Very interesting discussion. The Security project has a published security guide that I believe this would be very appropriate content for, the current guide (for reference) is here: http://docs.openstack.org/sec/
Contributions welcome, just like any other part of the OpenStack docs :)

-Rob

On 15/09/2015 16:05, "Jeff Keopp" <ke...@cray.com> wrote:

> This is a very interesting proposal and one I believe is needed. I'm
> currently looking at hardening the controller nodes from unwanted access
> and discovered that every time the controller node is booted/rebooted, it
> flushes the iptables and writes only those rules that neutron believes
> should be there. This behavior would render this proposal ineffective
> once the node is rebooted.
>
> So I believe neutron needs to be fixed to not flush the iptables on each
> boot, but to write the iptables to /etc/sysconfig/iptables and then
> restore them as a normal linux box should do. It should be a good citizen
> with other processes.
>
> A sysadmin should be allowed to use whatever iptables handlers they wish
> to implement security policies and not have an OpenStack process undo what
> they have set.
>
> I should mention this is on a system using a flat network topology and
> bare metal nodes. No VMs.
>
> --
> Jeff Keopp | Sr. Software Engineer, ES Systems.
> 380 Jackson Street | St. Paul, MN 55101 | USA | www.cray.com
>
> -----Original Message-----
> From: Major Hayden <ma...@mhtx.net>
> Reply-To: "OpenStack Development Mailing List (not for usage questions)"
> <openstack-dev@lists.openstack.org>
> Date: Monday, September 14, 2015 at 11:34
> To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
> Subject: Re: [openstack-dev] [openstack-ansible] Security hardening
>
>> On 09/14/2015 03:28 AM, Jesse Pretorius wrote:
>>> I agree with Clint that this is a good approach.
>>>
>>> If there is an automated way that we can verify the security of an
>>> installation at a reasonable/standardised level then I think we should
>>> add a gate check for it too.
>>
>> Here's a rough draft of a spec. Feel free to throw some darts.
>>
>> https://review.openstack.org/#/c/222619/
>>
>> --
>> Major Hayden
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
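The failure mode Jeff describes (operator rules gone after a reboot, only the agent's rules left) is easiest to catch with a drift check between the ruleset the operator intended and the live one. The script below is an added example for this thread, not OpenStack or Neutron code: it parses two iptables-save dumps and reports rules and chain policies that disappeared. The two dumps embedded in it are constructed samples, the chain name neutron-filter-top is only illustrative, and the suggested baseline location /etc/sysconfig/iptables is the file the iptables service on RHEL-family hosts reads, which is in iptables-save format.

```python
"""Added illustration (not OpenStack or Neutron code): detect host firewall
rules that vanished after a reboot by diffing two iptables-save dumps.
Both dumps are constructed samples; the chain names are illustrative only."""
import re
from typing import Dict, List, Tuple

# Constructed baseline captured while the operator's hardening rules were
# in place, next to the chain an agent maintains. Not a real capture.
BASELINE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -j neutron-filter-top
-A FORWARD -j neutron-filter-top
COMMIT
"""

# Constructed post-reboot dump: only the agent's rules survived and the
# INPUT policy is back to ACCEPT.
AFTER_REBOOT_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:neutron-filter-top - [0:0]
-A INPUT -j neutron-filter-top
-A FORWARD -j neutron-filter-top
COMMIT
"""

_TABLE_RE = re.compile(r"^\*(\w+)$")
_POLICY_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")


def parse_dump(dump: str) -> Dict[str, Tuple[Dict[str, str], List[str]]]:
    """Parse iptables-save text into {table: (chain_policies, rules)}.
    Comments and packet/byte counters are dropped so two dumps compare on
    content only; rules keep their order within a table."""
    tables: Dict[str, Tuple[Dict[str, str], List[str]]] = {}
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _TABLE_RE.match(line)
        if m:
            table = m.group(1)
            tables[table] = ({}, [])
            continue
        if line == "COMMIT":
            table = None
            continue
        if table is None:
            raise ValueError("line outside a table block: %r" % line)
        m = _POLICY_RE.match(line)
        if m:
            tables[table][0][m.group(1)] = m.group(2)  # ":INPUT DROP [0:0]"
        elif line.startswith("-A "):
            tables[table][1].append(line)
        else:
            raise ValueError("unrecognised iptables-save line: %r" % line)
    return tables


def missing_rules(baseline: str, current: str) -> Dict[str, List[str]]:
    """Rules present in baseline but absent from current, per table, in
    baseline order. Tables with nothing missing are omitted."""
    base, cur = parse_dump(baseline), parse_dump(current)
    out: Dict[str, List[str]] = {}
    for table, (_, rules) in base.items():
        present = set(cur.get(table, ({}, []))[1])
        gone = [r for r in rules if r not in present]
        if gone:
            out[table] = gone
    return out


def changed_policies(baseline: str, current: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Chain policies that differ, as {table: {chain: (was, now)}}; a chain
    that no longer exists is reported with now == "MISSING"."""
    base, cur = parse_dump(baseline), parse_dump(current)
    out: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for table, (policies, _) in base.items():
        now_policies = cur.get(table, ({}, []))[0]
        for chain, was in policies.items():
            now = now_policies.get(chain, "MISSING")
            if now != was:
                out.setdefault(table, {})[chain] = (was, now)
    return out


def has_drift(baseline: str, current: str) -> bool:
    """True when any baseline rule or chain policy is no longer in effect."""
    return bool(missing_rules(baseline, current)) or bool(changed_policies(baseline, current))


def report(baseline: str, current: str) -> str:
    """Human-readable summary suitable for a cron job or a gate check."""
    lines = []
    for table, chains in changed_policies(baseline, current).items():
        for chain, (was, now) in chains.items():
            lines.append(f"[{table}] policy {chain}: {was} -> {now}")
    for table, rules in missing_rules(baseline, current).items():
        for rule in rules:
            lines.append(f"[{table}] missing: {rule}")
    return "\n".join(lines) if lines else "no drift"


if __name__ == "__main__":
    # On a real host, read the saved ruleset (for example /etc/sysconfig/iptables
    # on RHEL-family systems) as the baseline and run `iptables-save` for the
    # current one; the constructed samples stand in for both here.
    print(report(BASELINE_DUMP, AFTER_REBOOT_DUMP))
```

Run on the samples, the report lists the INPUT policy flip from DROP to ACCEPT and the four operator rules that were dropped, while the agent's own chain and jumps are left out because they survived. Comparing against a saved file rather than against a chain count is what makes the check meaningful: a ruleset that was rewritten to the agent's view still looks "populated" if you only count rules.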