. code-block:: ini
|
|
|
|
[trusted_computing]
|
|
attestation_server = 10.1.71.206
|
|
attestation_port = 8443
|
|
# If using OAT v2.0 after, use this port:
|
|
# attestation_port = 8181
|
|
attestation_server_ca_file = /etc/nova/ssl.10.1.71.206.crt
|
|
# If using OAT v1.5, use this api_url:
|
|
attestation_api_url = /AttestationService/resources
|
|
# If using OAT pre-v1.5, use this api_url:
|
|
# attestation_api_url = /OpenAttestationWebServices/V1.0
|
|
attestation_auth_blob = i-am-openstack
|
|
|
|
In this example:
|
|
|
|
server
|
|
Host name or IP address of the host that runs the attestation
|
|
service
|
|
|
|
port
|
|
HTTPS port for the attestation service
|
|
|
|
server_ca_file
|
|
Certificate file used to verify the attestation server's identity
|
|
|
|
api_url
|
|
The attestation service's URL path
|
|
|
|
auth_blob
|
|
An authentication blob, required by the attestation service.
|
|
|
|
#. Save the file, and restart the nova-compute and nova-scheduler services
|
|
to pick up the changes.
|
|
|
|
To customize the trusted compute pools, use these configuration option
|
|
settings:
|
|
|
|
.. list-table:: **Description of trusted computing configuration options**
|
|
:header-rows: 2
|
|
|
|
* - Configuration option = Default value
|
|
- Description
|
|
* - [trusted_computing]
|
|
-
|
|
* - attestation_api_url = /OpenAttestationWebServices/V1.0
|
|
- (StrOpt) Attestation web API URL
|
|
* - attestation_auth_blob = None
|
|
- (StrOpt) Attestation authorization blob - must change
|
|
* - attestation_auth_timeout = 60
|
|
- (IntOpt) Attestation status cache valid period length
|
|
* - attestation_insecure_ssl = False
|
|
- (BoolOpt) Disable SSL cert verification for Attestation service
|
|
* - attestation_port = 8443
|
|
- (StrOpt) Attestation server port
|
|
* - attestation_server = None
|
|
- (StrOpt) Attestation server HTTP
|
|
* - attestation_server_ca_file = None
|
|
- (StrOpt) Attestation server Cert file for Identity verification
|
|
|
|
**Specifying trusted flavors**
|
|
|
|
#. Flavors can be designated as trusted using the ``nova flavor-key set``
|
|
command. In this example, the ``m1.tiny`` flavor is being set as
|
|
trusted:
|
|
|
|
.. code:: console
|
|
|
|
$ nova flavor-key m1.tiny set trust:trusted_host=trusted
|
|
|
|
#. You can request that your instance is run on a trusted host by
|
|
specifying a trusted flavor when booting the instance:
|
|
|
|
.. code:: console
|
|
|
|
$ nova boot --flavor m1.tiny --key_name myKeypairName --image myImageID newInstanceName
|
|
|
|
|Trusted compute pool|
|
|
|
|
.. |image0| image:: ../../common/figures/OpenStackTrustedComputePool1.png
|
|
.. |Trusted compute pool| image:: ../../common/figures/OpenStackTrustedComputePool2.png
|
|
|
|
|
|
Encrypt Compute metadata traffic
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
**Enabling SSL encryption**
|
|
|
|
OpenStack supports encrypting Compute metadata traffic with HTTPS.
|
|
Enable SSL encryption in the :file:`metadata_agent.ini` file.
|
|
|
|
#. Enable the HTTPS protocol::
|
|
|
|
nova_metadata_protocol = https
|
|
|
|
#. Determine whether insecure SSL connections are accepted for Compute
|
|
metadata server requests. The default value is ``False``::
|
|
|
|
nova_metadata_insecure = False
|
|
|
|
#. Specify the path to the client certificate::
|
|
|
|
nova_client_cert = PATH_TO_CERT
|
|
|
|
#. Specify the path to the private key::
|
|
|
|
nova_client_priv_key = PATH_TO_KEY
|