Chapter 19. Security Enhancements
The following sections provide some suggestions to harden the security of your overcloud.
19.1. Managing the Overcloud Firewall
Each of the core OpenStack Platform services contains firewall rules in their respective composable service templates. This automatically creates a default set of firewall rules for each overcloud node.
The overcloud Heat templates contain a set of parameters to help with additional firewall management:
- ManageFirewall: Defines whether to automatically manage the firewall rules. Set to true to allow Puppet to automatically configure the firewall on each node. Set to false if you want to manually manage the firewall. The default is true.
- PurgeFirewallRules: Defines whether to purge the default Linux firewall rules before configuring new ones. The default is false.
If ManageFirewall is set to true, you can create additional firewall rules on deployment. Set the tripleo::firewall::firewall_rules hieradata using a configuration hook (see Section 4.5, “Puppet: Customizing Hieradata for Roles”) in an environment file for your overcloud. This hieradata is a hash keyed by firewall rule name; the value for each rule is a hash of the following parameters, all of which are optional:
- port: The port associated to the rule.
- dport: The destination port associated to the rule.
- sport: The source port associated to the rule.
- proto: The protocol associated to the rule. Defaults to tcp.
- action: The action policy associated to the rule. Defaults to accept.
- jump: The chain to jump to. If present, it overrides action.
- state: An array of states associated to the rule. Defaults to ['NEW'].
- source: The source IP address associated to the rule.
- iniface: The network interface associated to the rule.
- chain: The chain associated to the rule. Defaults to INPUT.
- destination: The destination CIDR associated to the rule.
The following example demonstrates the syntax of the firewall rule format:
This applies two additional firewall rules to all nodes through ExtraConfig.
Each rule name becomes the comment for the respective iptables rule. Note also that each rule name starts with a three-digit prefix to help Puppet order all defined rules in the final iptables file. The default OpenStack Platform rules use prefixes in the 000 to 200 range.
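The environment file described above, written out here as an added example rather than the page's own listing. The rule names, the ports 999 and 8081, and the 10.0.0.0/24 source network are constructed values; the keys are the tripleo::firewall::firewall_rules parameters listed in this section.

```yaml
# Added example: two extra firewall rules applied to every overcloud node
# through ExtraConfig. Rule names, ports and the source network are constructed.
parameter_defaults:
  ExtraConfig:
    tripleo::firewall::firewall_rules:
      # The rule name becomes the iptables comment. The 3xx prefix sorts these
      # rules after the default OpenStack Platform rules (prefixes 000 to 200).
      '300 allow custom application 1':
        dport: 999
        proto: udp
        action: accept
      # Limit the second rule to a management subnet and to new connections;
      # chain defaults to INPUT, so it does not need to be set explicitly.
      '301 allow custom application 2':
        dport: 8081
        proto: tcp
        source: 10.0.0.0/24
        state: ['NEW']
        action: accept
```

After deployment, the comment on each generated iptables rule is the rule name, so `iptables -S INPUT` on a node shows the 300 and 301 rules ordered after the default set; a rule that does not appear usually means ManageFirewall was set to false.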
				
19.2. Changing the Simple Network Management Protocol (SNMP) Strings
The director provides a default read-only SNMP configuration for your overcloud. It is advisable to change the SNMP strings to mitigate the risk of unauthorized users learning about your network devices.
					When you configure the ExtraConfig interface with a string parameter, you must use the following syntax to ensure that Heat and Hiera do not interpret the string as a boolean value: '"<VALUE>"'.
				
				Set the following hieradata using the ExtraConfig hook in an environment file for your overcloud:
			
- snmp::ro_community: IPv4 read-only SNMP community string. The default value is public.
- snmp::ro_community6: IPv6 read-only SNMP community string. The default value is public.
- snmp::ro_network: Network that is allowed to RO query the daemon. This value can be a string or an array. The default value is 127.0.0.1.
- snmp::ro_network6: Network that is allowed to RO query the daemon with IPv6. This value can be a string or an array. The default value is ::1/128.
- snmp::snmpd_config: Array of lines to add to the snmpd.conf file as a safety valve. The default value is []. See the SNMP Configuration File web page for all available options.
For example:
parameter_defaults:
  ExtraConfig:
    snmp::ro_community: mysecurestring
    snmp::ro_community6: myv6securestring
This changes the read-only SNMP community string on all nodes.
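An added example (not the page's own listing) that combines the '"<VALUE>"' quoting rule from this section with the network parameters, so that the community strings survive Heat and Hiera as strings and only a constructed management subnet (10.0.0.0/24) can query snmpd:

```yaml
# Added example: new community strings plus a query-source restriction.
# The community strings and the 10.0.0.0/24 management subnet are constructed.
parameter_defaults:
  ExtraConfig:
    # Wrapped as '"<VALUE>"' so Heat and Hiera keep the value as a string
    # instead of interpreting it as a boolean or number.
    snmp::ro_community: '"mysecurestring"'
    snmp::ro_community6: '"myv6securestring"'
    # ro_network accepts a string or an array; an array lets you list several
    # networks. Only these sources may issue read-only queries.
    snmp::ro_network:
      - 10.0.0.0/24
    snmp::ro_network6:
      - '::1/128'
    # Extra snmpd.conf lines, appended verbatim (sysLocation is a standard
    # snmpd.conf directive; the value is constructed).
    snmp::snmpd_config:
      - 'sysLocation "overcloud rack 1"'
```

Changing the community string alone leaves snmpd answering any host that learns the string; narrowing ro_network to the management network is what limits who can reach the daemon at all.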
19.3. Changing the SSL/TLS Cipher and Rules for HAProxy
If you enabled SSL/TLS in the overcloud (see Chapter 14, Enabling SSL/TLS on Overcloud Public Endpoints), you might want to harden the SSL/TLS ciphers and rules used with the HAProxy configuration. This helps avoid SSL/TLS vulnerabilities, such as the POODLE vulnerability.
				Set the following hieradata using the ExtraConfig hook in an environment file for your overcloud:
			
- tripleo::haproxy::ssl_cipher_suite
- The cipher suite to use in HAProxy.
- tripleo::haproxy::ssl_options
- The SSL/TLS rules to use in HAProxy.
For example, you might aim to use the following cipher and rules:
- Cipher: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
- Rules: no-sslv3 no-tls-tickets
Create an environment file with the following content:
parameter_defaults:
  ExtraConfig:
    tripleo::haproxy::ssl_cipher_suite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    tripleo::haproxy::ssl_options: no-sslv3 no-tls-tickets
The cipher collection is one continuous line.
Include this environment file with your overcloud creation.
19.4. Using the Open vSwitch Firewall
				You can configure security groups to use the Open vSwitch (OVS) firewall driver in Red Hat OpenStack Platform director. The NeutronOVSFirewallDriver parameter allows you to specify which firewall driver to use:
			
- iptables_hybrid: Configures neutron to use the iptables/hybrid based implementation.
- openvswitch: Configures neutron to use the OVS firewall flow-based driver.
				The openvswitch firewall driver includes higher performance and reduces the number of interfaces and bridges used to connect guests to the project network.
			
					The iptables_hybrid option is not compatible with OVS-DPDK.
				
				Configure the NeutronOVSFirewallDriver parameter in the network-environment.yaml file:
			
NeutronOVSFirewallDriver: openvswitch
- NeutronOVSFirewallDriver: Configures the name of the firewall driver to use when implementing security groups. Possible values depend on your system configuration; some examples are: noop, openvswitch, iptables_hybrid. The default value of an empty string results in a supported configuration.
19.5. Using Secure Root User Access
				The overcloud image automatically contains hardened security for the root user. For example, each deployed overcloud node automatically disables direct SSH access to the root user. You can still access the root user on overcloud nodes through the following method:
			
- Log into the undercloud node’s stack user.
- Each overcloud node has a heat-admin user account. This user account contains the undercloud’s public SSH key, which provides SSH access without a password from the undercloud to the overcloud node. On the undercloud node, log into the chosen overcloud node through SSH using the heat-admin user.
- Switch to the root user with sudo -i.
Reducing Root User Security
					Some situations might require direct SSH access to the root user. In this case, you can reduce the SSH restrictions on the root user for each overcloud node.
				
This method is intended for debugging purposes only. It is not recommended for use in a production environment.
The method uses the first boot configuration hook (see Section 4.1, “First Boot: Customizing First Boot Configuration”). Place the following content in an environment file:
resource_registry:
  OS::TripleO::NodeUserData: /usr/share/openstack-tripleo-heat-templates/firstboot/userdata_root_password.yaml
parameter_defaults:
  NodeRootPassword: "p@55w0rd!"
Note the following:
- The OS::TripleO::NodeUserData resource refers to a template that configures the root user during the first boot cloud-init stage.
- The NodeRootPassword parameter sets the password for the root user. Change the value of this parameter to your desired password. Note that the environment file contains the password as a plain text string, which is considered a security risk.
				Include this environment file with the openstack overcloud deploy command when creating your overcloud.