openstack/openstack-manuals
Code Issues Proposed changes
eb6a27bdc4
openstack-manuals/doc/security-guide/ch033_securing-neutron-services.xml
Diane Fleming 64b6c9261e Folder rename, file rename, flattening of directories 
Current folder name	New folder name	        Book title
----------------------------------------------------------
basic-install 	        DELETE
cli-guide	        DELETE
common	                common
NEW	                admin-guide-cloud	Cloud Administrators Guide
docbkx-example	        DELETE
openstack-block-storage-admin 	DELETE
openstack-compute-admin 	DELETE
openstack-config 	config-reference	OpenStack Configuration Reference
openstack-ha 	        high-availability-guide	OpenStack High Availabilty Guide
openstack-image	        image-guide	OpenStack Virtual Machine Image Guide
openstack-install 	install-guide	OpenStack Installation Guide
openstack-network-connectivity-admin 	admin-guide-network 	OpenStack Networking Administration Guide
openstack-object-storage-admin 	DELETE
openstack-security 	security-guide	OpenStack Security Guide
openstack-training 	training-guide	OpenStack Training Guide
openstack-user 	        user-guide	OpenStack End User Guide
openstack-user-admin 	user-guide-admin	OpenStack Admin User Guide
glossary	        NEW        	OpenStack Glossary

bug: #1220407

Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7
author: diane fleming
2013-09-08 15:15:50 -07:00

51 lines
3.4 KiB
XML
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://docbook.org/ns/docbook" xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="ch033_securing-neutron-services"><?dbhtml stop-chunking?>
<title>Securing OpenStack Networking Services</title>
<para>In order to secure OpenStack Networking, an understanding of the workflow process for tenant instance creation needs to be mapped to security domains. </para>
<para>There are four main services that interact with OpenStack Networking. In a typical OpenStack deployment these services map to the following security domains:</para>
<itemizedlist><listitem>
<para>OpenStack Dashboard: Public and Management</para>
</listitem>
<listitem>
<para>OpenStack Identity: Management</para>
</listitem>
<listitem>
<para>OpenStack Compute Node: Management and Guest</para>
</listitem>
<listitem>
<para>OpenStack Network Node: Management, Guest, and possibly Public depending upon neutron-plugin in use.</para>
</listitem>
<listitem>
<para>SDN Services Node: Management, Guest and possibly
Public depending upon product used.</para>
</listitem>
</itemizedlist>
<para><inlinemediaobject><imageobject role="html">
<imagedata contentdepth="454" contentwidth="682" fileref="static/1aa-logical-neutron-flow.png" format="PNG" scalefit="1"/>
</imageobject>
<imageobject role="fo">
<imagedata contentdepth="100%" fileref="static/1aa-logical-neutron-flow.png" format="PNG" scalefit="1" width="100%"/>
</imageobject>
</inlinemediaobject></para>
<para>In order to isolate sensitive data communication between the OpenStack Networking services and other OpenStack core services, we strongly recommend that these communication channels be configured to only allow communications over an isolated management network.</para>
<section xml:id="ch033_securing-neutron-services-idp55312">
<title>OpenStack Networking Service Configuration</title>
<section xml:id="ch033_securing-neutron-services-idp56016">
<title>Restrict Bind Address of the API server: neutron-server</title>
<para>To restrict the interface or IP address on which the OpenStack Networking API service binds a network socket for incoming client connections, specify the bind_host and bind_port in the neutron.conf file as shown:</para>
<screen> 
# Address to bind the API server
bind_host = &lt;ip address of server&gt;
# Port the bind the API server to
bind_port = 9696</screen>
</section>
<section xml:id="ch033_securing-neutron-services-idp58320">
<title>Restrict DB and RPC communication of the OpenStack Networking services:</title>
<para>Various components of the OpenStack Networking services use either the messaging queue or database connections to communicate with other components in OpenStack Networking.</para>
<para>It is recommended that you follow the guidelines provided in the Database Authentication and Access Control chapter in the Database section for all components that require direct DB connections.</para>
<para>It is recommended that you follow the guidelines provided in the Queue Authentication and Access Control chapter in the Messaging section for all components that require RPC communication.</para>
</section>
</section>
</chapter>
View Git Blame Copy Permalink